Designing and engineering LLM techniques for detecting novel bash attacks

In recent years, command-line interface (CLI) commands have become more articulated and increased in complexity. This has underscored the possible need for advanced tools that can efficiently analyze and understand this data. In this thesis, Bash is the language taken into account. Command-line interactions, which are integral to system administration, software development, and data processing, often involve sequences of commands, from now on called sessions, and their corresponding outputs that encode rich semantic details. However, capturing and leveraging this information for tasks such as session similarity measurement, anomaly detection, and command category classification, can present a significant challenge especially when an attacker exploits noisy or obfuscated sessions. Indeed one of the main objectives of this thesis is to find the answer to the following question: Is it really needed to understand the semantic meaning of a Bash session or its syntax analysis is enough for the previously said tasks? The thesis introduces a comparison between different methods applied for the resolution of the novelty detection problem. As a baseline, we started from deterministic and simple ones like Tf-Idf, until complex ones like LLMs. The baseline is used to exploit a syntactic approach, instead, the LLMs, are used to obtain semantic knowledge through contrastive loss training on Bash session datasets. In the end, the results will show that complex models will learn more than the basic syntax, achieving good results in tasks with few sessions, while having bigger problems when the datasets to analyze increase in numbers.