Automating Cloud Security and Forensics Through a Secure-by-Design Generative AI Framework

Dalal Alharthi, Ivan Roberto Kawaminami Garcia

Abstract

As cloud environments become increasingly complex, cybersecurity and forensic investigations must evolve to meet emerging threats. Large Language Models (LLMs) have shown promise in automating log analysis and reasoning tasks, yet they remain vulnerable to prompt injection attacks and lack forensic rigor. To address these dual challenges, we propose a unified, secure-by-design GenAI framework that integrates PromptShield and the Cloud Investigation Automation Framework (CIAF). PromptShield proactively defends LLMs against adversarial prompts using ontology-driven validation that standardizes user inputs and mitigates manipulation. CIAF streamlines cloud forensic investigations through structured, ontology-based reasoning across all six phases of the forensic process. We evaluate our system on real-world datasets from AWS and Microsoft Azure, demonstrating substantial improvements in both LLM security and forensic accuracy. Experimental results show PromptShield boosts classification performance under attack conditions, achieving precision, recall, and F1 scores above 93%, while CIAF enhances ransomware detection accuracy in cloud logs using Likert-transformed performance features. Our integrated framework advances the automation, interpretability, and trustworthiness of cloud forensics and LLM-based systems, offering a scalable foundation for real-time, AI-driven incident response across diverse cloud infrastructures.

Paper Structure

This paper contains 10 sections, 1 equation, 6 figures, 3 tables.

Figures (6)

  • Figure 1: Two-part visualization of the system architecture. Part (a) demonstrates how prompt injection attacks can occur in LLM-based systems, where a malicious user manipulates input prompts to deceive the model into producing unintended responses. Part (b) introduces the PromptShield solution, an ontology-driven framework designed to validate and transform user inputs before they reach the LLM. This proactive mechanism ensures semantic consistency, mitigates injection threats, and standardizes prompts for safer and more reliable model interaction.
  • Figure 2: Illustration of the core components of the PromptShield ontology. It defines structured relationships among key elements such as the User Prompt, System Prompt, Model, Attributes, and Function. This formalized representation enables automated validation of prompts based on expert-defined templates and cybersecurity semantics. By embedding this ontology into the LLM workflow, PromptShield enhances interpretability and strengthens security against adversarial manipulation through ontology capabilities such as prompt replacement.
  • Figure 3: Flow diagram that outlines the implementation of the proposed framework, aligning it with the six phases of cloud forensics: event identification, evidence identification, evidence collection, analysis, interpretation, and presentation. This diagram emphasizes how automation is embedded at each stage, transforming traditional manual processes into a streamlined, LLM-assisted pipeline. The figure highlights the integration of PromptShield and CIAF (Cloud Investigation Automation Framework), showcasing a cohesive and secure methodology for incident detection and investigation in cloud environments.
  • Figure 4: Confusion matrices for different scenarios. (a) Simple prompts are used to predict the behavior of AWS event logs. (b) Results of the prompts under prompt injection attack. (c) Prompt carefully pre-trained from PromptShield.
  • Figure 5: Timeline of Working Set, Working Set - Private, Committed Bytes, and Available Bytes feature behaviors.
  • ...and 1 more figure