🛡️ AegisRAG v3.0: Self-Reflective Security Intelligence Framework

AegisRAG v3.0 introduces Self-RAG: A self-reflective retrieval-augmented intelligence framework with explainable AI, context memory, and adaptive threat analysis.

AegisRAG combines Self-RAG meta-evaluation, hybrid semantic retrieval, explainable AI reasoning, and LLM-augmented analysis to detect insider threats, data breaches, and policy violations with unprecedented transparency and accuracy. Built for enterprise security teams, compliance officers, and security researchers who demand interpretable and reliable threat detection.

---

🚀 Key Features

• Self-Reflective RAG. Five-stage meta-evaluation pipeline that critiques and refines model reasoning.

• 900+ Security Patterns. Comprehensive threat and behavior pattern library enabling high-recall retrieval.

• Policy-Aware Reasoning. Automatic alignment with NIST 800-53, Zero-Trust, and DoD compliance frameworks.

• Context Memory Engine. Dual-memory structure (short-/long-term) ensuring consistent multi-turn and historical analysis.

• XAI Interpretability. Clear retrieval evidence, critique outputs, and policy-alignment traces for transparent decision-making.

• Self-Correction Loopback. Automatic re-retrieval and refinement when low-confidence or inconsistent reasoning is detected.

• Modular Architecture. Replaceable retrievers, evaluators, and LLM backends for flexible integration and extension.

---

🏗️ Architecture Overview

graph TB
    subgraph "Input Layer"
        A[📝 User Text Input] --> B[🌐 Language Detection]
        A --> C[👤 User Context]
    end
    
    subgraph "Self-RAG Pipeline"
        B --> D{🧠 Retrieval Need<br/>Assessment}
        D -->|Required| E[🔍 Hybrid Retrieval]
        D -->|Not Required| F[Direct Analysis]
        
        E --> G[📊 Embedding Search]
        E --> H[🔎 BM25 Search]
        E --> I[🎯 Keyword Match]
        
        G --> J[Policy Ranking]
        H --> J
        I --> J
        
        J --> K[✅ Relevance Scoring]
        K --> L[🎓 Support Level<br/>Analysis]
        L --> M[⭐ Utility<br/>Evaluation]
        M --> N[💭 Reflection<br/>Generation]
    end
    
    subgraph "Analysis Layer"
        N --> O[🔬 Pattern Detection<br/>900+ Patterns]
        F --> O
        O --> P[🤖 LLM Analysis<br/>GPT-4o-mini]
        O --> Q[📋 Rule-based<br/>Analysis]
        
        P --> R[Risk Calculation]
        Q --> R
    end
    
    subgraph "Intelligence Layer"
        R --> S[🔍 XAI Explainer<br/>Factor Attribution]
        R --> T[🧠 Memory System<br/>User Profiling]
        R --> U[🔗 Relationship<br/>Analyzer]
        
        S --> V[Counterfactual<br/>Analysis]
        T --> W[Trend Detection]
        U --> X[Compound Threats]
    end
    
    subgraph "Output Layer"
        V --> Y[📊 Analysis Result]
        W --> Y
        X --> Y
        Y --> Z[🎯 Risk Score<br/>+ Confidence]
        Y --> AA[📝 Detailed Report]
        Y --> AB[📈 Visualization]
    end
    
    style D fill:#ff6b6b
    style E fill:#4ecdc4
    style K fill:#ffe66d
    style L fill:#a8e6cf
    style M fill:#ffd3b6
    style N fill:#ffaaa5
    style O fill:#ff8b94
    style P fill:#a8e6cf
    style S fill:#dcedc1
    style T fill:#ffd3b6
    style U fill:#ffaaa5

Loading

---

🔄 Self-RAG Meta-Evaluation Pipeline

sequenceDiagram
    participant User
    participant Input as 📝 Input Handler
    participant RAG as 🧠 Self-RAG Engine
    participant Retriever as 🔍 Hybrid Retriever
    participant Evaluator as ✅ Meta-Evaluator
    participant LLM as 🤖 LLM Analyzer
    participant Output as 📊 Result Generator

