Aviation environments generate large, heterogeneous log streams that overwhelm signature-only monitoring. We present a developmental framework for threat-informed labeling that maps low-level log events to MITRE ATT&CK tactics and techniques with explicit rationale and confidence. The framework comprises: (i) contextual enrichment from aircraft architecture definitions (network connectivity, domains/partitioning, and safety-criticality labels) and flight-phase awareness; (ii) a retrieval-augmented, LLM-based loop that selects candidate techniques with justification; and (iii) high-volume hygiene (allowlists and burst grouping) to reduce alert spam and pass coherent batches to the LLM. This is a design paper: we describe architecture, interfaces, and assumptions; we do not report quantitative evaluation. We provide artifact schemas (input logs, enrichment, ATT&CK-mapped outputs) and a concrete plan for future assessment (metrics, baselines, and ablations).

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Developmental Framework for an LLM Enabled Aircraft Log Anomaly Detection for Identification of Security Events in an IP Environment

  • Sean I. McConoughey,
  • Jayson F. Clifford,
  • Daniel J. Diessner

摘要

Aviation environments generate large, heterogeneous log streams that overwhelm signature-only monitoring. We present a developmental framework for threat-informed labeling that maps low-level log events to MITRE ATT&CK tactics and techniques with explicit rationale and confidence. The framework comprises: (i) contextual enrichment from aircraft architecture definitions (network connectivity, domains/partitioning, and safety-criticality labels) and flight-phase awareness; (ii) a retrieval-augmented, LLM-based loop that selects candidate techniques with justification; and (iii) high-volume hygiene (allowlists and burst grouping) to reduce alert spam and pass coherent batches to the LLM. This is a design paper: we describe architecture, interfaces, and assumptions; we do not report quantitative evaluation. We provide artifact schemas (input logs, enrichment, ATT&CK-mapped outputs) and a concrete plan for future assessment (metrics, baselines, and ablations).