{"id":"https://openalex.org/W7139930256","doi":"https://doi.org/10.48550/arxiv.2603.18196","title":"Retrieval-Augmented LLMs for Security Incident Analysis","display_name":"Retrieval-Augmented LLMs for Security Incident Analysis","publication_year":2026,"publication_date":"2026-03-18","ids":{"openalex":"https://openalex.org/W7139930256","doi":"https://doi.org/10.48550/arxiv.2603.18196"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2603.18196","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.18196","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2603.18196","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5004171682","display_name":"Xavier F. Cadet","orcid":"https://orcid.org/0000-0002-8545-0371"},"institutions":[],"countries":[],"is_corresponding":true,"raw_author_name":"Cadet, Xavier","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130247958","display_name":"Aditya Vikram Singh","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Singh, Aditya Vikram","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130234860","display_name":"Harsh Mamania","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Mamania, Harsh","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130221058","display_name":"Edward Koh","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Koh, Edward","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5017804259","display_name":"Alex Fitts","orcid":"https://orcid.org/0000-0002-8928-6011"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Fitts, Alex","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5037901627","display_name":"Dirk Van Bruggen","orcid":"https://orcid.org/0000-0001-9436-5200"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Van Bruggen, Dirk","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5025677911","display_name":"Simona Boboila","orcid":"https://orcid.org/0009-0003-3411-8912"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Boboila, Simona","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"middle","author":{"id":"https://openalex.org/A5130247480","display_name":"Peter Chin","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Chin, Peter","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5130226261","display_name":"Alina Oprea","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Oprea, Alina","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":9,"corresponding_author_ids":["https://openalex.org/A5004171682"],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.6169000267982483,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12127","display_name":"Software System Performance and Reliability","score":0.6169000267982483,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10400","display_name":"Network Security and Intrusion Detection","score":0.24160000681877136,"subfield":{"id":"https://openalex.org/subfields/1705","display_name":"Computer Networks and Communications"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10734","display_name":"Information and Cyber Security","score":0.03709999844431877,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.7124999761581421},{"id":"https://openalex.org/keywords/context","display_name":"Context (archaeology)","score":0.6585999727249146},{"id":"https://openalex.org/keywords/directory","display_name":"Directory","score":0.5831000208854675},{"id":"https://openalex.org/keywords/intrusion-detection-system","display_name":"Intrusion detection system","score":0.5564000010490417},{"id":"https://openalex.org/keywords/authentication","display_name":"Authentication (law)","score":0.5194000005722046},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.39629998803138733},{"id":"https://openalex.org/keywords/security-analysis","display_name":"Security analysis","score":0.3813999891281128}],"concepts":[{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7311999797821045},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.7124999761581421},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.6690999865531921},{"id":"https://openalex.org/C2779343474","wikidata":"https://www.wikidata.org/wiki/Q3109175","display_name":"Context (archaeology)","level":2,"score":0.6585999727249146},{"id":"https://openalex.org/C2777683733","wikidata":"https://www.wikidata.org/wiki/Q201456","display_name":"Directory","level":2,"score":0.5831000208854675},{"id":"https://openalex.org/C35525427","wikidata":"https://www.wikidata.org/wiki/Q745881","display_name":"Intrusion detection system","level":2,"score":0.5564000010490417},{"id":"https://openalex.org/C148417208","wikidata":"https://www.wikidata.org/wiki/Q4825882","display_name":"Authentication (law)","level":2,"score":0.5194000005722046},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.39629998803138733},{"id":"https://openalex.org/C38369872","wikidata":"https://www.wikidata.org/wiki/Q7445009","display_name":"Security analysis","level":2,"score":0.3813999891281128},{"id":"https://openalex.org/C182590292","wikidata":"https://www.wikidata.org/wiki/Q989632","display_name":"Network security","level":2,"score":0.3102000057697296},{"id":"https://openalex.org/C71745522","wikidata":"https://www.wikidata.org/wiki/Q2476929","display_name":"Confidentiality","level":2,"score":0.299699991941452},{"id":"https://openalex.org/C2781251061","wikidata":"https://www.wikidata.org/wiki/Q5416089","display_name":"Evasion (ethics)","level":3,"score":0.2955999970436096},{"id":"https://openalex.org/C2781345505","wikidata":"https://www.wikidata.org/wiki/Q2535979","display_name":"Blacklist","level":2,"score":0.2727000117301941},{"id":"https://openalex.org/C132964779","wikidata":"https://www.wikidata.org/wiki/Q2110223","display_name":"Raw data","level":2,"score":0.2720000147819519},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.265500009059906},{"id":"https://openalex.org/C2781317605","wikidata":"https://www.wikidata.org/wiki/Q7832483","display_name":"Traffic analysis","level":2,"score":0.26339998841285706},{"id":"https://openalex.org/C138338577","wikidata":"https://www.wikidata.org/wiki/Q756230","display_name":"Directory service","level":3,"score":0.2615000009536743},{"id":"https://openalex.org/C158251709","wikidata":"https://www.wikidata.org/wiki/Q354025","display_name":"Intrusion","level":2,"score":0.25429999828338623}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2603.18196","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.18196","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2603.18196","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2603.18196","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"id":"https://metadata.un.org/sdg/9","display_name":"Industry, innovation and infrastructure","score":0.4697347581386566}],"awards":[],"funders":[],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Investigating":[0],"cybersecurity":[1],"incidents":[2,101],"requires":[3],"collecting":[4],"and":[5,19,38,57,86,102,115,123,143,165],"analyzing":[6],"evidence":[7],"from":[8,75],"multiple":[9],"log":[10],"sources,":[11],"including":[12],"intrusion":[13],"detection":[14,156],"alerts,":[15],"network":[16],"traffic":[17,100],"records,":[18],"authentication":[20],"events.":[21],"This":[22],"process":[23],"is":[24],"labor-intensive:":[25],"analysts":[26],"must":[27],"sift":[28],"through":[29,53],"large":[30],"volumes":[31],"of":[32],"data":[33],"to":[34,72,82,167],"identify":[35],"relevant":[36,80],"indicators":[37,74],"piece":[39],"together":[40],"what":[41],"happened.":[42],"We":[43,90,108],"present":[44],"a":[45,64,103],"RAG-based":[46,183],"system":[47,62,93],"that":[48,110,177],"performs":[49],"security":[50,195],"incident":[51],"analysis":[52,196],"targeted":[54,179],"query-based":[55,180],"filtering":[56,181],"LLM":[58,96,198],"semantic":[59],"reasoning.":[60],"The":[61],"uses":[63],"query":[65],"library":[66],"with":[67,94,117,170,182],"associated":[68],"MITRE":[69],"ATT&amp;CK":[70],"techniques":[71],"extract":[73],"raw":[76],"logs,":[77],"then":[78],"retrieves":[79],"context":[81,199],"answer":[83],"forensic":[84],"questions":[85],"reconstruct":[87],"attack":[88],"sequences.":[89],"evaluate":[91],"the":[92,158],"eight":[95],"configurations":[97],"on":[98,157],"malware":[99,132],"multi-stage":[104],"Active":[105,159],"Directory":[106,160],"attack.":[107],"find":[109],"LLMs":[111],"have":[112],"different":[113],"performance":[114],"tradeoffs,":[116],"Claude":[118,140],"Sonnet":[119],"4":[120],"achieving":[121,126],"94%":[122],"DeepSeek":[124,135],"V3":[125],"89%":[127],"average":[128],"recall":[129,149,169],"across":[130],"17":[131],"scenarios,":[133],"while":[134],"costs":[136],"15$\\times$":[137],"less":[138],"than":[139],"per":[141],"analysis,":[142],"locally-deployed":[144],"Llama":[145],"3.1:70b":[146],"achieves":[147],"81%":[148],"at":[150],"zero":[151],"per-query":[152],"cost.":[153],"Attack":[154],"step":[155],"scenario":[161],"reaches":[162],"100%":[163],"precision":[164],"up":[166],"96%":[168],"an":[171],"enumeration":[172],"prompt.":[173],"These":[174],"results":[175],"demonstrate":[176],"combining":[178],"retrieval":[184],"--":[185,191],"confirmed":[186],"essential":[187],"by":[188],"ablation":[189],"studies":[190],"enables":[192],"accurate,":[193],"cost-effective":[194],"within":[197],"limits.":[200]},"counts_by_year":[],"updated_date":"2026-05-06T06:03:25.996018","created_date":"2026-03-21T00:00:00"}