{"id":"https://openalex.org/W4407509125","doi":"https://doi.org/10.3390/computers14020067","title":"Advancing Cyber Incident Timeline Analysis Through Retrieval-Augmented Generation and Large Language Models","display_name":"Advancing Cyber Incident Timeline Analysis Through Retrieval-Augmented Generation and Large Language Models","publication_year":2025,"publication_date":"2025-02-13","ids":{"openalex":"https://openalex.org/W4407509125","doi":"https://doi.org/10.3390/computers14020067"},"language":"en","primary_location":{"id":"doi:10.3390/computers14020067","is_oa":true,"landing_page_url":"https://doi.org/10.3390/computers14020067","pdf_url":"https://www.mdpi.com/2073-431X/14/2/67/pdf?version=1739466261","source":{"id":"https://openalex.org/S4210228075","display_name":"Computers","issn_l":"2073-431X","issn":["2073-431X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers","raw_type":"journal-article"},"type":"article","indexed_in":["crossref","doaj"],"open_access":{"is_oa":true,"oa_status":"gold","oa_url":"https://www.mdpi.com/2073-431X/14/2/67/pdf?version=1739466261","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5107689731","display_name":"Fatma Yasmine Loumachi","orcid":null},"institutions":[{"id":"https://openalex.org/I126193024","display_name":"London Metropolitan University","ror":"https://ror.org/00ae33288","country_code":"GB","type":"education","lineage":["https://openalex.org/I126193024"]}],"countries":["GB"],"is_corresponding":false,"raw_author_name":"Fatma Yasmine Loumachi","raw_affiliation_strings":["Cyber Security Research Centre, London Metropolitan University, London N7 8DB, UK"],"affiliations":[{"raw_affiliation_string":"Cyber Security Research Centre, London Metropolitan University, London N7 8DB, UK","institution_ids":["https://openalex.org/I126193024"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5101549630","display_name":"Mohamed Chahine Ghanem","orcid":"https://orcid.org/0000-0002-7067-7848"},"institutions":[{"id":"https://openalex.org/I126193024","display_name":"London Metropolitan University","ror":"https://ror.org/00ae33288","country_code":"GB","type":"education","lineage":["https://openalex.org/I126193024"]},{"id":"https://openalex.org/I146655781","display_name":"University of Liverpool","ror":"https://ror.org/04xs57h96","country_code":"GB","type":"education","lineage":["https://openalex.org/I146655781"]}],"countries":["GB"],"is_corresponding":true,"raw_author_name":"Mohamed Chahine Ghanem","raw_affiliation_strings":["Cyber Security Research Centre, London Metropolitan University, London N7 8DB, UK","Cybersecurity Institute Liverpool, University of Liverpool, Liverpool L69 7ZX, UK"],"affiliations":[{"raw_affiliation_string":"Cyber Security Research Centre, London Metropolitan University, London N7 8DB, UK","institution_ids":["https://openalex.org/I126193024"]},{"raw_affiliation_string":"Cybersecurity Institute Liverpool, University of Liverpool, Liverpool L69 7ZX, UK","institution_ids":["https://openalex.org/I146655781"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5026903935","display_name":"Mohamed Amine Ferrag","orcid":"https://orcid.org/0000-0002-0632-3172"},"institutions":[{"id":"https://openalex.org/I4210097536","display_name":"University of Guelma","ror":"https://ror.org/00xe6p546","country_code":"DZ","type":"education","lineage":["https://openalex.org/I4210097536"]}],"countries":["DZ"],"is_corresponding":false,"raw_author_name":"Mohamed Amine Ferrag","raw_affiliation_strings":["Department of Computer Science, Guelma University, Guelma 24000, Algeria"],"affiliations":[{"raw_affiliation_string":"Department of Computer Science, Guelma University, Guelma 