Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

CyberAlly: Leveraging LLMs and Knowledge Graphs to Empower Cyber Defenders

Minjune Kim, Jeff Wang, Kristen Moore, Diksha Goel, Derui Wang, Ahmad Mohsin, Ahmed Ibrahim, Robin Doss, Seyit Camtepe, Helge Janicke

TL;DR

This paper tackles alert fatigue and lack of contextual guidance in security operations by proposing CyberAlly, a knowledge-graph–augmented AI assistant for incident response within a secure cyber range. It combines duplicate-alert elimination, KG-RAG-driven dynamic prompting, and Slack-based interaction to deliver context-rich mitigation recommendations and ticketing support. The system is trained on a large, curator dataset from Red vs. Blue exercises and validated through demonstrations with Wazuh SIEM integration, static/dynamic graphs, and Cydarm ticketing. Findings suggest that CyberAlly can reduce analyst workload and improve decision accuracy in evolving threats, demonstrating practical benefits for cyber defense training and real-world operations.

Abstract

The increasing frequency and sophistication of cyberattacks demand innovative approaches to strengthen defense capabilities. Training on live infrastructure poses significant risks to organizations, making secure, isolated cyber ranges an essential tool for conducting Red vs. Blue Team training events. These events enable security teams to refine their skills without impacting operational environments. While such training provides a strong foundation, the ever-evolving nature of cyber threats necessitates additional support for effective defense. To address this challenge, we introduce CyberAlly, a knowledge graph-enhanced AI assistant designed to enhance the efficiency and effectiveness of Blue Teams during incident response. Integrated into our cyber range alongside an open-source SIEM platform, CyberAlly monitors alerts, tracks Blue Team actions, and suggests tailored mitigation recommendations based on insights from prior Red vs. Blue Team exercises. This demonstration highlights the feasibility and impact of CyberAlly in augmenting incident response and equipping defenders to tackle evolving threats with greater precision and confidence.

CyberAlly: Leveraging LLMs and Knowledge Graphs to Empower Cyber Defenders

TL;DR

This paper tackles alert fatigue and lack of contextual guidance in security operations by proposing CyberAlly, a knowledge-graph–augmented AI assistant for incident response within a secure cyber range. It combines duplicate-alert elimination, KG-RAG-driven dynamic prompting, and Slack-based interaction to deliver context-rich mitigation recommendations and ticketing support. The system is trained on a large, curator dataset from Red vs. Blue exercises and validated through demonstrations with Wazuh SIEM integration, static/dynamic graphs, and Cydarm ticketing. Findings suggest that CyberAlly can reduce analyst workload and improve decision accuracy in evolving threats, demonstrating practical benefits for cyber defense training and real-world operations.

Abstract

The increasing frequency and sophistication of cyberattacks demand innovative approaches to strengthen defense capabilities. Training on live infrastructure poses significant risks to organizations, making secure, isolated cyber ranges an essential tool for conducting Red vs. Blue Team training events. These events enable security teams to refine their skills without impacting operational environments. While such training provides a strong foundation, the ever-evolving nature of cyber threats necessitates additional support for effective defense. To address this challenge, we introduce CyberAlly, a knowledge graph-enhanced AI assistant designed to enhance the efficiency and effectiveness of Blue Teams during incident response. Integrated into our cyber range alongside an open-source SIEM platform, CyberAlly monitors alerts, tracks Blue Team actions, and suggests tailored mitigation recommendations based on insights from prior Red vs. Blue Team exercises. This demonstration highlights the feasibility and impact of CyberAlly in augmenting incident response and equipping defenders to tackle evolving threats with greater precision and confidence.

Paper Structure

This paper contains 8 sections, 3 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Methodologies and System Design
  3. Alert Filtering and Classification
  4. Dynamic Prompting using KG-RAG
  5. Slack Integration
  6. Demonstration
  7. Ethics
  8. Conclusion

Figures (3)

  • Figure 1: CyberAlly Workflow: The system automatically analyses a high volume of incoming alert messages for the Wazuh SIEM via Slack, generating intelligent suggestions for the Blue Team based on static and dynamic graph knowledge, and automates case ticket creation in Cydarm.
  • Figure 2: LLM with KG-RAG - Knowledge Graphs capture the relationships between past and present events and enhance contextual understanding.
  • Figure 3: CyberAlly in Slack. CyberAlly demo follows these steps: 1) monitor Wazuh alerts, 2) generate descriptions and suggest actions, 3) provide reasoning, 4) support decision-making, 5) create tickets in the Cydarm case management system, and 6) collect feedback.