Taming LLMs to Detect Anomalies in Cloud Audit Logs

Yigael Berger

fwd:cloudsec North America 2025 · Day 2 · Track 2 - Crestone

Yigael Berger, Head of AI at Sweet Security, presented a practical method for fine-tuning **GPT-2** on cloud audit log data to build an anomaly detection engine that can distinguish routine DevOps activity from potentially malicious behavior. The core insight is elegant: rather than using an LLM to generate new tokens, the technique uses the LLM "in reverse", feeding it normalized CloudTrail data and reading the per-token likelihood scores to identify which log entries the model finds surprising. These anomaly scores are then fed as additional context into a larger, off-the-shelf LLM prompt to dramatically reduce false positives in cloud security detection. The research, co-developed with colleague Ido Kos, represents a production-ready approach that is accessible, inexpensive, and requires no machine learning expertise to implement.
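The scoring loop described above, as an added example that is not from the talk or from Sweet Security's code. It stands in a small bigram language model with add-k smoothing for the fine-tuned GPT-2 so that it runs offline, but the mechanics it shows are the ones the summary describes: collapse each CloudTrail record into a fixed sequence of categorical tokens, compute the probability of every token given its context, turn that into per-token surprise (negative log-likelihood in bits), learn a threshold from routine activity, and render the most surprising tokens as text that a downstream LLM prompt could consume. The events, the corporate egress range `CORP_NETS`, the account id and the function names are all constructed for the example.

```python
"""Per-token surprise scoring of normalized CloudTrail-style events.

Stand-in for the talk's GPT-2 approach: a bigram model plays the role of the
fine-tuned LLM. Every record and network range below is constructed sample data.
"""
import ipaddress
import math
import statistics
from collections import Counter


def ev(name, itype, arn, ip, region, ua):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventName": name, "userIdentity": {"type": itype, "arn": arn},
            "sourceIPAddress": ip, "awsRegion": region, "userAgent": ua}


CI = "arn:aws:sts::111122223333:assumed-role/ci-deploy/run-42"   # placeholder account
DEV = "arn:aws:iam::111122223333:user/dev-alice"
CORP_NETS = [ipaddress.ip_network("10.20.0.0/16")]               # constructed egress range

ROUTINE_EVENTS = [  # the baseline the model learns from
    ev("DescribeInstances", "AssumedRole", CI, "10.20.30.41", "us-east-1", "aws-cli/2.15.0"),
    ev("RunInstances", "AssumedRole", CI, "10.20.30.41", "us-east-1", "aws-cli/2.15.0"),
    ev("PutObject", "AssumedRole", CI, "10.20.30.42", "us-east-1", "aws-sdk-go/1.50"),
    ev("GetObject", "AssumedRole", CI, "10.20.30.42", "us-east-1", "aws-sdk-go/1.50"),
    ev("DescribeInstances", "AssumedRole", CI, "10.20.30.41", "us-east-1", "aws-cli/2.15.0"),
    ev("ListBuckets", "IAMUser", DEV, "10.20.31.7", "us-east-1", "console.amazonaws.com"),
    ev("GetObject", "IAMUser", DEV, "10.20.31.7", "us-east-1", "console.amazonaws.com"),
]
# A known CI role doing something it never does, from outside the corporate range.
ANOMALOUS_EVENT = ev("CreateUser", "AssumedRole", CI, "198.51.100.7", "us-east-1",
                     "python-requests/2.31")


def classify_source(ip_text):
    """Map sourceIPAddress to a coarse class; AWS-internal callers appear as hostnames."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return "service"
    return "corp" if any(ip in net for net in CORP_NETS) else "external"


def normalize(event):
    """Collapse a record into categorical tokens in a fixed field order, so the
    model learns event -> identity -> principal -> source -> region -> agent."""
    parts = event["userIdentity"].get("arn", "").split("/")
    principal = parts[1] if len(parts) > 1 else "unknown"      # role name or user name
    ua = event.get("userAgent", "").split("/")[0]              # agent family, no version
    return [f"event={event['eventName']}", f"identity={event['userIdentity']['type']}",
            f"principal={principal}", f"src={classify_source(event['sourceIPAddress'])}",
            f"region={event['awsRegion']}", f"ua={ua}"]


class BigramSurpriseModel:
    """P(token | previous token) with add-k smoothing; one unseen slot in the vocab."""

    def __init__(self, k=0.1):
        self.k, self.bigrams, self.contexts, self.vocab = k, Counter(), Counter(), set()

    def fit(self, sequences):
        for seq in sequences:
            toks = ["<s>", *seq, "</s>"]
            self.vocab.update(toks)
            for prev, cur in zip(toks, toks[1:]):
                self.bigrams[(prev, cur)] += 1
                self.contexts[prev] += 1
        return self

    def token_surprises(self, seq):
        """Return (token, bits) for every position; high bits = the model did not expect it."""
        toks = ["<s>", *seq, "</s>"]
        vsize = len(self.vocab) + 1
        out = []
        for prev, cur in zip(toks, toks[1:]):
            p = (self.bigrams[(prev, cur)] + self.k) / (self.contexts[prev] + self.k * vsize)
            out.append((cur, -math.log2(p)))
        return out


def score(model, event):
    """Mean surprise per token, in bits."""
    surprises = model.token_surprises(normalize(event))
    return sum(b for _, b in surprises) / len(surprises)


def top_tokens(model, event, n=3):
    return sorted(model.token_surprises(normalize(event)), key=lambda t: t[1], reverse=True)[:n]


def fit_baseline(events, k=0.1):
    """Train on routine activity and derive a threshold from its own score spread."""
    model = BigramSurpriseModel(k).fit(normalize(e) for e in events)
    scores = [score(model, e) for e in events]
    return model, statistics.mean(scores) + 3 * statistics.pstdev(scores)


def detect(model, threshold, events):
    return [i for i, e in enumerate(events) if score(model, e) > threshold]


def prompt_context(model, event, n=3):
    """Render the scored event as text for the second-stage LLM prompt."""
    lines = [f"anomaly_score_bits_per_token={score(model, event):.2f}"]
    lines += [f"surprising: {tok} ({bits:.1f} bits)" for tok, bits in top_tokens(model, event, n)]
    return "\n".join(lines)


if __name__ == "__main__":
    model, threshold = fit_baseline(ROUTINE_EVENTS)
    for e in ROUTINE_EVENTS + [ANOMALOUS_EVENT]:
        print(f"{score(model, e):5.2f}  {' '.join(normalize(e))}")
    print(f"threshold={threshold:.2f}\n{prompt_context(model, ANOMALOUS_EVENT)}")
```

The per-token view is what makes the score explainable: for the constructed anomalous event, the three tokens the baseline never saw (the API call, the external source and the unfamiliar user agent) dominate, while the role and region score as routine. With a real fine-tuned model the same per-token likelihoods come from the model's output distribution instead of a bigram table, and the threshold should be calibrated on a held-out slice of routine logs rather than on the training events themselves.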

AI review

A clever and genuinely practical application of fine-tuning GPT-2 as an anomaly detection engine for CloudTrail logs. The 'LLM in reverse' technique is elegant, the resource requirements are accessible, and it's clearly production-tested. Not offensive research, but the kind of defensive innovation that actually moves the needle on signal-to-noise in cloud detection.
