Prompting LLM to Enforce and Validate CIS Critical Security Control

Mohiuddin Ahmed; Jinpeng Wei; Ehab Al-Shaer

doi:10.1145/3649158.3657036

Prompting LLM to Enforce and Validate CIS Critical Security Control

Mohiuddin Ahmed
, Jinpeng Wei
, Ehab Al-Shaer

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

2 Scopus citations

Abstract

Proper security control enforcement reduces the attack surface and protects the organizations against attacks. Organizations like NIST and CIS (Center for Internet Security) provide critical security controls (CSCs) as a guideline to enforce cyber security. Automated enforcement and measurability mechanisms for these CSCs still need to be developed. Analyzing the implementations of security products to validate security control enforcement is non-trivial. Moreover, manually analyzing and developing measures and metrics to monitor, and implementing those monitoring mechanisms are resource-intensive tasks and massively dependent on the security analyst's expertise and knowledge. To tackle those problems, we use large language models (LLMs) as a knowledge base and reasoner to extract measures, metrics, and monitoring mechanism implementation steps from security control descriptions to reduce the dependency on security analysts. Our approach used few-shot learning with chain-of-thought (CoT) prompting to generate measures and metrics and generated knowledge prompting for metrics implementation. Our evaluation shows that prompt engineering to extract measures, metrics, and monitoring implementation mechanisms can reduce dependency on humans and semi-automate the extraction process. We also demonstrate metric implementation steps using generated knowledge prompting with LLMs.

Original language	English
Title of host publication	SACMAT 2024 - Proceedings of the 29th ACM Symposium on Access Control Models and Technologies
Publisher	Association for Computing Machinery
Pages	93-104
Number of pages	12
ISBN (Electronic)	9798400704918
DOIs	https://doi.org/10.1145/3649158.3657036
State	Published - 24 Jun 2024
Externally published	Yes
Event	29th ACM Symposium on Access Control Models and Technologies, SACMAT 2024 - San Antonio, United States Duration: 15 May 2024 → 17 May 2024

Publication series

Name	Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

Conference

Conference	29th ACM Symposium on Access Control Models and Technologies, SACMAT 2024
Country/Territory	United States
City	San Antonio
Period	15/05/24 → 17/05/24

Bibliographical note

Publisher Copyright:
© 2024 ACM.

Keywords

account management.
critical security control
llm
prompt engineering

ASJC Scopus subject areas

Software
Computer Networks and Communications
Safety, Risk, Reliability and Quality
Information Systems

Access to Document

10.1145/3649158.3657036

Cite this

Ahmed, M., Wei, J., & Al-Shaer, E. (2024). Prompting LLM to Enforce and Validate CIS Critical Security Control. In SACMAT 2024 - Proceedings of the 29th ACM Symposium on Access Control Models and Technologies (pp. 93-104). (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT). Association for Computing Machinery. https://doi.org/10.1145/3649158.3657036

@inproceedings{18d45106ef7141febc905d84428aed23,

title = "Prompting LLM to Enforce and Validate CIS Critical Security Control",

abstract = "Proper security control enforcement reduces the attack surface and protects the organizations against attacks. Organizations like NIST and CIS (Center for Internet Security) provide critical security controls (CSCs) as a guideline to enforce cyber security. Automated enforcement and measurability mechanisms for these CSCs still need to be developed. Analyzing the implementations of security products to validate security control enforcement is non-trivial. Moreover, manually analyzing and developing measures and metrics to monitor, and implementing those monitoring mechanisms are resource-intensive tasks and massively dependent on the security analyst's expertise and knowledge. To tackle those problems, we use large language models (LLMs) as a knowledge base and reasoner to extract measures, metrics, and monitoring mechanism implementation steps from security control descriptions to reduce the dependency on security analysts. Our approach used few-shot learning with chain-of-thought (CoT) prompting to generate measures and metrics and generated knowledge prompting for metrics implementation. Our evaluation shows that prompt engineering to extract measures, metrics, and monitoring implementation mechanisms can reduce dependency on humans and semi-automate the extraction process. We also demonstrate metric implementation steps using generated knowledge prompting with LLMs.",

keywords = "account management., critical security control, llm, prompt engineering",

author = "Mohiuddin Ahmed and Jinpeng Wei and Ehab Al-Shaer",

note = "Publisher Copyright: {\textcopyright} 2024 ACM.; 29th ACM Symposium on Access Control Models and Technologies, SACMAT 2024 ; Conference date: 15-05-2024 Through 17-05-2024",

year = "2024",

month = jun,

day = "24",

doi = "10.1145/3649158.3657036",

language = "English",

series = "Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT",

publisher = "Association for Computing Machinery",

pages = "93--104",

booktitle = "SACMAT 2024 - Proceedings of the 29th ACM Symposium on Access Control Models and Technologies",

