
Friday 26 July 2024

MoRSE: Bridging the Cybersecurity Gap with AI


Introduction

Cybersecurity is the practice of protecting computer systems, networks and programs from digital attacks. The frequency of cyber threats, as well as the increasing sophistication of attackers, means that cybersecurity is constantly evolving. The integration of artificial intelligence (AI), large language models (LLMs), and retrieval augmented generation (RAG) is making strides well beyond traditional cybersecurity. But challenges such as the rapidly changing nature of cyber threats and the requirement for real-time updates remain major obstacles. MoRSE, a novel AI model, aims to deal with this. By employing RAG technology, it can improve the effectiveness of cybersecurity measures.

MoRSE was developed by a team of researchers from institutions including the Istituto di Informatica e Telematica, Consiglio Nazionale Delle Ricerche, Pisa, Italy; TeCIP, Scuola Universitaria Superiore Sant’Anna, Pisa, Italy; the University of Padua, Italy; and Delft University of Technology, Netherlands. The main objective was to build an AI chatbot that specializes in cybersecurity and can offer comprehensive and accurate knowledge on the subject. By developing MoRSE, they aimed to fill the gap in cybersecurity expertise with help from AI.

MoRSE's Expert Analysis and Response
source - https://github.com/Mixture-of-RAGs-Security-Experts/MoRSE

What is MoRSE?

MoRSE (Mixture of RAGs Security Experts) is a specialized AI chatbot designed to bridge the gap in cybersecurity expertise. It is the first of its kind, utilizing two Retrieval Augmented Generation (RAG) systems to retrieve and organize information from multidimensional cybersecurity contexts.

Key Features of MoRSE

  • Parallel Retrievers: MoRSE uses parallel retrievers that work together to retrieve semantically related information in different formats and structures.
  • Non-Parametric Knowledge Bases: Unlike traditional Large Language Models (LLMs) that rely on parametric knowledge bases, MoRSE retrieves relevant documents from non-parametric knowledge bases in response to user queries.
  • Real-Time Updates: MoRSE benefits from real-time updates to its knowledge bases, enabling continuous knowledge enrichment without the need for retraining.
  • Improved Accuracy: Experimental evaluation has shown that MoRSE improves the relevance and correctness of answers by more than 10% compared to known solutions such as GPT-4 and Mixtral 7x8.

Capabilities/Use Case of MoRSE

  • Comprehensive Knowledge: MoRSE can give cybersecurity practitioners precise knowledge and broad coverage of the field, serving as a consulting tool for those working in it.
  • Multidimensional Contexts: MoRSE can make sense of many different cybersecurity contexts and answer user queries accurately.
  • Real-World Applications: In practice, MoRSE can help identify vulnerabilities, exploits and defensive measures, and so inform decision making in cybersecurity.

How does MoRSE work?

As shown in the figure below, MoRSE consists primarily of two elements: a Graphical User Interface (GUI) and the MoRSE core. The GUI lets the user type in a query and presents the answer in a structured way. Combining this friendly environment with robust performance improves the system's usability, making it useful to people with different degrees of expertise in cybersecurity.

MoRSE Overview
source - https://arxiv.org/pdf/2407.15748

The MoRSE core is the heart of the whole system, consisting of three components that govern how user queries are processed and answers composed. The first of these is the Query Handling Module. This module pre-processes user queries and specialises in multi-hop queries and difficult questions, particularly in the context of Common Vulnerabilities and Exposures (CVEs) and Common Weakness Enumerations (CWEs).

The core also contains two Retrieval Augmented Generation (RAG) systems: the Structured RAG and the Unstructured RAG. The Structured RAG extracts information from pre-processed, structured data. During the pre-processing step, text from various sources is converted into well-defined structures that include both generated questions and contextualized entity descriptions. This makes it easy to retrieve specific information when answering user queries. If the Structured RAG fails to find an answer, the Unstructured RAG takes over. It searches unstructured, unprocessed raw text for answers, which gives a wider range of search possibilities but takes more time and effort. The RAGs work together to compose the answer to a query and return it to the GUI for structured visualization. This architecture allows MoRSE to deal with a full spectrum of cybersecurity questions.

Key Technologies and Techniques of MoRSE

  • Natural Language Processing (NLP): This fundamental technology allows MoRSE to understand user queries written in natural language and to generate responses that resemble human speech as closely as possible.
  • Machine Translation: Machine translation could help MoRSE automatically turn complex cybersecurity terminology into simpler language that others can understand. For a specialized cybersecurity chatbot, this capability means that non-technical people can still absorb and use the practical information MoRSE gives. MoRSE not only makes cybersecurity jargon more intelligible, but also helps it to be better communicated and understood within the cybersecurity community.
  • Retrieval Augmented Generation (RAG): This is where MoRSE comes into its own. Combining pretrained language models with retrieval from non-parametric knowledge bases should yield exact solutions in real time. This enables MoRSE to provide an overall picture of how cybersecurity fits together and to surface the right documents in answer to user questions.
  • Knowledge Enrichment Techniques: MoRSE's knowledge bases are updated in real time, so its stored knowledge keeps growing. This keeps MoRSE up to date, so it can respond to user requests with the most current and applicable information.
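
The structured-first lookup with fallback to raw text, and the effect of updating a non-parametric knowledge base without retraining, can be sketched as follows. This is an added, simplified example and not code from the MoRSE repository: `KnowledgeBase`, `retrieve`, the 0.6 threshold and the bag-of-words similarity (standing in for an embedding model) are assumptions, and the sample entries are constructed.

```python
import math
import re
from collections import Counter

def tokens(text):
    # Bag-of-words stand-in for the embedding model a real retriever would use.
    return Counter(re.findall(r"[a-z0-9-]+", text.lower()))

def cosine(a, b):
    dot = sum(a[t] * b[t] for t in a if t in b)
    norm = math.sqrt(sum(v * v for v in a.values()) * sum(v * v for v in b.values()))
    return dot / norm if norm else 0.0

class KnowledgeBase:
    """Non-parametric store: entries live outside any model weights."""
    def __init__(self):
        self.entries = []

    def add(self, key, payload):
        # Takes effect on the next query; nothing is retrained.
        self.entries.append((tokens(key), payload))

    def best(self, query):
        q = tokens(query)
        scored = [(cosine(q, k), p) for k, p in self.entries]
        return max(scored, key=lambda s: s[0], default=(0.0, None))

def retrieve(query, structured, unstructured, threshold=0.6):
    # Structured RAG first: match the query against pre-generated questions.
    score, payload = structured.best(query)
    if score >= threshold:
        return "structured", payload
    # Fallback: search the raw, unprocessed text.
    score, payload = unstructured.best(query)
    return ("unstructured", payload) if score > 0 else ("none", None)

def demo():
    structured, unstructured = KnowledgeBase(), KnowledgeBase()
    # Constructed sample data.
    structured.add("What is SQL injection?",
                   "CWE-89: untrusted input changes the structure of a SQL query.")
    raw = ("Cross-site scripting (CWE-79) runs attacker-supplied script in a "
           "victim's browser when output is not encoded.")
    unstructured.add(raw, raw)
    q = "How does cross-site scripting work?"
    before = retrieve(q, structured, unstructured)[0]
    structured.add(q, "CWE-79: unencoded output lets injected script execute.")
    after = retrieve(q, structured, unstructured)[0]
    return retrieve("what is sql injection", structured, unstructured)[0], before, after
```

`demo()` returns which store answered each query: the cross-site scripting question is served from raw text until a matching structured entry is added, after which the same query is answered from the structured store.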

Performance Evaluation

To evaluate MoRSE, researchers used a 600-question set divided into three parts: 150 General Cybersecurity questions, 150 multi-hop questions, and 300 Common Vulnerabilities and Exposures (CVE) questions. These questions were organized according to the Diamond Model classification, representing the actual needs of the cyber world.

Comparative Assessment on 156 General and 150 Multi-Hop Cybersecurity Questions
source - https://arxiv.org/pdf/2407.15748

Comparative analyses showed that MoRSE outperformed all other LLMs for common queries posed in cybersecurity. As far as completeness and returned frequencies were concerned, MoRSE exceeded the other LLMs such as GPT-4, GEMINI, MIXTRAL and HACKERGPT by some margin: for General questions it was better than them combined, with an advantage of over 15 per cent, and for Multi-Hop and CVE questions alike it was better by more than 10%.

Performance comparison of models on 300 CVE Queries
source - https://arxiv.org/pdf/2407.15748

In terms of accuracy, MoRSE also outperformed GPT-4 by 50% on CVE questions, showing its effectiveness in specialized domains relative to general-purpose large language models. All these results were then confirmed using LLM-as-a-Judge evaluation, which showed MoRSE to be clearly ahead of its competitors, especially in performance.

How to Access and Use MoRSE?

MoRSE is available on GitHub and can be accessed here. Users can find instructions for local use and access a demo link to a YouTube video showcasing a detailed overview of MoRSE’s capabilities. This video provides a better understanding of how MoRSE operates and its key functionalities. Further detailed information is available on the GitHub repository, with links provided for authenticated users to access more data.

If you would like to read more details about this AI model, the sources are all included at the end of this article in the 'source' section.

Limitations and Future Work

While MoRSE offers comprehensive cybersecurity knowledge, it may face challenges with the dynamic nature of cyber threats and handling ambiguous queries. Additionally, its real-time performance could be affected by computational resources and network latency. Future improvements could focus on adapting to rapidly changing threats, better handling ambiguous queries, and optimizing real-time performance.

Conclusion

MoRSE is a significant step towards providing cybersecurity researchers with the expertise they need. MoRSE combines RAG techniques with real-time updates to provide precise and comprehensive information, which is very helpful for cybersecurity professionals. The more AI expands, the more models such as MoRSE will become essential to strengthening cybersecurity and defending against cyber attacks.


Source
Research paper: https://arxiv.org/abs/2407.15748
Research document: https://arxiv.org/pdf/2407.15748
GitHub Repo: https://github.com/Mixture-of-RAGs-Security-Experts/MoRSE


Disclaimer - It’s important to note that the article is intended to be informational and is based on a research paper available on arXiv. It does not provide cybersecurity advice or professional consultation. The article aims to inform readers about the advancements in AI in the cybersecurity field, specifically about the MoRSE model.