24000, Algeria","institution_ids":["https://openalex.org/I4210097536"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":3,"corresponding_author_ids":["https://openalex.org/A5101549630"],"corresponding_institution_ids":["https://openalex.org/I126193024","https://openalex.org/I146655781"],"apc_list":{"value":1600,"currency":"CHF","value_usd":1732},"apc_paid":{"value":1600,"currency":"CHF","value_usd":1732},"fwci":31.6594,"has_fulltext":true,"cited_by_count":15,"citation_normalized_percentile":{"value":0.99714678,"is_in_top_1_percent":true,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":99,"max":100},"biblio":{"volume":"14","issue":"2","first_page":"67","last_page":"67"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11719","display_name":"Data Quality and Management","score":0.9850000143051147,"subfield":{"id":"https://openalex.org/subfields/1803","display_name":"Management Science and Operations Research"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},"topics":[{"id":"https://openalex.org/T11719","display_name":"Data Quality and Management","score":0.9850000143051147,"subfield":{"id":"https://openalex.org/subfields/1803","display_name":"Management Science and Operations Research"},"field":{"id":"https://openalex.org/fields/18","display_name":"Decision Sciences"},"domain":{"id":"https://openalex.org/domains/2","display_name":"Social Sciences"}},{"id":"https://openalex.org/T11512","display_name":"Anomaly Detection Techniques and Applications","score":0.9728999733924866,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T13083","display_name":"Advanced Text Analysis Techniques","score":0.9467999935150146,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/timeline","display_name":"Timeline","score":0.9318466186523438},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.6093682050704956},{"id":"https://openalex.org/keywords/information-retrieval","display_name":"Information retrieval","score":0.4430042803287506},{"id":"https://openalex.org/keywords/natural-language-processing","display_name":"Natural language processing","score":0.3727899193763733},{"id":"https://openalex.org/keywords/statistics","display_name":"Statistics","score":0.11339899897575378},{"id":"https://openalex.org/keywords/mathematics","display_name":"Mathematics","score":0.09533601999282837}],"concepts":[{"id":"https://openalex.org/C4438859","wikidata":"https://www.wikidata.org/wiki/Q186117","display_name":"Timeline","level":2,"score":0.9318466186523438},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.6093682050704956},{"id":"https://openalex.org/C23123220","wikidata":"https://www.wikidata.org/wiki/Q816826","display_name":"Information retrieval","level":1,"score":0.4430042803287506},{"id":"https://openalex.org/C204321447","wikidata":"https://www.wikidata.org/wiki/Q30642","display_name":"Natural language processing","level":1,"score":0.3727899193763733},{"id":"https://openalex.org/C105795698","wikidata":"https://www.wikidata.org/wiki/Q12483","display_name":"Statistics","level":1,"score":0.11339899897575378},{"id":"https://openalex.org/C33923547","wikidata":"https://www.wikidata.org/wiki/Q395","display_name":"Mathematics","level":0,"score":0.09533601999282837}],"mesh":[],"locations_count":3,"locations":[{"id":"doi:10.3390/computers14020067","is_oa":true,"landing_page_url":"https://doi.org/10.3390/computers14020067","pdf_url":"https://www.mdpi.com/2073-431X/14/2/67/pdf?version=1739466261","source":{"id":"https://openalex.org/S4210228075","display_name":"Computers","issn_l":"2073-431X","issn":["2073-431X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers","raw_type":"journal-article"},{"id":"pmh:oai:repository.londonmet.ac.uk:10080","is_oa":true,"landing_page_url":null,"pdf_url":"https://repository.londonmet.ac.uk/10080/7/computers-14-00067.pdf","source":{"id":"https://openalex.org/S4306400140","display_name":"London