This thesis presents a malicious behavior detection system that integrates a large language model (LLM) with process tree analysis, designed specifically for Windows Sysmon event logs. Sysmon records rich system activity, including process creation and command execution, but the volume and contextual complexity of its logs hinder traditional rule-based analysis and leave it poorly suited to novel attack patterns. Our system integrates process tree reconstruction, semantic vector matching, Retrieval-Augmented Generation (RAG), and in-context LLM analysis. It automatically detects suspicious process flows, explains in natural language why an event is anomalous, and recommends mitigation strategies. To evaluate the system, we conducted experiments comparing scenarios with and without RAG, using three open-source LLMs of different sizes and parameter counts (Mistral-7B, phi-2, TinyLlama-1.1B). The evaluation metrics were Precision, F1-score, and False Positive Rate, with test data comprising both open-source attack samples and simulated benign process trees. Results show that RAG improves Precision and F1-score by an average of 14%-17% across all three models while reducing the false positive rate by over 10%; the improvement is most pronounced for the lightweight models. These results demonstrate that the approach remains practical and explainable across diverse computational environments.
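The two building blocks the abstract names, process tree reconstruction from Sysmon records and scoring a detector by Precision, F1-score and False Positive Rate, are shown below as an added example; this is not the thesis's own code. It assumes only the standard Sysmon Event ID 1 (process creation) field names `ProcessGuid`, `ParentProcessGuid`, `Image` and `CommandLine`; the event records and the detector labels are constructed for illustration, and the rendered tree is the kind of text context such a pipeline would hand to an LLM.

```python
"""Added example (not the thesis's code): rebuild Sysmon process trees and
score a detector with Precision, F1-score and False Positive Rate."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class ProcNode:
    guid: str
    image: str
    cmdline: str
    children: List["ProcNode"] = field(default_factory=list)


# Constructed Sysmon Event ID 1 records, reduced to the fields the tree needs.
# "{00}" stands for a parent that was never logged (e.g. before Sysmon started).
SYSMON_EVENTS = [
    {"ProcessGuid": "{A1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\explorer.exe", "CommandLine": "explorer.exe"},
    {"ProcessGuid": "{A2}", "ParentProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Office\WINWORD.EXE",
     "CommandLine": "WINWORD.EXE invoice.docx"},
    {"ProcessGuid": "{A3}", "ParentProcessGuid": "{A2}",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami"},
    {"ProcessGuid": "{B1}", "ParentProcessGuid": "{00}",
     "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
]


def build_process_trees(events: List[Dict[str, str]]) -> List[ProcNode]:
    """Link each process to its parent by GUID; processes whose parent is
    absent from the log window become roots of their own tree."""
    nodes = {e["ProcessGuid"]: ProcNode(e["ProcessGuid"], e["Image"], e["CommandLine"])
             for e in events}
    roots: List[ProcNode] = []
    for e in events:
        node = nodes[e["ProcessGuid"]]
        parent = nodes.get(e["ParentProcessGuid"])
        if parent is None:
            roots.append(node)
        else:
            parent.children.append(node)
    return roots


def render_tree(node: ProcNode, depth: int = 0) -> List[str]:
    """Indented text view of a tree (basename of Image plus command line),
    the form of context a RAG/LLM stage would reason over."""
    basename = node.image.rsplit("\\", 1)[-1]
    lines = [f"{'  ' * depth}{basename}: {node.cmdline}"]
    for child in node.children:
        lines.extend(render_tree(child, depth + 1))
    return lines


def precision_f1_fpr(y_true: List[int], y_pred: List[int]):
    """Return (precision, recall, f1, false_positive_rate) for binary labels,
    where 1 marks a process tree judged malicious."""
    tp = sum(1 for t, p in zip(y_true, y_pred) if t and p)
    fp = sum(1 for t, p in zip(y_true, y_pred) if not t and p)
    fn = sum(1 for t, p in zip(y_true, y_pred) if t and not p)
    tn = sum(1 for t, p in zip(y_true, y_pred) if not t and not p)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return precision, recall, f1, fpr


if __name__ == "__main__":
    for root in build_process_trees(SYSMON_EVENTS):
        print("\n".join(render_tree(root)))
        print("---")
    # Constructed ground truth and detector verdicts for six trees.
    print(precision_f1_fpr([1, 1, 0, 0, 1, 0], [1, 0, 1, 0, 1, 0]))
```

Reconstructing by `ProcessGuid` rather than by PID matters because PIDs are reused; the GUID is unique per process instance, so lineage such as an Office process spawning a shell is recovered reliably even across long log windows.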