DEVELOPMENT OF A METHODOLOGY FOR INTEGRATING LARGE LANGUAGE MODELS INTO THE PROCESSES OF SECURITY OPERATIONS CENTERS

Abstract

The article discusses the importance of integrating large language models (LLMs) into the processes of information security monitoring centers (security operations centers, SOCs) in order to increase their effectiveness against growing cyber threats. The aim of the research is to develop a method for incorporating LLMs into SOCs that automates data analysis and incident response processes. The research objectives include the theoretical justification for and development of a secure LLM implementation platform, as well as an assessment of existing SOC processes and technical infrastructure. The article analyses key SOC metrics, such as mean incident detection time and the number of unresolved incidents, and proposes using the GQM (Goal-Question-Metric) approach to improve these metrics. It also considers the need to assess the risks associated with using LLMs, taking into account vulnerabilities and threats, as well as methods for minimizing them, including the use of the OWASP list of critical LLM vulnerabilities. The article proposes the main stages of system development and implementation: an inventory of existing resources, an analysis of integration complexity, and system deployment. Key aspects are considered, such as assessing the complexity of integration, operational and supporting factors, and the risks of introducing new technologies into the SOC infrastructure. In conclusion, the relevance of using LLMs to improve the efficiency and quality of SOC work is emphasized, contributing to a higher level of information security and faster response to cyber threats. The introduction of such technologies will allow a SOC not only to respond to incidents faster, but also to improve the accuracy of data analysis and reduce the risks associated with the human factor.

References

1. Tsentr monitoringa informatsionnoy bezopasnosti (Security Operations Center, SOC) [Information Security Monitoring Center (Security Operations Center, SOC)]. Available at: https://encyclopedia.kaspersky.ru/glossary/security-operations-center-soc.

2. Chastikova V.A., Mityugov A.I. Metodika postroeniya sistemy analiza intsidentov informatsionnoy bezopasnosti na osnove neyroimmunnogo podkhoda [Methodology for building a system for analyzing information security incidents based on a neuroimmune approach], Elektronnyy setevoy politematicheskiy zhurnal "Nauchnye trudy KubGTU" [Electronic network polythematic journal "Scientific Works of KubSTU"], 2022, No. 1, pp. 98-105.

3. Natsional'naya baza dannykh uyazvimostey [National Vulnerability Database]. Available at: https://nvd.nist.gov/vuln.

4. Hasanov I., Virtanen S., Hakkala A., Isoaho J. Application of Large Language Models in Cybersecurity: A Systematic Literature Review, IEEE Access, 2024, Vol. 12, pp. 176751-176778. DOI: 10.1109/ACCESS.2024.3505983.

5. Singh Y., Patel N.D., Shandilya S.K. Enhancing Security Operations Center Efficiency through Multi-Model Integration of Large Language Models and SIEM Systems, Preprints, 2024. DOI: 10.21203/rs.3.rs-5615639/v1.

6. Kotilingala S. Leveraging large language models for enhanced threat detection in security operations centers, World Journal of Advanced Engineering Technology and Sciences, 2025, Vol. 15, No. 1, pp. 579-591. DOI: 10.30574/wjaets.2025.15.1.0241.

7. Hermann A. GPT Powered Log Analysis: Enhancing SOC Decision Making for Malicious and Benign Security Log Classification, Twente Student Conference on IT (TSeIT 41). Enschede, Netherlands, 2024, pp. 1-6.

8. Wudali P.N., Kravchik M., Malul E., Gandhi P.A., Elovici Y., Shabtai A. Rule-ATT&CK Mapper (RAM): Mapping SIEM Rules to TTPs Using LLMs, arXiv preprint, 2024. Available at: https://arxiv.org/abs/2502.02337v1.

9. Shukla A., Gandhi P.A., Elovici Y., Shabtai A. RuleGenie: SIEM Detection Rule Set Optimization, arXiv, 2024. Available at: https://arxiv.org/abs/2505.06701v1.

