# LLMs and ASP for situational awareness

In [None]:
%%file attack-template-library.lp
#program initial.

% plan1: t1556, then eventually t1059, then eventually t1548, then eventually t1059.
% The constraint discards any model that selects plan1 unless the trace satisfies it.
:- plan(plan1), not &tel{
    >? (h(techn(t1556))
    & (>? h(techn(t1059))
    & (>? h(techn(t1548))
    & (>? h(techn(t1059))))))}.

% plan2: t1556, then eventually either t1059 or t1548.
:- plan(plan2), not &tel{
    >? (h(techn(t1556))
    & (>? (h(techn(t1059)) | h(techn(t1548)))))}.

% Exactly one candidate plan per model.
1 { plan(plan1;plan2) } 1 .

In [None]:
%%file alert-trace.lp
#program initial.

% The alert trace as a temporal fact: one alert per successive state,
% starting at state 1 (state 0 holds only the initial plan choice).
&tel{&true
    ;> o(alert(addGrpMem))
    ;> o(alert(benign))
    ;> o(alert(execIam))
    ;> o(alert(latMvmSaml))
    ;> o(alert(benign))
    ;> o(alert(execWinPsh))}.

We encode the problem in a *telingo* program: the adversary attack plan from (i) is formulated as a model constraint, the trace from (ii) is encoded as a temporal fact, and the rules from (iii) are encoded as dynamic rules. A stable model produced by the *telingo* solver tells us that the trace is plausibly an instance of the attack plan, while the absence of a model rules it out, which is the goal set out in the experiment.

In [None]:
%%file mitre-detect-map.lp

#program always.
% static knowledge: tactic -> techniques (MITRE ATT&CK technique ids)
tac_tec(privEsc,(t1556;t1548;t1134)).
tac_tec(execution,t1059).
tac_tec(initAccess,(t1566;t1133)).

#program dynamic.

% each non-benign alert is explained by exactly one hypothesised technique
1 {hyp_o(techn(X)) : tac_tec(privEsc,X)} 1 :- o(alert(addGrpMem)) . % could be any of the privEsc techniques
1 {hyp_o(techn(t1059))} 1 :- o(alert(execIam)) .
1 {hyp_o(techn(t1548))} 1 :- o(alert(latMvmSaml)) .
1 {hyp_o(techn(t1059))} 1 :- o(alert(execWinPsh)) .

% observed explanation hypothesis -> happened;
% a technique happening implies its tactic happened
h(X) :- hyp_o(X).
h(tac(Tac)) :- h(techn(X)), tac_tec(Tac,X).

#defined hyp_u/2.
#defined hyp_o/2.
#defined h/2.

#show plan/1.
#show h/1.
#show hyp_u/1.
#show o/1.
#show hyp_o/1.
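
To make the semantics of the three cells above concrete, here is an added Python re-implementation of the same check (not part of the notebook or of telingo): it enumerates the hypotheses the `hyp_o` choice rules generate for each alert, tests each against the two plan templates using the ordering that the nested `>?` (eventually) operators express, and reports which plans remain plausible. Alert names, technique ids, tactics and plans are copied from the cells above; the function names and the extra traces are assumptions for illustration.

```python
from itertools import product

# Static knowledge mirrored from mitre-detect-map.lp (tac_tec/2).
TAC_TEC = {"privEsc": {"t1556", "t1548", "t1134"},
           "execution": {"t1059"}, "initAccess": {"t1566", "t1133"}}

# Alert -> candidate techniques, mirroring the hyp_o choice rules:
# addGrpMem may be any privEsc technique, benign alerts explain nothing.
ALERT_TECH = {
    "addGrpMem": sorted(TAC_TEC["privEsc"]),
    "execIam": ["t1059"],
    "latMvmSaml": ["t1548"],
    "execWinPsh": ["t1059"],
    "benign": [],
}

# Plan templates from attack-template-library.lp: ordered steps, each a set
# of alternatives (plan2's second step encodes t1059 | t1548).
PLANS = {
    "plan1": [{"t1556"}, {"t1059"}, {"t1548"}, {"t1059"}],
    "plan2": [{"t1556"}, {"t1059", "t1548"}],
}

# The alert trace from alert-trace.lp, in order of arrival.
TRACE = ["addGrpMem", "benign", "execIam", "latMvmSaml", "benign", "execWinPsh"]

def hypotheses(trace):
    """Every stable-model choice: one technique per non-benign alert."""
    slots = [ALERT_TECH[alert] for alert in trace if ALERT_TECH[alert]]
    return list(product(*slots))

def matches(plan, techs):
    """>? (a & (>? (b & ...))) holds iff the steps occur in this order
    (not necessarily adjacently) in the hypothesised technique sequence."""
    step = 0
    for tech in techs:
        if step < len(plan) and tech in plan[step]:
            step += 1
    return step == len(plan)

def plausible_plans(trace):
    """Map each plan to the hypotheses under which the trace instantiates it.
    A plan with no entry is ruled out, like a telingo run with no model."""
    result = {}
    for name, steps in PLANS.items():
        fits = [h for h in hypotheses(trace) if matches(steps, h)]
        if fits:
            result[name] = fits
    return result
```

`plausible_plans(TRACE)` reproduces the two answers telingo reports below (plan1 and plan2, each only under the hypothesis that addGrpMem is t1556), while a constructed trace such as `["execIam", "benign", "addGrpMem"]` yields an empty result, the analogue of an unsatisfiable program.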

In [13]:
!telingo 0 attack-template-library.lp mitre-detect-map.lp alert-trace.lp 

telingo version 2.1.2
Reading from attack-template-library.lp ...
Solving...
Solving...
Solving...
Solving...
Solving...
Solving...
Solving...
Answer: 1
 State 0:
  plan(plan1)
 State 1:
  h(tac(privEsc)) h(techn(t1556))
  hyp_o(techn(t1556))
  o(alert(addGrpMem))
 State 2:
  o(alert(benign))
 State 3:
  h(tac(execution)) h(techn(t1059))
  hyp_o(techn(t1059))
  o(alert(execIam))
 State 4:
  h(tac(privEsc)) h(techn(t1548))
  hyp_o(techn(t1548))
  o(alert(latMvmSaml))
 State 5:
  o(alert(benign))
 State 6:
  h(tac(execution)) h(techn(t1059))
  hyp_o(techn(t1059))
  o(alert(execWinPsh))
Answer: 2
 State 0:
  plan(plan2)
 State 1:
  h(tac(privEsc)) h(techn(t1556))
  hyp_o(techn(t1556))
  o(alert(addGrpMem))
 State 2:
  o(alert(benign))
 State 3:
  h(tac(execution)) h(techn(t1059))
  hyp_o(techn(t1059))
  o(alert(execIam))
 State 4:
  h(tac(privEsc)) h(techn(t1548))
  hyp_o(techn(t1548))
  o(alert(latMvmSaml))
 State 5:
  o(alert(benign))
 State 6:
  h(tac(execution)) h(techn(t1059))
  hyp_