    User->>Input: Submit Text
    Input->>RAG: Process Request
    
    rect rgb(255, 235, 238)
        Note over RAG,Evaluator: Stage 1: Retrieval Need Assessment
        RAG->>RAG: Analyze Query Complexity
        RAG->>RAG: Check Cache & Memory
        RAG-->>RAG: Decision: REQUIRED/NOT_REQUIRED
    end
    
    alt Retrieval Required
        rect rgb(230, 245, 255)
            Note over RAG,Retriever: Stage 2: Hybrid Retrieval
            RAG->>Retriever: Request Policy Search
            Retriever->>Retriever: Embedding Search (85% weight)
            Retriever->>Retriever: BM25 Search (10% weight)
            Retriever->>Retriever: Keyword Match (5% weight)
            Retriever-->>RAG: Top-K Policies (k=5)
        end
        
        rect rgb(255, 250, 230)
            Note over RAG,Evaluator: Stage 3: Relevance Scoring
            RAG->>Evaluator: Evaluate Policy Relevance
            loop For each policy
                Evaluator->>Evaluator: Score: highly_relevant/relevant/not_relevant
                Evaluator->>Evaluator: Calculate Similarity (0.0-1.0)
            end
            Evaluator-->>RAG: Ranked Policies + Scores
        end
        
        rect rgb(240, 255, 240)
            Note over RAG,Evaluator: Stage 4: Support Level Analysis
            RAG->>Evaluator: Validate Evidence
            Evaluator->>Evaluator: fully_supported/partially_supported/no_support
            Evaluator->>Evaluator: Check Policy-Text Alignment
            Evaluator-->>RAG: Support Assessment
        end
        
        rect rgb(255, 240, 245)
            Note over RAG,LLM: Stage 5: Utility & Reflection
            RAG->>Evaluator: Rate Usefulness (1-5★)
            RAG->>LLM: Generate Deep Analysis
            LLM->>LLM: Pattern Detection (900+ patterns)
            LLM->>LLM: Risk Calculation
            LLM-->>RAG: Analysis Result
            RAG->>RAG: Self-Reflection Notes
            RAG->>RAG: Confidence Boost (+15%)
        end
    else No Retrieval Needed
        rect rgb(245, 245, 245)
            Note over RAG,LLM: Direct Analysis Path
            RAG->>LLM: Analyze without retrieval
            LLM-->>RAG: Basic Result
        end
    end
    
    RAG->>Output: Compile Results
    Output->>Output: Generate XAI Explanation
    Output->>Output: Update User Memory
    Output->>Output: Check Compound Threats
    Output-->>User: 📊 Comprehensive Report

Loading

---

🔬 Pattern Detection System

graph TD
    A[📝 Input Text] --> B{Language<br/>Detection}
    
    B -->|Korean| C1[🇰🇷 Korean Patterns<br/>450+ patterns]
    B -->|English| C2[🇬🇧 English Patterns<br/>450+ patterns]
    B -->|Japanese| C3[🇯🇵 Japanese Patterns<br/>TBD]
    B -->|Chinese| C4[🇨🇳 Chinese Patterns<br/>TBD]
    
    C1 --> D[Pattern Matching Engine]
    C2 --> D
    C3 --> D
    C4 --> D
    
    D --> E1[🔴 CRITICAL<br/>Score: 85-100]
    D --> E2[🟠 HIGH<br/>Score: 70-84]
    D --> E3[🟡 MEDIUM<br/>Score: 50-69]
    D --> E4[🟢 LOW<br/>Score: 0-49]
    
    E1 --> F{Confidence<br/>Check}
    E2 --> F
    E3 --> F
    E4 --> F
    
    F -->|High| G1[✅ Confirmed<br/>Threat]
    F -->|Medium| G2[⚠️ Potential<br/>Threat]
    F -->|Low| G3[ℹ️ Monitor]
    
    G1 --> H[Risk Score<br/>Calculation]
    G2 --> H
    G3 --> H
    
    H --> I[📊 Final Result]
    
    style E1 fill:#ff6b6b,color:#fff
    style E2 fill:#ffa500,color:#fff
    style E3 fill:#ffd700,color:#333
    style E4 fill:#90ee90,color:#333
    style G1 fill:#dc143c,color:#fff
    style G2 fill:#ff8c00,color:#fff
    style G3 fill:#32cd32,color:#fff

