Author: Denis Avetisyan
Researchers are harnessing the power of artificial intelligence to automatically analyze security incidents, reconstruct attack timelines, and deliver clearer, more actionable intelligence.

This review explores the application of retrieval-augmented generation with large language models for improved security incident analysis, focusing on log analysis and threat intelligence.
Analyzing cybersecurity incidents is increasingly challenging due to the sheer volume of data and the sophistication of modern attacks. This paper, ‘Retrieval-Augmented LLMs for Security Incident Analysis’, introduces a system leveraging large language models (LLMs) and retrieval-augmented generation (RAG) to automate log analysis and reconstruct attack sequences. Results demonstrate that this approach achieves high recall and precision in identifying malicious activity – including malware traffic and multi-stage Active Directory attacks – while significantly reducing costs compared to traditional methods. Could this represent a paradigm shift toward more efficient and interpretable security operations powered by LLMs?
The Data Deluge: Recognizing Signal Loss
Contemporary network infrastructure, while offering unprecedented connectivity, simultaneously produces a relentless torrent of security logs. Each firewall, server, and application constantly records events, resulting in volumes that easily reach terabytes per day for even modestly sized organizations. This data deluge overwhelms human security analysts, who lack the capacity to manually sift through such immense quantities of information to identify genuine threats. The sheer scale obscures malicious activity within a sea of benign events, creating a significant challenge for timely detection and response. Consequently, critical security incidents can remain unnoticed for extended periods, leaving systems vulnerable to exploitation and data breaches – a situation exacerbated by the growing complexity of modern cyberattacks.
Conventional Security Information and Event Management (SIEM) systems, while designed to aggregate and analyze security data, often falter when faced with the sheer complexity of modern threat landscapes. These systems rely heavily on predefined rules and signatures to detect malicious activity, but increasingly sophisticated attacks frequently bypass these static defenses. The core challenge lies in correlating disparate events – a firewall alert, a suspicious login attempt, unusual network traffic – into a cohesive narrative indicative of a genuine threat. Without robust correlation capabilities, SIEMs generate a high volume of false positives, overwhelming security teams and obscuring critical signals. This inability to distinguish between benign activity and true threats significantly diminishes their effectiveness, leaving organizations vulnerable to persistent and evolving cyberattacks. The systems struggle not from a lack of data, but from a lack of intelligent analysis capable of transforming raw information into actionable intelligence.
The accelerating production of security data frequently outpaces an organization’s ability to interpret it, establishing a dangerous latency between threat occurrence and effective response. While networks amass terabytes of logs daily, the sheer volume overwhelms security teams, hindering their capacity to distinguish between benign activity and genuine malicious intent. This discrepancy – the widening gap between data generation and the derivation of actionable intelligence – leaves systems exposed, as attacks can unfold and compromise data before analysts can detect and mitigate them. Consequently, organizations find themselves awash in information yet paradoxically vulnerable, highlighting the urgent need for automated analysis and intelligent threat detection capabilities to bridge this critical insight gap and proactively defend against evolving cyber threats.
Retrieval-Augmented Generation: Amplifying Intelligence
Retrieval-Augmented Generation (RAG) improves the performance of Large Language Models (LLMs) by supplementing the LLM’s inherent knowledge with information retrieved from external data sources. This process involves indexing external knowledge bases, such as security logs, and then, during inference, retrieving relevant documents based on the user’s query. The retrieved content is then combined with the prompt and fed into the LLM, allowing it to generate responses grounded in factual, up-to-date information rather than relying solely on its pre-trained parameters. This is particularly valuable when dealing with specialized domains like cybersecurity, where information rapidly evolves and pre-trained models may lack current awareness.
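To make the retrieval step concrete, here is an added example (not code from the paper or its authors) of the index-then-retrieve loop described above. The log corpus is constructed, the ranking is a plain TF-IDF cosine similarity written with the standard library in place of a real vector store, and the LLM call is represented only by the prompt that would be sent to it; all document ids, queries and log contents are made up for illustration.

```python
"""Retrieval step of a RAG pipeline over security log excerpts (added example)."""
import math
import re
from collections import Counter

# Constructed sample corpus: each entry stands for one log excerpt a SIEM might export.
LOG_CORPUS = {
    "doc1": "4625 failed logon for user svc_backup from 10.0.0.7 status 0xC000006D",
    "doc2": "4768 kerberos TGT requested for svc_backup from 10.0.0.7",
    "doc3": "4769 kerberos service ticket requested for svc_backup service MSSQLSvc",
    "doc4": "dns query for update.windows.com from 10.0.0.22",
    "doc5": "4624 successful logon for user jdoe from 10.0.0.15 logon type 2",
    "doc6": "http GET /favicon.ico from 10.0.0.22 status 200",
}

TOKEN_RE = re.compile(r"[a-z0-9_.]+")


def tokenize(text):
    """Lower-case word/IP/hash-style tokens; dots are kept so IPs stay whole."""
    return TOKEN_RE.findall(text.lower())


def build_index(corpus):
    """Index a corpus: per-document TF-IDF vectors plus the shared IDF table."""
    n = len(corpus)
    tokenized = {doc_id: tokenize(text) for doc_id, text in corpus.items()}
    df = Counter()
    for toks in tokenized.values():
        df.update(set(toks))
    # Smoothed IDF so a term seen in every document still gets a small weight.
    idf = {t: math.log((n + 1) / (c + 1)) + 1.0 for t, c in df.items()}
    vectors = {}
    for doc_id, toks in tokenized.items():
        tf = Counter(toks)
        vectors[doc_id] = {t: (cnt / len(toks)) * idf[t] for t, cnt in tf.items()}
    return {"idf": idf, "vectors": vectors}


def cosine(a, b):
    dot = sum(w * b.get(t, 0.0) for t, w in a.items())
    na = math.sqrt(sum(w * w for w in a.values()))
    nb = math.sqrt(sum(w * w for w in b.values()))
    return dot / (na * nb) if na and nb else 0.0


def retrieve(index, query, k=3):
    """Return the ids of the k most similar documents; unseen terms get IDF 1.0."""
    q_toks = tokenize(query)
    if not q_toks:
        return []
    tf = Counter(q_toks)
    q_vec = {t: (cnt / len(q_toks)) * index["idf"].get(t, 1.0) for t, cnt in tf.items()}
    scored = sorted(
        ((cosine(q_vec, vec), doc_id) for doc_id, vec in index["vectors"].items()),
        reverse=True,
    )
    return [doc_id for score, doc_id in scored[:k] if score > 0]


def build_prompt(query, corpus, doc_ids):
    """Ground the model: the retrieved excerpts travel with the question."""
    context = "\n".join(f"[{d}] {corpus[d]}" for d in doc_ids)
    return (
        "You are a security analyst. Answer using only the log excerpts below "
        "and cite them by id.\n\n"
        f"Logs:\n{context}\n\nQuestion: {query}\n"
    )


if __name__ == "__main__":
    index = build_index(LOG_CORPUS)
    question = "failed logon then kerberos ticket for svc_backup"
    hits = retrieve(index, question, k=3)
    print(build_prompt(question, LOG_CORPUS, hits))
```

The benign DNS and HTTP excerpts never reach the model because they share no discriminating terms with the question, which is the property that keeps the prompt short and the answer grounded; a production system would swap the TF-IDF scorer for a vector index over embeddings, but the indexing, retrieval and prompt-assembly steps stay the same.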
Integrating Retrieval-Augmented Generation (RAG) with Large Language Models (LLMs) establishes a system capable of processing complex security events by first retrieving relevant data from external knowledge sources – such as security information and event management (SIEM) systems, threat intelligence feeds, or vulnerability databases – and then utilizing the LLM to synthesize this information into a coherent incident report. The LLM doesn’t rely solely on its pre-trained knowledge; instead, it grounds its response in the retrieved context, enabling it to accurately describe the event, identify affected systems, assess potential impact, and suggest remediation steps. This process moves beyond simple alert correlation, allowing for the generation of nuanced reports that incorporate specific details of the incident and provide actionable intelligence for security teams.
Traditional security systems often rely on pattern matching – identifying known signatures of malicious activity. Retrieval-Augmented Generation (RAG) combined with Large Language Models (LLMs) facilitates contextual reasoning by incorporating data from diverse sources, such as threat intelligence feeds, network traffic analysis, and endpoint logs. This allows the system to understand the relationships between events, not just recognize isolated indicators. Consequently, RAG-LLM systems can identify anomalies that deviate from established baselines, predict potential threats based on evolving contexts, and proactively alert security teams to incidents before they fully materialize, moving beyond reactive signature-based detection.
Contextual Security Extraction: Defining the Relevant Signal
Security Context Extraction (SCE) operates by systematically filtering and prioritizing data within the high volume of security logs generated by network and system activity. This process reduces the incidence of false positive alerts by focusing analysis on events directly relevant to potential threats. Specifically, SCE identifies and isolates key data points – such as source and destination IPs, usernames, file hashes, and process names – while suppressing noise from routine or benign activity. The resulting streamlined dataset significantly improves analysis speed, allowing security teams and automated systems to more efficiently detect, investigate, and respond to genuine security incidents. This targeted approach contrasts with traditional log analysis, which often requires manual sifting through large volumes of data to identify meaningful signals.
The process of security context extraction is critical for Large Language Model (LLM) performance in threat detection because it delivers pre-processed, relevant data directly to the LLM. Without sufficient contextual information, LLMs struggle to differentiate between benign activity and genuine threats, increasing false positives and hindering accurate categorization of threat indicators. By filtering and prioritizing security logs before they reach the LLM, this process provides the LLM with focused input, enabling it to more reliably identify malicious patterns, reconstruct attack chains, and ultimately improve the precision and efficiency of security analysis. This targeted input is essential for achieving high recall rates, as demonstrated by models utilizing this approach.
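The filtering and key-field isolation described in the two paragraphs above can be shown in working form. The following is an added example, not the paper's own extractor: the log lines, the list of routine events treated as noise, and the field names are all constructed for illustration, and the hash value is a made-up placeholder.

```python
"""Security Context Extraction over raw log lines (added example)."""
import re
from collections import Counter

# Constructed sample logs in a flat "timestamp key=value ..." shape.
RAW_LOGS = [
    "2026-03-22T10:01:02Z host=WS01 event=4624 user=jdoe src_ip=10.0.0.15 logon_type=2",
    "2026-03-22T10:01:05Z host=WS01 event=dns query=update.windows.com src_ip=10.0.0.15",
    "2026-03-22T10:02:11Z host=DC01 event=4625 user=svc_backup src_ip=10.0.0.7 status=0xC000006D",
    "2026-03-22T10:02:12Z host=DC01 event=4625 user=svc_backup src_ip=10.0.0.7 status=0xC000006D",
    "2026-03-22T10:02:40Z host=DC01 event=4768 user=svc_backup src_ip=10.0.0.7",
    # The sha256 below is a constructed placeholder, not a real file hash.
    "2026-03-22T10:03:01Z host=WS07 event=process_create user=svc_backup process=rundll32.exe sha256="
    + "0123456789abcdef" * 4,
    "2026-03-22T10:03:02Z host=WS07 event=heartbeat agent=edr status=ok",
    "2026-03-22T10:03:05Z host=WS07 event=netconn process=rundll32.exe dst_ip=203.0.113.9 dst_port=443",
]

# Routine event types suppressed before anything reaches the model (constructed policy).
NOISE_EVENTS = {"heartbeat", "dns"}

KV_RE = re.compile(r"(\w+)=(\S+)")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")


def parse_line(line):
    """Split 'ts key=value key=value ...' into a flat record."""
    ts, _, rest = line.partition(" ")
    rec = {"ts": ts}
    rec.update(KV_RE.findall(rest))
    return rec


def is_noise(rec):
    return rec.get("event") in NOISE_EVENTS


def extract_context(lines):
    """Keep threat-relevant events and isolate the entities an analyst cares about."""
    kept, dropped = [], 0
    ips, users, hashes, procs = set(), set(), set(), set()
    failed_logons = Counter()
    for line in lines:
        rec = parse_line(line)
        if is_noise(rec):
            dropped += 1
            continue
        kept.append(rec)
        for key in ("src_ip", "dst_ip"):
            value = rec.get(key)
            if value and IPV4_RE.match(value):
                ips.add(value)
        if "user" in rec:
            users.add(rec["user"])
        digest = rec.get("sha256", "").lower()
        if SHA256_RE.match(digest):
            hashes.add(digest)
        if "process" in rec:
            procs.add(rec["process"])
        if rec.get("event") == "4625":  # Windows failed-logon event id
            failed_logons[rec.get("user", "?")] += 1
    return {
        "events": kept,
        "dropped": dropped,
        "entities": {
            "ips": sorted(ips),
            "users": sorted(users),
            "hashes": sorted(hashes),
            "processes": sorted(procs),
        },
        "failed_logons": dict(failed_logons),
    }


def render_context(ctx):
    """Compact text block handed to the LLM instead of the raw log stream."""
    out = [f"Kept {len(ctx['events'])} events, suppressed {ctx['dropped']} routine events."]
    for name, values in ctx["entities"].items():
        if values:
            out.append(f"{name}: {', '.join(values)}")
    for user, count in ctx["failed_logons"].items():
        out.append(f"failed logons for {user}: {count}")
    return "\n".join(out)


if __name__ == "__main__":
    print(render_context(extract_context(RAW_LOGS)))
```

The model receives a handful of entities and counts rather than eight raw lines; the two failed logons, the Kerberos ticket request and the process that then opened an outbound connection are all still present, while the agent heartbeat and the update-domain lookup are gone.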
Evaluations utilizing large language models – including DeepSeek V3, Claude Sonnet 4, Cisco Foundation-Sec-8B, and Llama 3.1 – demonstrate the effectiveness of context-driven security analysis. Specifically, the system achieved 100% recall in identifying malware network traffic and 82% recall in reconstructing Active Directory attack sequences. Cost-performance analysis revealed that DeepSeek V3 delivers performance equivalent to Claude Sonnet 4, but at a 15-fold reduction in operational expense.
Infrastructure as Foundation: Enabling Intelligent Analysis
The sheer volume and speed of security-relevant data generated by modern systems necessitate a log management infrastructure capable of handling immense scale. Traditional methods often struggle with this influx, leading to critical information being lost or delayed. Systems built on technologies like Elasticsearch address this challenge by providing a distributed, scalable, and searchable repository for logs. This allows security teams to ingest, store, and analyze data from diverse sources in near real-time, facilitating rapid threat detection and incident response. Without such a robust foundation, even the most advanced analytical tools would be hampered, unable to effectively process the vital signals hidden within the constant stream of machine-generated events.
A well-architected infrastructure is fundamental to the rapid generation of accurate incident reports by Retrieval-Augmented Generation Large Language Models (RAG-LLMs). The system relies on immediate access to vast quantities of security data – logs, alerts, threat intelligence – and a robust infrastructure ensures this information is readily available. By indexing and organizing this data, the RAG-LLM can efficiently retrieve relevant details in response to a security event. This quick retrieval, coupled with the LLM’s natural language processing capabilities, enables the creation of comprehensive and easily understandable incident summaries, significantly reducing the time needed for analysis and response. The speed and accuracy of these reports are directly proportional to the efficiency of the underlying data access mechanisms, making a scalable and reliable infrastructure a non-negotiable component of a modern security operations center.
The synergy between sophisticated artificial intelligence and resilient infrastructure fundamentally shifts security operations from reactive response to proactive threat mitigation. By leveraging AI’s capacity for pattern recognition and anomaly detection, coupled with the speed and scalability of a robust data management system, security teams can anticipate potential incidents before they escalate. This allows for automated investigation, prioritized alerts, and ultimately, a reduction in the dwell time of threats – the critical period between intrusion and discovery. The result is a minimized attack surface and a significant decrease in potential damage, fostering a security posture built on foresight rather than hindsight.
Beyond Detection: The Promise of Proactive Security
Modern cybersecurity increasingly relies on the ability to anticipate threats, and Retrieval-Augmented Generation Large Language Models (RAG-LLMs) are emerging as powerful tools in this pursuit. These systems don’t simply react to identified malware or attacks; they actively sift through network traffic, pinpointing subtle indicators often associated with Active Directory compromises and malicious software. By analyzing communication patterns, user behavior, and system logs, RAG-LLMs can detect anomalies that might evade traditional signature-based detection methods. This proactive approach allows security teams to hunt for potential threats within the network before they escalate into full-blown incidents, significantly enhancing an organization’s security posture and reducing the dwell time of attackers. The capability extends beyond simple identification, offering a crucial shift from reactive defense to a predictive and preventative security strategy.
Sophisticated threat hunting systems move beyond simply identifying malicious activity by enriching threat indicators with crucial contextual data. This correlation process links seemingly isolated events – such as unusual network traffic or suspicious file modifications – to assets, users, and business processes. For instance, a system might detect a compromised user account attempting to access sensitive data, but correlating this with contextual information reveals which data is targeted, the user’s role, and the potential business impact. This delivers actionable insights to incident responders, allowing them to prioritize investigations, contain threats more effectively, and minimize damage – shifting the focus from reactive response to proactive mitigation and informed decision-making.
The evolution of threat hunting systems is rapidly shifting toward fully automated incident response, driven by advancements in artificial intelligence. Current research prioritizes developing AI models capable of not only identifying malicious activity but also orchestrating containment and remediation efforts without human intervention. This includes dynamically adjusting network security policies, isolating compromised systems, and deploying targeted countermeasures. Furthermore, predictive analytics are being integrated to anticipate potential attacks by identifying anomalous patterns and vulnerabilities before exploitation, effectively moving beyond reactive defense to a proactive security posture. These systems aim to learn from historical data and emerging threat intelligence, continuously refining their ability to forecast and neutralize attacks with minimal human oversight, ultimately reducing the dwell time of threats and minimizing potential damage.
The pursuit of comprehensive security incident analysis, as detailed in the presented work, often results in systems burdened by excessive complexity. This research, focusing on Retrieval-Augmented Generation for log analysis, exemplifies a necessary reduction. It prioritizes actionable intelligence over exhaustive data processing. This aligns with the sentiment expressed by Marvin Minsky: “The more of a principle you have, the less of it you need.” The system’s ability to reconstruct attack sequences from raw logs, while maintaining interpretability, demonstrates a focused application of computational resources. This approach, leveraging LLMs and threat intelligence, efficiently distills signal from noise, embodying a principle of elegant problem-solving. The reduction in cost and improvement in accuracy are not merely technical achievements, but reflections of a fundamentally cleaner design.
What Remains?
The presented work offers a functional synthesis, yet a certain fragility persists. The system excels at reconstructing incident narratives given sufficient data, but the quality of those reconstructions remains tethered to the completeness and veracity of the initial log corpus. A truly robust system must account not for what is logged, but for what is systematically not. The art, then, lies in quantifying the darkness – in building models of informational entropy that anticipate gaps in observation.
Current evaluations focus on accuracy, a metric easily seduced by surface-level correlation. More critical will be measures of utility. Can such a system genuinely reduce the cognitive load on security analysts, allowing them to focus on novel threats rather than sifting through established patterns? Or does it merely automate the generation of plausible stories, obscuring the deeper, less narratively satisfying truths?
The trajectory is clear: toward systems that don’t simply respond to incidents, but actively predict them. But prediction, in this context, is not clairvoyance. It’s applied thermodynamics – a matter of minimizing free energy, of identifying the most probable paths toward system failure. The challenge isn’t building a more elaborate model of attack; it’s designing a simpler model of defense.
Original article: https://arxiv.org/pdf/2603.18196.pdf
Contact the author: https://www.linkedin.com/in/avetisyan/
2026-03-22 23:28