Bibliographic Details
Main Authors: Arrus, Aurora, di Gisi, Maria, Lilli, Sara, Quadrini, Marco
Format: Preprint
Published: 2026
Subjects: Cryptography and Security
Online Access: https://arxiv.org/abs/2602.22244
Abstract: The General Data Protection Regulation (GDPR) requires organisations to notify supervisory authorities of personal data breaches within 72 hours of discovery. Meeting this strict deadline is challenging because incident responders must manually translate low-level forensic artefacts such as malware traces, system-call logs, and network captures into the structured, legally framed information required by data-protection authorities. This gap between technical evidence and regulatory reporting often results in delays, incomplete notifications, and a high cognitive burden on analysts. We propose a hybrid malware analysis pipeline that automates the extraction and organisation of breach-relevant information, with a particular focus on exfiltration-oriented Linux/ARM malware, which is rapidly increasing in prevalence due to the widespread adoption of IoT and embedded devices. The system combines static analysis to identify potential exfiltrators with dynamic analysis to reconstruct their behaviour. It employs a Large Language Model (LLM) constrained by a formal JSON schema aligned with the official Italian Garante Privacy notification form. The LLM transforms heterogeneous forensic artefacts into a structured, compliance-ready report that a human operator can rapidly validate.
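The two mechanisms the abstract relies on, reconstructing exfiltration behaviour from a system-call trace and gating the model's output behind a JSON schema, can be shown end to end in a small script. The following is an added example written for this record, not code from the paper or its authors: the strace-style trace, the host name, the path-to-data-category mapping and the notification schema (a handful of fields, not the actual Garante form) are all constructed assumptions, and the "LLM output" is a hand-written dictionary standing in for a model response.

```python
import re

# Constructed strace-style trace for a hypothetical Linux/ARM sample (illustration data,
# not pipeline output). 203.0.113.10 is an RFC 5737 documentation address used as the C2 host.
SAMPLE_TRACE = """\
1700000000.001 openat(AT_FDCWD, "/etc/shadow", O_RDONLY) = 3
1700000000.002 read(3, "root:$6$"..., 4096) = 1312
1700000000.003 socket(AF_INET, SOCK_STREAM, IPPROTO_TCP) = 4
1700000000.004 connect(4, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("203.0.113.10")}, 16) = 0
1700000000.005 sendto(4, "root:$6$"..., 1312, 0, NULL, 0) = 1312
1700000000.006 close(4) = 0
"""

# Assumed mapping from sensitive files to a data category for the notification.
SENSITIVE_PATHS = {"/etc/shadow": "authentication credentials",
                   "/etc/passwd": "account identifiers",
                   "/root/.ssh/id_rsa": "private keys"}

OPENAT_RE = re.compile(r'^[\d.]+ openat\(.*?, "(?P<path>[^"]+)".*\) = (?P<fd>-?\d+)$')
READ_RE = re.compile(r'^[\d.]+ read\((?P<fd>\d+), .*\) = (?P<n>-?\d+)$')
CONNECT_RE = re.compile(r'^[\d.]+ connect\((?P<fd>\d+), .*htons\((?P<port>\d+)\).*'
                        r'inet_addr\("(?P<ip>[\d.]+)"\).*\) = (?P<ret>-?\d+)$')
SENDTO_RE = re.compile(r'^[\d.]+ sendto\((?P<fd>\d+), .*\) = (?P<n>-?\d+)$')


def is_local(ip):
    """Loopback and RFC 1918 ranges; everything else counts as an external endpoint."""
    a, b = (int(x) for x in ip.split(".")[:2])
    return a in (10, 127) or (a == 172 and 16 <= b <= 31) or (a == 192 and b == 168)


def reconstruct(trace):
    """Dynamic-analysis step: follow file descriptors to tie files read to bytes sent externally."""
    fd_paths, files_read, endpoints, bytes_sent = {}, [], {}, 0
    for line in trace.splitlines():
        if (m := OPENAT_RE.match(line)) and int(m["fd"]) >= 0:
            fd_paths[m["fd"]] = m["path"]
        elif (m := READ_RE.match(line)) and int(m["n"]) > 0:
            path = fd_paths.get(m["fd"])
            if path and path not in files_read:
                files_read.append(path)
        elif (m := CONNECT_RE.match(line)) and int(m["ret"]) == 0 and not is_local(m["ip"]):
            endpoints[m["fd"]] = f'{m["ip"]}:{m["port"]}'
        elif (m := SENDTO_RE.match(line)) and m["fd"] in endpoints and int(m["n"]) > 0:
            bytes_sent += int(m["n"])
    sensitive = [p for p in files_read if p in SENSITIVE_PATHS]
    return {"files_read": files_read, "remote_endpoints": sorted(set(endpoints.values())),
            "bytes_sent": bytes_sent, "exfil_suspected": bool(sensitive) and bytes_sent > 0}


# Simplified notification schema (an assumption for this example, not the Garante form).
REPORT_SCHEMA = {
    "type": "object", "additionalProperties": False,
    "required": ["breach_nature", "data_categories", "affected_systems", "remote_endpoints",
                 "bytes_exfiltrated", "detected_at", "analyst_summary"],
    "properties": {
        "breach_nature": {"type": "string", "enum": ["confidentiality", "integrity", "availability", "none"]},
        "data_categories": {"type": "array", "items": {"type": "string"}},
        "affected_systems": {"type": "array", "items": {"type": "string"}},
        "remote_endpoints": {"type": "array", "items": {"type": "string"}},
        "bytes_exfiltrated": {"type": "integer"},
        "detected_at": {"type": "string"},
        "analyst_summary": {"type": "string", "maxLength": 500},
    },
}
TYPES = {"object": dict, "string": str, "integer": int, "boolean": bool, "array": list}


def validate(value, schema, path="$"):
    """Minimal JSON-schema subset checker: type, required, enum, maxLength, items, additionalProperties."""
    t = schema.get("type")
    if t and (not isinstance(value, TYPES[t]) or (t == "integer" and isinstance(value, bool))):
        return [f"{path}: expected {t}"]
    errors = []
    if "enum" in schema and value not in schema["enum"]:
        errors.append(f"{path}: {value!r} not in {schema['enum']}")
    if "maxLength" in schema and len(value) > schema["maxLength"]:
        errors.append(f"{path}: longer than {schema['maxLength']} characters")
    if t == "object":
        errors += [f"{path}.{k}: missing required field" for k in schema.get("required", []) if k not in value]
        for k, v in value.items():
            if k in schema.get("properties", {}):
                errors += validate(v, schema["properties"][k], f"{path}.{k}")
            elif schema.get("additionalProperties", True) is False:
                errors.append(f"{path}.{k}: field not allowed by schema")
    if t == "array" and "items" in schema:
        for i, item in enumerate(value):
            errors += validate(item, schema["items"], f"{path}[{i}]")
    return errors


def draft_report(recon, host, detected_at):
    """Fill the schema from reconstructed behaviour (the role the paper assigns to the LLM)."""
    cats = sorted({SENSITIVE_PATHS[p] for p in recon["files_read"] if p in SENSITIVE_PATHS})
    return {"breach_nature": "confidentiality" if recon["exfil_suspected"] else "none",
            "data_categories": cats, "affected_systems": [host],
            "remote_endpoints": recon["remote_endpoints"], "bytes_exfiltrated": recon["bytes_sent"],
            "detected_at": detected_at,
            "analyst_summary": f"Sample on {host} read {', '.join(recon['files_read'])} and sent "
                               f"{recon['bytes_sent']} bytes to {', '.join(recon['remote_endpoints'])}."}


# Constructed non-conforming model output: a free-text label, a string where an integer is
# required, an extra field and a missing required one. The schema rejects it before review.
BAD_LLM_OUTPUT = {"breach_nature": "data theft", "data_categories": ["authentication credentials"],
                  "affected_systems": ["arm-iot-gw-01"], "remote_endpoints": ["203.0.113.10:4444"],
                  "bytes_exfiltrated": "1312", "analyst_summary": "Credentials sent to C2.",
                  "confidence": "high"}
```

Running `validate(draft_report(reconstruct(SAMPLE_TRACE), "arm-iot-gw-01", "2026-01-01T00:00:00Z"), REPORT_SCHEMA)` returns an empty list, while `validate(BAD_LLM_OUTPUT, REPORT_SCHEMA)` returns four errors. The point of the schema gate is that the human validator only ever sees output that is already well-typed and complete; the reviewer's time goes to checking that the values are true, not that the fields exist.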
Title: Accelerating Incident Response: A Hybrid Approach for Data Breach Reporting