Spaces:
Sleeping
Sleeping
title: Soc Llm Assistant | |
emoji: ⚡ | |
colorFrom: gray | |
colorTo: gray | |
sdk: gradio | |
sdk_version: 5.42.0 | |
app_file: app.py | |
pinned: false | |
# 🛡️ SOC LLM Assistant - Proof of Concept | |
**Large Language Model-based Assistant for Security Operations Center (SOC) Analysts** | |
## 🎯 Project Overview | |
This Proof-of-Concept demonstrates how Large Language Models can enhance Security Operations Center (SOC) analyst capabilities across different expertise levels (L1, L2, L3). The system provides intelligent analysis and actionable recommendations for cybersecurity threats. | |
## 🚀 Features | |
- **Multi-Level Analysis**: Tailored responses for L1 (triage), L2 (investigation), and L3 (expert) analysts | |
- **Attack Simulation**: Realistic cybersecurity scenarios including: | |
- Lateral Movement attacks | |
- Phishing campaigns | |
- Ransomware incidents | |
- **Contextual Intelligence**: Incorporates threat intelligence and historical patterns | |
- **Real-time Processing**: Immediate analysis and recommendations | |
- **Actionable Insights**: Specific next steps for investigation and response | |
## 🏗️ Architecture | |
``` | |
Alert Data → LLM Processing → Level-Specific Analysis → Actionable Recommendations | |
↓ ↓ ↓ ↓ | |
Raw Logs Context Building L1/L2/L3 Focus Investigation Steps | |
``` | |
## 🔧 Technology Stack | |
- **LLM Framework**: Hugging Face Transformers | |
- **Interface**: Gradio | |
- **Language**: Python 3.8+ | |
- **Model**: Microsoft DialoGPT (demo) / OpenAI GPT-OSS-20B (production) | |
## 📋 Use Cases | |
### L1 Analyst (First Response) | |
- Initial alert triage and prioritization | |
- Basic threat identification | |
- Escalation recommendations | |
### L2 Analyst (Investigation) | |
- Detailed threat analysis | |
- Correlation with other security events | |
- Investigation methodology guidance | |
### L3 Analyst (Expert Analysis) | |
- Advanced threat hunting | |
- Attribution and campaign analysis | |
- Executive reporting and strategic recommendations | |
## 🎮 Demo Scenarios | |
1. **Lateral Movement**: Post-breach attacker movement through network | |
2. **Phishing Campaign**: Email-based credential theft attack | |
3. **Ransomware Attack**: File encryption with extortion demands | |
## 🛠️ Installation & Usage | |
### Local Setup | |
```bash | |
pip install -r requirements.txt | |
python app.py | |
``` | |
### Hugging Face Spaces | |
This app is deployed on Hugging Face Spaces for easy access and demonstration. | |
## 📊 Sample Analysis Output | |
**L2 Investigation Analysis:** | |
``` | |
🔍 DETAILED ANALYSIS: | |
• ATTACK VECTOR: Suspicious PowerShell execution with encoded commands | |
• TECHNICAL DETAILS: powershell.exe -enc ZXhlYyBjYWxjLmV4ZQ== | |
• CORRELATION: Check for related activities on 192.168.1.100 | |
• INVESTIGATION STEPS: | |
1. Examine process tree and parent processes | |
2. Check network connections from source host | |
3. Review user login history | |
4. Scan for similar indicators across environment | |
• THREAT INTEL: Similar pattern observed in APT29 campaigns | |
• RECOMMENDATION: Monitor for lateral movement indicators | |
``` | |
## 🎯 Research Applications | |
This PoC supports research in: | |
- **Human-AI Collaboration** in cybersecurity | |
- **Multi-modal Learning** for threat detection | |
- **Explainable AI** in security operations | |
- **Automated Incident Response** workflows | |
## 🔮 Future Enhancements | |
- Integration with real SIEM systems | |
- Advanced threat correlation algorithms | |
- Automated response orchestration | |
- Multi-language support | |
- Custom model fine-tuning for specific environments | |
## 👥 Research Team | |
**Abdullah Alanazi** - PhD Candidate | |
**Prof. Ali Shoker** - Project Supervisor | |
**KAUST** - Computer, Electrical and Mathematical Sciences and Engineering | |
## 📚 Related Work | |
This project builds upon research in: | |
- Multi-modal learning for cybersecurity | |
- Automated alert triage systems | |
- Human-computer interaction in SOCs | |
- Large language models for domain-specific applications | |
## 🤝 Contributing | |
This is a research prototype developed for academic purposes. For collaboration opportunities or research partnerships, please contact the development team. | |
## 📄 License | |
This project is developed for research and educational purposes at KAUST. | |
--- | |
**🎓 Academic Purpose**: This Proof-of-Concept demonstrates the feasibility of LLM-based SOC assistance for cybersecurity research and education. |