{"id":"https://openalex.org/W4409045454","doi":"https://doi.org/10.3390/make7020031","title":"Leveraging LLMs for Non-Security Experts in Threat Hunting: Detecting Living off the Land Techniques","display_name":"Leveraging LLMs for Non-Security Experts in Threat Hunting: Detecting Living off the Land Techniques","publication_year":2025,"publication_date":"2025-03-30","ids":{"openalex":"https://openalex.org/W4409045454","doi":"https://doi.org/10.3390/make7020031"},"language":"en","primary_location":{"id":"doi:10.3390/make7020031","is_oa":true,"landing_page_url":"https://doi.org/10.3390/make7020031","pdf_url":"https://www.mdpi.com/2504-4990/7/2/31/pdf?version=1743331510","source":{"id":"https://openalex.org/S4210213891","display_name":"Machine Learning and Knowledge Extraction","issn_l":"2504-4990","issn":["2504-4990"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Machine Learning and Knowledge Extraction","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://www.mdpi.com/2504-4990/7/2/31/pdf?version=1743331510","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Antreas Konstantinou","orcid":null},"institutions":[{"id":"https://openalex.org/I251738","display_name":"Edinburgh Napier University","ror":"https://ror.org/03zjvnn91","country_code":"GB","type":"education","lineage":["https://openalex.org/I251738"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Antreas Konstantinou","raw_affiliation_strings":["Blockpass ID Lab, Edinburgh Napier University, Edinburgh EH10 5DT, UK"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Blockpass ID Lab, Edinburgh Napier University, Edinburgh EH10 5DT, UK","institution_ids":["https://openalex.org/I251738"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5010562761","display_name":"Dimitrios Kasimatis","orcid":"https://orcid.org/0009-0009-2036-426X"},"institutions":[{"id":"https://openalex.org/I251738","display_name":"Edinburgh Napier University","ror":"https://ror.org/03zjvnn91","country_code":"GB","type":"education","lineage":["https://openalex.org/I251738"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Dimitrios Kasimatis","raw_affiliation_strings":["Blockpass ID Lab, Edinburgh Napier University, Edinburgh EH10 5DT, UK"],"raw_orcid":"https://orcid.org/0009-0009-2036-426X","affiliations":[{"raw_affiliation_string":"Blockpass ID Lab, Edinburgh Napier University, Edinburgh EH10 5DT, UK","institution_ids":["https://openalex.org/I251738"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5068020099","display_name":"William J. Buchanan","orcid":"https://orcid.org/0000-0003-0809-3523"},"institutions":[{"id":"https://openalex.org/I251738","display_name":"Edinburgh Napier University","ror":"https://ror.org/03zjvnn91","country_code":"GB","type":"education","lineage":["https://openalex.org/I251738"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"William J. Buchanan","raw_affiliation_strings":["Blockpass ID Lab, Edinburgh Napier University, Edinburgh EH10 5DT, UK"],"raw_orcid":"https://orcid.org/0000-0003-0809-3523","affiliations":[{"raw_affiliation_string":"Blockpass ID Lab, Edinburgh Napier University, Edinburgh EH10 5DT, UK","institution_ids":["https://openalex.org/I251738"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5048418386","display_name":"Sana Ullah Jan","orcid":"https://orcid.org/0000-0003-3950-4719"},"institutions":[{"id":"https://openalex.org/I251738","display_name":"Edinburgh Napier University","ror":"https://ror.org/03zjvnn91","country_code":"GB","type":"education","lineage":["https://openalex.org/I251738"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Sana Ullah Jan","raw_affiliation_strings":["Blockpass ID Lab, Edinburgh Napier University, Edinburgh EH10 5DT, UK"],"raw_orcid":"https://orcid.org/0000-0003-3950-4719","affiliations":[{"raw_affiliation_string":"Blockpass ID Lab, Edinburgh Napier University, Edinburgh EH10 5DT, UK","institution_ids":["https://openalex.org/I251738"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100754273","display_name":"Jawad Ahmad","orcid":"https://orcid.org/0000-0001-6289-8248"},"institutions":[{"id":"https://openalex.org/I138564716","display_name":"Prince Mohammad bin Fahd University","ror":"https://ror.org/03d64na34","country_code":"SA","type":"education","lineage":["https://openalex.org/I138564716"]}],"countries":["SA"],"is_corresponding":false,"raw_author_name":"Jawad Ahmad","raw_affiliation_strings":["Cybersecurity Center, Prince Mohammad Bin Fahd University, Al-Khobar 34754, Saudi Arabia"],"raw_orcid":"https://orcid.org/0000-0001-6289-8248","affiliations":[{"raw_affiliation_string":"Cybersecurity Center, Prince Mohammad Bin Fahd University, Al-Khobar 34754, Saudi Arabia","institution_ids":["https://openalex.org/I138564716"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5115920303","display_name":"Ilias Politis","orcid":"https://orcid.org/0009-0007-2882-6452"},"institutions":[{"id":"https://openalex.org/I4210135709","display_name":"Industrial Systems