metadata

title: Soc Llm Assistant
emoji: ⚡
colorFrom: gray
colorTo: gray
sdk: gradio
sdk_version: 5.42.0
app_file: app.py
pinned: false

🛡️ SOC LLM Assistant - Proof of Concept

Large Language Model-based Assistant for Security Operations Center (SOC) Analysts

🎯 Project Overview

This Proof-of-Concept demonstrates how Large Language Models can enhance Security Operations Center (SOC) analyst capabilities across different expertise levels (L1, L2, L3). The system provides intelligent analysis and actionable recommendations for cybersecurity threats.

🚀 Features

Multi-Level Analysis: Tailored responses for L1 (triage), L2 (investigation), and L3 (expert) analysts
Attack Simulation: Realistic cybersecurity scenarios including:
- Lateral Movement attacks
- Phishing campaigns
- Ransomware incidents
Contextual Intelligence: Incorporates threat intelligence and historical patterns
Real-time Processing: Immediate analysis and recommendations
Actionable Insights: Specific next steps for investigation and response

🏗️ Architecture

Alert Data → LLM Processing → Level-Specific Analysis → Actionable Recommendations
     ↓              ↓                    ↓                        ↓
Raw Logs    Context Building    L1/L2/L3 Focus         Investigation Steps

🔧 Technology Stack

LLM Framework: Hugging Face Transformers
Interface: Gradio
Language: Python 3.8+
Model: Microsoft DialoGPT (demo) / OpenAI GPT-OSS-20B (production)

📋 Use Cases

L1 Analyst (First Response)

Initial alert triage and prioritization
Basic threat identification
Escalation recommendations

L2 Analyst (Investigation)

Detailed threat analysis
Correlation with other security events
Investigation methodology guidance

L3 Analyst (Expert Analysis)

Advanced threat hunting
Attribution and campaign analysis
Executive reporting and strategic recommendations

🎮 Demo Scenarios

Lateral Movement: Post-breach attacker movement through network
Phishing Campaign: Email-based credential theft attack
Ransomware Attack: File encryption with extortion demands

🛠️ Installation & Usage

Local Setup

pip install -r requirements.txt
python app.py

Hugging Face Spaces

This app is deployed on Hugging Face Spaces for easy access and demonstration.

📊 Sample Analysis Output

L2 Investigation Analysis:

🔍 DETAILED ANALYSIS:
• ATTACK VECTOR: Suspicious PowerShell execution with encoded commands
• TECHNICAL DETAILS: powershell.exe -enc ZXhlYyBjYWxjLmV4ZQ==
• CORRELATION: Check for related activities on 192.168.1.100
• INVESTIGATION STEPS:
  1. Examine process tree and parent processes
  2. Check network connections from source host
  3. Review user login history
  4. Scan for similar indicators across environment
• THREAT INTEL: Similar pattern observed in APT29 campaigns
• RECOMMENDATION: Monitor for lateral movement indicators

🎯 Research Applications

This PoC supports research in:

Human-AI Collaboration in cybersecurity
Multi-modal Learning for threat detection
Explainable AI in security operations
Automated Incident Response workflows

🔮 Future Enhancements

Integration with real SIEM systems
Advanced threat correlation algorithms
Automated response orchestration
Multi-language support
Custom model fine-tuning for specific environments

👥 Research Team

Abdullah Alanazi - PhD Candidate
Prof. Ali Shoker - Project Supervisor
KAUST - Computer, Electrical and Mathematical Sciences and Engineering

📚 Related Work

This project builds upon research in:

Multi-modal learning for cybersecurity
Automated alert triage systems
Human-computer interaction in SOCs
Large language models for domain-specific applications

🤝 Contributing

This is a research prototype developed for academic purposes. For collaboration opportunities or research partnerships, please contact the development team.

📄 License

This project is developed for research and educational purposes at KAUST.

🎓 Academic Purpose: This Proof-of-Concept demonstrates the feasibility of LLM-based SOC assistance for cybersecurity research and education.