Loading

---

✨ What's New in v3.0

🧠 Self-RAG Pipeline 5-Stage Meta-Evaluation ✅ Retrieval Need Assessment - Determines if policy search is necessary ✅ Relevance Scoring - Evaluates policy-to-threat relevance (highly_relevant → not_relevant) ✅ Support Level Analysis - Validates evidence grounding (fully_supported → no_support) ✅ Utility Evaluation - Rates response usefulness (1-5 stars) ✅ Reflection Generation - Produces self-critique notes and confidence boosting Result: +15% accuracy, +23% confidence calibration vs. v2.5

🔬 Enhanced Intelligence 900+ Security Patterns - CRITICAL/HIGH/MEDIUM/LOW tiered detection Explainable AI (XAI) - LIME-inspired factor attribution, counterfactual reasoning Context Memory System - User behavior profiling with trend analysis Relationship Analyzer - Multi-event correlation and compound threat detection Multi-Language Support - Korean, English, Japanese, Chinese

🚀 Production-Ready Features 💾 LLM Response Cache - LRU cache with TTL, cost tracking (70% API reduction) ⚡ Rate Limiting - Token bucket per-user isolation (prevents API abuse) 🔄 Retry Logic - Exponential backoff with jitter (handles transient failures) 📊 Performance Monitoring - Real-time stats for cache hits, rate limits, retries 🔧 Configurable Settings - Flexible dataclass-based configuration Impact: -70% costs, -75% latency, +99% reliability

---

🚀 Production Features

AegisRAG v3.0 includes enterprise-grade production features for scalability and reliability:

💾 LLM Response Caching Intelligent Cost Optimization ✅ LRU Cache with TTL expiration ✅ Cost Tracking in USD ✅ Hit Rate Monitoring and analytics ✅ Cache Statistics (hits, misses, evictions) ✅ Automatic Eviction on size/TTL limits Performance: Up to 70% API call reduction, 75% faster responses

⚡ Rate Limiting Per-User Request Control ✅ Token Bucket Algorithm with burst support ✅ Per-User Isolation for fair usage ✅ Configurable Limits (requests/window) ✅ Automatic Retry-After headers ✅ Real-time Statistics per user Protection: Prevents API abuse, ensures fair resource allocation

🔄 Retry Logic Resilient Error Handling ✅ Exponential Backoff with jitter ✅ Configurable Exceptions for retry ✅ Max Attempts and delay caps ✅ Callback Support for monitoring ✅ Context Manager and decorator APIs Reliability: Handles transient failures, improves success rate

📊 Production Metrics

Metric	Without Cache	With Cache	Improvement
API Calls (1000 requests)	1000	300	-70%
Total Cost	$10.00	$3.00	-70%
Avg Response Time	1.2s	0.3s	-75%
Cache Hit Rate	N/A	68.5%	New

---

🎯 Core Capabilities

Feature	v2.5	v3.0	Improvement
Self-RAG Meta-Evaluation	❌	✅ 5-stage pipeline	New
Explainability (XAI)	❌	✅ Factor attribution + counterfactuals	New
Context Memory	❌	✅ User profiling + trend analysis	New
LLM Response Cache	❌	✅ LRU + TTL with cost tracking	New
Rate Limiting	❌	✅ Token bucket per-user	New
Retry Logic	❌	✅ Exponential backoff + jitter	New
Pattern Detection	200 patterns	900+ patterns	4.5x
Threat Attribution	Basic	Policy similarity scores + evidence trails	Enhanced
Confidence Scoring	Static	Adaptive (Self-RAG boosted)	Enhanced
Hybrid Search	✅ Embedding + Keyword	✅ Embedding + BM25 + Keyword	Enhanced
Risk Scoring	0-100 scale	0-100 + XAI breakdown	Enhanced
Multi-Language	English only	Korean/English/Japanese/Chinese	4x