Institute","ror":"https://ror.org/02sy6k521","country_code":"GR","type":"nonprofit","lineage":["https://openalex.org/I4210135709"]}],"countries":["GR"],"is_corresponding":false,"raw_author_name":"Ilias Politis","raw_affiliation_strings":["Industrial Systems Institute, Research Center \u201cATHENA\u201d, Patras Science Park Building, Platani, 265 04 Patras, Greece","Industrial Systems Institute, Research Center \"ATHENA\", Patras Science Park Building, Platani, 265 04 Patras, Greece"],"raw_orcid":"https://orcid.org/0009-0007-2882-6452","affiliations":[{"raw_affiliation_string":"Industrial Systems Institute, Research Center \u201cATHENA\u201d, Patras Science Park Building, Platani, 265 04 Patras, Greece","institution_ids":["https://openalex.org/I4210135709"]},{"raw_affiliation_string":"Industrial Systems Institute, Research Center \"ATHENA\", Patras Science Park Building, Platani, 265 04 Patras, Greece","institution_ids":["https://openalex.org/I4210135709"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5082150685","display_name":"Nikolaos Pitropakis","orcid":"https://orcid.org/0000-0002-3392-9970"},"institutions":[{"id":"https://openalex.org/I230915877","display_name":"The American College of Greece","ror":"https://ror.org/03vkake80","country_code":"GR","type":"nonprofit","lineage":["https://openalex.org/I230915877"]},{"id":"https://openalex.org/I251738","display_name":"Edinburgh Napier University","ror":"https://ror.org/03zjvnn91","country_code":"GB","type":"education","lineage":["https://openalex.org/I251738"]}],"countries":["GB","GR"],"is_corresponding":false,"raw_author_name":"Nikolaos Pitropakis","raw_affiliation_strings":["Blockpass ID Lab, Edinburgh Napier University, Edinburgh EH10 5DT, UK","Department of Information Technology, The American College of Greece, 153 42 Athens, Greece"],"raw_orcid":"https://orcid.org/0000-0002-3392-9970","affiliations":[{"raw_affiliation_string":"Blockpass ID Lab, Edinburgh Napier University, Edinburgh EH10 5DT, UK","institution_ids":["https://openalex.org/I251738"]},{"raw_affiliation_string":"Department of Information Technology, The American College of Greece, 153 42 Athens, Greece","institution_ids":["https://openalex.org/I230915877"]}]}],"institutions":[],"countries_distinct_count":3,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5010562761"],"corresponding_institution_ids":["https://openalex.org/I251738"],"apc_list":{"value":1400,"currency":"CHF","value_usd":1515},"apc_paid":{"value":1400,"currency":"CHF","value_usd":1515},"fwci":11.163,"has_fulltext":false,"cited_by_count":7,"citation_normalized_percentile":{"value":0.98235663,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":98,"max":99},"biblio":{"volume":"7","issue":"2","first_page":"31","last_page":"31"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T10883","display_name":"Ethics and Social Impacts of AI","score":0.9965000152587891,"subfield":{"id":"https://openalex.org/subfields/3311","display_name":"Safety Research"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T10883","display_name":"Ethics and Social Impacts of AI","score":0.9965000152587891,"subfield":{"id":"https://openalex.org/subfields/3311","display_name":"Safety Research"},"field":{"id":"https://openalex.org/fields/33","display_name":"Social Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.9962000250816345,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9923999905586243,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/business","display_name":"Business","score":0.4058198630809784},{"id":"https://openalex.org/keywords/environmental-planning","display_name":"Environmental planning","score":0.40316569805145264},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.38092130422592163},{"id":"https://openalex.org/keywords/geography","display_name":"Geography","score":0.3569904863834381},{"id":"https://openalex.org/keywords/environmental-resource-management","display_name":"Environmental resource management","score":0.3469729423522949},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.26843637228012085},{"id":"https://openalex.org/keywords/economics","display_name":"Economics","score":0.14666348695755005}],"concepts":[{"id":"https://openalex.org/C144133560","wikidata":"https://www.wikidata.org/wiki/Q4830453","display_name":"Business","level":0,"score":0.4058198630809784},{"id":"https://openalex.org/C91375879","wikidata":"https://www.wikidata.org/wiki/Q15473274","display_name":"Environmental planning","level":1,"score":0.40316569805145264},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.38092130422592163},{"id":"https://openalex.org/C205649164","wikidata":"https://www.wikidata.org/wiki/Q1071","display_name":"Geography","level":0,"score":0.3569904863834381},{"id":"https://openalex.org/C107826830","wikidata":"https://www.wikidata.org/wiki/Q929380","display_name":"Environmental resource