Cloud Security Leveraging AI: A Fusion-Based AISOC for Malware and Log Behaviour Detection
Nnamdi Philip Okonkwo, Lubna Luxmi Dhirani

TL;DR
This paper presents an AI-augmented cloud security operations center that fuses multiple detection methods to improve malware and log behavior detection within cloud environments, demonstrating high accuracy in controlled tests.
Contribution
The paper introduces a novel fusion-based architecture for cloud SOC that combines cloud-native instrumentation with machine learning classifiers for enhanced threat detection.
Findings
Fusion achieves macro-F1 up to 1.00 in controlled tests
Combining malware and log anomaly detectors improves detection accuracy
Simple score calibration enhances multi-modal threat intelligence
Abstract
Cloud Security Operations Centers (SOCs) enable cloud governance, risk and compliance by providing insight, visibility and control. A cloud SOC triages high-volume, heterogeneous telemetry from elastic, short-lived resources while staying within tight budgets. In this research, we implement an AI-Augmented Security Operations Center (AISOC) on AWS that combines cloud-native instrumentation with ML-based detection. The architecture uses three Amazon EC2 instances: Attacker, Defender, and Monitoring. We simulate a reverse-shell intrusion with Metasploit, and Filebeat forwards Defender logs to an Elasticsearch and Kibana stack for analysis. We train two classifiers: a malware detector built on a public dataset, and a log-anomaly detector trained on synthetically augmented logs that include adversarial variants. We calibrate and fuse the scores to produce multi-modal threat intelligence and…
Taxonomy
Topics: Network Security and Intrusion Detection · Software System Performance and Reliability · Security and Verification in Computing