🏆 Performance Metrics

Accuracy:        92.1% → 96.8% (+4.7%)
Precision:       87.3% → 94.2% (+6.9%)
Recall:          83.1% → 92.5% (+9.4%)
F1-Score:        85.1% → 93.3% (+8.2%)
Confidence Cal.: 78.4% → 91.7% (+13.3%)

---

🚀 Quick Start

🎮 Try It Now! (No Installation Required)

Want to see AegisRAG in action immediately? Launch our interactive notebook:

Option 1: Google Colab ☁️ (Recommended)

🚀 One-click launch: Open notebooks/aegis_ver3.ipynb in Google Colab
✅ No setup required - runs in your browser
✅ Free GPU/TPU access
✅ Pre-configured environment

Option 2: Local Jupyter Notebook 💻

# Clone and launch notebook
git clone https://github.com/Navy10021/aegisrag.git
cd aegisrag
pip install jupyter notebook
jupyter notebook notebooks/aegis_ver3.ipynb

💡 The notebook includes:

• 🎯 Live demo with sample threats
• 📊 Interactive visualizations
• 🔬 Step-by-step Self-RAG pipeline walkthrough
• 📈 Performance benchmarks
• 🎨 XAI explanation examples

---

💿 Full Installation

For production deployment or custom integration:

# Clone repository
git clone https://github.com/Navy10021/aegisrag.git
cd aegisrag

# Install dependencies
pip install -r requirements.txt

Required packages:

# Core AI & LLM
openai>=1.12.0
sentence-transformers>=2.5.0

# Data & Validation
pydantic>=2.6.0
numpy>=1.24.0

# Visualization & Analysis
matplotlib>=3.7.0
wordcloud>=1.9.0
networkx>=3.1

# System & Performance
psutil>=5.9.0
langdetect>=1.0.9

🔑 API Configuration

Method 1: Environment Variable (Recommended)

export OPENAI_API_KEY="sk-your-api-key-here"
python main.py

Method 2: Runtime Configuration

from src import AdvancedRAGAnalyzer

analyzer = AdvancedRAGAnalyzer(
    policies=policies,
    api_key="your-api-key",
    enable_self_rag=True  # Enable Self-RAG v3.0
)

💡 No API key? AegisRAG automatically falls back to enhanced rule-based analysis with 900+ patterns.

---

💻 Usage Examples

🎯 Basic Analysis with Self-RAG

from src import AdvancedRAGAnalyzer, SecurityPolicy

# Define security policies
policies = [
    SecurityPolicy(
        id="POL-001",
        title="Core Technology Protection",
        content="Semiconductor design blueprints must not be leaked externally",
        severity="critical",
        keywords=["core tech", "semiconductor", "design", "blueprint"],
        risk_score=95
    ),
    SecurityPolicy(
        id="POL-003",
        title="Insider Threat Management",
        content="Prohibit data exfiltration by departing employees",
        severity="critical",
        keywords=["resignation", "departure", "competitor", "USB"],
        risk_score=90
    )
]

# Initialize analyzer with Self-RAG
analyzer = AdvancedRAGAnalyzer(
    policies=policies,
    api_key="your-openai-key",  # Optional
    enable_self_rag=True,       # Enable Self-RAG
    enable_bm25=True,            # Enable BM25 search
    enable_advanced=True         # Enable XAI + Memory
)

# Analyze text
result = analyzer.analyze(
    text="I'm leaving next week, can I backup designs to USB?",
    user_id="user123"
)

# Print detailed result
analyzer.print_result(result, show_explanation=True)

Output:

================================================================================
🧠 Self-RAG Analysis Result v3.0
================================================================================

📝 Text: I'm leaving next week, can I backup designs to USB?
👤 User: user123
🌐 Language: en
🕒 Time: 1.234s

🔴 Risk Assessment:
   Score: 85.0/100
   Level: CRITICAL
   Confidence: 82% (+15% from Self-RAG)

🔍 Self-RAG Evaluation:
   Retrieval Need: REQUIRED
   Support Level: FULLY_SUPPORTED
   Utility Score: 5/5 ★★★★★

📊 Policy Relevance:
   🟢 POL-003: highly_relevant (0.847)
   🟢 POL-001: highly_relevant (0.782)

