Augmenting Security Operations Centers with Accelerated Alert Triage and LLM Agents Using NVIDIA Morpheus

Every day, security operations center (SOC) analysts receive an overwhelming number of incoming security alerts. To ensure the continued safety of their organization, they are tasked with wading through the incoming noise, triaging out false positives, and sniffing out what could be indicators of a true security breach. However, the sheer quantity of alerts may mean that important early indicators of a breach get buried. The process itself is also often repetitive, time-consuming, and costly.

Can we build a workflow to alleviate these issues while still maintaining a good or even better level of security?

We begin this attempt by looking at NVIDIA Morpheus, a GPU-accelerated cybersecurity AI framework for processing and analyzing high-velocity data streams. In particular, we focus on the digital fingerprinting AI workflow, which enables large-scale anomaly detection on networks. 

The digital fingerprinting workflow learns the normal behavior profile of any given entity, representing it in an autoencoder model. When behavior deviates, for example when a user displays several new geolocations, the workflow generates a z-score whose magnitude corresponds to the degree of abnormality.

Incorporating generative AI with NVIDIA NIM to enhance security operations 

Traditionally, outputs of AI-based cyber-anomaly detection pipelines, such as digital fingerprinting, are tabular data structures with anomaly scores and additional metadata regarding which parts of a security event were anomalous. 

While this feed is highly informative, it can be time-consuming to interpret. In this post, we describe how we augmented the digital fingerprinting workflow with generative AI to demonstrate how you can instead transform these outputs into actionable insights that are easy to interpret and interact with. 

Using a default Llama 3.1 model, we synthesized these scattered insights into readable reports, producing one report per user. The goal of this synthesis process is to catch, group, and place alerts that would otherwise have been categorized as too low-priority to receive a manual look-over. Automating this triage work also decreases the overall time to respond to an alert.
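The grouping step described above, sketched as an added example (not code from the post or from Morpheus): it collects each user's alerts, including those under a per-alert cut-off, into one summary and renders the text handed to the report-writing LLM. The column names, thresholds, sample rows, and prompt wording are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample of tabular anomaly output; column names are assumptions.
ALERTS = [
    {"user": "june@domain.com", "ts": "2024-10-01T02:14", "z": 2.6, "feature": "bytes_out"},
    {"user": "june@domain.com", "ts": "2024-10-01T02:40", "z": 3.1, "feature": "dest_url"},
    {"user": "june@domain.com", "ts": "2024-10-01T03:05", "z": 2.9, "feature": "bytes_out"},
    {"user": "june@domain.com", "ts": "2024-10-01T03:30", "z": 3.4, "feature": "geolocation"},
    {"user": "bob@domain.com", "ts": "2024-10-01T09:00", "z": 4.8, "feature": "geolocation"},
    {"user": "alice@domain.com", "ts": "2024-10-01T10:00", "z": 1.2, "feature": "bytes_out"},
]
SINGLE_ALERT_THRESHOLD = 4.0  # assumed cut-off below which an alert gets no manual review
NOISE_FLOOR = 2.0             # assumed: scores under this are treated as normal behavior


def summarize_by_user(alerts):
    """Group alerts per user, keeping the low scores a per-alert cut-off would drop."""
    per_user = defaultdict(list)
    for a in alerts:
        if abs(a["z"]) >= NOISE_FLOOR:
            per_user[a["user"]].append(a)
    summaries = {}
    for user, rows in per_user.items():
        rows.sort(key=lambda r: r["ts"])
        summaries[user] = {
            "count": len(rows),
            "max_z": max(abs(r["z"]) for r in rows),
            "features": sorted({r["feature"] for r in rows}),
            "first_seen": rows[0]["ts"],
            "last_seen": rows[-1]["ts"],
            # True when no single alert would have reached an analyst on its own.
            "only_low_priority": all(abs(r["z"]) < SINGLE_ALERT_THRESHOLD for r in rows),
        }
    return summaries


def build_report_prompt(user, s):
    """Render one user's summary as the text handed to the report-writing LLM."""
    return (
        f"Write a triage report for {user}.\n"
        f"Anomalous events: {s['count']} between {s['first_seen']} and {s['last_seen']}.\n"
        f"Deviating features: {', '.join(s['features'])}.\n"
        f"Highest z-score: {s['max_z']:.1f}.\n"
        "Group related events and summarize them for a SOC analyst."
    )


if __name__ == "__main__":
    for user, s in summarize_by_user(ALERTS).items():
        print(build_report_prompt(user, s), end="\n\n")
```

In the constructed data, june@domain.com has four alerts that each fall under the per-alert cut-off, yet the grouped summary shows three deviating features inside roughly an hour.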

Having finished generating and preprocessing alerts, you can use the user summary reports to inform a security co-pilot. The co-pilot receives verbal queries from a human SOC analyst and produces spoken responses. 

Here are the steps for the co-pilot process:

  • Transcribe the query into text. 
  • Deploy an LLM agent and give this agent access to the user summary reports. You also give read access to databases and tools that a human SOC analyst would traditionally use, including a user directory and a network traffic database. 
  • The agent performs iterative reasoning through retrieval-augmented generation (RAG). 
  • The LLM agent’s final response is turned back into audio.
  • The audio instructs the animations on the face of an avatar.

NVIDIA NIM microservices (containerized standalone models that emphasize ease of deployment) are the heart of this agentic process. 

For speech services:

  • Parakeet-CTC-1.1B NIM microservice for automatic speech recognition (ASR) to transcribe voice queries to text.
  • FastPitch-HifiGAN NIM microservice for text-to-speech (TTS) from NVIDIA Riva, to convert the LLM response back to audio. 
  • Llama 3.1 NIM microservice powers the LLM agent. 

For the embedding and retrieval process of RAG:

Inference calls powered by self-hosted NIM microservices can easily be swapped out for cloud-based endpoints hosted at build.nvidia.com because of the common API standard, providing a lightweight way of testing different model API endpoints.

Figure 1. Security analyst co-pilot full reference architecture

The result of integrating this full architecture is a smart security co-pilot for streamlining SOC analyst tasks. Next, we discuss a complete scenario that shows just how much time and repetitive labor this workflow saves.

Co-pilot: On

Imagine that you are a Level 1 SOC analyst encountering an alert that claims the endpoint user june@domain.com has been displaying unusual volumes of outbound network traffic. 

First, you check your internal database of network traffic. You must write some strict query language rules to specify the parameters you’re searching in, such as time frame. 

Upon constructing and running the query, you see one recurring destination URL. You enter this URL into a malware detection tool, such as VirusTotal. The URL historically belongs to a known malicious actor, so you conclude that this alert is a true positive. 

As you can see, the SOC analyst role is one of many occupations that involve juggling numerous dashboards and data modalities, leading to repetitive tasks that could benefit from automation.

This series of events could be accomplished with a verbal request to the RAG co-pilot: “Can you provide me additional insight about whether the user june@domain.com has been compromised?”

Because the LLM agent has been given access to all the internal and external data that a human analyst would have, it can reason to itself about the most logical path to perform an investigation and then gather the pieces of evidence needed by such an investigation. 

When it comes to cybersecurity, we want to mitigate risk as far as possible, due to the large impact that cyber threats can have. The LLM does not synthesize any conclusions but presents what it believes to be relevant evidence to the human analyst. The SOC analyst can then give a final verdict, or inquire further. To follow up, you might ask the LLM agent something like, “Did you notice any other users displaying similar indicators of compromise?”
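The evidence-gathering step of this scenario, sketched as an added example (not code from the post or from Morpheus): a read-only traffic-database tool runs the time-framed query, and the agent returns evidence with no verdict. The table schema, sample flows, `REPUTATION` cache, and function names are hypothetical; the cache stands in for an external reputation lookup.

```python
import sqlite3

# Hypothetical local reputation cache standing in for an external URL-reputation lookup.
REPUTATION = {"http://cdn.example.test/u": "historically tied to a known malicious actor"}


def make_traffic_db():
    """Build a constructed network-traffic table (schema assumed), then lock it read-only."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE flows (user TEXT, ts TEXT, dest_url TEXT, bytes_out INTEGER)")
    db.executemany("INSERT INTO flows VALUES (?, ?, ?, ?)", [
        ("june@domain.com", "2024-10-01T02:14", "http://cdn.example.test/u", 48_000_000),
        ("june@domain.com", "2024-10-01T02:40", "http://cdn.example.test/u", 51_000_000),
        ("june@domain.com", "2024-10-01T03:05", "http://cdn.example.test/u", 47_000_000),
        ("june@domain.com", "2024-10-01T09:30", "https://mail.example.test/", 120_000),
        ("june@domain.com", "2024-09-20T11:00", "http://cdn.example.test/u", 10_000),
        ("bob@domain.com", "2024-10-01T10:00", "https://mail.example.test/", 90_000),
    ])
    db.commit()
    db.execute("PRAGMA query_only = ON")  # the agent's tool connection can read, never write
    return db


def recurring_destinations(db, user, start, end, min_hits=3):
    """The query an analyst would write by hand: repeated destinations in a time frame."""
    rows = db.execute(
        "SELECT dest_url, COUNT(*), SUM(bytes_out) FROM flows "
        "WHERE user = ? AND ts >= ? AND ts < ? "
        "GROUP BY dest_url HAVING COUNT(*) >= ? ORDER BY SUM(bytes_out) DESC",
        (user, start, end, min_hits),  # bound parameters: query text never contains user input
    ).fetchall()
    return [{"dest_url": u, "hits": h, "bytes_out": b} for u, h, b in rows]


def gather_evidence(db, user, start, end):
    """Collect evidence for the analyst; the verdict field is deliberately left unset."""
    evidence = recurring_destinations(db, user, start, end)
    for item in evidence:
        item["reputation"] = REPUTATION.get(item["dest_url"], "no record")
    return {"user": user, "window": (start, end), "evidence": evidence, "verdict": None}


if __name__ == "__main__":
    report = gather_evidence(make_traffic_db(), "june@domain.com",
                             "2024-10-01T00:00", "2024-10-02T00:00")
    print(report)
```

Enforcing read access on the connection itself means a manipulated or mistaken agent step cannot alter the data that later investigations depend on.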

Our ultimate goal is to increase the productivity of SOC analysts, enabling you to focus on detecting and mitigating cyber attacks that are more complicated and creative. The freedom afforded by natural language querying means that you no longer have to construct rigid, rule-based searches, or take additional time to interpret granular numerical data. 

Meanwhile, the keyboard-free speech interaction enabled by NVIDIA Riva NIM microservices speeds up every interaction.

A secondary aim of the co-pilot is to build user trust. Compared to a fully event-driven and automatic execution chain, the end user can control and inquire about each step of the LLM’s reasoning. Adding the NVIDIA ACE Audio2Face NIM microservice turns interactions into intuitive conversational experiences, adding a layer of communication in facial expression.

As a display of the art of the possible, we show how a user can engage in a back-and-forth discussion with the digital agent, as if problem-solving together on a team (Video 1). In this way, we are using AI to transform the security operations center.

Video 1. NVIDIA Morpheus Security Alert Triage LLM Agent

In the future, we hope to work on easier integration of specific data sources, turning the currently asynchronous data pools into live event-driven ingests that can handle real-world volumes. 

In collaboration with the NVIDIA internal Threat Operations team, we’re striving to pinpoint where tools such as this workflow can be most beneficial and intuitive for users. 

Getting started with NVIDIA Morpheus 

Morpheus digital fingerprinting, as seen in this project, uniquely provides 100% data visibility for zero-trust anomaly detection on end users and devices.

This checklist and multi-step agentic RAG workflow is based on the architecture provided by the Morpheus security vulnerability analysis AI workflow. The workflow was originally created to automate the screening for common vulnerabilities and exposures in code releases. 

At its core, it provides a reference architecture for iterative complex reasoning with parallelized inference, easily adaptable to multiple industries and use cases from a SOC co-pilot to a vision-accessibility tool that can navigate a dynamic open-world environment.

Build powerful cybersecurity pipelines and complex agentic workflows using NVIDIA Morpheus with other NVIDIA NIM microservices.

For more information, see the following resources:
