🤖 AI Summary
Large language models (LLMs) face significant limitations in cybersecurity defense due to hallucination, weak temporal reasoning, and shallow contextual understanding, hindering their ability to support reliable decision-making in high-stakes, dynamic adversarial scenarios. To address these challenges, this work proposes DEFENGRAPH, a novel static-dynamic dual-layer knowledge graph framework tailored for blue team operations. By integrating graph-based path retrieval, LLM-guided context filtering, and reasoning re-ranking mechanisms, DEFENGRAPH enables temporally aware and contextually faithful inference. The approach fuses multi-source data—including SIEM alerts, system topology, and attacker behavior—and demonstrates substantial performance gains in real-world red-team/blue-team engagements. Evaluated on mainstream models such as GPT-4o, it achieves a defense-action recall of up to 50 items—surpassing the baseline of 36—while maintaining a low error rate.
📝 Abstract
Large Language Models (LLMs) show promise for supporting decision-making in cybersecurity, but their reliability in high-stakes, time-evolving environments remains limited due to hallucinations, poor temporal reasoning, and shallow grounding in system context. We introduce DEFENGRAPH, an LLM-driven assistant designed to support human defenders during cybersecurity incidents. DEFENGRAPH improves contextual reasoning by integrating a dual-layer Static-Dynamic Knowledge Graph (KG) with graph-based path retrieval, LLM-driven contextual filtering, and reasoning-based re-ranking. The framework grounds LLM outputs in both long-term domain knowledge and evolving event context, enabling faithful and temporally aware decision support. We evaluate DEFENGRAPH in a cyber defense setting using knowledge graphs constructed from heterogeneous security artifacts, including SIEM alerts, system topology, attacker behaviors, and prior defensive actions. The evaluation uses data collected during live Red vs. Blue team cyber range exercises simulating attacks on critical infrastructure, which generate realistic and noisy datasets reflecting real-world defender workflows and system dynamics. Evaluations across four prevalent LLMs show that DEFENGRAPH sets a new state-of-the-art: on GPT-4o it boosts reasoning-recall from 61.45\% to 73.49\% and ticket-action recall from 52.17% to 72.46% (precision 24.49\% to 29.24\%), with similar gains on LLaMA-3 (46.99\% to 61.45\%), DeepSeek-R1 (45.78\% to 56.63\%) and QWen-3 (51.81\% to 59.04\%), while surfacing up to 50 correct defense actions versus 36 for the next best baseline and holding fault rates steady.