Anomaly detection in cybersecurity has lengthy promised the power to determine threats by highlighting deviations from anticipated conduct. In relation to figuring out malicious instructions, nevertheless, its sensible software typically ends in excessive charges of false positives – making it costly and inefficient. However with latest improvements in AI, is there a special approach that we now have but to discover?
In our discuss at Black Hat USA 2025, we offered our analysis into creating a pipeline that doesn’t rely on anomaly detection as some extent of failure. By combining anomaly detection with giant language fashions (LLMs), we will confidently determine essential knowledge that can be utilized to enhance a devoted command-line classifier.
Utilizing anomaly detection to feed a unique course of avoids the doubtless catastrophic false-positive charges of an unsupervised methodology. As an alternative, we create enhancements in a supervised mannequin focused in the direction of classification.
Unexpectedly, the success of this methodology didn’t rely on anomaly detection finding malicious command strains. As an alternative, anomaly detection, when paired with LLM-based labeling, yields a remarkably numerous set of benign command strains. Leveraging these benign knowledge when coaching command-line classifiers considerably reduces false-positive charges. Moreover, it permits us to make use of plentiful current knowledge with out the needles in a haystack which can be malicious command strains in manufacturing knowledge.
On this article, we’ll discover the methodology of our experiment, highlighting how numerous benign knowledge recognized by way of anomaly detection broadens the classifier’s understanding and contributes to making a extra resilient detection system.
By shifting focus from solely aiming to search out malicious anomalies to harnessing benign variety, we provide a possible paradigm shift in command-line classification methods.
Cybersecurity practitioners sometimes need to strike a stability between pricey labeled datasets and noisy unsupervised detections. Conventional benign labeling focuses on incessantly noticed, low-complexity benign behaviors, as a result of that is simple to realize at scale, inadvertently excluding uncommon and complex benign instructions. This hole prompts classifiers to misclassify refined benign instructions as malicious, driving false optimistic charges increased.
Latest developments in LLMs have enabled extremely exact AI-based labeling at scale. We examined this speculation by labelling anomalies detected in actual manufacturing telemetry (over 50 million each day instructions), attaining near-perfect precision on benign anomalies. Utilizing anomaly detection explicitly to boost the protection of benign knowledge, our intention was to vary the position of anomaly detection – shifting from erratically figuring out malicious conduct to reliably highlighting benign variety. This strategy is essentially new, as anomaly detection historically prioritizes malicious discoveries fairly than enhancing benign label variety.
Utilizing anomaly detection paired with automated, dependable benign labeling from superior LLMs, particularly OpenAI’s o3-mini mannequin, we augmented supervised classifiers and considerably enhanced their efficiency.
Knowledge assortment and featurization
We in contrast two distinct implementations of knowledge assortment and featurization over the month of January 2025, making use of every implementation each day to judge efficiency throughout a consultant timeline.
Full-scale implementation (all out there telemetry)
The primary methodology operated on full each day Sophos telemetry, which included about 50 million distinctive command strains per day. This methodology required scaling infrastructure utilizing Apache Spark clusters and automatic scaling by way of AWS SageMaker.
The options for the full-scale strategy had been based mostly totally on domain-specific guide engineering. We calculated a number of descriptive command-line options:
- Entropy-based options measured command complexity and randomness
- Character-level options encoded the presence of particular characters and particular tokens
- Token-level options captured the frequency and significance of tokens throughout command-line distributions
- Behavioral checks particularly focused suspicious patterns generally correlated with malicious intent, reminiscent of obfuscation methods, knowledge switch instructions, and reminiscence or credential-dumping operations.
Decreased-scale embeddings implementation (sampled subset)
Our second technique addressed scalability issues through the use of each day sampled subsets with 4 million distinctive command strains per day. Lowering the computational load allowed for the analysis of efficiency trade-offs and useful resource efficiencies of a cheaper strategy.
Notably, function embeddings and anomaly processing for this strategy might feasibly be executed on cheap Amazon SageMaker GPU cases and EC2 CPU cases – considerably decreasing operational prices.
As an alternative of function engineering, the sampled methodology used semantic embeddings generated from a pre-trained transformer embedding mannequin particularly designed for programming purposes: Jina Embeddings V2. This mannequin is explicitly pre-trained on command strains, scripting languages, and code repositories. Embeddings signify instructions in a semantically significant, high-dimensional vector area, eliminating guide function engineering burdens and inherently capturing advanced command relationships.
Though embeddings from transformer-based fashions will be computationally intensive, the smaller knowledge measurement of this strategy made their calculation manageable.
Using two distinct methodologies allowed us to evaluate whether or not we might get hold of computational reductions with out appreciable lack of detection efficiency — a helpful perception towards manufacturing deployment.
