Security was top of mind when Dr. Marcus Botacin, assistant professor in the Department of Computer Science and Engineering, heard about large language models (LLMs) like ChatGPT. LLMs are a type of AI that can quickly craft text. Some LLMs, including ChatGPT, can also generate computer code. Botacin became concerned that attackers would use LLMs’ capabilities to rapidly write massive amounts of malware.
“When you’re a security researcher (or security paranoid), you see new technology and think, ‘What might go wrong? How can people abuse this kind of thing?’” Botacin said.
In a project beginning this year, Botacin plans to develop an LLM of his own to address this security threat. He compared his project to building a smaller, security-focused version of ChatGPT.
“The idea is to fight with the same weapons as the attackers,” Botacin said. “If attackers use LLMs to create millions of malwares at scale, we want to create millions of rules to defend at scale.”
Malware often displays unique patterns that can be used as signatures, like fingerprints, to identify it. Botacin plans for his LLM to use these signatures to identify malware automatically and to write rules that defend against it. Today, human analysts write these rules by hand, a task that is time-consuming and requires substantial experience, making it difficult to keep pace with attackers who use AI to generate large amounts of code instantaneously. Botacin wants his LLM to be a tool analysts can use to complement their skills and identify malware faster and more accurately.
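To give a rough sense of what a signature-based detection rule amounts to, the short Python sketch below scans files for known byte patterns. It is purely illustrative and is not Botacin's system; the signature names and byte patterns are hypothetical placeholders, and real rules are written by analysts (or, in Botacin's vision, generated at scale by an LLM) from observed samples.

```python
# Minimal sketch of signature-based malware detection (illustrative only).
# The "signatures" below are made-up byte patterns, not real malware indicators.

SIGNATURES = {
    "example_dropper": bytes.fromhex("4d5a9000beef"),  # hypothetical byte pattern
    "example_keylogger": b"GetAsyncKeyState",          # hypothetical string marker
}


def scan_file(path):
    """Return the names of any signatures whose byte pattern appears in the file."""
    with open(path, "rb") as f:
        data = f.read()
    return [name for name, pattern in SIGNATURES.items() if pattern in data]


if __name__ == "__main__":
    import sys

    for target in sys.argv[1:]:
        matches = scan_file(target)
        if matches:
            print(f"{target}: matched {', '.join(matches)}")
        else:
            print(f"{target}: no known signatures found")
```

Writing and maintaining rules like these for every new malware family is the time-consuming, expertise-heavy work that Botacin hopes an LLM can help automate.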
“The idea is, of course, not to replace the analyst but to leave the analyst free to think—to guide the machine and then let the machine do the heavy work for the analyst,” Botacin said.
Botacin is still deciding on the format of the software interface for his LLM—it may be a website or source code that people can download—but it will be available to the public. Though it could be used preventatively, Botacin anticipates that analysts will use this LLM for incident response. For example, an analyst could run the LLM on their laptop, bring it with them to a company, and use it to search network computers for malware signatures.
This project aligns with Botacin’s other ongoing research, in which he is integrating malware detection into computer hardware as a preventative approach.
To make the LLM small enough to run on a laptop, “a ChatGPT that runs in your pocket,” the model will require extensive training: the more training done during development, the smaller the final model can be. Botacin has access to a cluster of graphics processing units (GPUs) that he will use to train the LLM. GPUs are well suited to training LLMs because they can process large amounts of data in parallel.
The scientific partner for Botacin’s research is the Laboratory of Physical Science. He has been awarded a $150,000 grant to complete this project, which will fund doctoral and master’s students in his lab.
By Amanda Norvelle, Texas A&M Engineering