ARTFEED — Contemporary Art Intelligence

Dynamic Threat Detection Agent Uses GenAI for Cybersecurity

ai-technology · 2026-05-22

The Dynamic Threat Detection Agent (DTDA) is an AI-based system designed to automate the identification of cyber threats. Built for Microsoft Defender, it continuously analyzes security incidents to surface concealed threats and produce explainable detections. It works over a unified activity timeline that combines alerts, events, user and entity behavior analytics, and threat intelligence. Its LLM prompts are governed by versioned prompt contracts with schema validation, grounding requirements, bounded retries, and fail-closed suppression, so that model output failing these checks is withheld rather than emitted as a detection. An investigation loop made up of a planner and an executor formulates attack-specific hypotheses and collects both supporting and contradicting evidence. The approach aims to move defenders from reactive response toward proactive detection.

Key facts

  • DTDA is introduced as an always-on adaptive agent for threat detection.
  • It continuously investigates security incidents across Microsoft Defender.
  • The system uncovers hidden threats and generates explainable detections.
  • It uses a unified activity timeline spanning alerts, events, analytics, and threat intelligence.
  • Versioned LLM prompt contracts include schema validation and fail-closed suppression.
  • A planner-executor loop generates hypotheses and gathers evidence.
  • The goal is to move from reactive to proactive defense.
  • The paper is available on arXiv under identifier 2605.20896.
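
The summary above describes prompt contracts with schema validation, grounding against the activity timeline, bounded retries and fail-closed suppression, but not how they fit together. The following is an added illustration, not code from the DTDA paper or Microsoft Defender: a contract version, retry budget, timeline entries and the stand-in model reply are all constructed, and the field names are assumptions.

```python
import json

CONTRACT_VERSION = "v1"   # hypothetical contract version
MAX_RETRIES = 2           # bounded retries (assumed value)
REQUIRED = {"contract_version", "hypothesis", "verdict", "evidence_ids"}

# Constructed activity timeline: the only evidence ids the model may cite.
TIMELINE = {
    "alert-101": "Defender alert: Office app launched PowerShell",
    "evt-202": "Process creation: powershell.exe with encoded command",
    "ti-303": "Threat intel: file hash matches a known loader family",
}

def validate(raw, timeline):
    """Schema + grounding check of one model reply. Returns (ok, reason)."""
    try:
        out = json.loads(raw)
    except json.JSONDecodeError:
        return False, "not valid JSON"
    missing = REQUIRED - set(out)
    if missing:
        return False, f"missing fields {sorted(missing)}"
    if out["contract_version"] != CONTRACT_VERSION:
        return False, "contract version mismatch"
    if out["verdict"] not in ("malicious", "benign", "inconclusive"):
        return False, "verdict outside allowed enum"
    cited = out["evidence_ids"]
    if not isinstance(cited, list) or not cited:
        return False, "ungrounded: no evidence cited"
    unknown = set(cited) - set(timeline)
    if unknown:
        return False, f"ungrounded: unknown evidence ids {sorted(unknown)}"
    return True, "ok"

def run_contract(model_call, timeline=TIMELINE, max_retries=MAX_RETRIES):
    """Call the model, validate, retry a bounded number of times; if no
    reply passes, fail closed by suppressing the detection."""
    for attempt in range(max_retries + 1):
        ok, reason = validate(model_call(attempt), timeline)
        if ok:
            return {"suppressed": False, "reason": reason, "attempts": attempt + 1}
    return {"suppressed": True, "reason": reason, "attempts": max_retries + 1}

def flaky_model(attempt):
    """Constructed stand-in for the LLM: the first reply cites an event id
    absent from the timeline; the retry is properly grounded."""
    cited = ["evt-999"] if attempt == 0 else ["alert-101", "evt-202"]
    return json.dumps({"contract_version": CONTRACT_VERSION,
                       "hypothesis": "Office macro spawned encoded PowerShell",
                       "verdict": "malicious", "evidence_ids": cited})
```

`run_contract(flaky_model)` accepts the grounded retry on the second attempt, while a model that never produces a valid reply exhausts the retry budget and the detection is suppressed rather than surfaced unverified.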

Entities

Institutions

  • Microsoft Defender
  • arXiv