Cloud Security Operations Center (SOC) enable cloud governance, risk and compliance by providing insights visibility and control. Cloud SOC triages high-volume, heterogeneous telemetry from elastic, short-lived resources while staying within tight budgets. In this research, we implement an AI-Augmented Security Operations Center (AISOC) on AWS that combines cloud-native instrumentation with ML-based detection. The architecture uses three Amazon EC2 instances: Attacker, Defender, and Monitoring. We simulate a reverse-shell intrusion with Metasploit, and Filebeat forwards Defender logs to an Elasticsearch and Kibana stack for analysis. We train two classifiers, a malware detector built on a public dataset and a log-anomaly detector trained on synthetically augmented logs that include adversarial variants. We calibrate and fuse the scores to produce multi-modal threat intelligence and triage activity into NORMAL, SUSPICIOUS, and HIGH\_CONFIDENCE\_ATTACK. On held-out tests the fusion achieves strong macro-F1 (up to 1.00) under controlled conditions, though performance will vary in noisier and more diverse environments. These results indicate that simple, calibrated fusion can enhance cloud SOC capabilities in constrained, cost-sensitive setups.
翻译:云安全运营中心(SOC)通过提供洞察可见性与控制能力,实现云治理、风险与合规管理。云SOC在严格预算限制下,对来自弹性、短生命周期资源的海量异构遥测数据进行分类处理。本研究在AWS上实现了一个人工智能增强型安全运营中心(AISOC),将云原生检测工具与基于机器学习的检测技术相结合。该架构使用三个Amazon EC2实例:攻击者、防御者和监控节点。我们通过Metasploit模拟反向shell入侵,并利用Filebeat将防御者日志转发至Elasticsearch与Kibana堆栈进行分析。我们训练了两个分类器:基于公开数据集构建的恶意软件检测器,以及对包含对抗性变体的合成增强日志进行训练的日志异常检测器。通过对评分进行校准与融合,生成多模态威胁情报,并将活动分类为正常、可疑和高置信度攻击三类。在保留测试集上,融合方法在受控条件下实现了较高的宏观F1值(最高达1.00),但在噪声更高、环境更复杂的情况下性能可能有所波动。这些结果表明,在资源受限且成本敏感的场景中,简单的校准融合方法能够有效增强云SOC的检测能力。
相关内容
微信扫码咨询专知VIP会员