Large Language Models for Explainable Threat Intelligence
The work addresses analysts' need for transparent and interpretable AI in cybersecurity, though the contribution is incremental: it applies existing LLM and retrieval-augmented generation methods to a new domain.
The paper tackles the problem of increasingly complex cyber threats by developing RAGRecon, a system that pairs a large language model with retrieval-augmented generation to provide explainable threat intelligence; for the best model and dataset combinations, its responses matched the reference responses more than 91% of the time.
As cyber threats continue to grow in complexity, traditional security mechanisms struggle to keep up. Large language models (LLMs) offer significant potential in cybersecurity because of their advanced text processing and generation capabilities. This paper explores the use of LLMs with retrieval-augmented generation (RAG) to obtain threat intelligence by combining real-time information retrieval with domain-specific data. The proposed system, RAGRecon, uses an LLM with RAG to answer questions about cybersecurity threats. Moreover, it makes this form of Artificial Intelligence (AI) explainable by generating, and visually presenting to the user, a knowledge graph for every reply. This increases the transparency and interpretability of the model's reasoning, allowing analysts to better understand the connections the system made based on the context retrieved by the RAG component. We evaluated RAGRecon experimentally with two datasets and seven different LLMs; for the best combinations, the responses matched the reference responses more than 91% of the time.
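The architecture the abstract describes, retrieval of domain-specific context followed by a knowledge graph attached to every reply, as an added Python example that is not RAGRecon's code: a hand-rolled TF-IDF retriever over a constructed, fictional corpus stands in for the retrieval step, a regex triple extractor stands in for the LLM's graph-generation step, and every edge carries the id of the chunk it came from, so a link the model asserts can be checked against what was actually retrieved rather than taken on trust. The actor and tool names (Redwing, SampleLoader, BlueKite), the corpus text and the pattern list are all constructed for this illustration.

```python
"""Toy RAG pipeline with a provenance-tracked knowledge graph.

Added illustration, not RAGRecon's code. The retriever is a hand-rolled
TF-IDF cosine search; a regex triple extractor stands in for the LLM.
The corpus is constructed for this example and the names are fictional.
"""
import math
import re
from collections import Counter

# Constructed, fictional threat-intelligence snippets (not real reporting).
CORPUS = {
    "doc1": "Redwing uses spearphishing attachments to deliver the SampleLoader dropper.",
    "doc2": "SampleLoader downloads the BlueKite backdoor from a hard-coded C2 domain.",
    "doc3": "BlueKite targets Windows hosts and uses scheduled tasks for persistence.",
    "doc4": "Unrelated note: the quarterly patch cycle was moved to Tuesday.",
}

TOKEN_RE = re.compile(r"[a-z0-9]+")

# Stand-in for the LLM's graph-generation step: a few hand-written patterns,
# each mapping regex groups to (subject_group, relation, object_group).
PATTERNS = [
    (re.compile(r"(\w+) uses ([\w ]+?) to deliver the (\w+)"),
     [(1, "uses", 2), (2, "delivers", 3)]),
    (re.compile(r"(\w+) downloads the (\w+)"),
     [(1, "downloads", 2)]),
    (re.compile(r"(\w+) targets ([\w ]+?) and uses ([\w ]+?) for persistence"),
     [(1, "targets", 2), (1, "persists_via", 3)]),
]


def tokenize(text):
    return TOKEN_RE.findall(text.lower())


def build_index(corpus):
    """Return (term frequencies per doc, idf per term) for TF-IDF cosine search."""
    tfs = {doc_id: Counter(tokenize(text)) for doc_id, text in corpus.items()}
    df = Counter()
    for tf in tfs.values():
        df.update(tf.keys())
    n_docs = len(corpus)
    idf = {t: math.log((1 + n_docs) / (1 + c)) + 1 for t, c in df.items()}
    return tfs, idf


def _vector(tf, idf):
    return {t: c * idf.get(t, 0.0) for t, c in tf.items()}


def _cosine(a, b):
    dot = sum(v * b.get(t, 0.0) for t, v in a.items())
    na = math.sqrt(sum(v * v for v in a.values()))
    nb = math.sqrt(sum(v * v for v in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def retrieve(query, corpus, k=2):
    """RAG retrieval step: the k doc ids most similar to the query, best first."""
    tfs, idf = build_index(corpus)
    q = _vector(Counter(tokenize(query)), idf)
    scored = sorted(((_cosine(q, _vector(tf, idf)), d) for d, tf in tfs.items()),
                    reverse=True)
    return [d for score, d in scored[:k] if score > 0]


def extract_triples(doc_id, text):
    """Turn one retrieved chunk into (subject, relation, object) edges, each
    tagged with the chunk it came from so the graph is traceable to context."""
    edges = []
    for pattern, mapping in PATTERNS:
        m = pattern.search(text)
        if not m:
            continue
        for s, rel, o in mapping:
            edges.append({"subject": m.group(s), "relation": rel,
                          "object": m.group(o), "source": doc_id})
    return edges


def build_graph(query, corpus, k=2):
    """Knowledge graph for one reply: edges from the retrieved chunks only."""
    edges = []
    for doc_id in retrieve(query, corpus, k):
        edges.extend(extract_triples(doc_id, corpus[doc_id]))
    return edges


def grounded(claim, edges):
    """Explainability check: a link the model asserts is accepted only if the
    retrieved context supports it. Returns the source doc id, or None for an
    unsupported (possibly hallucinated) link."""
    for e in edges:
        if (e["subject"], e["relation"], e["object"]) == tuple(claim):
            return e["source"]
    return None


def to_dot(edges):
    """Render the graph as Graphviz DOT, labelling each edge with its source chunk."""
    lines = ["digraph threat_intel {"]
    for e in edges:
        lines.append(f'  "{e["subject"]}" -> "{e["object"]}" '
                     f'[label="{e["relation"]} ({e["source"]})"];')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    question = "How does Redwing deliver SampleLoader?"
    graph = build_graph(question, CORPUS)
    print(to_dot(graph))
    # A link that is not in the retrieved context is flagged, not displayed.
    print(grounded(("Redwing", "uses", "scheduled tasks"), graph))
```

The point of attaching a source id to every edge is that the analyst sees not just the connections the model drew but which retrieved chunk each one rests on; a link the model states in its answer that has no edge in the graph is exactly the case where the visualisation should make the analyst suspicious.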