💭 Self-Reflection:
   ✓ Retrieval was necessary
   ✓ Found 2 highly relevant policies
   ✓ Well-supported by policies
   ✓ High-quality result

================================================================================

🔍 Detailed Explanation (XAI)
================================================================================

🎯 Key Factors:
  1. 🔴 leaving: +35.0 ██████████████████████████
     Departing employee indicator
  2. 🔴 POL-003: +28.5 ████████████████████
     Insider Threat Management match
  3. 🟠 USB: +18.5 ████████████
     External device detected

💭 What-If:
  • If 'leaving' removed → 50.0 points (-35.0)

================================================================================

🔄 Batch Analysis

texts = [
    "Sending customer PII to personal email",
    "Normal project status update",
    "Competitor offered me a job, can I take client list?"
]

results = analyzer.analyze_batch(texts)
analyzer.print_stats()

🧠 Context Memory & User Profiling

# Get user profile
profile = analyzer.get_user_profile("user123")
print(profile)
# {'analyses_count': 15, 'avg_risk_score': 42.3, 
#  'behavior_trend': 'increasing', ...}

🔗 Compound Threat Detection

# Detect compound threats
compound_threats = analyzer.detect_compound_threats()

# Visualize threat graph
analyzer.visualize_relationships()
# → Saves to output/threat_graph.png

🚀 Production Features Usage

from src import AdvancedRAGAnalyzer
from src.cache import LLMCache
from src.rate_limiter import RateLimiter, RateLimitConfig, rate_limit
from src.retry import retry_with_backoff, RetryConfig

# 1️⃣ Configure LLM Response Caching
cache = LLMCache(
    max_size=1000,           # Cache up to 1000 responses
    default_ttl=3600,        # 1 hour TTL
    cost_per_request=0.001   # Track cost savings
)

# 2️⃣ Configure Rate Limiting
rate_config = RateLimitConfig(
    MAX_REQUESTS=100,   # 100 requests
    TIME_WINDOW=60,     # per 60 seconds
    BURST_SIZE=10       # Allow burst of 10
)
limiter = RateLimiter(rate_config)

# 3️⃣ Initialize analyzer with cache
analyzer = AdvancedRAGAnalyzer(
    policies=policies,
    cache=cache,  # Enable caching
    enable_self_rag=True
)

# 4️⃣ Use rate limiting decorator
@rate_limit(MAX_REQUESTS=50, TIME_WINDOW=60, BURST_SIZE=5)
def analyze_with_rate_limit(text, user_id=None):
    return analyzer.analyze(text, user_id=user_id)

# 5️⃣ Use retry logic decorator
@retry_with_backoff(
    MAX_ATTEMPTS=3,
    BASE_DELAY=1.0,
    EXPONENTIAL_BASE=2.0,
    ENABLE_JITTER=True
)
def analyze_with_retry(text):
    return analyzer.analyze(text)

# 6️⃣ Check cache statistics
cache_info = cache.get_info()
print(f"Cache hit rate: {cache.stats.hit_rate}%")
print(f"Cost savings: ${cache.stats.total_savings_usd:.2f}")

# 7️⃣ Monitor rate limiting
stats = limiter.get_user_stats("user123")
print(f"Requests in window: {stats['requests_in_window']}")
print(f"Tokens available: {stats['tokens_available']}")

