Multi-agent Collaborative Framework with Few-Shot CoT for Threat Detection
摘要
To address the challenges of data scarcity, dynamic threats, and real-time detection in complex enterprise networks, this paper proposes a multi-agent collaborative framework integrated with Few-Shot Chain-of-Thought (CoT) reasoning for insider threat detection. The framework coordinates specialized agents—Manager, Behavior Analyst, Searcher, and Reflector—to execute end-to-end log analysis, anomaly detection, and rule refinement. By combining Few-Shot Learning with explicit CoT reasoning, the system generates interpretable detection rules from limited samples and dynamically optimizes them through multi-agent feedback. Evaluations on the CERT-IT r4.2 dataset demonstrate that our method outperforms traditional machine learning, deep learning, and zero-shot/few-shot LLM baselines, achieving 8–12% higher accuracy and 6–23% improvement in F1-score across diverse attack scenarios. Notably, the framework attains 92% rule interpretability and converges to stable rules within 1–2 iterations, reducing false positives/negatives by 30–45% compared to static approaches. These results highlight the effectiveness of integrating multi-agent collaboration and Few-Shot CoT reasoning for scalable, adaptive, and explainable insider threat detection.