Met Repository (London Metropolitan University)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I126193024","host_organization_name":"London Metropolitan University","host_organization_lineage":["https://openalex.org/I126193024"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"PeerReviewed"},{"id":"pmh:oai:doaj.org/article:bf10caf136d24086b51806423bb11af2","is_oa":true,"landing_page_url":"https://doaj.org/article/bf10caf136d24086b51806423bb11af2","pdf_url":null,"source":{"id":"https://openalex.org/S112646816","display_name":"SHILAP Revista de lepidopterolog\u00eda","issn_l":"0300-5267","issn":["0300-5267","2340-4078"],"is_oa":true,"is_in_doaj":true,"is_core":false,"host_organization":null,"host_organization_name":null,"host_organization_lineage":[],"host_organization_lineage_names":[],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"Computers, Vol 14, Iss 2, p 67 (2025)","raw_type":"article"}],"best_oa_location":{"id":"doi:10.3390/computers14020067","is_oa":true,"landing_page_url":"https://doi.org/10.3390/computers14020067","pdf_url":"https://www.mdpi.com/2073-431X/14/2/67/pdf?version=1739466261","source":{"id":"https://openalex.org/S4210228075","display_name":"Computers","issn_l":"2073-431X","issn":["2073-431X"],"is_oa":true,"is_in_doaj":true,"is_core":true,"host_organization":"https://openalex.org/P4310310987","host_organization_name":"Multidisciplinary Digital Publishing Institute","host_organization_lineage":["https://openalex.org/P4310310987"],"host_organization_lineage_names":["Multidisciplinary Digital Publishing Institute"],"type":"journal"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Computers","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[],"funders":[],"has_content":{"pdf":true,"grobid_xml":true},"content_urls":{"pdf":"https://content.openalex.org/works/W4407509125.pdf","grobid_xml":"https://content.openalex.org/works/W4407509125.grobid-xml"},"referenced_works_count":42,"referenced_works":["https://openalex.org/W1988932279","https://openalex.org/W2009229022","https://openalex.org/W2628759714","https://openalex.org/W2996791554","https://openalex.org/W3085967635","https://openalex.org/W4317748910","https://openalex.org/W4367309809","https://openalex.org/W4386701652","https://openalex.org/W4388676551","https://openalex.org/W4390585076","https://openalex.org/W4391136507","https://openalex.org/W4391857513","https://openalex.org/W4392452933","https://openalex.org/W4394579450","https://openalex.org/W4394619840","https://openalex.org/W4399039363","https://openalex.org/W4399268971","https://openalex.org/W4399338566","https://openalex.org/W4400113208","https://openalex.org/W4400578969","https://openalex.org/W4402036612","https://openalex.org/W4402371950","https://openalex.org/W4402474736","https://openalex.org/W4402811916","https://openalex.org/W4403024522","https://openalex.org/W4403585381","https://openalex.org/W4403792159","https://openalex.org/W4403904079","https://openalex.org/W4403937515","https://openalex.org/W4404181035","https://openalex.org/W4404782883","https://openalex.org/W4404783788","https://openalex.org/W4405980221","https://openalex.org/W4406563968","https://openalex.org/W4407099782","https://openalex.org/W6739901393","https://openalex.org/W6854330873","https://openalex.org/W6855655376","https://openalex.org/W6860039412","https://openalex.org/W6868526924","https://openalex.org/W6871351606","https://openalex.org/W7006660887"],"related_works":["https://openalex.org/W4391375266","https://openalex.org/W2899084033","https://openalex.org/W2748952813","https://openalex.org/W1858249912","https://openalex.org/