📝 Original Info
- Title: MALCDF: A Distributed Multi-Agent LLM Framework for Real-Time Cyber
- ArXiv ID: 2512.14846
- Date: 2025-12-16
- Authors: Researchers from original ArXiv paper
📝 Abstract
Traditional, centralized security tools often miss adaptive, multi-vector attacks. We present the Multi-Agent LLM Cyber Defense Framework (MALCDF), a practical setup where four large language model (LLM) agents (Detection, Intelligence, Response, and Analysis) work together in real time. Agents communicate over a Secure Communication Layer (SCL) with encrypted, ontology-aligned messages, and produce audit-friendly outputs (e.g., MITRE ATT&CK mappings). For evaluation, we keep the test simple and consistent: all reported metrics come from the same 50-record live stream derived from the CICIDS2017 [1] feature schema. CICIDS2017 is used for configuration (fields/schema) and to train a practical ML baseline. The ML-IDS baseline is a Lightweight Random Forest IDS (LRF-IDS) trained on a subset of CICIDS2017 and tested on the 50-record stream, with no overlap between training and test records. In experiments, MALCDF reaches 90.0% detection accuracy, 85.7% F1-score, and 9.1% false-positive rate, with 6.8 s average per-event latency. It outperforms the lightweight ML-IDS baseline and a single-LLM setup on accuracy while keeping end-to-end outputs consistent. Overall, this hands-on build suggests that coordinating simple LLM agents with secure, ontology-aligned messaging can improve practical, real-time cyber defense.
📄 Full Content
MALCDF: A Distributed Multi-Agent LLM Framework for Real-Time Cyber Defense
Arth Bhardwaj, Sia Godika, Yuvam Loonker
Saint Francis High School, Massachusetts Institute of Technology, JBCN International School
arthbhardwaj1234@gmail.com, siag@mit.edu, yuvamloonker@gmail.com
Abstract—Traditional, centralized security tools often miss adaptive, multi-vector attacks. We present the Multi-Agent LLM Cyber Defense Framework (MALCDF), a practical setup where four large language model (LLM) agents—Detection, Intelligence, Response, and Analysis—work together in real time. Agents communicate over a Secure Communication Layer (SCL) with encrypted, ontology-aligned messages, and produce audit-friendly outputs (e.g., MITRE ATT&CK mappings).
For evaluation, we keep the test simple and consistent: all reported metrics come from the same 50-record live stream derived from the CICIDS2017 [1] feature schema. CICIDS2017 is used for configuration (fields/schema) and to train a practical ML baseline. The ML-IDS baseline is a Lightweight Random Forest IDS (LRF-IDS) trained on a subset of CICIDS2017 and tested on the 50-record stream, with no overlap between training and test records.
In experiments, MALCDF reaches 90.0% detection accuracy, 85.7% F1-score, and 9.1% false-positive rate, with 6.8 s average per-event latency. It outperforms the lightweight ML-IDS baseline and a single-LLM setup on accuracy while keeping end-to-end outputs consistent. Overall, this hands-on build suggests that coordinating simple LLM agents with secure, ontology-aligned messaging can improve practical, real-time cyber defense.
Keywords: Multi-Agent Systems; Large Language Models; Cyber Defense; Threat Intelligence.
1. Introduction
Modern networks move fast and change a lot. In this space, traditional, centralized security tools struggle with adaptive, multi-vector attacks that can shift behavior mid-incident. Attackers now use AI, automation, and even generative techniques to produce polymorphic malware, exploit zero-day bugs, and coordinate large campaigns [2]. As more workloads move to cloud, IoT, and edge, the attack surface grows and simple signatures or fixed rules are not enough. Real-time defense needs systems that understand context and make coordinated decisions quickly.
Reactive tools like antivirus or static firewalls do well on known indicators, but they often miss attacks that morph or hide inside normal traffic. Classic ML detectors (anomaly and supervised models) also hit limits when datasets are stale or lack context, which leads to false positives and noisy alert triage [3]. Centralized designs can also struggle to keep up with high-velocity environments. We need something that works in real time and can collaborate across components.
We propose the Multi-Agent LLM Cyber Defense Framework (MALCDF), a distributed setup where several large language model (LLM) agents work together to detect, analyze, and mitigate threats in real time. Figure 1 shows the high-level layout. The framework follows a SOC-style design with four roles: a Threat Detection Agent (TDA), a Threat Intelligence Agent (TIA), a Response Coordination Agent (RCA), and an Analyst Agent (AA). The agents share information through a Secure Communication Layer (SCL) that keeps messages encrypted, aligned to a common ontology, and semantically consistent. This helps agents reason together, reduces confusion, and protects operational data from eavesdropping or impersonation.
A quick example helps. In our tests, the Detection Agent flagged a high byte-rate UDP transfer on port 18530 that looked like data exfiltration. The Intelligence Agent linked the destination to a known campaign, and the Response Agent suggested containment and outbound blocking. The Analyst Agent wrote a short report with a MITRE ATT&CK mapping, so the event was easy to review later. This is the kind of end-to-end workflow we want in practice.
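The hand-off from the Detection Agent to the Intelligence Agent in the example above can be sketched as an authenticated, schema-checked message. This is an added illustration, not MALCDF's SCL: the envelope layout, the `FINDING_SCHEMA` fields, the per-link key and the function names are all assumptions, and it covers only the impersonation and ontology checks (confidentiality would additionally need an authenticated cipher, which the Python standard library does not provide).

```python
import hashlib
import hmac
import json

ROLES = {"TDA", "TIA", "RCA", "AA"}  # agent roles named in the paper
# Assumed ontology for a detection finding: field name -> required type.
FINDING_SCHEMA = {"event_id": str, "protocol": str, "port": int, "suspected": str}
# Constructed sample modelled on the UDP example in the text.
SAMPLE_FINDING = {"event_id": "evt-0001", "protocol": "UDP",
                  "port": 18530, "suspected": "data_exfiltration"}

def _canonical(envelope: dict) -> bytes:
    """Serialize deterministically so both sides MAC the same bytes."""
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()

def seal(link_key: bytes, sender: str, receiver: str, body: dict) -> dict:
    """Wrap a body in an envelope and attach an HMAC-SHA256 tag."""
    env = {"sender": sender, "receiver": receiver, "body": body}
    tag = hmac.new(link_key, _canonical(env), hashlib.sha256).hexdigest()
    return {**env, "tag": tag}

def verify(link_key: bytes, msg: dict, expected_sender: str) -> str:
    """Return 'ok' or the reason the receiving agent rejects the message."""
    env = {k: v for k, v in msg.items() if k != "tag"}
    want = hmac.new(link_key, _canonical(env), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, str(msg.get("tag", ""))):
        return "bad-tag"            # forged, tampered, or wrong key
    if env.get("sender") != expected_sender or env.get("receiver") not in ROLES:
        return "wrong-role"         # authentic, but not from the expected agent
    body = env.get("body")
    if not isinstance(body, dict) or set(body) != set(FINDING_SCHEMA):
        return "schema-violation"   # missing or extra fields
    if not all(isinstance(body[f], t) for f, t in FINDING_SCHEMA.items()):
        return "schema-violation"   # wrong field type
    return "ok"

if __name__ == "__main__":
    key = b"constructed-demo-key"   # placeholder; not a real key
    msg = seal(key, "TDA", "TIA", SAMPLE_FINDING)
    print("intact message:", verify(key, msg, "TDA"))
    msg["body"] = {**msg["body"], "port": 53}   # tamper after sealing
    print("tampered message:", verify(key, msg, "TDA"))
```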
Our implementation uses Groq’s LLaMA 3.3 70B model for each agent, a JADE [4] style orchestration layer for message passing, and a Streamlit dashboard for running the system end to end. We configure agents with CICIDS-derived fields (feature schema and example patterns) so outputs are structured and ontology-aligned, and then we evaluate the full pipeline on a separate 50-record live stream derived from the same schema. The 50 test records are not used for prompt design or baseline training. In experiments, MALCDF reaches 90.0% accuracy and an 85.7% F1-score, with a 9.1% false-positive rate and 6.8 s average per-event latency. Compared to a practical ML baseline (LRF-IDS, trained on a CICIDS subset and tested on the 50 records) and a single-LLM setup, MALCDF improves detection accuracy.
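With only 50 test records, the reported percentages pin down the underlying confusion matrix, which is a useful consistency check when reading results like these. The script below is an added example, not code from the paper: it enumerates every confusion matrix over 50 records and keeps those whose accuracy, F1 and false-positive rate round to the reported values. The resulting counts, precision and recall are inferred here and are not figures stated on the page.

```python
from itertools import product

N = 50  # size of the test stream stated in the text
REPORTED = {"accuracy": 90.0, "f1": 85.7, "fpr": 9.1}  # percentages from the text

def metrics(tp, fp, fn, tn):
    """Return accuracy, F1 and false-positive rate as percentages."""
    total = tp + fp + fn + tn
    f1_den = 2 * tp + fp + fn
    return {
        "accuracy": 100 * (tp + tn) / total,
        "f1": 100 * 2 * tp / f1_den if f1_den else 0.0,
        "fpr": 100 * fp / (fp + tn) if fp + tn else 0.0,
    }

def consistent_matrices(n=N, reported=REPORTED, tol=0.05):
    """Enumerate every (TP, FP, FN, TN) over n records whose metrics match
    the reported one-decimal percentages to within rounding."""
    hits = []
    for tp, fp, fn in product(range(n + 1), repeat=3):
        tn = n - tp - fp - fn
        if tn < 0:
            continue
        m = metrics(tp, fp, fn, tn)
        if all(abs(m[k] - reported[k]) < tol for k in reported):
            hits.append((tp, fp, fn, tn))
    return hits

def implied_rates(tp, fp, fn, tn):
    """Precision and recall (percent) implied by a matrix; inferred values."""
    return round(100 * tp / (tp + fp), 1), round(100 * tp / (tp + fn), 1)

if __name__ == "__main__":
    for cm in consistent_matrices():
        print("TP, FP, FN, TN =", cm)
        print("implied precision, recall (%) =", implied_rates(*cm))
    # Each record is worth 2 accuracy points at N = 50, so a gap of a few
    # points between systems on this stream corresponds to one or two records.
```

Exactly one matrix survives the search, so the three reported figures are mutually consistent; the same check applied to a baseline's numbers shows how many records separate it from MALCDF.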
Contribution
This work focuses on practical, multi-agent collaboration among LLMs for real-time cyber defense. We organize the study around three objectives and guiding questions:
1. Design a multi-agent architecture that enables LLMs to
coordinate autonomously f
…(Full text truncated)…
Reference
This content is AI-processed based on ArXiv data.