Gal Braun

Quiver – Using Cutting Edge ML to detect interesting command lines for Hunters

What do GPT3, DALL-E2, and Copilot have in common? By grasping the structure and nature of language, they can generate text, images, and code that provide added value to a user. They now understand command lines!

Quiver – QUick Verifier for Threat HuntER is an application aimed at understanding command lines and performing tasks like Attribution, Classification, Anomaly Detection, and many others.

DALL-E2 is known to take an input prompt in human language and draw a stunning an image that matches exactly; GPT3 and its likings can create an infinite amount of texts that seem like a real person has written, even lately fooling a Google engineer it has become sentient; While Github’s Copilot can generate whole functions from a comment string.

Command lines are a language in themselves and can be learned the same way other languages can. And the application can be as versatile as we want. Imagine giving a command line to an input prompt and getting the probability of it being a reverse shell, by an Iranian actor, or maybe used for cybercrime. A single prompt on its own may not help so much, but with the power of language models algorithms, the threat hunter can have millions of answers in a matter of minutes, shedding a light on the most important or urgent activities within the network.

In this session, we’ll demonstrate how we developed such a model, along with real-world examples of how the model is used in applications like anomaly detection, attribution, and classification.

Gal Braun is a data scientist at SentinelOne, working on Data Science & Machine learning focused on explainability, representation learning, and visualizations.

He holds a BSc in Computer Science from the Technion and is currently pursuing his MSc in Information Systems Engineering from Ben-Gurion University.