RACONTEUR: A Knowledgeable, Insightful, and Portable LLM-Powered Shell Command Explainer

Jiangyi Deng

Network and Distributed System Security (NDSS) Symposium 2025 · Day 2 · Software Security: Vulnerability Detection

In the evolving landscape of cyber threats, understanding the true intent and capabilities of malicious shell commands is a critical yet often challenging task for security analysts. The "RACONTEUR: A Knowledgeable, Insightful, and Portable LLM-Powered Shell Command Explainer" talk, presented by Jiangyi Deng at the NDSS Symposium, introduces an innovative system designed to demystify these complex command-line instructions. Raconteur leverages the power of large language models (LLMs) to provide detailed, step-by-step explanations, identify the underlying behavior, and map these actions to the standardized **MITRE ATT&CK** framework, thereby significantly aiding **Security Operations Center (SOC)** personnel in threat identification and response.

AI review

Competent applied-ML security paper dressed up as a conference talk — fine-tuned LLM plus RAG for shell command explanation and MITRE ATT&CK mapping. The engineering is real, the problem is genuine, but the contribution is incremental: fine-tuning + RAG is a well-worn recipe by 2024, and the evaluation relies on NLP metrics and an undergrad user study rather than red-team or SOC deployment data.
