Information-Dense Reasoning for Efficient and Auditable Security Alert Triage
By: Guangze Zhao , Yongzheng Zhang , Changbo Tian and more
Security Operations Centers face massive, heterogeneous alert streams under minute-level service windows, creating the Alert Triage Latency Paradox: verbose reasoning chains ensure accuracy and compliance but incur prohibitive latency and token costs, while minimal chains sacrifice transparency and auditability. Existing solutions fail: signature systems are brittle, anomaly methods lack actionability, and fully cloud-hosted LLMs raise latency, cost, and privacy concerns. We propose AIDR, a hybrid cloud-edge framework that addresses this trade-off through constrained information-density optimization. The core innovation is gradient-based compression of reasoning chains to retain only decision-critical steps--minimal evidence sufficient to justify predictions while respecting token and latency budgets. We demonstrate that this approach preserves decision-relevant information while minimizing complexity. We construct compact datasets by distilling alerts into 3-5 high-information bullets (68% token reduction), train domain-specialized experts via LoRA, and deploy a cloud-edge architecture: a cloud LLM routes alerts to on-premises experts generating SOAR-ready JSON. Experiments demonstrate AIDR achieves higher accuracy and 40.6% latency reduction versus Chain-of-Thought, with robustness to data corruption and out-of-distribution generalization, enabling auditable and efficient SOC triage with full data residency compliance.
Similar Papers
Think Fast: Real-Time IoT Intrusion Reasoning Using IDS and LLMs at the Edge Gateway
Cryptography and Security
Finds computer attacks on small devices.
Advancing Autonomous Incident Response: Leveraging LLMs and Cyber Threat Intelligence
Cryptography and Security
Helps computers fight cyber threats faster.
Efficient Thought Space Exploration through Strategic Intervention
Artificial Intelligence
Makes AI think smarter with less effort.