OpenSOC-AI: Democratizing Security Operations with Parameter Efficient LLM Log Analysis

TL;DR

OpenSOC-AI introduces a lightweight, fine-tuned language model framework for automated security log analysis, enabling SMBs to improve threat detection without extensive resources.

Contribution

It demonstrates effective parameter-efficient fine-tuning of a large language model for security log analysis, achieving significant accuracy improvements with minimal training time and resources.

Findings

68% point gain in threat classification accuracy

30% point gain in severity assessment accuracy

F1 score of 0.68 on test set

Abstract

Small and medium sized businesses (SMBs) face an escalating cybersecurity threat landscape, yet most lack the resources to staff full Security Operations Centers (SOCs) or deploy enterprise grade detection platforms. This paper presents OpenSOC-AI, a lightweight log analysis framework that uses parameter efficient fine tuning of a 1.1-billion parameter language model (TinyLlama-1.1B) to perform automated threat classification, MITRE ATT&CK technique mapping, and severity assessment on raw security log entries. Using Low-Rank Adaptation (LoRA) with only 12.6 million trainable parameters (roughly 1.13% of the base model), we fine tuned on 450 domain specific SOC examples in under five minutes on a single NVIDIA T4 GPU. Testing on a heldout set of 50 examples showed a 68% point gain in threat classification accuracy (from 0% to 68%), a 30% point gain in severity accuracy (from 28% to 58%), and an F1 score of 0.68 compared to the untuned baseline. Full codebase, adapter weights, and datasets are publicly released to support reproducibility and community extension.