W2114034199","https://openalex.org/W4391249598","https://openalex.org/W2317428717","https://openalex.org/W2734259032","https://openalex.org/W3094038556","https://openalex.org/W2014772881"],"abstract_inverted_index":{"Cyber":[0],"timeline":[1,5,63,232],"analysis":[2,6],"or":[3],"forensic":[4],"is":[7],"critical":[8],"in":[9,91,185,226],"digital":[10],"forensics":[11],"and":[12,21,25,32,50,62,118,143,172,203,213,249,257],"incident":[13,120,151,183,258],"response":[14],"(DFIR)":[15],"investigations.":[16],"It":[17],"involves":[18],"examining":[19],"artefacts":[20],"events\u2014particularly":[22],"their":[23],"timestamps":[24],"associated":[26],"metadata\u2014to":[27],"detect":[28],"anomalies,":[29],"establish":[30],"correlations,":[31],"reconstruct":[33],"a":[34,72,104,129,133,146,169,186,234],"detailed":[35,170],"sequence":[36],"of":[37,87,137,215,224,230,244],"the":[38,85,138,154,164,199,211,216,221,228,242],"incident.":[39,139],"Traditional":[40],"approaches":[41],"rely":[42],"on":[43,158,180],"processing":[44],"structured":[45],"artefacts,":[46],"such":[47],"as":[48,123],"logs":[49],"filesystem":[51],"metadata,":[52],"using":[53,192],"multiple":[54],"specialised":[55],"tools":[56],"for":[57,94,253],"evidence":[58],"identification,":[59],"feature":[60],"extraction,":[61],"reconstruction.":[64,259],"This":[65,238],"paper":[66],"introduces":[67],"an":[68],"innovative":[69],"framework,":[70],"GenDFIR,":[71],"context-specific":[73,194],"approach":[74,110],"powered":[75],"via":[76],"large":[77],"language":[78],"model":[79],"(LLM)":[80],"capabilities.":[81],"Specifically,":[82],"it":[83],"proposes":[84],"use":[86],"Llama":[88],"3.1":[89],"8B":[90],"zero-shot,":[92],"selected":[93],"its":[95],"ability":[96],"to":[97,197,209],"understand":[98],"cyber":[99,182],"threat":[100,255],"nuances,":[101],"integrated":[102],"with":[103,189],"retrieval-augmented":[105],"generation":[106],"(RAG)":[107],"agent.":[108],"Our":[109,218],"comprises":[111],"two":[112],"main":[113],"stages:":[114],"(1)":[115],"Data":[116],"preprocessing":[117],"structuring:":[119],"events,":[121],"represented":[122],"textual":[124],"data,":[125],"are":[126],"transformed":[127],"into":[128],"well-structured":[130],"document,":[131],"forming":[132],"comprehensive":[134],"knowledge":[135,155],"base":[136,156],"(2)":[140],"Context":[141],"retrieval":[142],"semantic":[144,173],"enrichment:":[145],"RAG":[147],"agent":[148],"retrieves":[149],"relevant":[150],"events":[152,184],"from":[153],"based":[157],"user":[159],"prompts.":[160],"The":[161,175],"LLM":[162],"processes":[163],"pertinent":[165],"retrieved":[166],"context,":[167],"enabling":[168],"interpretation":[171],"enhancement.":[174],"proposed":[176],"framework":[177],"was":[178],"tested":[179],"synthetic":[181],"controlled":[187],"environment,":[188],"results":[190],"assessed":[191],"DFIR-tailored,":[193],"metrics":[195],"designed":[196],"evaluate":[198],"framework\u2019s":[200],"performance,":[201],"reliability,":[202],"robustness,":[204],"supported":[205],"by":[206],"human":[207],"evaluation":[208],"validate":[210],"accuracy":[212],"reliability":[214],"outcomes.":[217],"findings":[219],"demonstrate":[220],"practical":[222],"power":[223],"LLMs":[225],"advancing":[227],"automation":[229],"cyber-incident":[231],"analysis,":[233],"subfield":[235],"within":[236],"DFIR.":[237],"research":[239],"also":[240],"highlights":[241],"potential":[243],"generative":[245],"AI,":[246],"particularly":[247],"LLMs,":[248],"opens":[250],"new":[251],"possibilities":[252],"advanced":[254],"detection":[256]},"counts_by_year":[{"year":2026,"cited_by_count":5},{"year":2025,"cited_by_count":10}],"updated_date":"2026-03-29T08:15:47.926485","created_date":"2025-02-14T00:00:00"}