
250 - GARNET: GoT-based Alert Reduction and Narrative Event Tracing

2026 · application demonstration · novel system

Association for Artificial Intelligence 2026, Changzhi Zhao, Zhigang Lu, Tian Tian, Yiru Gong, Bo Jiang, Xiaobo Yang, JunRong Liu, Song Liu

Underline Science Inc.

https://doi.org/10.48448/wady-zv49
OpenAlex: W7128736104

URLs Found: 1
Internal Citations: 0
Authors: 9
Abstract Quality: usable
GPT-5.5 Abstract Analysis

Problems Identified (5)

SOC alert overload: Security Operations Center alerts are numerous and scattered, creating high analyst workload and slowing response times.

Complex alert correlation graphs: Existing alert correlation graph methods can reduce alert volume but are too complex for analysts to understand.

Readable attack path summarization: Analysts need automatic alert correlation and concise, human-readable attack path summaries.

Graph-log alignment and reasoning challenges: LLM-based reasoning over alert correlation graphs requires modality alignment, semantic alignment, and graph-path reasoning support.

Proposed Solutions (5)

GARNET LLM alert-graph reasoning framework: GARNET is a framework that applies LLM reasoning to alert correlation graphs.

Contrastive graph-log embedding alignment: GARNET projects graph and log embeddings into a shared vector space using contrastive learning.

Self-supervised graph-log instruction tuning: GARNET uses self-supervised graph-log instructions to bridge semantic gaps by training a novel LLM.

Graph-of-Thought path reasoning: GARNET uses a Graph-of-Thought interaction reasoning approach to guide LLM reasoning along graph paths.

Results (3)

Human-readable attack path summaries:

False positive reduction:

Low false positive rate:

Research Domain

cybersecurity / SOC alert correlation
