{"id":"https://openalex.org/W4409656997","doi":"https://doi.org/10.1145/3696410.3714798","title":"LLMCloudHunter: Harnessing LLMs for Automated Extraction of Detection Rules from Cloud-Based CTI","display_name":"LLMCloudHunter: Harnessing LLMs for Automated Extraction of Detection Rules from Cloud-Based CTI","publication_year":2025,"publication_date":"2025-04-22","ids":{"openalex":"https://openalex.org/W4409656997","doi":"https://doi.org/10.1145/3696410.3714798"},"language":"en","primary_location":{"id":"doi:10.1145/3696410.3714798","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3696410.3714798","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3696410.3714798","source":null,"license":"cc-by-nc-sa","license_id":"https://openalex.org/licenses/cc-by-nc-sa","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Web Conference 2025","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://dl.acm.org/doi/pdf/10.1145/3696410.3714798","any_repository_has_fulltext":null},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5113001339","display_name":"Yuval Schwartz","orcid":"https://orcid.org/0009-0007-0126-7080"},"institutions":[{"id":"https://openalex.org/I124227911","display_name":"Ben-Gurion University of the Negev","ror":"https://ror.org/05tkyf982","country_code":"IL","type":"education","lineage":["https://openalex.org/I124227911"]}],"countries":["IL"],"is_corresponding":true,"raw_author_name":"Yuval Schwartz","raw_affiliation_strings":["Ben-Gurion University of the Negev, Be'er-Sheva, Israel"],"affiliations":[{"raw_affiliation_string":"Ben-Gurion University of the Negev, Be'er-Sheva, Israel","institution_ids":["https://openalex.org/I124227911"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5098402907","display_name":"Lavi Ben-Shimol","orcid":"https://orcid.org/0009-0003-8948-3386"},"institutions":[{"id":"https://openalex.org/I124227911","display_name":"Ben-Gurion University of the Negev","ror":"https://ror.org/05tkyf982","country_code":"IL","type":"education","lineage":["https://openalex.org/I124227911"]}],"countries":["IL"],"is_corresponding":false,"raw_author_name":"Lavi Ben-Shimol","raw_affiliation_strings":["Ben-Gurion University of the Negev, Be'er-Sheva, Israel"],"affiliations":[{"raw_affiliation_string":"Ben-Gurion University of the Negev, Be'er-Sheva, Israel","institution_ids":["https://openalex.org/I124227911"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5063793319","display_name":"Dudu Mimran","orcid":"https://orcid.org/0009-0004-9610-6156"},"institutions":[{"id":"https://openalex.org/I124227911","display_name":"Ben-Gurion University of the Negev","ror":"https://ror.org/05tkyf982","country_code":"IL","type":"education","lineage":["https://openalex.org/I124227911"]}],"countries":["IL"],"is_corresponding":false,"raw_author_name":"Dudu Mimran","raw_affiliation_strings":["Ben-Gurion University of the Negev, Be'er-Sheva, Israel"],"affiliations":[{"raw_affiliation_string":"Ben-Gurion University of the Negev, Be'er-Sheva, Israel","institution_ids":["https://openalex.org/I124227911"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5072913672","display_name":"Yuval Elovici","orcid":"https://orcid.org/0000-0002-9641-128X"},"institutions":[{"id":"https://openalex.org/I124227911","display_name":"Ben-Gurion University of the Negev","ror":"https://ror.org/05tkyf982","country_code":"IL","type":"education","lineage":["https://openalex.org/I124227911"]}],"countries":["IL"],"is_corresponding":false,"raw_author_name":"Yuval Elovici","raw_affiliation_strings":["Ben-Gurion University of the Negev, Be'er-Sheva, Israel"],"affiliations":[{"raw_affiliation_string":"Ben-Gurion University of the Negev, Be'er-Sheva, Israel","institution_ids":["https://openalex.org/I124227911"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5002391103","display_name":"Asaf Shabtai","orcid":"https://orcid.org/0000-0003-0630-4059"},"institutions":[{"id":"https://openalex.org/I124227911","display_name":"Ben-Gurion