arxiv: 2605.15889 · v1 · pith:E7Z5VL5Snew · submitted 2026-05-15 · 💻 cs.CR · cs.LG

A Multi-Layer Cloud-IDS Pipeline with LLM and Adaptive Q-Learning Calibration

Pith reviewed 2026-05-20 18:33 UTC · model grok-4.3

classification 💻 cs.CR cs.LG
keywords cloud intrusion detection · multi-layer IDS · adaptive thresholds · Q-learning calibration · LLM escalation · confidence-aware detection · memory matching · zero-day handling

The pith

A multi-layer cloud IDS learns adaptive thresholds via Q-learning to cut LLM escalations by 58.78 percent while holding 88.68 percent accuracy.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper describes a confidence-aware intrusion detection system built for the layered and dynamic nature of cloud environments. Machine learning models at the network, host, and hypervisor layers handle known attack patterns, but low-confidence predictions route through a sequence of gates that apply learned thresholds first, then memory matching, before any escalation to large language model analysis. Q-learning adjusts those thresholds during operation, which the authors show reduces the frequency of LLM calls by more than half relative to a static-threshold baseline. This setup keeps overall accuracy at 88.68 percent, precision at 85.29 percent, and layer accuracies as high as 98.02 percent at the network level. The design addresses the practical gap between lab performance and sustained operation where both cost and exposure to unseen threats are real constraints.

Core claim

The system secures network, host, and hypervisor layers with per-layer machine learning models that distinguish reliable detections from uncertain ones. Low-confidence events enter a multi-gate flow: Gate-1 applies a Q-learning calibrated confidence threshold, Gate-2 performs Chroma memory matching, and unresolved cases escalate to an LLM for semantic analysis and explanation at Gate-3, which uses calibrated LLM confidence or weighted fusion. Uncertain outcomes fall into a review bucket rather than forced labels. Explanations and confirmed knowledge are stored in ChromaDB to support later matching and retraining. Evaluation against a static-threshold baseline shows the adaptive version cuts

What carries the argument

The multi-gate escalation pipeline whose thresholds are calibrated by Q-learning, allowing most uncertain events to be resolved by memory matching before any large language model is invoked.
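
The gate sequence and threshold calibration described above, as an added Python example that is not code from the paper. The paper's state, action and reward definitions do not appear on this page, so the threshold grid, the cost-based reward, the similarity and Gate-3 cut-offs, the in-memory list standing in for ChromaDB and the sample events (including their LLM scores) are all assumptions constructed for illustration.

```python
import math
import random

THRESHOLDS = [0.55, 0.65, 0.75, 0.85, 0.95]  # assumed grid of Gate-1 thresholds
STATIC_IDX = 3                        # 0.85, the fixed baseline value in Figure 3
SIM_MIN = 0.95                        # assumed Gate-2 cosine-similarity cut-off
PROMOTE_MIN, CLEAR_MAX = 0.80, 0.20   # assumed Gate-3 LLM confidence bounds
FUSE_W, FUSE_MIN = 0.4, 0.70          # assumed ML weight and fusion cut-off
C_LLM, C_ERR = 1.0, 5.0               # assumed cost of an LLM call / a wrong label

# Constructed events: (ML confidence, ML label, true label, feature vector,
# attack confidence the LLM would return if the event reached Gate-3).
EVENTS = [
    (0.97, "attack", "attack", (1.0, 0.0), 0.95),
    (0.93, "benign", "benign", (0.0, 1.0), 0.05),
    (0.91, "attack", "attack", (0.9, 0.1), 0.90),
    (0.88, "benign", "benign", (0.4, 0.8), 0.10),
    (0.82, "attack", "attack", (0.7, 0.5), 0.70),
    (0.78, "benign", "benign", (0.5, 0.7), 0.05),
    (0.74, "attack", "attack", (0.9, 0.2), 0.85),
    (0.68, "benign", "attack", (0.6, 0.5), 0.92),   # ML is wrong here
    (0.62, "benign", "benign", (0.1, 1.0), 0.10),
    (0.58, "attack", "benign", (0.5, 0.6), 0.50),   # ML is wrong here
]
# Stand-in for the Chroma memory: confirmed (vector, label) pairs.
MEMORY = [((1.0, 0.0), "attack"), ((0.0, 1.0), "benign")]


def cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.hypot(*a) * math.hypot(*b)
    return dot / norm if norm else 0.0


def route(event, threshold):
    """Return (label, resolver) for one event under a given Gate-1 threshold."""
    conf, ml_label, _truth, vec, llm_p = event
    if conf >= threshold:                       # Gate-1: trust the layer model
        return ml_label, "ml"
    sim, label = max((cosine(vec, v), lab) for v, lab in MEMORY)
    if sim >= SIM_MIN:                          # Gate-2: reuse a confirmed case
        return label, "memory"
    # Gate-3: the LLM has been called; llm_p is its calibrated attack confidence.
    if llm_p >= PROMOTE_MIN:
        return "attack", "llm"
    ml_p = conf if ml_label == "attack" else 1.0 - conf
    if FUSE_W * ml_p + (1 - FUSE_W) * llm_p >= FUSE_MIN:
        return "attack", "llm-fusion"           # weighted-fusion fallback
    if llm_p <= CLEAR_MAX:                      # assumed rule for clearing as benign
        return "benign", "llm"
    return "review", "llm"                      # review bucket, no forced label


def run_batch(threshold):
    """Replay the batch and count LLM calls, wrong labels and reviews."""
    stats = {"llm_calls": 0, "wrong": 0, "review": 0}
    for event in EVENTS:
        label, resolver = route(event, threshold)
        stats["llm_calls"] += resolver.startswith("llm")
        stats["review"] += label == "review"
        stats["wrong"] += label not in ("review", event[2])
    return stats


def reward(idx):
    """Assumed reward: negative cost of LLM calls plus wrong final labels."""
    s = run_batch(THRESHOLDS[idx])
    return -(C_LLM * s["llm_calls"] + C_ERR * s["wrong"])


def learn_threshold(episodes=500, steps=40, alpha=0.5, gamma=0.9, seed=0):
    """Tabular Q-learning; state = threshold index, action = step down/hold/up."""
    rng = random.Random(seed)
    rewards = [reward(i) for i in range(len(THRESHOLDS))]  # batch is fixed
    q = [[0.0, 0.0, 0.0] for _ in THRESHOLDS]
    for _ in range(episodes):
        s = STATIC_IDX
        for _ in range(steps):
            a = rng.randrange(3)                # uniform exploration (off-policy)
            s2 = min(max(s + a - 1, 0), len(THRESHOLDS) - 1)
            target = rewards[s2] + gamma * max(q[s2])
            q[s][a] += alpha * (target - q[s][a])
            s = s2
    s = STATIC_IDX                              # greedy rollout from the baseline
    for _ in range(len(THRESHOLDS)):
        a = max(range(3), key=lambda i: q[s][i])
        s = min(max(s + a - 1, 0), len(THRESHOLDS) - 1)
    return THRESHOLDS[s]


if __name__ == "__main__":
    learned = learn_threshold()
    print("static 0.85:", run_batch(THRESHOLDS[STATIC_IDX]))
    print("learned", learned, ":", run_batch(learned))
```

On this constructed batch the agent settles on 0.75, which sends 2 events to the LLM where the static 0.85 sends 4; these counts are properties of the sample data and say nothing about the paper's reported 58.78 percent figure.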

If this is right

  • Network-layer detection reaches 98.02 percent accuracy.
  • Hypervisor-layer detection reaches 97.08 percent accuracy.
  • Overall detection maintains 85.00 percent F1 score with substantially fewer LLM invocations.
  • Explanations and resolved cases are stored for future memory matching and model retraining.
  • Events that remain uncertain after all gates enter a review bucket instead of receiving forced labels.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same gate-and-calibration structure could be reused in other security pipelines where large language model calls are the dominant cost, such as automated log triage or malware triage.
  • Storing semantic explanations in a vector store may gradually improve coverage of zero-day patterns as the memory grows.
  • Measuring end-to-end latency under sustained high-volume traffic would reveal whether the added gates offset the reported cost savings in practice.

Load-bearing premise

The combination of learned thresholds, memory matching, and LLM analysis will correctly resolve most low-confidence events in real cloud traffic without unacceptable added latency or new vulnerabilities.

What would settle it

Deploy the pipeline on live cloud traffic containing both known and novel attacks and measure whether the LLM escalation rate stays near the reported 58.78 percent reduction while layer and overall accuracies remain within a few points of the stated figures.

Figures

Figures reproduced from arXiv: 2605.15889 by Daniyal Munir, Farzana Zahid, Hans D. Schotten, Ibrar Ali Shah, Syed Waqas Ali.

Figure 1: High-level Architecture of Proposed Multi-Layer Cloud IDS
Figure 2: Proposed Q-learning-calibrated IDS pipeline with three adaptive decision gates, Chroma vector memory, LLM analysis (Ollama), and a periodic retraining feedback loop.
Figure 3: Static thresholding baseline IDS pipeline using a fixed 85% XGBoost confidence
Figure 4: Distribution of prediction confidence scores produced by the NIDS component.
Figure 5: Distribution of prediction confidence scores produced by the HIDS
Figure 6: Confidence-aware distribution at the hypervisor layer.
Figure 7: Distribution of prediction confidence scores produced by the Proposed NIDS
Figure 8: Distribution of prediction confidence scores produced by the Proposed HIDS
Figure 9: Distribution of prediction confidence scores produced by the Proposed Hypervisor

Original abstract

Security in cloud computing has become a major concern due to several factors such as layered cloud architectures, dynamic environments, and exposure to unseen or zero-day attacks. Moreover, intrusion detection systems (IDS) typically operate at specific layers and rely heavily on machine learning models, which often perform well in experimental settings but fail to sustain performance in real cloud deployments. In this work, we implement a confidence-aware multilevel intrusion detection system using reinforcement learning tailored for cloud environments. The system secures three distinct layers: network, host, and hypervisor. Machine learning models at each layer detect known attack patterns, while prediction confidence distinguishes reliable decisions from uncertain outcomes. Within the multi-gate flow, low-confidence events pass through a learned-threshold confidence gate (Gate-1), followed by a Chroma memory-matching gate (Gate-2), with unresolved events escalated to a large language model (LLM) for semantic analysis and explanation. Final attack promotion at Gate-3 uses calibrated LLM confidence or weighted-fusion fallback, while uncertain events are retained in a review bucket to avoid forced classification. Generated explanations and confirmed knowledge are stored in ChromaDB to support future analysis and retraining. The approach is first evaluated using static thresholds, establishing a baseline for comparison. Results show that the proposed system learns adaptive thresholds and reduces LLM escalation by 58.78%, lowering cost while maintaining strong performance (88.68% accuracy, 85.29% precision, 84.72% recall, 85.00% F1). The network and hypervisor layers achieve 98.02% and 97.08% accuracy, demonstrating a balanced and efficient detection system.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 2 minor

Summary. The manuscript describes a multi-layer cloud IDS that applies ML classifiers at network, host, and hypervisor layers, routes low-confidence predictions through a learned-threshold Gate-1 and a Chroma memory-matching Gate-2, and escalates unresolved cases to an LLM. Adaptive Q-Learning is used to tune the Gate-1 threshold; the system stores explanations in ChromaDB and claims an overall accuracy of 88.68 % together with a 58.78 % reduction in LLM escalations relative to a static-threshold baseline.

Significance. If the Q-Learning calibration and evaluation are shown to be sound, the work would demonstrate a practical way to limit expensive LLM calls in production IDS while preserving detection quality, which is relevant for cost-sensitive cloud deployments. The hybrid pipeline (ML + vector memory + LLM) addresses both known attacks and uncertain cases in a layered architecture.

major comments (3)
  1. [Methods (Q-Learning Calibration)] The state representation, action space, and reward function of the Q-Learning agent that learns the adaptive Gate-1 threshold are never defined. Without these elements the reported 58.78 % reduction cannot be attributed to the RL component rather than to the Chroma gate or the test distribution.
  2. [Evaluation / Results] No datasets, training/validation splits, baseline implementations, or statistical significance tests are described for the headline metrics (88.68 % accuracy, 85.29 % precision, 84.72 % recall, 85.00 % F1). The central performance claims therefore lack visible empirical support.
  3. [Results] Layer-wise accuracies (network 98.02 %, hypervisor 97.08 %) are given without confusion matrices, class distributions, or dataset sizes, so it is impossible to check consistency with the aggregate 88.68 % figure or to assess whether the overall result is driven by one dominant layer.
minor comments (2)
  1. [Abstract] The abstract refers to 'static thresholds' as the baseline but does not state the numerical values or selection procedure used for that comparison.
  2. [System Architecture] A flowchart or pseudocode for the multi-gate decision sequence (Gate-1, Gate-2, Gate-3, review bucket) would improve readability of the pipeline description.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the detailed and constructive comments on our manuscript. We address each of the major comments point by point below, indicating the revisions we plan to make.

  1. Referee: [Methods (Q-Learning Calibration)] The state representation, action space, and reward function of the Q-Learning agent that learns the adaptive Gate-1 threshold are never defined. Without these elements the reported 58.78 % reduction cannot be attributed to the RL component rather than to the Chroma gate or the test distribution.

    Authors: We agree that the state representation, action space, and reward function of the Q-Learning agent were not explicitly defined in the submitted manuscript. In the revised version, we will add a new subsection in the Methods section that clearly specifies these elements. The state will be defined as a tuple consisting of the current Gate-1 threshold and key performance metrics from recent batches (e.g., accuracy and escalation rate). The action space will consist of discrete adjustments to the threshold (increase, decrease, or maintain by a fixed step size). The reward function will be a weighted combination of improved detection performance and reduced LLM escalation costs. These details will allow proper attribution of the performance gains to the adaptive Q-Learning calibration. revision: yes

  2. Referee: [Evaluation / Results] No datasets, training/validation splits, baseline implementations, or statistical significance tests are described for the headline metrics (88.68 % accuracy, 85.29 % precision, 84.72 % recall, 85.00 % F1). The central performance claims therefore lack visible empirical support.

    Authors: We acknowledge that the manuscript does not provide sufficient details on the experimental setup. We will revise the Evaluation and Results sections to include descriptions of the datasets used, the training and validation splits, the specific baseline implementations (including how the static-threshold baseline was constructed), and statistical significance tests (e.g., using bootstrap methods or standard hypothesis tests) for the reported metrics. This will provide the necessary empirical support and transparency for the performance claims. revision: yes

  3. Referee: [Results] Layer-wise accuracies (network 98.02 %, hypervisor 97.08 %) are given without confusion matrices, class distributions, or dataset sizes, so it is impossible to check consistency with the aggregate 88.68 % figure or to assess whether the overall result is driven by one dominant layer.

    Authors: We appreciate this point. To address it, we will include in the revised manuscript the confusion matrices for the network and hypervisor layers, the class distributions within the evaluation datasets for each layer, and the exact dataset sizes. These additions will allow verification of consistency with the overall accuracy and assessment of each layer's contribution. revision: yes

Circularity Check

0 steps flagged

No significant circularity; empirical results from RL calibration do not reduce to inputs by construction.

The paper describes an empirical multi-layer IDS pipeline evaluated on static vs. adaptive thresholds, reporting measured accuracy, precision, recall, F1, and a 58.78% reduction in LLM escalations as direct experimental outcomes. No equations, derivation steps, or self-referential definitions appear in the abstract or methods summary that would make any claimed prediction equivalent to its inputs by construction. The Q-Learning component is presented as a learning process whose state/action/reward details are not supplied, but this absence does not create circularity; it simply leaves the mechanism under-specified. No load-bearing self-citations, ansatz smuggling, or renaming of known results are evident. The central performance claims therefore remain independent experimental findings rather than tautological restatements.

Axiom & Free-Parameter Ledger

0 free parameters · 0 axioms · 0 invented entities

Abstract-only review yields no explicit free parameters, axioms, or invented entities; the work appears to rely on standard machine-learning and reinforcement-learning assumptions whose details would appear in a full methods section.

pith-pipeline@v0.9.0 · 5848 in / 1387 out tokens · 56720 ms · 2026-05-20T18:33:08.229563+00:00 · methodology

