Elnaz Rabieinejad Balagafsheh PhD Defence

PhD Thesis Abstract: AI-Enabled Framework for Log-Driven Detection and Attribution

Enterprises now depend on logs to protect endpoints, applications, identity systems, cloud control planes, and emerging agents/LLM services. While centralizing telemetry once promised unified visibility, privacy and data-residency constraints, heterogeneous and evolving log formats, and the short-lived links that carry real forensic value make monolithic data lakes costly, brittle, and slow. Defenders must therefore detect and explain multi-step attacks from fast-moving, sensitive logs that often cannot leave their source, where the decisive signal resides in relationships and timing rather than any single line. To address these challenges, we advance an AI-enabled, log-centric security framework comprising four coordinated components. First component, Federated Threat Detection, couples federated learning with encrypted aggregation (e.g., partial homomorphic encryption/secure aggregation) so models train where logs are produced while updates are combined in ciphertext, preserving both data locality and update confidentiality. Second component, Decentralized Log Analysis, eliminates single points of failure by coordinating learning peer-to-peer and automatically converting unstructured records into parse-graphs of origin–target–activity relations, restoring cross-source context without raw-data pooling. Third component, Behavioral Attribution, performs graph-based threat modeling and attribution using graph attention networks and a two-level graph summarization that preserves thin bridge edges, mapping results to operator taxonomies such as MITRE ATT&CK and the Cyber Kill Chain for concise, actionable narratives. Finally,Agentic-LLM Threat Detection component brings a structure-first view to multi-agent LLM workflows by constructing interaction graphs from runtime operational logs (tool calls, arguments, timing) to raise early alarms on partial traces and attribute responsibility to specific agent interactions without reliance on surface text. Together, these contributions enable privacy-respecting learning, decentralized context restoration, structure-preserving modeling, and agentic-AI-aware attribution, delivering timely, analyst-ready intelligence from distributed, sensitive logs.