From Data to Decision: How GenAI is Rewriting the Rules of Cyber Forensics

In the relentless race between digital innovation and cyber defense, it can often feel like we’re playing catch-up. Now, Generative AI has entered the field, proving to be as potent a tool for attackers as it is for us. How, then, do we move from a reactive posture to one of strategic resilience? 

A compelling new study from a team of researchers at Kaunas University of Technology and Vilnius University offers a fascinating glimpse into a potential future. Published in the journal Electronics, their paper tackles one of the most fundamental challenges in modern security: the fragmented nature of our own evidence. They propose a new way of thinking, powered by GenAI, designed to bring a cohesive narrative to the chaos of a cyber incident.

The Fractured Story of Modern Forensics

The researchers from the Departments of Computer Science and Information Systems begin by identifying a critical weakness in our current methods, especially with the rise of wearables and IoT. When an incident occurs, they argue, our investigation is often split. Network forensics and application forensics operate in separate worlds. The result is a collection of disconnected clues rather than a single, coherent story of what happened. This fragmentation, the researchers contend, leaves dangerous blind spots that prevent a full understanding of malicious events.

To solve this, the research team conceptualized a novel framework built on Generative AI. Their goal was to create a system that could see the entire battlefield. The core of their proposed solution is a methodology they call “cross-layering evidence,” which synthesizes data from every level of a device, from network traffic and system logs to user behavior and application events, into a single, unified view.

Building a Cohesive Narrative with the 5Ws

The brilliance of their approach, as detailed by the interdisciplinary team, lies in its elegant structure. Their GenAI model is trained to pursue the fundamental questions of any investigation: Who, What, When, Where, and Why.

In their framework, these aren’t just abstract concepts. The GenAI is tasked with finding concrete answers from the digital breadcrumbs:

  • Who is the device owner? Who interacted with it?
  • What specific events were recorded, from GPS tracks to privilege escalations?
  • When did key activities occur, according to timestamps?
  • Where was the device located during the incident?
  • Why does the device’s behavior deviate from the user’s typical patterns?

This transforms a flood of raw data into a structured narrative, allowing an analyst to truly reconstruct the sequence of events.

The Power of Context: From a Park to a Crime Scene

But the research team didn’t stop there. They recognized that internal data tells only half the story. Their framework dramatically enhances its insights by integrating Open Source Intelligence (OSINT), using public information to add crucial external context.

Their experimental validation tells a powerful story. In one scenario, a wearable’s GPS data placed a user in a city park. To a traditional system, this is just a location. But the team’s GenAI correlated this time and place with public news reports and uncovered two significant events: a man admitting to planting a “bomb” and, on a different date, a protest involving vandalism. As the researchers demonstrate, this is the quantum leap from isolated data to actionable intelligence.

A Practical Tool for the CISO: The Incident Score

Understanding the immense pressure on security leaders to prioritize, the team from Kaunas University of Technology designed their framework to produce a tangible output: a dynamic incident score. By mathematically weighting the different 5W factors and the strength of their dependencies, the model evaluates the severity of an event.

This, the researchers propose, could be a game-changer for resource allocation. Instead of facing a wall of undifferentiated alerts, a CISO and their team could be presented with a scored, contextualized incident, enabling them to focus their finite resources on the threats that truly matter. 
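An added illustration, not code from the paper or its authors, of the two ideas above: assembling a 5W narrative from cross-layer device events, attaching only same-day, same-place OSINT as context, and reducing the result to a weighted incident score. The events, baseline, headlines and weights are all constructed placeholders, and the weighting scheme is an assumed one; the paper's actual formula is not reproduced here.

```python
"""Illustrative 5W cross-layer narrative plus weighted incident score (not the paper's own algorithm)."""
from datetime import datetime

# Constructed evidence from one wearable and its paired phone, tagged by source layer.
EVENTS = [
    {"layer": "network", "ts": "2025-05-03T13:58:00", "actor": "owner", "what": "dns_query_unknown_domain"},
    {"layer": "gps",     "ts": "2025-05-03T14:00:00", "actor": "owner", "what": "location", "where": "city_park"},
    {"layer": "system",  "ts": "2025-05-03T14:05:00", "actor": "guest", "what": "privilege_escalation"},
    {"layer": "app",     "ts": "2025-05-03T14:06:00", "actor": "guest", "what": "location_history_disabled"},
]
# Constructed baseline of the owner's typical behaviour (event types, places, hours, accounts).
BASELINE = {"what": {"dns_query_unknown_domain", "location"}, "where": {"home", "office"},
            "hours": range(8, 14), "actors": {"owner"}}
# Constructed OSINT feed as (date, place, headline); only same-day, same-place items count as context.
OSINT = [("2025-05-03", "city_park", "Man detained after claiming to have planted a bomb"),
         ("2025-04-12", "city_park", "Protest ends in vandalism")]
WEIGHTS = {"who": 0.15, "what": 0.30, "when": 0.10, "where": 0.15, "why": 0.30}  # assumed weights, sum to 1

def build_5w(events, baseline=BASELINE, osint=OSINT):
    """Answer Who/What/When/Where/Why from cross-layer events and attach matching OSINT context."""
    stamps = sorted(datetime.fromisoformat(e["ts"]) for e in events)
    places = {e["where"] for e in events if "where" in e}
    dates = {e["ts"][:10] for e in events}
    actors = {e["actor"] for e in events}
    deviations = [e["what"] for e in events if e["what"] not in baseline["what"]]
    deviations += [f"unknown_actor:{a}" for a in sorted(actors - baseline["actors"])]
    deviations += [f"unusual_place:{p}" for p in sorted(places - baseline["where"])]
    return {"who": sorted(actors), "what": [e["what"] for e in events],
            "when": (stamps[0].isoformat(), stamps[-1].isoformat()), "where": sorted(places),
            "why": deviations, "osint": [h for d, p, h in osint if d in dates and p in places]}

def incident_score(events, baseline=BASELINE, osint=OSINT, weights=WEIGHTS):
    """0-100 score: each W is rated 0..1 by how far it departs from the baseline and weighted;
    a dependency bonus applies when the Where and When line up with a public OSINT event."""
    n = build_5w(events, baseline, osint)
    located = [e for e in events if "where" in e]
    factors = {
        "who": sum(e["actor"] not in baseline["actors"] for e in events) / len(events),
        "what": sum(e["what"] not in baseline["what"] for e in events) / len(events),
        "when": sum(datetime.fromisoformat(e["ts"]).hour not in baseline["hours"] for e in events) / len(events),
        "where": (sum(e["where"] not in baseline["where"] for e in located) / len(located)) if located else 0.0,
        "why": min(1.0, 0.25 * len(n["why"])),
    }
    base = 100 * sum(weights[w] * factors[w] for w in weights)
    bonus = 10 * len(n["osint"])  # cross-layer dependency: internal time+place confirmed by public reports
    return round(min(100.0, base + bonus), 1), n

if __name__ == "__main__":
    score, narrative = incident_score(EVENTS)
    print(score, narrative["why"], narrative["osint"])  # 85.0 [...] ['Man detained ...']
```

A benign day (owner, known place, usual hours, no matching headlines) scores 0, so the same function ranks the contextualized incident above the undifferentiated noise the paragraph describes.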

The Researchers’ Vision and Sobering Caveats

The researchers, with insights from collaborators at the Vilnius University Faculty of Law, present this framework as a transformative approach to building cyber resilience. They envision a future where Security Operations Centers (SOCs) can leverage this technology to enhance real-time threat detection and automate forensic investigations.

However, they are also clear-eyed about the challenges. They caution that such a framework is heavily dependent on accurate data and immense computational power. They specifically highlight the critical risk of GenAI “hallucinations” (fabricated or misleading results), which could erode trust and severely undermine an investigation, raising legal and ethical concerns.

Their conclusion for leaders is clear: GenAI is a powerful co-pilot, but it requires constant human supervision and validation. It is a tool to augment, not replace, the expertise and judgment of your security professionals. Ultimately, the work from this research team provides more than just a technical blueprint; it offers a new strategic mindset for navigating the complexities of our time.

For Further Reading:

This article is based on: Grigaliūnas, Š., Brūzgienė, R., Driaunys, K., Danielienė, R., Veitaitė, I., et al. (2025). Navigating the CISO’s Mind by Integrating GenAI for Strategic Cyber Resilience. Electronics, 14(7), 1342. DOI: 10.3390/electronics14071342.