}

Ahmed, M, Wei, J & Al-Shaer, E 2024, Prompting LLM to Enforce and Validate CIS Critical Security Control. in SACMAT 2024 - Proceedings of the 29th ACM Symposium on Access Control Models and Technologies. Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT, Association for Computing Machinery, pp. 93-104, 29th ACM Symposium on Access Control Models and Technologies, SACMAT 2024, San Antonio, United States, 15/05/24. https://doi.org/10.1145/3649158.3657036

Prompting LLM to Enforce and Validate CIS Critical Security Control. / Ahmed, Mohiuddin; Wei, Jinpeng; Al-Shaer, Ehab.
SACMAT 2024 - Proceedings of the 29th ACM Symposium on Access Control Models and Technologies. Association for Computing Machinery, 2024. p. 93-104 (Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Prompting LLM to Enforce and Validate CIS Critical Security Control

AU - Ahmed, Mohiuddin

AU - Wei, Jinpeng

AU - Al-Shaer, Ehab

PY - 2024/6/24

Y1 - 2024/6/24

N2 - Proper security control enforcement reduces the attack surface and protects the organizations against attacks. Organizations like NIST and CIS (Center for Internet Security) provide critical security controls (CSCs) as a guideline to enforce cyber security. Automated enforcement and measurability mechanisms for these CSCs still need to be developed. Analyzing the implementations of security products to validate security control enforcement is non-trivial. Moreover, manually analyzing and developing measures and metrics to monitor, and implementing those monitoring mechanisms are resource-intensive tasks and massively dependent on the security analyst's expertise and knowledge. To tackle those problems, we use large language models (LLMs) as a knowledge base and reasoner to extract measures, metrics, and monitoring mechanism implementation steps from security control descriptions to reduce the dependency on security analysts. Our approach used few-shot learning with chain-of-thought (CoT) prompting to generate measures and metrics and generated knowledge prompting for metrics implementation. Our evaluation shows that prompt engineering to extract measures, metrics, and monitoring implementation mechanisms can reduce dependency on humans and semi-automate the extraction process. We also demonstrate metric implementation steps using generated knowledge prompting with LLMs.

AB - Proper security control enforcement reduces the attack surface and protects the organizations against attacks. Organizations like NIST and CIS (Center for Internet Security) provide critical security controls (CSCs) as a guideline to enforce cyber security. Automated enforcement and measurability mechanisms for these CSCs still need to be developed. Analyzing the implementations of security products to validate security control enforcement is non-trivial. Moreover, manually analyzing and developing measures and metrics to monitor, and implementing those monitoring mechanisms are resource-intensive tasks and massively dependent on the security analyst's expertise and knowledge. To tackle those problems, we use large language models (LLMs) as a knowledge base and reasoner to extract measures, metrics, and monitoring mechanism implementation steps from security control descriptions to reduce the dependency on security analysts. Our approach used few-shot learning with chain-of-thought (CoT) prompting to generate measures and metrics and generated knowledge prompting for metrics implementation. Our evaluation shows that prompt engineering to extract measures, metrics, and monitoring implementation mechanisms can reduce dependency on humans and semi-automate the extraction process. We also demonstrate metric implementation steps using generated knowledge prompting with LLMs.

KW - account management.

KW - critical security control

KW - llm

KW - prompt engineering

UR - https://www.scopus.com/pages/publications/85197805571

U2 - 10.1145/3649158.3657036

DO - 10.1145/3649158.3657036

M3 - Conference contribution

AN - SCOPUS:85197805571

T3 - Proceedings of ACM Symposium on Access Control Models and Technologies, SACMAT

SP - 93

EP - 104

BT - SACMAT 2024 - Proceedings of the 29th ACM Symposium on Access Control Models and Technologies

PB - Association for Computing Machinery

T2 - 29th ACM Symposium on Access Control Models and Technologies, SACMAT 2024

Y2 - 15 May 2024 through 17 May 2024

ER -

Prompting LLM to Enforce and Validate CIS Critical Security Control

Abstract

Publication series

Conference

Bibliographical note

Keywords

ASJC Scopus subject areas

Access to Document

Fingerprint

Cite this