Framework for Incident Identification Based on LLMs and Cybersecurity Ontologies
Authors: Wallace A. Pinheiro, Ricardo Q.A. Fernandes
Journal: International Journal of Intelligent Systems and Applications @ijisa
Article in issue: 2 vol. 18, 2026.
Free access
Accurate and immediate incident identification is essential in the cybersecurity area, as it allows the timely detection of threats, along with countermeasures and mitigation, ensuring security for organizations and individuals. This reduces false positives and enables efforts to be concentrated on real risks. This paper presents a framework that integrates ontologies and Large Language Models (LLMs) to identify incidents from events within the context of security threats. Ontology rules are employed to infer probable incidents, resulting in an initial set of incidents for analysis. Furthermore, ontologies provide contextual information, which is combined with event data to formulate queries for LLMs. These interactions with LLMs produce a second set of probable incidents. The outputs from ontology-based inferences and LLM-driven responses are then compared, and the discrepancies are leveraged to refine ontology rules and adjust LLM responses. Experimental results, focusing on context generation and incident detection, demonstrate that the integration of ontologies and LLMs significantly enhances the accuracy of incident identification when compared to using only LLMs.
Keywords: LLM, Ontology, Security, Event, Incident
Short address: https://sciup.org/15020324
IDR: 15020324 | DOI: 10.5815/ijisa.2026.02.09