
arxiv: 2605.08316 · v1 · submitted 2026-05-08 · 💻 cs.CR


AI-Driven Security Alert Screening and Alert Fatigue Mitigation in Security Operations Centers: A Comprehensive Survey


Pith reviewed 2026-05-12 00:46 UTC · model grok-4.3

classification 💻 cs.CR
keywords: security alert screening, alert fatigue, security operations centers, AI in cybersecurity, workflow taxonomy, adversarial robustness, false positive reduction, deployment gaps

The pith

AI methods for security alerts can be grouped into four workflow stages but lack realistic testing and resistance to attacks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

This survey collects and organizes research on using artificial intelligence to screen and prioritize security alerts so that analysts in operations centers are not overwhelmed by false alarms. It reviews 119 records and distills them into a clear sequence of filtering, triage, correlation, and generative steps that together aim to reduce alert fatigue. The authors show that while these techniques exist, most studies stop short of proving they work under real conditions or against determined adversaries. They close by outlining steps needed to build more dependable AI support for security teams.

Core claim

The paper claims that synthesizing the literature produces a four-stage workflow taxonomy—filtering, triage, correlation, and generative augmentation—that captures how AI is applied to alert screening, while simultaneously revealing consistent shortfalls in deployment realism, adversarial robustness, cross-environment validation, and evaluation practice across the reviewed studies.

What carries the argument

Four-stage workflow taxonomy that sequences filtering, triage, correlation, and generative augmentation to structure the alert-screening process.

If this is right

  • Future AI systems for alert screening should incorporate explicit tests for adversarial robustness to remain effective against targeted attacks.
  • Research must move beyond simulated data to include cross-environment validation before methods can be trusted in operational centers.
  • Improved evaluation standards would allow direct comparison of filtering and correlation techniques across different security settings.
  • Generative augmentation approaches need integration with human analyst workflows to realize the goal of cognitive security operations centers.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the authors make directly.

  • The taxonomy offers a ready checklist for practitioners evaluating commercial alert-screening tools.
  • Persistent gaps in deployment realism suggest that close collaboration between researchers and operational centers could accelerate progress.
  • Addressing evaluation shortfalls might enable standardized benchmarks that speed adoption of reliable AI components.
  • The survey's call for trustworthy systems points to a need for ongoing monitoring of AI decision quality after initial deployment.

Load-bearing premise

The literature search captured a representative sample of work and the four-stage taxonomy usefully organizes both the existing research and its remaining gaps.

What would settle it

A broader or later literature search that identifies a large body of studies that cannot be placed into the four stages or that demonstrates consistent real-world deployment success contradicting the reported gaps.

Figures

Figures reproduced from arXiv: 2605.08316 by Akira Yamada, Daisuke Inoue, Samuel Ndichu, Seiichi Ozawa, Takeshi Takahashi, Tao Ban.

Figure 1: PRISMA-2020 flow diagram of the systematic literature selection process. Solid arrows mark progression through identification, ... [image not reproduced; caption truncated at source]

Figure 2: Architecture of a modern SOC, separating the upstream detection layer from the downstream screening layer that is the ... [image not reproduced; caption truncated at source]

Figure 3: Workflow-aligned four-dimensional taxonomy of AI-driven alert screening with representative study families drawn from ... [image not reproduced; caption truncated at source]

Figure 4: Editorial coverage assessment of dataset orientation against the four taxonomic categories. Cells encode Good/Partial/Poor ... [image not reproduced; caption truncated at source]

Figure 5: Research-direction priority view. Row shading marks horizon: green = near-term, orange = medium-term, blue = longer-term. [image not reproduced]
Original abstract

Security alert screening is the downstream task of filtering, prioritizing, correlating, and contextualizing alerts for analyst attention in Security Operations Centers. This survey reviews artificial-intelligence-driven alert screening and alert-fatigue mitigation from 2015 to 2026. We synthesize 119 records, including 87 core studies, into a four-stage workflow taxonomy covering filtering, triage, correlation, and generative augmentation. We find persistent gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation practice. The survey concludes with a research agenda toward trustworthy Cognitive Security Operations Centers.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The paper is a survey of AI-driven security alert screening and alert fatigue mitigation in Security Operations Centers. It reviews literature from 2015 to 2026, synthesizes 119 records (87 core studies) into a four-stage workflow taxonomy of filtering, triage, correlation, and generative augmentation, identifies persistent gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation practice, and concludes with a research agenda for trustworthy Cognitive Security Operations Centers.

