mediumexperimentalLinuxAI/MLT1005

Unexpected Access To Retrieval Cache Or Memory Store

Detects LLM service processes accessing cache, memory, retrieval, or RAG directories at unusual times or with unusual frequency. Anomalous access to these components may indicate probing of the retrieval layer for vulnerability assessment or data extraction.

Updated Jan 15, 2025 · Detection Engineering Team

llmvector-embeddinglinuxragowasp-llm08

Problem Statement

Anomalous access patterns to the retrieval cache or RAG memory store indicate probing or bulk extraction of the knowledge base that powers model responses.

Sample Logs

{"timestamp":"2025-01-15T13:07:55Z","computer_name":"llm-host-03","user":"llm_svc","image":"/opt/llm/app/rag_engine.py","target_filename":"/opt/llm/rag/document_cache/doc_001.pkl","access_type":"read"}

Required Fields

image

target_filename

user

computer_name

False Positives

·Normal RAG retrieval operations that access cache files during inference

Tuning Guidance

Use a frequency threshold and time-of-day baseline. Alert on access volumes significantly above the normal inference workload, or on access outside business hours.