Ais1on
Cyber Threat Intelligence RAG framework
Top 86.6% on SourcePulse
Summary
CTI-RAG is a Retrieval-Augmented Generation (RAG) framework for Cyber Threat Intelligence (CTI), integrating knowledge graph construction and causal reasoning. It provides security analysts with an intelligent analysis tool to enhance CTI comprehension and actionable insights.
How It Works
The framework comprises a RAG module (LangChain, PgSQL for text, vector DBs like FAISS) for document retrieval/generation; a KG module for LLM-based entity-relation extraction and Neo4j storage; and a Causal Reasoning module using discrete-time topological Hawkes processes and RL for inference. A FastAPI backend serves these functionalities.
Quick Start & Requirements
Clone the repo and run pip install -r requirements.txt. Configure environment variables in .env for LLM models (e.g., deepseek-ai/DeepSeek-V2.5), API keys (SiliconFlow, optional OpenAI), and Neo4j credentials. Prerequisites include a running Neo4j instance (http://localhost:7474/browser/) and Milvus (milvus-server --data ./milvus_lite). Launch with python ./main.py. Frontend: https://github.com/rstarall/br-cti-chat.
Maintenance & Community
Contributions follow a standard fork/branch/PR workflow. A frontend repository is linked. No specific community channels are detailed.
Licensing & Compatibility
Licensed under the MIT License, permitting broad use, including commercial applications.
Limitations & Caveats
Setup complexity arises from managing external services (Neo4j, Milvus) and configuring API keys. Reliance on specific LLM models and external APIs may introduce dependencies and cost considerations.