Information-Dense Reasoning for Efficient and Auditable Security Alert Triage
Guangze Zhao, Yongzheng Zhang, Changbo Tian, Dan Xie, Hongri Liu, Bailing Wang

TL;DR
AIDR introduces a gradient-based compression method for reasoning chains in security alert triage, balancing accuracy, transparency, and efficiency by optimizing information density within token and latency constraints.
Contribution
The paper presents a hybrid cloud-edge framework with gradient-based compression of reasoning chains, enabling efficient, auditable, and privacy-compliant security alert triage.
Findings
Achieves 68% token reduction in alert summaries.
40.6% latency reduction compared to Chain-of-Thought.
Maintains robustness to data corruption and out-of-distribution data.
Abstract
Security Operations Centers face massive, heterogeneous alert streams under minute-level service windows, creating the Alert Triage Latency Paradox: verbose reasoning chains ensure accuracy and compliance but incur prohibitive latency and token costs, while minimal chains sacrifice transparency and auditability. Existing solutions fail: signature systems are brittle, anomaly methods lack actionability, and fully cloud-hosted LLMs raise latency, cost, and privacy concerns. We propose AIDR, a hybrid cloud-edge framework that addresses this trade-off through constrained information-density optimization. The core innovation is gradient-based compression of reasoning chains to retain only decision-critical steps: the minimal evidence sufficient to justify predictions while respecting token and latency budgets. We demonstrate that this approach preserves decision-relevant information while…
Taxonomy
Topics: Software System Performance and Reliability · Network Security and Intrusion Detection · Security and Verification in Computing