10. Zangana H.M., Mohammed H.S., Husain M.M. The Role of Large Language Models in Enhancing Cybersecurity Measures: Empirical Evidence from Regional Banking Institutions, Sistemasi: Jurnal Sistem Informasi, 2025, Vol. 14, No. 5, pp. 2018-2027. Available at: https://sistemasi.ftik.unisi.ac.id/index.php/stmsi/article/download/5144/1029.

11. Ali T., Kostakos P. HuntGPT: Integrating Machine Learning-Based Anomaly Detection and Explainable AI with Large Language Models (LLMs), arXiv, 2023. Available at: https://arxiv.org/abs/2309.16021v1. DOI: 10.48550/arXiv.2309.16021.

12. Oniagbi O., Hakkala A., Hasanov I. Evaluation of LLM Agents for the SOC Tier 1 Analyst Triage Process, University of Turku, 2024, 62 p. Available at: https://www.utupub.fi/bitstream/handle/10024/178601/Oniagbi_Openime_Thesis.pdf?sequence=1.

13. Ali A., Ghanem M.C. Beyond Detection: Large Language Models and Next-Generation Cybersecurity, SHIFRA, 2025, Vol. (2025), pp. 81-97. ISSN: 3078-3186. Available at: https://www.researchgate.net/publication/390931574_Beyond_Detection_Large_Language_Models_and_Next-Generation_Cybersecurity.

14. Chastikova V.A., Gulyay V.G. Podkhod k postroeniyu sistem analiza intsidentov informatsionnoy bezopasnosti na osnove gibridizatsii metodov mashinnogo obucheniya [An approach to building systems for analyzing information security incidents based on the hybridization of machine learning methods], Elektronnyy setevoy politematicheskiy zhurnal "Nauchnye trudy KubGTU" [Electronic network polythematic journal "Scientific Works of KubSTU"], 2023, No. 6, pp. 107-117.

15. Key SOC metrics and KPIs: How to define and use them. Available at: https://www.techtarget.com/searchsecurity/tip/How-SOC-metrics-improve-security-operation-centers-performance.

16. Seleznev V.M., Borovskaya O.E. Vstraivanie instrumentov SOAR-platform v ekosistemu SOC dlya avtomatizatsii protsessa reagirovaniya na intsidenty IB [Embedding SOAR platform tools into the SOC ecosystem to automate the process of responding to information security incidents], Mezhdunarodnyy nauchno-issledovatel'skiy zhurnal [International Scientific Research Journal], 2022, No. 10 (124). Available at: https://research-journal.org/archive/10-124-2022-october/10.23670/IRJ.2022.124.8. DOI: 10.23670/IRJ.2022.124.8.

17. Running Local LLMs, CPU vs. GPU - a Quick Speed Test. Available at: https://dev.to/maximsaplin/running-local-llms-cpu-vs-gpu-a-quick-speed-test-2cjn.

18. CPU vs GPU for Running LLMs Locally. Available at: https://www.marktechpost.com/2024/03/23/cpu-vs-gpu-for-running-llms-locally/.

19. OWASP Top 10 for LLM Applications. Available at: https://owasp.org/www-project-top-10-for-large-language-model-applications/assets/PDF/OWASP-Top-10-for-LLMs-2023-v1_1.pdf.

20. Bakhtin A.S. Razrabotka metodiki integratsii bol'shikh yazykovykh modeley v protsessy tsentra monitoringa informatsionnoy bezopasnosti: diplomnaya rabota po spetsial'nosti 10.05.03 «Informatsionnaya bezopasnost' avtomatizirovannykh sistem» [Development of a methodology for integrating large language models into the processes of the Information Security Monitoring Center: thesis in specialty 10.05.03 "Information security of automated systems"]. Krasnodar: Kubanskiy gosudarstvennyy tekhnologicheskiy universitet, 2024, 93 p.

Published:

2025-10-01

Section:

SECTION I. INFORMATION PROCESSING ALGORITHMS

Keywords:

LLM, information security, security operations center, artificial intelligence, automation

For citation:

V. A. Chastikova, A. S. Bahtin, P. A. Merkulov. Development of a Methodology for Integrating Large Language Models into the Processes of Security Operations Centers. Izvestiya SFedU. Engineering Sciences, 2025, No. 4, pp. 57-69.