Anomaly detection methods
Following featurization, we detected anomalies with three unsupervised anomaly detection algorithms, every chosen on account of distinct modeling traits. The isolation forest identifies sparse random partitions; a modified k-means makes use of centroid distance to search out atypical factors that don’t comply with frequent tendencies within the knowledge; and principal element evaluation (PCA) locates knowledge with giant reconstruction errors within the projected subspace.
Deduplication of anomalies and LLM labeling
With preliminary anomaly discovery accomplished, we addressed a sensible situation: anomaly duplication. Many anomalous instructions solely differed minimally from one another, reminiscent of a small parameter change or a substitution of variable names. To keep away from redundancies and inadvertently up-weighting sure sorts of instructions, we established a deduplication step
We computed command-line embeddings utilizing the transformer mannequin (Jina Embeddings V2), then measured the similarity of anomaly candidates with cosine similarity comparisons. Cosine similarity offers a sturdy and environment friendly vector-based measure of semantic similarity between embedded representations, guaranteeing that downstream labelling evaluation targeted on considerably novel anomalies.
Subsequently, anomalies had been categorised utilizing automated LLM-based labeling. Our methodology used OpenAI’s o3-mini reasoning LLM, particularly chosen for its efficient contextual understanding of cybersecurity-related textual knowledge, owing to its general-purpose fine-tuning on numerous reasoning duties.
This mannequin routinely assigned every anomaly a transparent benign or malicious label, drastically decreasing pricey human analyst interventions.
The validation of LLM labeling demonstrated an exceptionally excessive precision for benign labels (close to 100%), confirmed by subsequent professional analyst guide scoring throughout a full week of anomaly knowledge. This excessive precision supported direct integration of labeled benign anomalies into subsequent phases for classifier coaching with excessive belief and minimal human validation.
This rigorously structured methodological pipeline — from complete knowledge assortment to express labeling — yielded numerous benign-labeled command datasets and considerably lowered false-positive charges when applied in supervised classification fashions.
The total-scale and reduced-scale implementations resulted in two separate distributions as seen in Figures 1 and a couple of respectively. To exhibit the generalizability of our methodology, we augmented two separate baseline coaching datasets: a regex baseline (RB) and an aggregated baseline (AB). The regex baseline sourced labels from static, regex-based guidelines and was meant to signify one of many easiest attainable labeling pipelines. The aggregated baseline sourced labels from regex-based guidelines, sandbox knowledge, buyer case investigations, and buyer telemetry. This represents a extra mature and complicated labeling pipeline.
Determine 1: Cumulative distribution of command strains gathered per day over the check month utilizing the full-scale methodology. The graph exhibits all command strains, deduplication by distinctive command line, and near-deduplication by cosine similarity of command line embeddings
Determine 2: Cumulative distribution of command strains gathered per day over the check month utilizing the reduced-scale methodology. The lowered scale plateaus slower as a result of the sampled knowledge is probably going discovering extra native optima
| Coaching set | Incident check AUC | Time break up check AUC |
| Aggregated Baseline (AB) | 0.6138 | 0.9979 |
| AB + Full-scale | 0.8935 | 0.9990 |
| AB + Decreased-scale Mixed | 0.8063 | 0.9988 |
| Regex Baseline (RB) | 0.7072 | 0.9988 |
| RB + Full-scale | 0.7689 | 0.9990 |
| RB + Decreased-scale Mixed | 0.7077 | 0.9995 |
Desk 1: Space beneath the curve for the aggregated baseline and regex baseline fashions skilled with further anomaly-derived benign knowledge. The aggregated baseline coaching set consists of buyer and sandbox knowledge. The regex baseline coaching set consists of regex-derived knowledge
As seen in Desk 1, we evaluated our skilled fashions on each a time break up check set and an expert-labeled benchmark derived from incident investigations and an energetic studying framework. The time break up check set spans three weeks instantly succeeding the coaching interval. The expert-labeled benchmark intently resembles the manufacturing distribution of beforehand deployed fashions.
By integrating anomaly-derived benign knowledge, we improved the world beneath the curve (AUC) on the expert-labeled benchmark of the aggregated and regex baseline fashions by 27.97 factors and 6.17 factors respectively.
As an alternative of ineffective direct malicious classification, we exhibit anomaly detection’s distinctive utility in enriching benign knowledge protection within the lengthy tail – a paradigm shift that enhances classifier accuracy and minimizes false-positive charges.
Fashionable LLMs have enabled automated pipelines for benign knowledge labelling – one thing not attainable till just lately. Our pipeline was seamlessly built-in into an current manufacturing pipeline, highlighting its generic and adaptable nature.
