Accelerating Incident Response: A Hybrid Approach for Data Breach Reporting
Aurora Arrus, Maria di Gisi, Sara Lilli, Marco Quadrini

TL;DR
This paper presents a hybrid malware analysis pipeline that automates the extraction of breach-relevant information from Linux/ARM malware, using static and dynamic analysis combined with a Large Language Model to produce compliance-ready reports for GDPR.
Contribution
It introduces a novel hybrid analysis system that leverages LLMs constrained by formal schemas to streamline GDPR breach reporting, especially for IoT-related malware.
Findings
Automates breach report generation with high accuracy.
Reduces time and cognitive load for incident responders.
Enhances compliance with GDPR reporting requirements.
Abstract
The General Data Protection Regulation (GDPR) requires organisations to notify supervisory authorities of personal data breaches within 72 hours of discovery. Meeting this strict deadline is challenging because incident responders must manually translate low-level forensic artefacts such as malware traces, system-call logs, and network captures into the structured, legally framed information required by data-protection authorities. This gap between technical evidence and regulatory reporting often results in delays, incomplete notifications, and a high cognitive burden on analysts. We propose a hybrid malware analysis pipeline that automates the extraction and organisation of breach-relevant information, with a particular focus on exfiltration-oriented Linux/ARM malware, which is rapidly increasing in prevalence due to the widespread adoption of IoT and embedded devices. The system…
Taxonomy
Topics: Digital and Cyber Forensics · Advanced Malware Detection Techniques · Information and Cyber Security