University of the Negev","ror":"https://ror.org/05tkyf982","country_code":"IL","type":"education","lineage":["https://openalex.org/I124227911"]}],"countries":["IL"],"is_corresponding":false,"raw_author_name":"Asaf Shabtai","raw_affiliation_strings":["Ben-Gurion University of the Negev, Be'er-Sheva, Israel"],"affiliations":[{"raw_affiliation_string":"Ben-Gurion University of the Negev, Be'er-Sheva, Israel","institution_ids":["https://openalex.org/I124227911"]}]}],"institutions":[],"countries_distinct_count":1,"institutions_distinct_count":5,"corresponding_author_ids":["https://openalex.org/A5113001339"],"corresponding_institution_ids":["https://openalex.org/I124227911"],"apc_list":null,"apc_paid":null,"fwci":43.6551,"has_fulltext":false,"cited_by_count":18,"citation_normalized_percentile":{"value":0.99752097,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":99,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"1922","last_page":"1941"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10181","display_name":"Natural Language Processing Techniques","score":0.9853000044822693,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T10181","display_name":"Natural Language Processing Techniques","score":0.9853000044822693,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11719","display_name":"Data Quality and Management","score":0.980400025844574,"subfield":{"id":"https://openalex.org/subfields/1803","display_name":"Management Science and Operations Research"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T10215","display_name":"Semantic Web and Ontologies","score":0.964900016784668,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/cloud-computing","display_name":"Cloud computing","score":0.7430819272994995},{"id":"https://openalex.org/keywords/extraction","display_name":"Extraction (chemistry)","score":0.5569903254508972},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.5459179282188416},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.3664730489253998},{"id":"https://openalex.org/keywords/data-science","display_name":"Data science","score":0.35096144676208496},{"id":"https://openalex.org/keywords/operating-system","display_name":"Operating system","score":0.09688648581504822},{"id":"https://openalex.org/keywords/chemistry","display_name":"Chemistry","score":0.06021830439567566}],"concepts":[{"id":"https://openalex.org/C79974875","wikidata":"https://www.wikidata.org/wiki/Q483639","display_name":"Cloud computing","level":2,"score":0.7430819272994995},{"id":"https://openalex.org/C4725764","wikidata":"https://www.wikidata.org/wiki/Q844704","display_name":"Extraction (chemistry)","level":2,"score":0.5569903254508972},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.5459179282188416},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3664730489253998},{"id":"https://openalex.org/C2522767166","wikidata":"https://www.wikidata.org/wiki/Q2374463","display_name":"Data science","level":1,"score":0.35096144676208496},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.09688648581504822},{"id":"https://openalex.org/C185592680","wikidata":"https://www.wikidata.org/wiki/Q2329","display_name":"Chemistry","level":0,"score":0.06021830439567566},{"id":"https://openalex.org/C43617362","wikidata":"https://www.wikidata.org/wiki/Q170050","display_name":"Chromatography","level":1,"score":0.0}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1145/3696410.3714798","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3696410.3714798","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3696410.3714798","source":null,"license":"cc-by-nc-sa","license_id":"https://openalex.org/licenses/cc-by-nc-sa","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Web Conference 2025","raw_type":"proceedings-article"}],"best_oa_location":{"id":"doi:10.1145/3696410.3714798","is_oa":true,"landing_page_url":"https://doi.org/10.1145/3696410.3714798","pdf_url":"https://dl.acm.org/doi/pdf/10.1145/3696410.3714798","source":null,"license":"cc-by-nc-sa","license_id":"https://openalex.org/licenses/cc-by-nc-sa","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the