Information-Dense Reasoning for Efficient and Auditable Security Alert Triage

Guangze Zhao, Yongzheng Zhang, Changbo Tian, Dan Xie, Hongri Liu, Bailing Wang

TL;DR

The paper tackles the SOC alert triage bottleneck by proposing AIDR, a hybrid cloud-edge framework that compresses reasoning into 3–5 information-dense bullets via gradient-informed relevance. It formalizes a constrained information-density optimization to retain decision-critical steps under latency and token budgets, and trains domain-specialized LoRA experts while routing alerts with a lightweight cloud classifier. Empirical results show superior risk and threat accuracy with substantial latency and token reductions, plus strong cross-domain transfer and data residency compliance. This approach delivers auditable, privacy-preserving, and scalable security triage suitable for real-time SOC operations. Overall, AIDR demonstrates that carefully compressed, domain-aware reasoning can achieve high performance without sacrificing transparency or privacy in security operations.

Abstract

Security Operations Centers face massive, heterogeneous alert streams under minute-level service windows, creating the Alert Triage Latency Paradox: verbose reasoning chains ensure accuracy and compliance but incur prohibitive latency and token costs, while minimal chains sacrifice transparency and auditability. Existing solutions fail: signature systems are brittle, anomaly methods lack actionability, and fully cloud-hosted LLMs raise latency, cost, and privacy concerns. We propose AIDR, a hybrid cloud-edge framework that addresses this trade-off through constrained information-density optimization. The core innovation is gradient-based compression of reasoning chains to retain only decision-critical steps: the minimal evidence sufficient to justify predictions while respecting token and latency budgets. We demonstrate that this approach preserves decision-relevant information while minimizing complexity. We construct compact datasets by distilling alerts into 3–5 high-information bullets (68% token reduction), train domain-specialized experts via LoRA, and deploy a cloud-edge architecture: a cloud LLM routes alerts to on-premises experts generating SOAR-ready JSON. Experiments demonstrate AIDR achieves higher accuracy and 40.6% latency reduction versus Chain-of-Thought, with robustness to data corruption and out-of-distribution generalization, enabling auditable and efficient SOC triage with full data residency compliance.

Paper Structure

This paper contains 47 sections, 20 equations, 9 figures, 3 tables, 1 algorithm.

Figures (9)

  • Figure 1: The pipeline of AIDR. The framework consists of three phases: (1) Dataset Construction: Raw security telemetry is normalized and mapped to a unified ontology. Verbose reasoning chains are compressed via gradient-based relevance selection into information-dense CoD tuples, reducing token overhead. (2) Domain-Specialized Expert Model: The dataset is partitioned by threat category. Base LLMs are then fine-tuned using LoRA to create domain-specific experts. (3) Hybrid Cloud-Edge Collaborative Triage Architecture: A lightweight Cloud Router performs zero-shot classification to route alerts to the appropriate on-premises Edge Expert. The selected expert generates a SOAR-ready JSON output.
  • Figure 2: Distribution of Level 1 and Level 2 Alert Types (Attack Log). The hierarchical structure shows primary threat categories and their sub-types, with Exploitation and Reconnaissance dominating the distribution.
  • Figure 3: Distribution of Level 1 Alert Types (Attack Log). Exploitation (35%) and Reconnaissance (20%) account for the majority of alerts, contrasting with traditional rule-based SIEM deployments.
  • Figure 4: Threat Name and Attack Result (Attack Log). Correlation between specific threat types and attack outcomes, informing the mapping to the unified security ontology.
  • Figure 5: Distribution of Data Risk Levels (Attack Log). The dataset exhibits a concentration of High and Critical events within exploitation and malware categories, with Low-risk events dominated by reconnaissance and scanning.
  • ...and 4 more figures
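The three-phase pipeline summarized in the abstract and in the Figure 1 caption (compress the reasoning chain under a token budget, route the alert from the cloud to an on-premises expert, emit SOAR-ready JSON while raw telemetry stays on site), as an added illustrative sketch in Python. This is not the authors' code or their released implementation. Assumptions not taken from the paper: per-step relevance scores are supplied as inputs (the paper derives them from gradients, which requires the expert model); token cost is approximated by whitespace word count; the cloud router's zero-shot classifier is stood in for by a keyword map; the risk and action rule in the edge stand-in is made up; the budget of 45 tokens, the sample alert and the reasoning chain are all constructed for the example. The selection itself is the budgeted optimization stated in the abstract, solved exactly by enumerating every 3–5 step subset that fits the budget and keeping the one with the highest summed relevance.

```python
import itertools
import json
import re

# Budget and bullet range are assumed values for this example, not from the paper.
TOKEN_BUDGET = 45
MIN_BULLETS, MAX_BULLETS = 3, 5

# Stand-in for the cloud router's zero-shot classifier (keywords -> expert domain).
DOMAIN_KEYWORDS = {
    "exploitation": ("exploit", "rce", "deserializ", "webshell"),
    "reconnaissance": ("scan", "probe", "enumerat", "nmap"),
    "malware": ("beacon", "c2", "trojan", "ransom"),
}
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def n_tokens(text):
    """Whitespace tokens approximate a tokenizer's count (assumption)."""
    return len(text.split())


def compress_chain(steps, budget=TOKEN_BUDGET):
    """Budgeted selection: among all 3-5 step subsets whose token cost fits,
    return the one with maximal summed relevance, in original order.
    `steps` is a list of (text, relevance); relevance is an input here."""
    best, best_score = None, -1.0
    for k in range(MIN_BULLETS, MAX_BULLETS + 1):
        for combo in itertools.combinations(range(len(steps)), k):
            cost = sum(n_tokens(steps[i][0]) for i in combo)
            if cost > budget:
                continue
            score = sum(steps[i][1] for i in combo)
            if score > best_score:
                best, best_score = combo, score
    if best is None:
        raise ValueError("no 3-5 step subset fits the token budget")
    return [steps[i][0] for i in best]  # combos are index-sorted, order kept


def redact_for_cloud(alert):
    """Only what the router needs leaves the premises: no IPs, hosts or payload."""
    return {"alert_id": alert["alert_id"], "signature": alert["signature"]}


def cloud_payload_is_clean(summary):
    """Data-residency check: the cloud-bound summary carries no IP or payload."""
    return IP_RE.search(json.dumps(summary)) is None and "payload" not in summary


def route_alert(summary):
    """Cloud router stand-in: first domain whose keyword appears in the signature."""
    text = summary["signature"].lower()
    for domain, keywords in DOMAIN_KEYWORDS.items():
        if any(k in text for k in keywords):
            return domain
    return "generic"


def edge_triage(alert, domain, chain):
    """On-premises expert stand-in: compress the chain and emit SOAR-ready JSON.
    The risk/action rule is an assumption for the example, not the paper's."""
    bullets = compress_chain(chain)
    if domain == "exploitation" and alert["attack_result"] == "success":
        risk, action = "Critical", "isolate_host"
    elif domain in ("exploitation", "malware"):
        risk, action = "High", "open_ticket"
    else:
        risk, action = "Low", "log_only"
    full = sum(n_tokens(s) for s, _ in chain)
    kept = sum(n_tokens(b) for b in bullets)
    return {
        "alert_id": alert["alert_id"],
        "domain": domain,
        "risk_level": risk,
        "evidence": bullets,               # the auditable 3-5 bullets
        "token_reduction": round(1 - kept / full, 2),
        "action": action,
    }


def run_pipeline(alert, chain):
    """Cloud sees only the redacted summary; the full alert stays on the edge."""
    summary = redact_for_cloud(alert)
    if not cloud_payload_is_clean(summary):
        raise RuntimeError("refusing to send raw telemetry to the cloud router")
    return edge_triage(alert, route_alert(summary), chain)


# Constructed sample alert and reasoning chain (not from the paper's dataset).
SAMPLE_ALERT = {
    "alert_id": "A-1001", "signature": "Java deserialization RCE attempt on /api/upload",
    "src_ip": "203.0.113.45", "dst_host": "app-prod-02",
    "attack_result": "success", "payload": "rO0ABXNy...",
}
SAMPLE_CHAIN = [  # (step, relevance); relevance values are made up for the example
    ("Source 203.0.113.45 is external and not in any allow-list.", 0.60),
    ("Request body begins with rO0AB, the base64 prefix of a Java serialized stream.", 0.90),
    ("Endpoint /api/upload passes the body to ObjectInputStream without a filter.", 0.85),
    ("Server answered 200 and spawned a child shell process within 2s.", 0.95),
    ("Same source sent 3 benign GETs earlier today.", 0.20),
    ("Timezone of the request is UTC, which is the default.", 0.05),
    ("Host app-prod-02 runs the affected library version per asset inventory.", 0.80),
]

if __name__ == "__main__":
    print(json.dumps(run_pipeline(SAMPLE_ALERT, SAMPLE_CHAIN), indent=2))
```

On the sample chain the four highest-relevance steps cost 44 tokens and fit the 45-token budget, while no five-step subset does, so the expert keeps four bullets and drops the low-relevance timezone and earlier-GET observations. The residency check is deliberately placed before routing: if a redaction bug ever let an IP or payload into the cloud-bound summary, the pipeline refuses rather than silently shipping telemetry off site.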

Theorems & Definitions (1)

  • Remark 3.1: Gradient-based Relevance Computation