Significance. If the literature synthesis proves representative, the work provides a useful organizing framework for the field of AI in SOC alert management. The explicit taxonomy and gap analysis could help direct research toward more realistic, robust, and well-evaluated systems, supporting progress in practical security operations.

major comments (2)
  1. [§2] Literature Search and Selection: The synthesis of 119 records and 87 core studies is presented without exact Boolean search strings, deduplication procedures, explicit inclusion/exclusion criteria, or a PRISMA-style flow diagram. Only high-level database names and year ranges are supplied. This directly undermines verification of sample representativeness and therefore the reliability of the four-stage taxonomy and the gap analysis that rests upon it.
  2. [§4] Taxonomy: The four-stage taxonomy is claimed to organize the field, yet no table or figure maps the 87 core studies to the stages or reports coverage counts per stage. Without this, it is impossible to assess whether the taxonomy is balanced or whether the identified gaps (e.g., adversarial robustness) are supported by the actual distribution of studies.
minor comments (2)
  1. [Abstract] The review window is stated as '2015 to 2026'. Clarify whether this includes projected or forthcoming work or is intended to run only through the submission date.
  2. [Throughout] Notation and figures: Ensure every acronym is defined on first use and that all tables/figures are explicitly referenced in the body text.

Simulated Authors' Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. The comments identify important areas for improving the transparency and verifiability of our survey methodology and taxonomy. We address each point below and will revise the manuscript accordingly.

Point-by-point responses
  1. Referee: [§2] Literature Search and Selection: The synthesis of 119 records and 87 core studies is presented without exact Boolean search strings, deduplication procedures, explicit inclusion/exclusion criteria, or a PRISMA-style flow diagram. Only high-level database names and year ranges are supplied. This directly undermines verification of sample representativeness and therefore the reliability of the four-stage taxonomy and the gap analysis that rests upon it.

    Authors: We acknowledge that §2 provides only high-level information on the search process and lacks the specific details needed for full reproducibility. In the revised version, we will add the exact Boolean search strings employed for each database, describe the deduplication steps and tools used, state the explicit inclusion/exclusion criteria applied to arrive at the 119 records and 87 core studies, and include a PRISMA-style flow diagram. These changes will directly address the concern about verifying representativeness and thereby support the reliability of the taxonomy and gap analysis. revision: yes

  2. Referee: [§4] Taxonomy: The four-stage taxonomy is claimed to organize the field, yet no table or figure maps the 87 core studies to the stages or reports coverage counts per stage. Without this, it is impossible to assess whether the taxonomy is balanced or whether the identified gaps (e.g., adversarial robustness) are supported by the actual distribution of studies.

    Authors: We agree that the absence of an explicit mapping limits the ability to evaluate the taxonomy's balance and the evidentiary basis for the gaps. We will introduce a new table (or supplementary figure) in §4 that assigns each of the 87 core studies to one or more of the four stages (filtering, triage, correlation, generative augmentation), reports the count of studies per stage and major subcategory, and highlights the distribution of topics such as adversarial robustness. This addition will allow readers to assess coverage and confirm that the identified gaps reflect actual under-representation in the literature. revision: yes

Circularity Check

0 steps flagged

No circularity: the survey synthesizes external studies without self-referential derivations.

Full rationale

This survey paper reviews and organizes 119 external records (87 core studies) into a four-stage taxonomy of filtering, triage, correlation, and generative augmentation. No equations, fitted parameters, predictions, or uniqueness theorems appear in the provided abstract or description. The central claims rest on synthesis of independent prior literature rather than any reduction of outputs to the paper's own inputs by construction. Self-citations, if present, are not load-bearing for the taxonomy or gap analysis, which derive from the reviewed studies themselves. The literature search process raises reproducibility questions but does not match any enumerated circularity pattern.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

This is a literature survey with no new mathematical derivations, fitted parameters, or postulated entities. The central contribution rests on assumptions about literature completeness and taxonomy utility.

axioms (1)
  • Domain assumption: The 119 selected records from 2015-2026 provide a representative view of AI-driven alert screening research.
    Survey methodology depends on search completeness and unbiased selection of core studies.



Reference graph

Works this paper leans on

173 extracted references · 173 canonical work pages · 2 internal anchors