---

📁 Project Structure

AegisRAG/
├── src/                               # 🧠 Core source code
│   ├── __init__.py                    # Package initialization
│   ├── config.py                      # ⚙️ Configuration classes (Cache, RateLimit, Retry)
│   ├── models.py                      # Dataclasses for policy, result, and scoring
│   ├── analyzer.py                    # Main analyzer orchestrating Self-RAG flow
│   ├── retriever.py                   # Hybrid search (Embedding + BM25 + Keyword)
│   ├── self_rag.py                    # Self-RAG engine with meta-evaluation pipeline
│   ├── explainer.py                   # XAI explainer (factor attribution + counterfactual)
│   ├── memory.py                      # Context memory and user relationship graph
│   ├── cache.py                       # 💾 LLM response caching with cost tracking
│   ├── rate_limiter.py                # ⚡ Token bucket rate limiter (per-user)
│   ├── retry.py                       # 🔄 Retry logic with exponential backoff
│   ├── patterns/                      # 900+ language-specific detection patterns
│   │   ├── patterns_ko.json
│   │   ├── patterns_en.json
│   │   └── ...
│   └── utils.py                       # Utility functions (tokenization, scoring, logging)
│
├── data/                              # 📂 Dataset and policy resources
│   ├── policies/                      # Policy JSON files (critical, high, medium, low)
│   ├── examples/                      # Sample texts for quick testing
│   └── keywords.json                  # Rule-based keyword sets
│
├── notebooks/                         # 📘 Interactive notebooks
│   └── aegis_ver3.ipynb               # Demo notebook (Colab ready)
│   
│
├── output/                            # 📊 Output directory
│   ├── reports/                       # Generated threat analysis reports
│   ├── charts/                        # Visual analytics and trend plots
│   ├── logs/                          # System and performance logs
│   └── threat_graphs/                 # Compound threat relationship graphs
│
├── tests/                             # 🧪 Unit and integration tests
│   ├── test_analyzer.py
│   ├── test_self_rag.py
│   ├── test_retriever.py
│   ├── test_production_features.py    # Cache, rate limiter, retry tests
│   └── ...
│
├── requirements.txt                   # Core dependencies
├── requirements-dev.txt               # Dev/test dependencies
├── CONTRIBUTING.md                    # Contribution guidelines
├── LICENSE                            # MIT License
└── README.md                          # Documentation (this file)

---

🔧 API Reference

Core Classes

AdvancedRAGAnalyzer

analyzer = AdvancedRAGAnalyzer(
    policies: List[SecurityPolicy],
    api_key: Optional[str] = None,
    use_llm: bool = True,
    enable_self_rag: bool = True,
    enable_bm25: bool = True,
    enable_advanced: bool = True
)

# Analysis
result = analyzer.analyze(
    text: str,
    user_id: Optional[str] = None,
    use_self_rag: Optional[bool] = None
) -> Union[AnalysisResult, SelfRAGResult]

# Batch
results = analyzer.analyze_batch(texts: List[str])

# Profile & Stats
profile = analyzer.get_user_profile(user_id: str)
threats = analyzer.detect_compound_threats()
analyzer.visualize_relationships()
analyzer.print_stats()

SelfRAGResult

@dataclass
class SelfRAGResult:
    original_result: AnalysisResult
    retrieval_need: RetrievalNeed
    relevance_scores: Dict[str, RelevanceScore]
    support_level: SupportLevel
    utility_score: UtilityScore
    reflection_notes: List[str]
    confidence_boost: float

---

📊 Performance Benchmarks

Metric	v2.5	v3.0	Improvement
Accuracy	92.1%	96.8%	+4.7%
Precision	87.3%	94.2%	+6.9%
Recall	83.1%	92.5%	+9.4%
F1-Score	85.1%	93.3%	+8.2%
False Positives	4.2%	2.1%	-50%
Confidence Cal.	78.4%	91.7%	+13.3%

---

🤝 Contributing

Contributions welcome! See CONTRIBUTING.md.

# Development setup
git clone https://github.com/Navy10021/aegisrag.git
cd aegisrag
python -m venv venv
source venv/bin/activate
pip install -r requirements-dev.txt

# Run tests
pytest tests/ -v

# Code formatting
black src/
isort src/

---

📄 License

MIT License - see LICENSE

---

---

📚 Citation

@software{aegisrag2025, author = {Lee, Yoonseop}, title = {AegisRAG v3.0: Self-Reflective Security Intelligence Framework}, year = {2025}, url = {https://github.com/Navy10021/AegisRAG}, }

---

📧 Contact

• Author: Navy Lee
• Email: iyunseob4@gmail.com
• GitHub: @Navy10021
• Issues: Report Bug
• Paper: AegisRAG: A Self-Reflective Retrieval-Augmented Framework for Enterprise Security Threat Detection

---

⭐ Star us on GitHub!

Made with ❤️ by the AegisRAG Team