Ghaffarzadegan, Sepehr (2026) Automating Detection Lifecycle for APT Hunting: From CTI-Derived Sigma Rules to Infrastructure-Aware Rule Variants. Masters thesis, Concordia University.
Text (application/pdf), 2MB: Ghaffarzadegan_MA_S2026.pdf - Accepted Version. Available under License Spectrum Terms of Access.
Abstract
Cyber threat intelligence (CTI) reports contain important information about adversary behavior, yet transforming this information into deployable detection logic remains a largely manual and time-consuming task. Security practitioners must read narrative reports thoroughly, identify relevant attack techniques, extract and understand the attacks, and translate them into detection rules compatible with security monitoring systems. At the same time, detection rules remain static even as adversaries evolve. Attackers frequently change their techniques, substitute tools, modify execution paths, or move across platforms in order to evade fixed detections. These challenges create a gap between intelligence production and operational detection capabilities. This thesis addresses this gap by proposing a method for transforming CTI into adaptive detection rules. First, we introduce AutoSigma, an automated solution for transforming unstructured CTI reports into relevant Sigma rules. Rather than relying solely on language models, AutoSigma leverages a structured knowledge base to enrich partial input, matches the enriched content against a repository of existing Sigma rules, and then employs an LLM-as-a-Judge mechanism to iteratively validate the rules. By combining knowledge-driven enrichment, template-based rule grounding, and a multi-stage solution, AutoSigma enables accurate, context-aware, and relevant rule generation, while reducing the manual effort required from security practitioners. Second, we present ARMS, an automated rule mutation solution designed to extend detection coverage under adversarial variation. ARMS begins with an existing detection rule and generates infrastructure-aware behavioral variants. ARMS identifies techniques related to the original attack through a three-dimensional proximity space that captures structural relations, functional similarity, and environmental constraints. Only techniques compatible with the target infrastructure are retained. Subsequently, ARMS uses a RAG-based implementation to generate a new set of deployable detection rule variants. By generating the set of infrastructure-aware rule variants, ARMS improves detection coverage when attackers alter their techniques. Together, AutoSigma and ARMS form a unified detection lifecycle that connects threat intelligence interpretation, rule synthesis, behavioral indexing, rule mutation, and deployment feedback. This lifecycle aims to support a continuous detection process in which intelligence drives detection creation and automated reasoning expands coverage as threats evolve. The results show that the combination of structured knowledge with language model capabilities can significantly accelerate CTI operationalization and contribute to more adaptive and resilient detection strategies against evolving APT campaigns.
| Field | Value |
|---|---|
| Divisions: | Concordia University > Gina Cody School of Engineering and Computer Science > Electrical and Computer Engineering |
| Item Type: | Thesis (Masters) |
| Authors: | Ghaffarzadegan, Sepehr |
| Institution: | Concordia University |
| Degree Name: | M.A.Sc. |
| Program: | Electrical and Computer Engineering |
| Date: | 30 March 2026 |
| Thesis Supervisor(s): | Assi, Chadi and Debbabi, Mourad and Nour, Boubakr |
| ID Code: | 997106 |
| Deposited By: | Sepehr Ghaffarzadegan |
| Deposited On: | 29 Jun 2026 14:41 |
| Last Modified: | 29 Jun 2026 14:41 |