Large Language Models for Explainable Threat Intelligence
Tiago Dinis, Miguel Correia, Roger Tavares

TL;DR
This paper presents RAGRecon, a system that uses large language models with retrieval-augmented generation to provide explainable and transparent threat intelligence by generating knowledge graphs, improving cybersecurity analysis.
Contribution
Introduces RAGRecon, a novel LLM-based system that combines retrieval-augmented generation with visual explanations for cybersecurity threat analysis.
Findings
Responses matched reference data over 91% of the time.
System effectively generates explainable knowledge graphs.
Evaluated with two datasets and seven LLMs.
Abstract
As cyber threats continue to grow in complexity, traditional security mechanisms struggle to keep up. Large language models (LLMs) offer significant potential in cybersecurity due to their advanced capabilities in text processing and generation. This paper explores the use of LLMs with retrieval-augmented generation (RAG) to obtain threat intelligence by combining real-time information retrieval with domain-specific data. The proposed system, RAGRecon, uses an LLM with RAG to answer questions about cybersecurity threats. Moreover, it makes this form of Artificial Intelligence (AI) explainable by generating and visually presenting to the user a knowledge graph for every reply. This increases the transparency and interpretability of the reasoning of the model, allowing analysts to better understand the connections made by the system based on the context recovered by the RAG system. We…
Taxonomy
Topics: Topic Modeling · Explainable Artificial Intelligence (XAI) · Advanced Graph Neural Networks
