Evolving attacker capabilities demand realistic and continuously updated cyberattack emulation for threat-informed defense and security benchmarking. Towards automated attack emulation, this paper defines modular attack actions and a linking model to organize and chain heterogeneous attack tools into causality-preserving cyberattacks. Building on this foundation, we introduce Aurora: an automated cyberattack emulation system powered by symbolic planning and large language models (LLMs). Aurora crafts actionable, causality-preserving attack chains tailored to Cyber Threat Intelligence (CTI) reports and target environments, and automatically executes these emulations. Using Aurora, we generated an extensive cyberattack emulation dataset from 250 attack reports, 15 times larger than the leading expert-crafted dataset. Our evaluation shows that Aurora significantly outperforms existing methods in creating actionable, diverse, and realistic attack chains. We release the dataset and use it to evaluate three state-of-the-art intrusion detection systems, whose performance differed notably from results on older datasets, highlighting the need for up-to-date, automated attack emulation.
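The abstract describes chaining modular attack actions into causality-preserving attack chains by symbolic planning. The following Python is an added illustration of that general technique, not Aurora's code: the abstract does not detail Aurora's action schema or linking model, so this sketch uses a STRIPS-style model in which each action declares the environment facts it requires and the facts it establishes, a breadth-first forward search chains actions so that every precondition is produced by the environment or an earlier step, and a validator plus a link extractor make the causal justification of each step explicit. The catalog entries, fact names and tool names are constructed for the example; the ATT&CK technique IDs serve only as labels.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AttackAction:
    """One modular step: a tool invocation described by the facts it needs and produces."""
    name: str
    technique: str        # ATT&CK technique ID, used only as a label
    tool: str             # back-end tool this step would drive (hypothetical names)
    pre: frozenset        # facts that must hold in the environment before the step
    post: frozenset       # facts the step establishes once it succeeds


# Constructed catalog for this example; not Aurora's action set.
CATALOG = [
    AttackAction("phish", "T1566", "mailer",
                 frozenset({"target_email_known"}), frozenset({"initial_access"})),
    AttackAction("run_script", "T1059", "shell",
                 frozenset({"initial_access"}), frozenset({"code_exec"})),
    AttackAction("dump_creds", "T1003", "cred_dumper",
                 frozenset({"code_exec"}), frozenset({"domain_creds"})),
    AttackAction("lateral_move", "T1021", "remote_exec",
                 frozenset({"domain_creds"}), frozenset({"foothold_server"})),
    AttackAction("exfil", "T1041", "c2_client",
                 frozenset({"foothold_server", "code_exec"}), frozenset({"data_exfiltrated"})),
]


def plan_chain(actions, initial, goal):
    """Forward state-space search for the shortest chain that reaches `goal`.

    A state is the set of facts true in the target environment. Facts only
    accumulate, so the state space is finite and BFS terminates. An action is
    only linked when its preconditions already hold, which is what keeps the
    resulting chain causality-preserving. Returns None if the goal is unreachable.
    """
    start = frozenset(initial)
    goal = frozenset(goal)
    queue = deque([(start, ())])
    seen = {start}
    while queue:
        state, chain = queue.popleft()
        if goal <= state:
            return list(chain)
        for action in actions:
            if not action.pre <= state:
                continue                      # precondition missing: link would be non-causal
            nxt = state | action.post
            if nxt in seen:
                continue
            seen.add(nxt)
            queue.append((nxt, chain + (action,)))
    return None


def validate_chain(chain, initial):
    """Replay a chain (e.g. one proposed by an LLM) and return the index of the
    first step whose preconditions are unmet, or -1 if every link is justified."""
    state = set(initial)
    for i, action in enumerate(chain):
        if not action.pre <= state:
            return i
        state |= action.post
    return -1


def causal_links(chain, initial):
    """For a valid chain, map each step to {precondition: producing step or 'env'},
    making the causal structure explicit for reports or replay-time checks."""
    producer = {fact: "env" for fact in initial}
    links = {}
    for action in chain:
        links[action.name] = {fact: producer[fact] for fact in sorted(action.pre)}
        for fact in action.post:
            producer.setdefault(fact, action.name)
    return links


if __name__ == "__main__":
    env = {"target_email_known"}              # constructed starting facts
    chain = plan_chain(CATALOG, env, {"data_exfiltrated"})
    for step in chain:
        print(f"{step.name:13s} {step.technique}  via {step.tool}")
    print("first broken link:", validate_chain(chain, env))
    print(causal_links(chain, env))
```

Call `validate_chain` before `causal_links`: the link extractor assumes every precondition has a producer, which is exactly what the validator checks, and it is the check a practitioner would run on any chain that a language model proposed rather than the planner derived.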