Volume 2 - Issue 1, January - February 2026
📑 Paper Information

| Field | Value |
|---|---|
| 📑 Paper Title | Integrating RAG-Based Forensics and Real-Time Detection: A Dual LLM Framework for Network Intrusion Analysis |
| 👤 Authors | Smrity K Dinesh, Yashika Pal, Sajal Kumar |
| 📘 Published Issue | Volume 2 Issue 1 |
| 📅 Year of Publication | 2026 |
| 🆔 Unique Identification Number | IJAMRED-V2I1P27 |
📝 Abstract
The escalating sophistication of cyberattacks necessitates intrusion detection systems that go beyond traditional rule-based approaches. This paper presents a proof-of-concept dual-system architecture that leverages Large Language Models (LLMs) for both retrospective forensic analysis and real-time network threat detection. Our architectural contribution integrates: (1) an Offline RAG Forensic System that uses Retrieval-Augmented Generation with ChromaDB vector storage for semantic querying of historical incidents, and (2) a Real-Time Hybrid Heuristic-LLM IDS that combines lightweight rule-based pre-filtering with selective LLM analysis for ambiguous cases. The offline system demonstrates 90% recall on forensic queries, while the real-time system achieves 91% accuracy in controlled validation. Critically, heuristic rules handle most attack detections (port scans, floods), with LLM reasoning reserved for complex reconnaissance patterns. We evaluate on UNSW-NB15 benchmark data and synthetically generated attack flows, explicitly acknowledging these as controlled proof-of-concept validations rather than production evaluations. The primary contribution is the complementary architecture addressing both forensic investigation and active defense, a gap in existing unified frameworks; validation on live traffic and modern datasets is identified as an essential next step.
📝 How to Cite
Smrity K Dinesh, Yashika Pal, Sajal Kumar, "Integrating RAG-Based Forensics and Real-Time Detection: A Dual LLM Framework for Network Intrusion Analysis", International Journal of Scientific Research and Engineering Development, Vol. 2, Issue 1, pp. 170-176, Jan-Feb 2026. ISSN: 3107-6513. www.ijamred.com. Published by Scientific and Academic Research Publishing.