Saved in:
Bibliographic Details
Main Authors: Zhao, Guangze, Zhang, Yongzheng, Tian, Changbo, Xie, Dan, Liu, Hongri, Wang, Bailing
Format: Preprint
Published: 2025
Subjects:
Online Access:https://arxiv.org/abs/2512.08169
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917133811712000
author Zhao, Guangze
Zhang, Yongzheng
Tian, Changbo
Xie, Dan
Liu, Hongri
Wang, Bailing
author_facet Zhao, Guangze
Zhang, Yongzheng
Tian, Changbo
Xie, Dan
Liu, Hongri
Wang, Bailing
contents Security Operations Centers face massive, heterogeneous alert streams under minute-level service windows, creating the Alert Triage Latency Paradox: verbose reasoning chains ensure accuracy and compliance but incur prohibitive latency and token costs, while minimal chains sacrifice transparency and auditability. Existing solutions fail: signature systems are brittle, anomaly methods lack actionability, and fully cloud-hosted LLMs raise latency, cost, and privacy concerns. We propose AIDR, a hybrid cloud-edge framework that addresses this trade-off through constrained information-density optimization. The core innovation is gradient-based compression of reasoning chains to retain only decision-critical steps--minimal evidence sufficient to justify predictions while respecting token and latency budgets. We demonstrate that this approach preserves decision-relevant information while minimizing complexity. We construct compact datasets by distilling alerts into 3-5 high-information bullets (68% token reduction), train domain-specialized experts via LoRA, and deploy a cloud-edge architecture: a cloud LLM routes alerts to on-premises experts generating SOAR-ready JSON. Experiments demonstrate AIDR achieves higher accuracy and 40.6% latency reduction versus Chain-of-Thought, with robustness to data corruption and out-of-distribution generalization, enabling auditable and efficient SOC triage with full data residency compliance.
format Preprint
id arxiv_https___arxiv_org_abs_2512_08169
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Information-Dense Reasoning for Efficient and Auditable Security Alert Triage
Zhao, Guangze
Zhang, Yongzheng
Tian, Changbo
Xie, Dan
Liu, Hongri
Wang, Bailing
Cryptography and Security
Artificial Intelligence
Security Operations Centers face massive, heterogeneous alert streams under minute-level service windows, creating the Alert Triage Latency Paradox: verbose reasoning chains ensure accuracy and compliance but incur prohibitive latency and token costs, while minimal chains sacrifice transparency and auditability. Existing solutions fail: signature systems are brittle, anomaly methods lack actionability, and fully cloud-hosted LLMs raise latency, cost, and privacy concerns. We propose AIDR, a hybrid cloud-edge framework that addresses this trade-off through constrained information-density optimization. The core innovation is gradient-based compression of reasoning chains to retain only decision-critical steps--minimal evidence sufficient to justify predictions while respecting token and latency budgets. We demonstrate that this approach preserves decision-relevant information while minimizing complexity. We construct compact datasets by distilling alerts into 3-5 high-information bullets (68% token reduction), train domain-specialized experts via LoRA, and deploy a cloud-edge architecture: a cloud LLM routes alerts to on-premises experts generating SOAR-ready JSON. Experiments demonstrate AIDR achieves higher accuracy and 40.6% latency reduction versus Chain-of-Thought, with robustness to data corruption and out-of-distribution generalization, enabling auditable and efficient SOC triage with full data residency compliance.
title Information-Dense Reasoning for Efficient and Auditable Security Alert Triage
topic Cryptography and Security
Artificial Intelligence
url https://arxiv.org/abs/2512.08169