ReGAIN: Retrieval-Grounded AI Framework for Network Traffic Analysis
Shaghayegh Shajarian, Kennedy Marsh, James Benson, Sajad Khorsandroo, Mahmoud Abdelsalam

TL;DR
ReGAIN is a novel framework that combines traffic summarization, retrieval-augmented generation, and LLM reasoning to improve transparency and accuracy in network traffic analysis, outperforming existing methods.
Contribution
ReGAIN introduces a multi-stage, retrieval-grounded AI framework that enhances interpretability and reduces false positives in network traffic analysis.
Findings
Achieves 95.95% to 98.82% accuracy on real-world attack data.
Outperforms rule-based, classical ML, and deep learning baselines.
Provides explainability through verifiable, evidence-based responses.
Abstract
Modern networks generate vast, heterogeneous traffic that must be continuously analyzed for security and performance. Traditional network traffic analysis systems, whether rule-based or machine learning-driven, often suffer from high false positives and lack interpretability, limiting analyst trust. In this paper, we present ReGAIN, a multi-stage framework that combines traffic summarization, retrieval-augmented generation (RAG), and Large Language Model (LLM) reasoning for transparent and accurate network traffic analysis. ReGAIN creates natural-language summaries from network traffic, embeds them into a multi-collection vector database, and utilizes a hierarchical retrieval pipeline to ground LLM responses with evidence citations. The pipeline features metadata-based filtering, MMR sampling, a two-stage cross-encoder reranking mechanism, and an abstention mechanism to reduce…
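The retrieval stage the abstract describes (metadata filtering, MMR sampling, a reranking pass and abstention when nothing in the collection supports the query) can be illustrated end to end on a toy corpus. The block below is an added example, not the ReGAIN authors' code or their evaluation data: the five traffic summaries are constructed, the bag-of-words embedding stands in for the paper's embedding model, the single lexical overlap reranker stands in for the two-stage cross-encoder, and every function name, the `proto` metadata field, the `lam` weight and the `min_sim` threshold are assumptions chosen for the illustration.

```python
"""Retrieval-grounded lookup over natural-language traffic summaries.

Added illustration, not the ReGAIN authors' code. The corpus below is
constructed; the embedding and reranker are stand-ins for the paper's
embedding model and cross-encoder; all names and thresholds are assumed.
"""
import math
import re
from collections import Counter

# Constructed summaries standing in for one collection of the vector store.
# Summaries 1 and 2 describe the same port scan as seen by two sensors.
SUMMARIES = [
    {"id": 1, "proto": "tcp", "text": "10.0.0.5 sent syn probes to 1000 tcp ports on 10.0.0.9 within 8 seconds and got rst replies from most ports"},
    {"id": 2, "proto": "tcp", "text": "10.0.0.5 sent syn probes to 1000 tcp ports on 10.0.0.9 within 9 seconds, most ports answered with rst"},
    {"id": 3, "proto": "udp", "text": "10.0.0.7 sent 500 udp dns queries per second to 8.8.8.8 for random subdomains of example.net"},
    {"id": 4, "proto": "tcp", "text": "198.51.100.20 flooded 10.0.0.9 with 50000 spoofed tcp syn packets per second on port 80"},
    {"id": 5, "proto": "tcp", "text": "10.0.0.8 held one long lived tcp session to 203.0.113.4 on port 443 with steady bidirectional traffic"},
]


def tokenize(text):
    # Keep dotted tokens whole so IP addresses survive as single terms.
    return re.findall(r"[a-z0-9.]+", text.lower())


def embed(text):
    """Stand-in embedding: L2-normalised term-frequency vector (assumed)."""
    counts = Counter(tokenize(text))
    norm = math.sqrt(sum(c * c for c in counts.values())) or 1.0
    return {term: c / norm for term, c in counts.items()}


def cosine(a, b):
    return sum(w * b.get(term, 0.0) for term, w in a.items())


def metadata_filter(docs, **required):
    """Keep only documents whose metadata matches every requested field."""
    return [d for d in docs if all(d.get(k) == v for k, v in required.items())]


def mmr_select(qvec, docs, k=2, lam=0.6):
    """Maximal Marginal Relevance: reward query similarity, penalise
    similarity to documents already selected, so near-duplicate
    summaries do not crowd out distinct evidence."""
    selected, remaining = [], list(docs)

    def score(d):
        relevance = cosine(qvec, d["vec"])
        redundancy = max((cosine(d["vec"], s["vec"]) for s in selected), default=0.0)
        return lam * relevance - (1.0 - lam) * redundancy

    while remaining and len(selected) < k:
        best = max(remaining, key=score)
        selected.append(best)
        remaining.remove(best)
    return selected


def rerank(query, docs):
    """Stand-in for the cross-encoder stage: order by exact query-term overlap."""
    qterms = set(tokenize(query))
    return sorted(docs, key=lambda d: -len(qterms & set(tokenize(d["text"]))))


def retrieve(query, docs=SUMMARIES, proto=None, k=2, lam=0.6, min_sim=0.2):
    """Filter by metadata, sample with MMR, rerank, and abstain when the
    best candidate is too weak to ground an answer."""
    qvec = embed(query)
    pool = metadata_filter(docs, proto=proto) if proto else list(docs)
    pool = [dict(d, vec=embed(d["text"])) for d in pool]
    if not pool or max(cosine(qvec, d["vec"]) for d in pool) < min_sim:
        return {"abstain": True, "evidence": []}
    picks = rerank(query, mmr_select(qvec, pool, k=k, lam=lam))
    return {"abstain": False, "evidence": [{"id": d["id"], "text": d["text"]} for d in picks]}


def evidence_ids(result):
    return [e["id"] for e in result["evidence"]]


if __name__ == "__main__":
    q = "syn probes against many tcp ports on 10.0.0.9"
    print("mmr      :", evidence_ids(retrieve(q, proto="tcp")))          # [2, 4]
    print("relevance:", evidence_ids(retrieve(q, proto="tcp", lam=1.0)))  # [2, 1]
    print("abstain  :", retrieve("ssh brute force against 10.0.0.3", proto="tcp")["abstain"])  # True
```

With `lam=0.6` the two evidence slots go to the scan summary and the SYN-flood summary; with `lam=1.0` (pure relevance) the second slot is wasted on the other sensor's copy of the same scan. The abstention check sits before reranking on purpose: a reranker only reorders what it is given, so a query with no support in the filtered collection must be refused earlier rather than handed to the LLM with weak citations.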
Taxonomy
Topics: Internet Traffic Analysis and Secure E-voting · Network Security and Intrusion Detection · Web Application Security Vulnerabilities
