Enhancing Network and Endpoint Detection and Response Systems: A Grounded LLM-Assisted Contextual Analysis
| Field | Value |
|---|---|
| dc.contributor.author | Saha, Tanuraj |
| dc.contributor.department | fi=Tietotekniikan laitos|en=Department of Computing| |
| dc.contributor.faculty | fi=Teknillinen tiedekunta|en=Faculty of Technology| |
| dc.contributor.studysubject | fi=Information and Communication Technology|en=Information and Communication Technology| |
| dc.date.accessioned | 2026-07-01T19:31:53Z |
| dc.date.issued | 2026-06-21 |
| dc.description.abstract | Modern Security Operations Centres (SOCs) are burdened by large volumes of fragmented security alerts originating from both external and internal networks. In the case of lateral movement within internal traffic, these alerts are raised by siloed Network Detection and Response (NDR) and Endpoint Detection and Response (EDR) technologies. To address these issues, this thesis presents an end-to-end multi-layered architecture for automated alert correlation and contextual reasoning. The thesis focuses primarily on the post-detection phase: it designs a contextual framework that groups related alerts into structured incidents, rather than developing telemetry integration or detection algorithms. Contextual analysis by Large Language Models (LLMs) then generates short, evidence-based summaries and investigative recommendations. Without such structural aggregation, analysts must reconstruct threat narratives manually, which often leads to alert fatigue, increased cognitive load, and delayed incident response. Automated SOC triage is one of the major analytical capabilities of LLMs; however, their adoption in enterprise SOCs is often held back by inadequate contextual data and strict data protection regulations. The methodology has three layers. First, a detection layer uses machine learning models (XGBoost, random forest, and autoencoders) trained on public datasets. Second, a correlation layer integrates the resulting network anomalies with endpoint logs, condensing a large number of alerts into a small number of incidents. Third, a contextualization layer evaluates the reasoning capabilities of both cloud-based LLMs (Gemini 2.5 Flash, OpenAI gpt-4o) and locally deployed LLMs (Llama 3, Gemma 3); the cloud-based LLMs performed better at detailed interpretation. In summary, the thesis demonstrates that grounding LLMs in deterministically linked NDR and EDR telemetry substantially improves automated threat analysis. The system converts discrete alerts into standardised, playbook-ready intelligence to support Tier-1 SOC triage, and offers a viable, privacy-preserving approach to deploying generative AI in secure enterprise environments. The machine learning detection layer achieved an F1-score close to 0.99, the deterministic correlation engine reduced telemetry to an Alert-to-Incident Ratio (AIR) of 95, and the grounded LLM produced MITRE-aligned narratives with near-zero hallucinations, reducing triage time by up to 66 percent. |
| dc.format.extent | 132 |
| dc.identifier.uri | https://www.utupub.fi/handle/11111/62638 |
| dc.identifier.urn | URN:NBN:fi-fe20260701107626 |
| dc.language.iso | eng |
| dc.rights | fi=Julkaisu on tekijänoikeussäännösten alainen. Teosta voi lukea ja tulostaa henkilökohtaista käyttöä varten. Käyttö kaupallisiin tarkoituksiin on kielletty.|en=This publication is copyrighted. You may download, display and print it for Your own personal use. Commercial use is prohibited.| |
| dc.rights.accessrights | avoin |
| dc.subject | Network detection and response |
| dc.subject | Endpoint detection and response |
| dc.subject | Large Language Model |
| dc.subject | Alert correlation |
| dc.subject | Contextual analysis |
| dc.subject | Cybersecurity |
| dc.subject | Security Operation Centre |
| dc.subject | SOC Triage |
| dc.title | Enhancing Network and Endpoint Detection and Response Systems: A Grounded LLM-Assisted Contextual Analysis |
| dc.type.ontasot | fi=Diplomityö|en=Master's thesis| |
Files
- Name: Enhancing_Network_and_Endpoint_Detection_and_Response_Systems__A_Grounded_LLM_Assisted_Contextual_Analysis.pdf
- Size: 11.88 MB
- Format: Adobe Portable Document Format