ACM on Web Conference 2025","raw_type":"proceedings-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":false},"content_urls":{"pdf":"https://content.openalex.org/works/W4409656997.pdf"},"referenced_works_count":22,"referenced_works":["https://openalex.org/W2529518929","https://openalex.org/W2771963642","https://openalex.org/W2998286882","https://openalex.org/W3039979907","https://openalex.org/W3126854833","https://openalex.org/W3129220449","https://openalex.org/W3176367300","https://openalex.org/W3198980504","https://openalex.org/W3199212845","https://openalex.org/W3214329506","https://openalex.org/W4225658247","https://openalex.org/W4229028905","https://openalex.org/W4300819682","https://openalex.org/W4385819961","https://openalex.org/W4387298166","https://openalex.org/W4388115922","https://openalex.org/W4388441710","https://openalex.org/W4389524022","https://openalex.org/W4390655427","https://openalex.org/W4390970201","https://openalex.org/W4391093150","https://openalex.org/W4393205793"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W4244478748","https://openalex.org/W3150465815","https://openalex.org/W4223488648","https://openalex.org/W2134969820","https://openalex.org/W2251605416","https://openalex.org/W1997222214","https://openalex.org/W2560439919"],"abstract_inverted_index":{"As":[0],"the":[1,93,130,133,137,163,172,190],"number":[2],"and":[3,23,85,124,158,175,198],"sophistication":[4],"of":[5,17,25,79,96,132,156,160,165,178,183,189],"cyber":[6,33],"attacks":[7],"have":[8],"increased,":[9],"threat":[10,34,42,145,173],"hunting":[11],"has":[12],"become":[13],"a":[14,38,106,154,176,181],"critical":[15],"aspect":[16],"active":[18],"security,":[19],"enabling":[20],"proactive":[21],"detection":[22,119,192],"mitigation":[24],"threats":[26],"before":[27],"they":[28,67,74,87],"cause":[29],"significant":[30],"harm.":[31],"Open-source":[32],"intelligence":[35],"(OSCTI)":[36],"is":[37],"valuable":[39],"resource":[40],"for":[41,162,185],"hunters,":[43],"however,":[44],"it":[45],"often":[46],"comes":[47],"in":[48,82],"unstructured":[49],"formats":[50],"that":[51,109,150],"require":[52],"further":[53],"manual":[54],"analysis.":[55],"Previous":[56],"studies":[57],"aimed":[58],"at":[59],"automating":[60],"OSCTI":[61,83,126],"analysis":[62],"are":[63],"limited":[64],"since":[65],"(1)":[66],"failed":[68],"to":[69,115],"provide":[70],"actionable":[71],"outputs,":[72],"(2)":[73],"did":[75],"not":[76],"take":[77],"advantage":[78],"images":[80],"present":[81],"sources,":[84],"(3)":[86],"focused":[88],"on":[89],"on-premises":[90],"environments,":[91],"overlooking":[92],"growing":[94],"importance":[95],"cloud":[97,144],"environments.":[98],"To":[99],"address":[100],"these":[101],"gaps,":[102],"we":[103],"propose":[104],"LLMCloudHunter,":[105],"novel":[107],"framework":[108,139,152],"leverages":[110],"large":[111],"language":[112],"models":[113],"(LLMs)":[114],"automatically":[116],"generate":[117],"generic-signature":[118],"rule":[120,193],"candidates":[121,194],"from":[122],"textual":[123],"visual":[125],"data.":[127],"We":[128],"evaluated":[129],"quality":[131],"rules":[134],"generated":[135,191],"by":[136,171],"proposed":[138],"using":[140],"20":[141],"annotated":[142],"real-world":[143],"reports.":[146],"The":[147],"results":[148],"show":[149],"our":[151],"achieved":[153],"precision":[155,177],"83%":[157],"recall":[159,182],"99%":[161,179],"task":[164],"accurately":[166],"extracting":[167],"API":[168],"calls":[169],"made":[170],"actor":[174],"with":[180],"97%":[184],"IoCs.":[186],"Additionally,":[187],"99.18%":[188],"were":[195],"successfully":[196],"compiled":[197],"converted":[199],"into":[200],"Splunk":[201],"queries.":[202]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":16}],"updated_date":"2026-04-02T15:55:50.835912","created_date":"2025-10-10T00:00:00"}