A Multi-Stage AI Framework for Intelligent Incident Detection and Response Automation in Security Operations Centers

Authors

DOI:

https://doi.org/10.66279/9zqrqk18

Keywords:

Security Operations Center, Automated Incident Response, Anomaly Detection, Machine Learning Security Analytics

Abstract

Security Operations Centers (SOCs) are essential for safeguarding organizational infrastructure against increasingly sophisticated cyber threats. The expansion of cloud services, Internet of Things (IoT) devices, and large, distributed systems has resulted in a significant increase in security event volumes, burdening analysts and revealing the inadequacies of conventional, manual workflows. Rule-based Security Information and Event Management (SIEM) systems, in particular, experience elevated false-positive rates, leading to alert fatigue and protracted incident response times. This paper introduces IRAS (Incident Response Automation and Management System), an AI-driven platform that automates key stages of the incident response lifecycle within enterprise SOC environments. IRAS integrates a two-stage machine learning pipeline combining Isolation Forest for anomaly detection and Random Forest for multi-class attack classification, coupled with Wazuh for centralized log management and deployed within a Dockerized microservice architecture on Ubuntu Linux. Upon detecting malicious activity, IRAS executes predefined mitigation playbooks, including IP blocking, endpoint isolation, and account suspension, within seconds of detection. IRAS was tested in a controlled experimental setup using an Ubuntu victim machine and a Kali Linux attack machine on the CIC-DDoS2019 and SSH Brute-Force datasets and achieved a weighted F1-score of 94.5%, a false-positive rate of 2.8%, and a mean automated response time of 2.46 seconds, a substantial reduction compared to manual SOC baselines of 8–15 minutes. The system achieved a peak throughput of 1,200 incidents per hour and reduced analyst workload by 74%, demonstrating significant improvements in SOC efficiency within the evaluated threat scenarios and providing a foundation for semi-autonomous SOC operations. Generalization to additional attack categories such as ransomware, insider threats, and APTs remains a direction for future validation.
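The two-stage pipeline the abstract describes (an Isolation Forest gate, a Random Forest attack classifier, and a playbook lookup on the predicted class), as an added runnable illustration. This is not the authors' IRAS code, and everything beyond the abstract's description is assumed: the three per-source features (packets per second, failed logins per minute, SYN share), their value ranges, the two class names, the 5% false-positive budget used to calibrate the anomaly threshold, the playbook action names, and all function names. Both forests are small from-scratch implementations so the example runs without third-party libraries; the training windows are constructed inline.

```python
# Added illustration of the two-stage design in the abstract (not the authors' IRAS code).
import math
import random
import time
from collections import Counter

BENIGN_RANGES = ((10, 50), (0, 3), (0.02, 0.10))  # constructed window: [pkts/s, failed logins/min, SYN share]
ATTACK_RANGES = {"ddos": ((1500, 2500), (0, 2), (0.85, 1.00)),            # SYN flood
                 "ssh_bruteforce": ((300, 600), (300, 600), (0.05, 0.15))}  # login storm
PLAYBOOKS = {"ddos": ["block_source_ip"],  # constructed table: class -> recorded (not executed) actions
             "ssh_bruteforce": ["block_source_ip", "suspend_targeted_account"]}

def c_factor(n):  # average path length of an unsuccessful BST search over n points (Liu et al.)
    return 0.0 if n <= 1 else 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def build_itree(rows, depth, max_depth, rng):
    """Isolation tree: random feature and random split value until isolated or depth-capped."""
    if depth >= max_depth or len(rows) <= 1:
        return ("leaf", len(rows))
    q = rng.randrange(len(rows[0]))
    lo, hi = min(r[q] for r in rows), max(r[q] for r in rows)
    if lo == hi:
        return ("leaf", len(rows))
    p = rng.uniform(lo, hi)
    return ("node", q, p, build_itree([r for r in rows if r[q] < p], depth + 1, max_depth, rng),
            build_itree([r for r in rows if r[q] >= p], depth + 1, max_depth, rng))

def isolation_score(trees, psi, x):
    """Anomaly score in (0, 1]: mean path length normalised by c(psi); short paths score near 1."""
    total = 0.0
    for tree in trees:
        depth = 0
        while tree[0] == "node":  # follow the split: tree = (tag, feature, value, left, right)
            tree, depth = (tree[3] if x[tree[1]] < tree[2] else tree[4]), depth + 1
        total += depth + c_factor(tree[1])
    return 2.0 ** (-(total / len(trees)) / c_factor(psi))

gini = lambda labels: 1.0 - sum((k / len(labels)) ** 2 for k in Counter(labels).values())

def build_dtree(rows, labels, depth, max_depth, rng):
    """Gini decision tree with the Random Forest twist: each split sees a random feature subset."""
    majority = Counter(labels).most_common(1)[0][0]
    if depth >= max_depth or len(set(labels)) == 1:
        return ("leaf", majority)
    best = None
    for q in rng.sample(range(len(rows[0])), max(1, int(math.sqrt(len(rows[0]))))):
        values = sorted({r[q] for r in rows})
        for thr in [(a + b) / 2 for a, b in zip(values, values[1:])]:
            left = [i for i, r in enumerate(rows) if r[q] < thr]
            right = [i for i, r in enumerate(rows) if r[q] >= thr]
            cost = (len(left) * gini([labels[i] for i in left])
                    + len(right) * gini([labels[i] for i in right])) / len(rows)
            if best is None or cost < best[0]:
                best = (cost, q, thr, left, right)
    if best is None:  # the sampled features carried no distinct values
        return ("leaf", majority)
    _, q, thr, left, right = best
    sub = lambda idx: build_dtree([rows[i] for i in idx], [labels[i] for i in idx], depth + 1, max_depth, rng)
    return ("node", q, thr, sub(left), sub(right))

def forest_predict(forest, x):
    votes = Counter()
    for tree in forest:
        while tree[0] == "node":
            tree = tree[3] if x[tree[1]] < tree[2] else tree[4]
        votes[tree[1]] += 1
    return votes.most_common(1)[0][0]

def fit_pipeline(benign, attack_rows, attack_labels, fpr_budget=0.05, n_trees=50, psi=256, seed=0):
    """Stage 1: Isolation Forest on benign windows plus ~1% attack contamination (the method assumes
    anomalies are few and different); its alert threshold is the (1 - budget) quantile of benign scores,
    so the accepted false-positive rate is an explicit choice. Stage 2: bootstrapped depth-3 trees."""
    rng, rows = random.Random(seed), benign + attack_rows[::10]
    psi = min(psi, len(rows))
    trees = [build_itree(rng.sample(rows, psi), 0, math.ceil(math.log2(psi)), rng) for _ in range(n_trees)]
    scores = sorted(isolation_score(trees, psi, r) for r in benign)
    n, forest = len(attack_rows), []
    for _ in range(15):
        idx = [rng.randrange(n) for _ in range(n)]  # bootstrap sample for this tree
        forest.append(build_dtree([attack_rows[i] for i in idx], [attack_labels[i] for i in idx], 0, 3, rng))
    return {"trees": trees, "psi": psi, "forest": forest,
            "threshold": scores[int((1 - fpr_budget) * (len(scores) - 1))]}

def handle(model, src_ip, x):
    """Gate on stage 1, classify with stage 2 only for anomalies, look up the playbook, time it all."""
    t0 = time.perf_counter()
    score = isolation_score(model["trees"], model["psi"], x)
    verdict = forest_predict(model["forest"], x) if score >= model["threshold"] else "benign"
    return {"src_ip": src_ip, "score": round(score, 3), "verdict": verdict,
            "actions": PLAYBOOKS.get(verdict, []), "response_ms": round((time.perf_counter() - t0) * 1000, 2)}

def build_pipeline(seed=0):
    """Fit both stages on constructed data: 800 benign windows and 40 labelled windows per attack class."""
    rng = random.Random(seed)
    windows = lambda n, ranges: [[rng.uniform(lo, hi) for lo, hi in ranges] for _ in range(n)]
    rows, labels = [], []
    for label, ranges in ATTACK_RANGES.items():
        rows, labels = rows + windows(40, ranges), labels + [label] * 40
    return fit_pipeline(windows(800, BENIGN_RANGES), rows, labels, seed=seed)
```

`build_pipeline()` fits both stages; `handle(model, src_ip, window)` returns the verdict, the actions the playbook would take, and the measured response time for that window. Two points matter when reproducing a pipeline of this shape: Isolation Forest scores an unseen window by the path it takes through trees built from the training sample, so a window far outside the benign range is not automatically scored higher than one just outside it, which is why stage 1 here is fitted on a sample that contains a small share of attack windows; and calibrating the threshold on benign scores turns the false-positive rate into a stated budget rather than a by-product of the model.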


Author Biographies

  • Aboulela Abdo, Nahda University

    Faculty of Computers Science, Nahda University, Beni-Suef City, 62511, Egypt

  • Doaa Sayed, Nahda University

    Faculty of Computers and Artificial Intelligence University, Beni Suef, 62511, Egypt

  • Reham Darwish, Nahda University

    Faculty of Computers Science, Nahda University, Beni-Suef City, 62511, Egypt

  • Omar Moataz, Nahda University

    Faculty of Computers Science, Nahda University, Beni-Suef City, 62511, Egypt



Published

26-06-2026

Data Availability Statement

DDoS Dataset

IDS 2017 | Datasets | Research | Canadian Institute for Cybersecurity | UNB

HTTPS Brute-force dataset with extended network flows

How to Cite

A Multi-Stage AI Framework for Intelligent Incident Detection and Response Automation in Security Operations Centers. (2026). Journal of Smart Algorithms and Applications (JSAA), 4(2), 73-101. https://doi.org/10.66279/9zqrqk18
