🤖 AI Summary
This study addresses critical challenges in Security Operations Centers, including overwhelming threat alerts, heterogeneous SIEM platforms, and inefficient manual analysis. To overcome these issues, the authors propose SQM, an end-to-end large language model framework that innovatively integrates syntax-constrained prompting, ensemble-based threat detection, and retrieval-augmented generation to automatically produce executable queries and high-accuracy response recommendations. Experimental results demonstrate that SQM achieves a threat detection accuracy of 82.8% with a false positive rate of 0.120 across mainstream SIEM platforms. The framework attains a BLEU score of 0.384 and ROUGE-L of 0.731 for query generation, while boosting response recommendation accuracy to 90.0% and reducing average analyst triage time from several hours to under 10 minutes.
📝 Abstract
Security Operations Centers (SOCs) face mounting operational challenges. These challenges come from increasing threat volumes, heterogeneous SIEM platforms, and time-consuming manual triage workflows. We present an end-to-end threat management framework that integrates ensemble-based detection, syntax-constrained query generation, and retrieval-augmented resolution support to automate critical security workflows. Our detection module evaluates both traditional machine learning classifiers and large language models (LLMs), then combines the three best-performing LLMs to create an ensemble model, achieving 82.8% accuracy while maintaining 0.120 false positive rate on SIEM logs. We introduce the SQM (Syntax Query Metadata) architecture for automated evidence collection. It uses platform-specific syntax constraints, metadata-based retrieval, and documentation-grounded prompting to generate executable queries for IBM QRadar and Google SecOps. SQM achieves a BLEU score of 0.384 and a ROUGE-L score of 0.731. These results are more than twice as good as the baseline LLM performance. For incident resolution and recommendation generation, we demonstrate that integrating SQM-derived evidence improves resolution code prediction accuracy from 78.3% to 90.0%, with an overall recommendation quality score of 8.70. In production SOC environments, our framework reduces average incident triage time from hours to under 10 minutes. This work demonstrates that domain-constrained LLM architectures with retrieval augmentation can meet the strict reliability and efficiency requirements of operational security environments at scale.