Information-Dense Reasoning for Efficient and Auditable Security Alert Triage
📝 Original Info
Title: Information-Dense Reasoning for Efficient and Auditable Security Alert Triage
ArXiv ID: 2512.08169
Date: 2025-12-09
Authors: Guangze Zhao¹,², Yongzheng Zhang¹, Changbo Tian², Dan Xie³, Hongri Liu⁴†, Bailing Wang⁴,⁵†
Affiliations: ¹ Harbin Institute of Technology; ² CHANG AN Communication Technology Co., Ltd.; ³ University of Science and Technology of China; ⁴ Harbin Institute of Technology (Weihai) Qingdao Research Institute; ⁵ Shandong Key Laboratory of Industrial Network Security
† Co-corresponding authors: Hongri Liu (liuhr@hit.edu.cn), Bailing Wang (wbl@hit.edu.cn)
📝 Abstract
Security Operations Centers face massive, heterogeneous alert streams under minute-level service windows, creating the Alert Triage Latency Paradox: verbose reasoning chains ensure accuracy and compliance but incur prohibitive latency and token costs, while minimal chains sacrifice transparency and auditability. Existing solutions fail: signature systems are brittle, anomaly methods lack actionability, and fully cloud-hosted LLMs raise latency, cost, and privacy concerns. We propose AIDR, a hybrid cloud-edge framework that addresses this trade-off through constrained information-density optimization. The core innovation is gradient-based compression of reasoning chains to retain only decision-critical steps--minimal evidence sufficient to justify predictions while respecting token and latency budgets. We demonstrate that this approach preserves decision-relevant information while minimizing complexity. We construct compact datasets by distilling alerts into 3-5 high-information bullets (68% token reduction), train domain-specialized experts via LoRA, and deploy a cloud-edge architecture: a cloud LLM routes alerts to on-premises experts generating SOAR-ready JSON. Experiments demonstrate AIDR achieves higher accuracy and 40.6% latency reduction versus Chain-of-Thought, with robustness to data corruption and out-of-distribution generalization, enabling auditable and efficient SOC triage with full data residency compliance.
📄 Full Content
Information-Dense Reasoning for Efficient and Auditable Security Alert Triage
Guangze Zhao¹,², Yongzheng Zhang¹, Changbo Tian², Dan Xie³, Hongri Liu⁴,†, Bailing Wang⁴,⁵,†
Abstract—Security Operations Centers face massive, heterogeneous alert streams under minute-level service windows, creating the Alert Triage Latency Paradox: verbose reasoning chains ensure accuracy and compliance but incur prohibitive latency and token costs, while minimal chains sacrifice transparency and auditability. Existing solutions fail: signature systems are brittle, anomaly methods lack actionability, and fully cloud-hosted LLMs raise latency, cost, and privacy concerns. We propose AIDR, a hybrid cloud-edge framework that addresses this trade-off through constrained information-density optimization. The core innovation is gradient-based compression of reasoning chains to retain only decision-critical steps—minimal evidence sufficient to justify predictions while respecting token and latency budgets. We demonstrate that this approach preserves decision-relevant information while minimizing complexity. We construct compact datasets by distilling alerts into 3–5 high-information bullets (68% token reduction), train domain-specialized experts via LoRA, and deploy a cloud-edge architecture: a cloud LLM routes alerts to on-premises experts generating SOAR-ready JSON. Experiments demonstrate AIDR achieves higher accuracy and 40.6% latency reduction versus Chain-of-Thought, with robustness to data corruption and out-of-distribution generalization, enabling auditable and efficient SOC triage with full data residency compliance.
Index Terms—Alert Triage, Chain of Draft, Cloud-Edge Collaboration, LLM for Security, SOC Automation
I. INTRODUCTION
Security Operations Centers (SOCs) [53, 34, 32] face an unrelenting operational challenge: the continuous ingestion of massive and highly heterogeneous alert streams. These data sources—spanning endpoint detection and response (EDR) systems [1], intrusion detection systems (IDS) [2], firewalls, cloud telemetry, and diverse application logs—generate overwhelming alert volumes that frequently reach thousands per analyst team per day, completely saturating the typical 1–5 minute service window and leading to a pervasive operational crisis known as alert fatigue [7]. This fatigue significantly delays incident response and, critically, masks high-value genuine threat signals within the noise. In practical terms, numerous SOC teams report being chronically overwhelmed by false positives and consequently unable to investigate a substantial fraction of incoming alerts, revealing a persistent and critical gap between modern, advanced threat detection [47] capabilities and the capacity for actionable, timely triage.
¹Harbin Institute of Technology. ²CHANG AN Communication Technology Co., Ltd. ³University of Science and Technology of China. ⁴Harbin Institute of Technology (Weihai) Qingdao Research Institute. ⁵Shandong Key Laboratory of Industrial Network Security. †Co-corresponding authors: Hongri Liu (liuhr@hit.edu.cn) and Bailing Wang (wbl@hit.edu.cn). This work is supported by the National Natural Science Foundation of China (NSFC) (Grant No. 62272129) and the Key R&D Program of Shandong Province (Grant No. 2023CXPT065).
Conventional security triage approaches have consistently struggled with this escalating operational load. Signature- and rule-based Security Information and Event Management (SIEM) [27] systems are fundamentally brittle to previously unseen attack variants, demand continuous tuning, and frequently inflate false positive rates as enterprise environments evolve and existing rules drift out of sync with operational baselines. Anomaly-based methods [51, 61] focus on flagging statistical deviations rather than identifying confirmed threats, making resulting actions uncertain and low-confidence while exposing high sensitivity to concept drift in nonstationary security data streams. Meanwhile, fully cloud-hosted Large Language Model (LLM) [16, 18, 9, 10] triage solutions introduce significant practical concerns despite their advanced reasoning capabilities: end-to-end latency becomes a major bottleneck in time-sensitive incident response [4, 26, 5], token costs escalate at high daily alert volumes, and operation [39] in regulated environments introduces insurmountable obstacles related to data privacy, residency requirements, and secure operations. Recent industry risk catalogs for LLM applications [14, 11, 36, 42] have explicitly highlighted these precise issues, underscoring the urgent necessity for solutions that balance advanced reasoning with compliance and operational security requirements.
To address these challenges, we propose AIDR (Accuracy-preserving Information-Dense Reasoning for alert forensics and triage), as shown in Fig. 1, a Chain-of-Draft framework that reformulates SOC alert triage. First, we address a fundamental latency-accuracy trade-off in security triage: verbose r