Towards the Application of GraphRAG to Network Security
DOI: https://doi.org/10.32473/flairs.38.1.138895
Keywords: Large Language Models, Artificial Intelligence, GraphRAG, Network Security, Cybersecurity
Abstract
The adoption of large language models (LLMs) has facilitated significant advancements in natural language processing. In a short space of time, LLMs have permeated a wide array of disciplines including healthcare, finance, education, etc. However, in their native form, LLMs retain information in their parameters, which sometimes causes the underlying models to produce inaccurate results or hallucinations. To that end, Retrieval-Augmented Generation (RAG) has been proposed to address some of the challenges of LLMs by referencing an external knowledge base while formulating a response to queries. Still, traditional RAG fails to handle the complex structure of relationships among different entities in structured data such as knowledge graphs. GraphRAG, a successor of basic RAG, leverages structural information contained in graphs to enable more precise and comprehensive retrieval, thereby facilitating more accurate, context-aware responses. GraphRAG has been applied in many domains, but its use in a cybersecurity context has not been widely explored. In this research, we propose a framework that applies GraphRAG to network security monitoring. By generating knowledge graphs from network logs, we provide LLMs with more structured data, backed by an ontology, that enables the models to perform high-level reasoning to answer questions regarding the security posture of an organization more accurately.
License
Copyright (c) 2025 Dr. Marco Carvalho, Fitzroy Nembhard, Dhanish Mehta

This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License.