management","level":1,"score":0.3469729423522949},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.26843637228012085},{"id":"https://openalex.org/C162324750","wikidata":"https://www.wikidata.org/wiki/Q8134","display_name":"Economics","level":0,"score":0.14666348695755005}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.3390/make7020031","is_oa":true,"landing_page_url":"https://doi.org/10.3390/make7020031","pdf_url":"https://www.mdpi.com/2504-4990/7/2/31/pdf?version=1743331510","source":{"id":"https://openalex.org/S4210213891","display_name":"Machine Learning and Knowledge Extraction","issn_l":"2504-4990","issn":["2504-4990"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Machine Learning and Knowledge Extraction","raw_type":"journal-article"},{"id":"pmh:oai:doaj.org/article:db941292fb1a4ed0afac6bdbd1c9d9ee","is_oa":true,"landing_page_url":"https://doaj.org/article/db941292fb1a4ed0afac6bdbd1c9d9ee","pdf_url":null,"source":{"id":"https://openalex.org/S4306401280","display_name":"DOAJ (DOAJ: Directory of Open Access Journals)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by-sa","license_id":"https://openalex.org/licenses/cc-by-sa","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Machine Learning and Knowledge Extraction, Vol 7, Iss 2, p 31 (2025)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.3390/make7020031","is_oa":true,"landing_page_url":"https://doi.org/10.3390/make7020031","pdf_url":"https://www.mdpi.com/2504-4990/7/2/31/pdf?version=1743331510","source":{"id":"https://openalex.org/S4210213891","display_name":"Machine Learning and Knowledge Extraction","issn_l":"2504-4990","issn":["2504-4990"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Machine Learning and Knowledge Extraction","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":false},"content_urls":{"pdf":"https://content.openalex.org/works/W4409045454.pdf"},"referenced_works_count":19,"referenced_works":["https://openalex.org/W2051124130","https://openalex.org/W2342850280","https://openalex.org/W2557671501","https://openalex.org/W2951286828","https://openalex.org/W2998983696","https://openalex.org/W3034723486","https://openalex.org/W3095319910","https://openalex.org/W3133702157","https://openalex.org/W3152957156","https://openalex.org/W3160638507","https://openalex.org/W3204819333","https://openalex.org/W3214083186","https://openalex.org/W4220841428","https://openalex.org/W4242767706","https://openalex.org/W4285295354","https://openalex.org/W4293152942","https://openalex.org/W4385571596","https://openalex.org/W4392353733","https://openalex.org/W6739901393"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2748952813","https://openalex.org/W4323341852","https://openalex.org/W2896677295","https://openalex.org/W2765153054","https://openalex.org/W2596173151","https://openalex.org/W3213789065","https://openalex.org/W3080576469","https://openalex.org/W2753638813","https://openalex.org/W4231340554"],"abstract_inverted_index":{"This":[0],"paper":[1],"explores":[2],"the":[3,27],"potential":[4],"use":[5],"of":[6],"Large":[7],"Language":[8],"Models":[9],"(LLMs),":[10],"such":[11],"as":[12,125,135],"ChatGPT,":[13],"Google":[14],"Gemini,":[15],"and":[16,70,85,163],"Microsoft":[17],"Copilot,":[18],"in":[19,160],"threat":[20,34,74,129,161],"hunting,":[21,130],"specifically":[22],"focusing":[23],"on":[24],"Living":[25],"off":[26],"Land":[28],"(LotL)":[29],"techniques.":[30],"LotL":[31,83],"methods":[32],"allow":[33],"actors":[35],"to":[36,53,72,81,90,167],"blend":[37],"into":[38,171],"regular":[39],"network":[40],"activity,":[41],"which":[42],"makes":[43],"detection":[44,162],"by":[45],"automated":[46],"security":[47,63,141],"systems":[48],"challenging.":[49],"The":[50,94],"study":[51],"seeks":[52],"determine":[54],"whether":[55],"LLMs":[56,98,120,148],"can":[57,132],"reliably":[58],"generate":[59],"effective":[60],"queries":[61,87,106],"for":[62,107,112,128,157],"tools,":[64],"enabling":[65],"organisations":[66],"with":[67,114],"limited":[68],"budgets":[69],"expertise":[71],"conduct":[73],"hunting.":[75],"A":[76],"testing":[77],"environment":[78],"was":[79],"created":[80],"simulate":[82],"techniques,":[84,110],"LLM-generated":[86],"were":[88],"used":[89],"identify":[91],"malicious":[92],"activity.":[93],"results":[95,159],"demonstrate":[96],"that":[97],"do":[99],"not":[100,122,153],"consistently":[101],"produce":[102],"accurate":[103,158],"or":[104],"reliable":[105],"detecting":[108],"these":[109],"particularly":[111],"users":[113],"varying":[115],"skill":[116],"levels.":[117],"However,":[118],"while":[119],"may":[121],"be":[123,154,168],"suitable":[124],"standalone":[126],"tools":[127],"they":[131,151],"still":[133],"serve":[134],"supportive":[136],"resources":[137],"within":[138],"a":[139],"broader":[140],"strategy.":[142],"These":[143],"findings":[144],"suggest":[145],"that,":[146],"although":[147],"offer":[149],"potential,":[150],"should":[152],"relied":[155],"upon":[156],"require":[164],"further":[165],"refinement":[166],"effectively":[169],"integrated":[170],"cybersecurity":[172],"workflows.":[173]},"counts_by_year":[{"year":2026,"cited_by_count":2},{"year":2025,"cited_by_count":5}],"updated_date":"2026-06-16T09:24:06.705377","created_date":"2025-04-01T00:00:00"}