Aman Choudhary, Rajdeep Sikdar, Ishant Roy, Madhusudhan M V, Manjula H M, Prashanth Kannadaguli "Autonomous Cyber Threat Hunting Agent"

Paper_id: 11_1

Authors

  • Madhusudhan M V Presidency University

Abstract

The main problems faced by current Security Operations Centers (SOCs) are a profuse volume of alerts from different sources, resulting in analyst burnout, and the absence of context in siloed detection systems, which fail to identify complex, multi-stage attacks. This paper proposes an AI-powered multi-sensor threat detection system that combines network-level and host-level intelligence. There are three main components: a Network Intrusion Detection System (NIDS) using an LSTM-CNN model trained on the UNSW-NB15 dataset to analyze live network traffic from a Zeek sensor; a Host-based Intrusion Detection System (HIDS) using a Random Forest classifier with bi-gram features to detect malicious system call sequences from the ADFA-LD dataset; and a Correlation Engine that aggregates alerts from both sensors and generates "Meta-Alerts" when both network-level and host-level threats are detected for the same asset within a specified time window. Results for each component, tested separately, show an overall accuracy of 90.35%, with 99% precision, 87% recall, and an F1-score of 92% for attack identification in the NIDS; an overall accuracy of 96.31%, with 91% precision, 78% recall, and an F1-score of 84% in the HIDS; and that the Correlation Engine successfully mapped related alerts from both sensors to generate unified, high-confidence meta-alerts. Together, these components form a framework that improves SOC efficiency, reduces analyst fatigue
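The correlation step described in the abstract (fuse NIDS and HIDS alerts for the same asset inside a time window into one meta-alert) can be illustrated with a small sliding-window engine. The following is an added example written for this page, not code from the paper or its authors; the alert line format, the 60-second default window, the sensor labels "nids"/"hids", and the sample alert lines are all constructed assumptions, and the classifier outputs quoted in the details are illustrative rather than taken from the paper.

```python
"""Toy correlation engine: fuse NIDS and HIDS alerts into meta-alerts.

Added example, not the paper's code. The alert line format, the window
size and the sample alerts below are assumptions made for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    ts: datetime
    source: str   # "nids" or "hids" (assumed labels)
    asset: str    # host the alert concerns: HIDS -> its own host, NIDS -> target host
    detail: str


@dataclass(frozen=True)
class MetaAlert:
    asset: str
    start: datetime
    end: datetime
    alerts: tuple  # the NIDS and HIDS alerts fused into this meta-alert


def parse_alert(line):
    """Parse one line of the assumed format: '<iso-ts> <source> <asset> <detail...>'."""
    ts, source, asset, detail = line.split(maxsplit=3)
    if source not in ("nids", "hids"):
        raise ValueError(f"unknown sensor: {source}")
    # Normalise a trailing 'Z' so fromisoformat() accepts it on older Pythons.
    return Alert(datetime.fromisoformat(ts.replace("Z", "+00:00")), source, asset, detail)


def correlate(alerts, window=timedelta(seconds=60)):
    """Emit one MetaAlert per asset whenever both sensors fire within `window`.

    Alerts are grouped by asset and sorted by time. Starting at each alert, a
    cluster is extended forward while it stays inside the window; a cluster
    that contains both a NIDS and a HIDS alert becomes a meta-alert and its
    alerts are consumed, otherwise the anchor moves on by one alert.
    """
    by_asset = defaultdict(list)
    for a in alerts:
        by_asset[a.asset].append(a)

    metas = []
    for asset, items in sorted(by_asset.items()):
        items.sort(key=lambda a: a.ts)
        i = 0
        while i < len(items):
            j = i
            while j < len(items) and items[j].ts - items[i].ts <= window:
                j += 1
            cluster = items[i:j]
            if {"nids", "hids"} <= {a.source for a in cluster}:
                metas.append(MetaAlert(asset, cluster[0].ts, cluster[-1].ts, tuple(cluster)))
                i = j        # consume the whole cluster
            else:
                i += 1       # single-sensor cluster: not enough for a meta-alert
    return metas


# Constructed sample alerts (not real sensor output). host-7 has both sensors
# firing 35 s apart; host-9 has only a network alert; host-3 has both sensors
# but 300 s apart, so it only correlates once the window is widened.
SAMPLE_ALERTS = """\
2026-04-14T10:00:05Z nids host-7 LSTM-CNN flagged flow from 203.0.113.5 as Exploits (p=0.97)
2026-04-14T10:00:40Z hids host-7 RandomForest flagged syscall bi-gram sequence as attack (p=0.91)
2026-04-14T10:00:10Z nids host-9 LSTM-CNN flagged flow from 203.0.113.5 as Reconnaissance (p=0.88)
2026-04-14T10:30:00Z hids host-7 RandomForest flagged syscall bi-gram sequence as attack (p=0.62)
2026-04-14T09:00:00Z hids host-3 RandomForest flagged syscall bi-gram sequence as attack (p=0.85)
2026-04-14T09:05:00Z nids host-3 LSTM-CNN flagged flow from 198.51.100.9 as Backdoor (p=0.93)
"""


def run(window_seconds=60):
    """Parse the constructed sample and return the meta-alerts for the given window."""
    alerts = [parse_alert(l) for l in SAMPLE_ALERTS.splitlines() if l.strip()]
    return correlate(alerts, timedelta(seconds=window_seconds))


if __name__ == "__main__":
    for m in run():
        print(f"META-ALERT {m.asset}: {len(m.alerts)} alerts between {m.start} and {m.end}")
        for a in m.alerts:
            print(f"  [{a.source}] {a.ts} {a.detail}")
```

With the 60-second default only host-7 produces a meta-alert; widening the window to 600 seconds also fuses the host-3 pair, which shows why the window size is a tuning knob: too narrow misses slow multi-stage attacks, too wide joins unrelated alerts. The asset key is the other critical assumption, since a NIDS alert must be attributed to the destination host that the HIDS reports on for the join to work.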

Published

2026-04-14

How to Cite

Madhusudhan M V. (2026). Aman Choudhary, Rajdeep Sikdar, Ishant Roy, Madhusudhan M V, Manjula H M, Prashanth Kannadaguli "Autonomous Cyber Threat Hunting Agent": Paper_id: 11_1. International Journal of Research in Engineering Technology and Applications, 1(1). Retrieved from https://ojs.ijreta.org/index.php/ijreta/article/view/11