From Detection to Response: A Deep Learning and Retrieval-Augmented Generation Framework for Network Intrusion Mitigation
Md Navid Bin Islam, Sajal Saha, Senior Member (IEEE)

TL;DR
This paper introduces an integrated framework combining deep learning detection with retrieval-augmented generation to provide actionable network intrusion responses, improving interpretability and effectiveness.
Contribution
It presents a novel end-to-end system that not only detects network attacks with high accuracy but also generates structured, citation-grounded mitigation reports using retrieval-augmented generation.
Findings
Achieved 99.84% accuracy on the CICIDS2018 dataset
Constructed explanation-aware prompts from the top-ranked anomalous features
Generated mitigation reports outperform vanilla LLM outputs
Abstract
Machine-learning-based Intrusion Detection Systems (IDS) have achieved impressive accuracy in classifying network attacks, yet they consistently fall short on the question that matters most to a security analyst: what should I do next? This paper presents a unified, end-to-end framework that closes the gap between threat detection and actionable response. The system operates in two tightly coupled stages. First, an ensemble of three independently trained binary Deep Neural Networks (DNNs) classifies network traffic flows as Benign, Denial of Service (DoS), or Distributed Denial of Service (DDoS), achieving 99.84% accuracy on the CICIDS2018 dataset and 95.30% on the UNSW-NB15 dataset. Second, a Retrieval-Augmented Generation (RAG) pipeline constructs explanation-aware prompts from the top-5 anomalous features, retrieves the most semantically and lexically relevant guidance from a…
