Leveraging AI for Confident Classification and Prioritization of Intrusion Detection System Alerts
Abstract
The increasing complexity and volume of cybersecurity alerts significantly challenge threat detection efforts, particularly within Security Operations Centers (SOCs), where the high rate of false positives can obscure real and dangerous threats. This burden not only strains resources but also increases the risk of overlooking genuine security breaches. Leveraging advanced machine learning techniques, particularly Large Language Models (LLMs), this thesis introduces a novel methodology aimed at enhancing the precision of alert classifications from Windows endpoints’ security logs.
This study extracted approximately 700 alert cases, covering both false positives and real threats, from a live enterprise network. The proposed approach builds an Execution Graph for each alerting Windows process, which is then processed by a "Graph Contextualizer" block. This block transforms the complex interactions between processes into structured, analyzable text suitable for fine-tuning and inference in large language models.
The transformed data points are subsequently fed into several locally fine-tuned LLMs designed to classify the alerts accurately. Preliminary evaluation of this pipeline shows excellent metrics, achieving high levels of precision and recall, thereby substantiating the effectiveness of our approach. The methodology not only improves the operational efficiency of SOCs by reducing the investigative overhead of false threats and assisting in the detection of real threats but also contributes significantly to the broader field of cybersecurity, offering a scalable model for integrating machine learning into existing security infrastructures.
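The following is an added example, not code from the thesis, of what the Execution Graph and "Graph Contextualizer" steps above could look like in practice: constructed Sysmon-style process-creation events are linked into a parent/child graph, and the lineage of the alerting process (its ancestors and everything it spawned, but not unrelated sibling processes) is rendered as indented text that an LLM classifier could consume. The field names, the sample events and this particular serialization are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample process-creation events (Sysmon-style fields, not real data).
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": "explorer.exe",   "cmd": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "WINWORD.EXE",    "cmd": "WINWORD.EXE /n report.docx"},
    {"pid": 300, "ppid": 200, "image": "powershell.exe", "cmd": "powershell.exe -NoProfile -File sync.ps1"},
    {"pid": 400, "ppid": 300, "image": "whoami.exe",     "cmd": "whoami.exe"},
    {"pid": 500, "ppid": 100, "image": "notepad.exe",    "cmd": "notepad.exe"},  # unrelated sibling
]

def build_execution_graph(events):
    """Index events by pid and build a parent -> children adjacency list."""
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children

def ancestors(pid, by_pid):
    """Walk from the alerting process up to the oldest observed ancestor (root first)."""
    chain = []
    while pid in by_pid:
        chain.append(pid)
        pid = by_pid[pid]["ppid"]
    return list(reversed(chain))

def render(pid, depth, by_pid, alert_pid):
    """One process per line, indented by tree depth; the alerting process is tagged."""
    e = by_pid[pid]
    tag = " [ALERT]" if pid == alert_pid else ""
    return f"{'  ' * depth}{e['image']} (pid {pid}): {e['cmd']}{tag}"

def contextualize(alert_pid, events):
    """Serialize the alerting process's lineage and subtree as structured text for an LLM."""
    by_pid, children = build_execution_graph(events)
    chain = ancestors(alert_pid, by_pid)
    lines = [render(pid, depth, by_pid, alert_pid) for depth, pid in enumerate(chain)]

    def walk(pid, depth):  # depth-first over everything the alerting process spawned
        for child in children.get(pid, []):
            lines.append(render(child, depth, by_pid, alert_pid))
            walk(child, depth + 1)

    walk(alert_pid, len(chain))
    return "\n".join(lines)

if __name__ == "__main__":
    print(contextualize(300, EVENTS))
```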
Keywords
Host Intrusion Detection Systems (HIDS), False Positives, Large Language Models (LLM), Alert Classification, Audit Logs, Security Operations Center (SOC)