Open Access

ARTICLE

Retrieval-Augmented Large Language Model for AWS Cloud Threat Detection and Modelling: Cloudtrail Mitre ATT&CK Mapping

Goodness Adediran1, Kenny Awuson-David2, Yussuf Ahmed1,*

1 Department of Computer Science, Birmingham City University, Birmingham, UK
2 School of Computer Science and Informatics, De Montfort University, Leicester, UK

* Corresponding Author: Yussuf Ahmed. Email: email

Computers, Materials & Continua 2026, 87(2), 100 https://doi.org/10.32604/cmc.2026.077606

Abstract

The Amazon Web Services (AWS) CloudTrail auditing service provides detailed records of operational and security events, enabling cloud administrators to monitor user activity and manage compliance. Although signature-based threat detection methods have been enhanced with machine learning and Large Language Models (LLMs), these approaches remain limited in addressing emerging threats. This study evaluates a two-step Retrieval-Augmented Generation (RAG) approach using Gemini 2.5 Pro to improve threat detection accuracy and contextual relevance. The RAG system integrates external cybersecurity knowledge sources, including the MITRE ATT&CK framework, the AWS Threat Technique Catalogue, and threat reports, to overcome the limitations of static pre-trained LLMs. We constructed an evaluation dataset of 200 unique CloudTrail events (122 malicious, 78 benign) using the Stratus Red Team adversary emulation framework, covering 9 MITRE ATT&CK techniques across 8 tactics. Events were sampled from 1724 total events using stratified sampling. Ground-truth labels were created through systematic expert annotation with 90% inter-annotator agreement. The RAG-enabled model achieved an estimated 78% accuracy, 85% precision, and 79% F1-score, representing a 70.5% accuracy improvement and a 76.4% F1-score improvement over baseline Gemini 2.5 Pro (46% accuracy, 45% F1-score). These performance figures are based on evaluation results from the 200-event dataset. Cost-latency analysis revealed a processing time of 4.1 s and a cost of $0.00376 per event, comparable to commercial SIEM solutions while providing superior MITRE ATT&CK attribution. The findings demonstrate that RAG substantially enhances context-aware threat detection, providing actionable insights for cloud security operations.
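The retrieval step the abstract describes, as an added illustration that is not the paper's code: a Python sketch that scores a CloudTrail event against a constructed ATT&CK knowledge base by token overlap and assembles the context an LLM would then be asked to label. The technique IDs and names are real ATT&CK entries; the summaries, the two sample events, the overlap scoring and the prompt wording are assumptions made for this example, not the paper's retrieval method.

```python
import json
import re
from collections import Counter

# Constructed knowledge base: real ATT&CK IDs/names, hand-written summaries naming
# the CloudTrail API calls each technique tends to produce (a real deployment would
# retrieve from the full ATT&CK corpus and threat reports, usually by embeddings).
KNOWLEDGE_BASE = [
    ("T1562.008", "Impair Defenses: Disable or Modify Cloud Logs",
     "Adversary stops or deletes CloudTrail trails (StopLogging, DeleteTrail) to evade logging."),
    ("T1530", "Data from Cloud Storage",
     "Adversary reads objects from S3 buckets (GetObject, ListObjects) to collect data."),
    ("T1098", "Account Manipulation",
     "Adversary adds keys or policies to IAM users (CreateAccessKey, AttachUserPolicy)."),
]

# Constructed records shaped like CloudTrail events (not real log data).
STOP_LOGGING_EVENT = {
    "eventSource": "cloudtrail.amazonaws.com", "eventName": "StopLogging",
    "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
    "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/main"}}
GET_OBJECT_EVENT = {
    "eventSource": "s3.amazonaws.com", "eventName": "GetObject",
    "userIdentity": {"type": "IAMUser", "userName": "dev-user"},
    "requestParameters": {"bucketName": "finance-backups", "key": "payroll.csv"}}

def _tokens(text):
    """Lower-cased alphanumeric bag of words."""
    return Counter(re.findall(r"[a-z0-9]+", text.lower()))

def event_query(event):
    """Flatten the fields carrying most detection signal into one query string."""
    fields = [str(event.get(k, "")) for k in ("eventSource", "eventName", "errorCode")]
    fields.append(event.get("userIdentity", {}).get("type", ""))
    fields.append(json.dumps(event.get("requestParameters", {})))
    return " ".join(fields)

def retrieve(event, top_k=2):
    """Rank knowledge entries by token overlap with the event, dropping zero scores."""
    q = _tokens(event_query(event))
    scored = [(sum((q & _tokens(f"{tid} {name} {summary}")).values()), tid, name, summary)
              for tid, name, summary in KNOWLEDGE_BASE]
    return sorted((s for s in scored if s[0] > 0), reverse=True)[:top_k]

def build_prompt(event, top_k=2):
    """Second step: retrieved context plus the event, as the text handed to the LLM."""
    context = "\n".join(f"- {tid} {name}: {summary}" for _, tid, name, summary in retrieve(event, top_k))
    return ("Using only the ATT&CK context below, label the CloudTrail event as malicious "
            "or benign and name the technique.\n\nContext:\n" + context +
            "\n\nEvent:\n" + json.dumps(event, indent=1))
```

With this scoring the StopLogging record retrieves only T1562.008 and the GetObject record only T1530, so the model is grounded in the matching technique rather than the whole catalogue.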

Keywords

Retrieval-augmented generation; Amazon Web Services; LLM; cloud service provider; threat detection; threat modelling; MITRE ATT&CK; RAG-enabled model; RAG-enabled LLM system

Cite This Article

APA Style
Adediran, G., Awuson-David, K., Ahmed, Y. (2026). Retrieval-Augmented Large Language Model for AWS Cloud Threat Detection and Modelling: Cloudtrail Mitre ATT&CK Mapping. Computers, Materials & Continua, 87(2), 100. https://doi.org/10.32604/cmc.2026.077606
Vancouver Style
Adediran G, Awuson-David K, Ahmed Y. Retrieval-Augmented Large Language Model for AWS Cloud Threat Detection and Modelling: Cloudtrail Mitre ATT&CK Mapping. Comput Mater Contin. 2026;87(2):100. https://doi.org/10.32604/cmc.2026.077606
IEEE Style
G. Adediran, K. Awuson-David, and Y. Ahmed, “Retrieval-Augmented Large Language Model for AWS Cloud Threat Detection and Modelling: Cloudtrail Mitre ATT&CK Mapping,” Comput. Mater. Contin., vol. 87, no. 2, pp. 100, 2026. https://doi.org/10.32604/cmc.2026.077606



Copyright © 2026 The Author(s). Published by Tech Science Press.
This work is licensed under a Creative Commons Attribution 4.0 International License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.