
A LLM-based system for Network Vulnerability Detection and Mitigation

Andrea D'Attila

A LLM-based system for Network Vulnerability Detection and Mitigation.

Supervisors: Alessandro Aliberti, Edoardo Patti. Politecnico di Torino, NOT SPECIFIED, 2024

Abstract:

Cybersecurity within networks has never been more important than it is nowadays. It is fundamental for those who connect to a network to have a clear picture of the possible risks they face, the vulnerabilities there may be on that network, and the actions they can take as mitigations. This thesis aims to build a system that is able to provide a formal representation of a network, that describes its main characteristics, and with the help of Artificial Intelligence, is able to make inferences about potential vulnerabilities and mitigation techniques to be implemented. In the first part, my attention is focused on network scanning techniques, by which the system must be able to retrieve the information it needs, like nodes, edges, services, protocols. I also work on the design of the network description structure, in order to formally define what information might be relevant to the identification of possible sources of insecurity. The second part of the dissertation focuses on the adaptation of a Large Language Model to my purpose, so that it takes as input the information about the network previously found and it is able to return information and suggestions to the user regarding the security status of the network and possible vulnerabilities. To do this, I will investigate which LLM may be best suited for my goal and the best fine-tuning techniques that can give satisfactory results in terms of performance and computational cost. Then, I am going to use the Retrieval-Augmented Generation approach, which consists of providing additional context-related information that the model is not aware of, at the time it is queried. In this case, the information provided is taken from the list of Common Vulnerabilities and Exposures collected by the MITRE Corporation, an American cybersecurity organization and one of the most relevant in the field.
The challenge, then, is primarily to understand whether the model is able to return correct information regarding the security state of the network, and also whether, from the information provided, it is capable of making additional inferences related not only to individual network nodes but also to the interaction between them.

Supervisors: Alessandro Aliberti, Edoardo Patti
Academic year: 2023/24
Publication type: Electronic
Number of pages: 74
Additional information: Confidential thesis. Full text not available
Subjects:
Degree course: NOT SPECIFIED
Degree class: New organization > Master's degree > LM-32 - COMPUTER ENGINEERING
Collaborating companies: ALPHAWAVES S.R.L.
URI: http://webthesis.biblio.polito.it/id/eprint/30905