Using LLMs, Embeddings, and Similarity to Assist DFIR Analysis
Matthew Seyer, KPMG
Devanshi Agnihotri, KPMG
SANS AI Cybersecurity Summit

2023 KPMG LLP, a Delaware limited liability partnership and a member firm of the KPMG global organization of independent member firms affiliated with KPMG International Limited, a private English company limited by guarantee. All rights reserved.

What is Similarity?
Likeness/resemblance between two or more things

Utilizing Similarity in Investigations
1. Answering questions with similarity
2. Sorting data by similarity for review
3. Quickly identify risky activity in a systematic process

Similarity in Investigations

Answering questions about similarity
I found attacker activity!
Does similar activity exist?
How early do we see this activity?

Sorting by Similarity
Lexical (A-Z) Sort versus Similarity (Cluster) Sort
Example command lines from the two sort columns of the slide:
csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
csc.exe /r:System.EnterpriseServices.dll /target:library /keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
bcdedit.exe /set default recoveryenabled no
csc.exe /r:System.EnterpriseServices.dll /target:library C:\AtomicRedTeam\atomics\T1121\src\T1121.cs
cmd.exe /c bcdedit.exe /set default bootstatuspolicy ignoreallfailures
cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 /OUT:C:\User
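The two slide ideas above, "does similar activity exist, and how early?" and "sort by similarity rather than A-Z", worked through as an added example. This is not code from the talk or from KPMG: it stands in for the embedding model with a lowercase character-trigram vector and cosine similarity (an assumption made so the example runs offline), and the timestamped event list is constructed; the csc, bcdedit and cmd lines follow the slide, while the cvtres output path, the chrome line and the notepad line are made up.

```python
"""Similarity-assisted triage of process command lines (added example).

Two uses from the slides: (1) re-order a command-line list so look-alike
activity sits together instead of being scattered by an A-Z sort, and
(2) given one known-bad command line, find similar events and the
earliest time they appear. Character trigrams + cosine similarity are
an assumption standing in for an embedding model.
"""
from __future__ import annotations

import math
from collections import Counter

# Command lines taken from the slide's sort example.
CSC_KEYFILE = (r"csc.exe /r:System.EnterpriseServices.dll /target:library "
               r"/keyfile:key.snk C:\AtomicRedTeam\atomics\T1121\src\T1121.cs")
CSC_NOKEY = (r"csc.exe /r:System.EnterpriseServices.dll /target:library "
             r"C:\AtomicRedTeam\atomics\T1121\src\T1121.cs")
BCDEDIT = "bcdedit.exe /set default recoveryenabled no"
CMD_BCDEDIT = "cmd.exe /c bcdedit.exe /set default bootstatuspolicy ignoreallfailures"
# Constructed lines (the cvtres output path is invented; chrome/notepad are benign noise).
CVTRES = r"cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 /OUT:C:\Users\lab\AppData\Local\Temp\RES1.res"
CHROME = "chrome.exe --profile-directory=Default"
NOTEPAD = r"notepad.exe C:\Users\lab\notes.txt"

# Constructed event list: (ISO-8601 timestamp, command line).
EVENTS = [
    ("2023-05-01T08:55:00", CSC_NOKEY),
    ("2023-05-01T09:01:00", CHROME),
    ("2023-05-01T09:10:00", CSC_KEYFILE),
    ("2023-05-01T09:12:00", CVTRES),
    ("2023-05-01T09:30:00", NOTEPAD),
    ("2023-05-01T10:02:00", BCDEDIT),
    ("2023-05-01T10:02:05", CMD_BCDEDIT),
]


def trigrams(text: str, n: int = 3) -> Counter:
    """Bag of lowercase character n-grams: tolerant of reordered or extra arguments."""
    t = text.lower()
    return Counter(t[i:i + n] for i in range(len(t) - n + 1))


def cosine(a: Counter, b: Counter) -> float:
    """Cosine similarity of two bags; 1.0 for identical text, 0.0 for no overlap."""
    dot = sum(v * b[k] for k, v in a.items() if k in b)
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def similarity(x: str, y: str) -> float:
    return cosine(trigrams(x), trigrams(y))


def lexical_sort(cmds):
    """The plain A-Z sort the slide contrasts against."""
    return sorted(cmds)


def similarity_sort(cmds):
    """Greedy nearest-neighbour chain: start at the lexically first command,
    then keep appending the unvisited command most similar to the last one.
    `remaining` stays lexically ordered, so ties resolve deterministically."""
    remaining = sorted(set(cmds))
    vecs = {c: trigrams(c) for c in remaining}
    ordered = [remaining.pop(0)]
    while remaining:
        last = vecs[ordered[-1]]
        nxt = max(remaining, key=lambda c: cosine(last, vecs[c]))
        remaining.remove(nxt)
        ordered.append(nxt)
    return ordered


def find_similar(query: str, events, threshold: float = 0.5):
    """Events whose command line scores >= threshold against the query, best first."""
    q = trigrams(query)
    hits = [(ts, cmd, cosine(q, trigrams(cmd))) for ts, cmd in events]
    return sorted((h for h in hits if h[2] >= threshold), key=lambda h: -h[2])


def earliest_similar(query: str, events, threshold: float = 0.5):
    """Earliest timestamp of similar activity (ISO-8601 strings sort chronologically), or None."""
    hits = find_similar(query, events, threshold)
    return min(h[0] for h in hits) if hits else None


if __name__ == "__main__":
    cmds = [c for _, c in EVENTS]
    print("lexical sort:")
    for c in lexical_sort(cmds):
        print("  ", c)
    print("similarity sort:")
    for c in similarity_sort(cmds):
        print("  ", c)
    print("earliest csc-like activity:", earliest_similar(CSC_KEYFILE, EVENTS))
```

With this sample the A-Z sort places the unrelated chrome.exe line between bcdedit.exe and the cmd.exe wrapper that invokes bcdedit, while the similarity sort puts the two bcdedit commands and the two csc.exe compiles next to each other; querying with the keyfile csc.exe line returns both compiles and shows the earlier 08:55 event. The threshold is a tuning knob: too high misses variants, too low pulls in benign lines that merely share ".exe /".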