Retrieval-Augmented Generation (RAG) has emerged as the dominant architectural pattern for operationalizing Large Language Model (LLM) usage in Cyber Threat Intelligence (CTI) systems. However, this design is susceptible to poisoning attacks, and previously proposed defenses can fail in CTI contexts, because cyber threat information about emerging attacks is often entirely new, and sophisticated threat actors can mimic legitimate formats, terminology, and stylistic conventions. To address this issue, we propose that the robustness of modern RAG defenses can be accelerated by applying source credibility algorithms to the corpus, using PageRank as an example. In our experiments, we demonstrate quantitatively on the standardized MS MARCO dataset that our algorithm assigns a lower authority score to malicious documents while promoting trusted content. We also demonstrate proof-of-concept performance of our algorithm on CTI documents and feeds.
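To make the idea concrete, the following added example (written for this page, not code from the paper) runs a plain power-iteration PageRank over a small constructed citation graph of CTI documents and then re-weights retriever similarity scores by the resulting authority. The document ids, the citation links, the similarity values, and the multiplicative "similarity times normalised authority" combination rule are all assumptions chosen for illustration; the paper's actual scoring and integration with the RAG pipeline may differ. The poisoned document is given the highest raw similarity to the query, mirroring an attacker who mimics the style of trusted feeds, and it cites the trusted sources, but nothing trusted cites it back, which is what leaves it with the minimum attainable PageRank.

```python
from typing import Dict, List, Tuple

# Constructed toy CTI corpus (sample data for this example, not from the paper):
# each document id maps to the documents it cites or links to.
CITATIONS: Dict[str, List[str]] = {
    "vendor-advisory": ["cert-bulletin", "isac-feed"],
    "cert-bulletin": ["vendor-advisory", "isac-feed"],
    "isac-feed": ["vendor-advisory", "cert-bulletin", "community-blog"],
    "community-blog": ["cert-bulletin"],
    # The poisoned document copies the format and cites the trusted sources,
    # but no trusted source links back to it.
    "poisoned-doc": ["vendor-advisory", "cert-bulletin", "isac-feed"],
}

# Constructed retriever output: similarity of each document to one query.
# The poisoned document matches the query best, as a style-mimicking attacker intends.
SIMILARITY: Dict[str, float] = {
    "poisoned-doc": 0.95,
    "vendor-advisory": 0.82,
    "cert-bulletin": 0.80,
    "isac-feed": 0.78,
    "community-blog": 0.70,
}


def pagerank(graph: Dict[str, List[str]], damping: float = 0.85,
             max_iter: int = 200, tol: float = 1e-12) -> Dict[str, float]:
    """Standard power-iteration PageRank over a directed citation graph."""
    # Every cited document becomes a node, even if it has no out-links of its own.
    nodes = list(graph)
    for targets in graph.values():
        for t in targets:
            if t not in nodes:
                nodes.append(t)
    out = {v: graph.get(v, []) for v in nodes}
    n = len(nodes)
    rank = {v: 1.0 / n for v in nodes}
    for _ in range(max_iter):
        # Rank held by documents with no out-links is spread uniformly (dangling mass).
        dangling = sum(rank[v] for v in nodes if not out[v])
        new = {}
        for v in nodes:
            inbound = sum(rank[u] / len(out[u]) for u in nodes if v in out[u])
            new[v] = (1 - damping) / n + damping * (inbound + dangling / n)
        delta = sum(abs(new[v] - rank[v]) for v in nodes)
        rank = new
        if delta < tol:
            break
    return rank


def rerank(similarity: Dict[str, float],
           authority: Dict[str, float]) -> List[Tuple[str, float]]:
    """Assumed combination rule: similarity scaled by authority normalised to the top document."""
    top = max(authority.values())
    scored = {d: sim * (authority[d] / top) for d, sim in similarity.items()}
    return sorted(scored.items(), key=lambda kv: kv[1], reverse=True)


def run_example() -> Tuple[Dict[str, float], List[Tuple[str, float]]]:
    """Return (authority scores, authority-weighted retrieval order) for the toy corpus."""
    authority = pagerank(CITATIONS)
    return authority, rerank(SIMILARITY, authority)


if __name__ == "__main__":
    authority, ranked = run_example()
    for doc, a in sorted(authority.items(), key=lambda kv: -kv[1]):
        print(f"{doc:16s} authority={a:.3f} similarity={SIMILARITY[doc]:.2f}")
    print("retrieval order after authority weighting:", [d for d, _ in ranked])
```

With no inbound links and no dangling nodes in the graph, the poisoned document's score is exactly the teleport term (1 - d)/n, the floor of the distribution, so it drops from first to last once similarity is weighted by authority. The same mechanism also gives a legitimate but uncited newcomer a low score, which is the trade-off any link-based credibility signal carries and a reason to combine it with other signals rather than use it alone.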