Overview of Chimera
Here, we provide a detailed description of the Chimera framework, covering its overall architecture, agent society construction, and threat simulation mechanisms. To ensure transparency and reproducibility, we also release all the prompts used in Chimera. These prompts were not arbitrarily designed; rather, they were iteratively refined based on feedback and insights from both security and AI experts. Through multiple rounds of preliminary experimentation and consolidation, we distilled a set of robust and effective prompts that faithfully capture realistic enterprise operations and insider threat behaviors.
Figure: Overview of Chimera
Organization Profiling
Chimera begins by modeling the organization’s structure (employees, roles, and objectives) and system settings (OS, applications, services). These factors directly shape both application- and system-level logs. To support different needs, Chimera can either automatically generate realistic organizational profiles or accept user-defined ones, ensuring flexible yet faithful simulations.
Prompt for company profile generation
Agent Society Construction
Once the organizational setup is ready, Chimera builds an LLM-based agent society where each employee is represented by an agent bundle. Each bundle combines multiple LLM agents with specialized tools (e.g., terminal, browser, file operations) to mimic real work behaviors. Agents are initialized with realistic employee profiles (role, ID, system context), enabling them to act like real staff members. To simulate insider threats, some agents are designated as adversaries—executing attacks while still performing routine tasks—making scenarios both realistic and challenging.
Example of employee profile
Prompt for weekly group meeting
Prompt for post-meeting for detailed goal summarization
Organizational Operations & Threat Simulation
With the environment and agents in place, Chimera simulates daily organizational workflows. Benign agents follow task schedules, attend meetings, and update plans dynamically through interactions, each running in its own isolated Docker container with realistic access-control rules. Adversarial agents blend malicious activities into their normal routines, executing attacks at contextually appropriate times while maintaining regular duties. All attack actions are pre-defined, scheduled, and automatically labeled, ensuring realistic yet well-annotated logs for downstream research.
Prompt for daily schedule generation
Prompt for daily task execution
Prompt for daily schedule update (after communication with colleagues)
Prompt for attacker activity synthesis and execution
Log Collection
Chimera captures fine-grained logs by running each agent in a dedicated Docker container, recording both system events and network traffic tied to individual employees. Beyond system-level monitoring, LLM agents also log collaboration activities and tool usage traces, enabling deeper behavioral analysis. Unlike traditional insider threat detection (ITD) datasets with fixed data sources, Chimera flexibly adapts to varied enterprise software stacks, automatically deploying required components with minimal manual effort.
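The automatic labeling of scheduled attack actions and the per-employee container logs described above can be combined as in the following added example, which is not Chimera's own code. The schedule and log field names, the `agent-` container prefix, and all sample records are assumptions constructed for illustration, and attack windows for one employee are assumed not to overlap.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

# Constructed attack schedule; the field names are assumptions, not Chimera's schema.
SCHEDULE = [
    {"employee_id": "E017", "attack": "data_exfiltration",
     "start": "2025-03-04T14:10:00", "duration_s": 300},
    {"employee_id": "E017", "attack": "privilege_escalation",
     "start": "2025-03-05T09:30:00", "duration_s": 120},
]

# Constructed log records, one source container per employee agent.
LOGS = [
    {"ts": "2025-03-04T14:09:59", "container": "agent-E017", "event": "process_start"},
    {"ts": "2025-03-04T14:10:00", "container": "agent-E017", "event": "file_read"},
    {"ts": "2025-03-04T14:12:30", "container": "agent-E017", "event": "net_connect"},
    {"ts": "2025-03-04T14:12:30", "container": "agent-E022", "event": "net_connect"},
    {"ts": "2025-03-04T14:15:00", "container": "agent-E017", "event": "file_write"},
    {"ts": "2025-03-05T09:31:00", "container": "agent-E017", "event": "process_start"},
]

def build_index(schedule):
    """Map employee_id -> (sorted start times, matching (end, attack) pairs)."""
    windows = {}
    for entry in schedule:
        start = datetime.fromisoformat(entry["start"])
        end = start + timedelta(seconds=entry["duration_s"])
        windows.setdefault(entry["employee_id"], []).append((start, end, entry["attack"]))
    index = {}
    for emp, items in windows.items():
        items.sort()
        index[emp] = ([s for s, _, _ in items], [(e, a) for _, e, a in items])
    return index

def label_logs(logs, schedule, prefix="agent-"):
    """Tag each record with the attack whose [start, end) window covers it, else 'benign'."""
    index = build_index(schedule)
    labeled = []
    for rec in logs:
        employee = rec["container"].removeprefix(prefix)
        ts = datetime.fromisoformat(rec["ts"])
        starts, spans = index.get(employee, ([], []))
        i = bisect_right(starts, ts) - 1  # latest window starting at or before ts
        hit = i >= 0 and ts < spans[i][0]
        labeled.append({**rec, "employee_id": employee,
                        "label": spans[i][1] if hit else "benign"})
    return labeled

if __name__ == "__main__":
    for row in label_logs(LOGS, SCHEDULE):
        print(row["ts"], row["employee_id"], row["event"], row["label"])
```

Records from another employee's container at the same timestamp stay benign, which is the property that lets a detector be evaluated on attribution as well as timing.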