{"title":"Design and Computational Modeling of an AI-Based Automated Cybersecurity Incident Response System","authors":"Jiehao Zhang;Simin Li;Weiwei Huang;Haoxin Jing;Qin Zhang;Xing Xia","doi":"10.1109/ACCESS.2025.3603975","DOIUrl":null,"url":null,"abstract":"Modern cybersecurity operations face unsustainable alert volumes, averaging 22000 weekly alerts with 68% false positives, overwhelming defenses and delaying incident response due to limitations in conventional SOAR platforms. To address this, an AI-driven Automated Incident Response (AIR) system is proposed, integrating STIX/TAXII multimodal fusion for unified data ingestion, attention-LSTM networks for adaptive threat recognition across temporal sequences, Bayesian game-theoretic decision layers for strategic response planning, and DRL validation for real-time optimization. This architecture reduces false negatives by 42% in C2 tunneling detection and achieves Nash equilibrium in 97.3% of adversarial engagements. Rigorous testing on hybrid infrastructure datasets (100 K normal events, 20K DDoS, 5K C2 attacks) demonstrates a 93% mean F1-score across attack scenarios, end-to-end latency of 58.3 ms, and <inline-formula> <tex-math>$12.5\\times $ </tex-math></inline-formula> higher strategy updates/sec versus baselines. Compared to existing models, the system improves detection F1 by 10.7%, reduces false positives by 39%, and enhances energy efficiency to 1850 events/Joule (<inline-formula> <tex-math>$2.98\\times $ </tex-math></inline-formula> Snort). The framework establishes a new paradigm for agile, auditable incident response validated by STIX action chains.","PeriodicalId":13079,"journal":{"name":"IEEE Access","volume":"13 ","pages":"154383-154394"},"PeriodicalIF":3.6000,"publicationDate":"2025-08-29","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=11145017","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Access","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/11145017/","RegionNum":3,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}
引用次数: 0
Abstract
Modern cybersecurity operations face unsustainable alert volumes, averaging 22000 weekly alerts with 68% false positives, overwhelming defenses and delaying incident response due to limitations in conventional SOAR platforms. To address this, an AI-driven Automated Incident Response (AIR) system is proposed, integrating STIX/TAXII multimodal fusion for unified data ingestion, attention-LSTM networks for adaptive threat recognition across temporal sequences, Bayesian game-theoretic decision layers for strategic response planning, and DRL validation for real-time optimization. This architecture reduces false negatives by 42% in C2 tunneling detection and achieves Nash equilibrium in 97.3% of adversarial engagements. Rigorous testing on hybrid infrastructure datasets (100 K normal events, 20K DDoS, 5K C2 attacks) demonstrates a 93% mean F1-score across attack scenarios, end-to-end latency of 58.3 ms, and $12.5\times $ higher strategy updates/sec versus baselines. Compared to existing models, the system improves detection F1 by 10.7%, reduces false positives by 39%, and enhances energy efficiency to 1850 events/Joule ($2.98\times $ Snort). The framework establishes a new paradigm for agile, auditable incident response validated by STIX action chains.
IEEE AccessCOMPUTER SCIENCE, INFORMATION SYSTEMSENGIN-ENGINEERING, ELECTRICAL & ELECTRONIC
CiteScore
9.80
自引率
7.70%
发文量
6673
审稿时长
6 weeks
期刊介绍:
IEEE Access® is a multidisciplinary, open access (OA), applications-oriented, all-electronic archival journal that continuously presents the results of original research or development across all of IEEE''s fields of interest.
IEEE Access will publish articles that are of high interest to readers, original, technically correct, and clearly presented. Supported by author publication charges (APC), its hallmarks are a rapid peer review and publication process with open access to all readers. Unlike IEEE''s traditional Transactions or Journals, reviews are "binary", in that reviewers will either Accept or Reject an article in the form it is submitted in order to achieve rapid turnaround. Especially encouraged are submissions on:
Multidisciplinary topics, or applications-oriented articles and negative results that do not fit within the scope of IEEE''s traditional journals.
Practical articles discussing new experiments or measurement techniques, interesting solutions to engineering.
Development of new or improved fabrication or manufacturing techniques.
Reviews or survey articles of new or evolving fields oriented to assist others in understanding the new area.