GenDFIR: Advancing Cyber Incident Timeline Analysis Through Retrieval Augmented Generation and Large Language Models
This addresses the challenge of manual, time-consuming timeline analysis in digital forensics and incident response for cybersecurity professionals, though it appears incremental as it applies existing LLM/RAG techniques to this domain.
The paper tackles the problem of automating cyber incident timeline analysis by introducing GenDFIR, a framework that combines Retrieval-Augmented Generation with large language models (Llama 3.1 8B) to interpret and enrich event data. Results on synthetic data in a controlled environment demonstrate its reliability and robustness, showcasing potential for automation in threat detection.
Cyber timeline analysis, or forensic timeline analysis, is crucial in Digital Forensics and Incident Response (DFIR). It examines artefacts and events particularly timestamps and metadata to detect anomalies, establish correlations, and reconstruct incident timelines. Traditional methods rely on structured artefacts, such as logs and filesystem metadata, using specialised tools for evidence identification and feature extraction. This paper introduces GenDFIR, a framework leveraging large language models (LLMs), specifically Llama 3.1 8B in zero shot mode, integrated with a Retrieval-Augmented Generation (RAG) agent. Incident data is preprocessed into a structured knowledge base, enabling the RAG agent to retrieve relevant events based on user prompts. The LLM interprets this context, offering semantic enrichment. Tested on synthetic data in a controlled environment, results demonstrate GenDFIR's reliability and robustness, showcasing LLMs potential to automate timeline analysis and advance threat detection.