AI‑Driven Security Operations (AISECOPS): Architecture, Practices, and Evaluation

The rapid development of large models has prompted a shift in security operations (SECOPS) from traditional bug‑fixing to algorithm‑driven application integration, aiming to accelerate fault localisation and improve efficiency across diverse environments.

The presentation outlines five key topics: SECOPS industry pain points, AISECOPS practice, AISECOPS+, SECOPS AI, and a Q&A session.

Key pain points include the paradox of simple front‑end features demanding increasingly complex back‑end, architecture, and security infrastructure, as well as the explosion of attack vectors in hybrid cloud environments.

AISECOPS practice demonstrates four concrete scenarios—DNS reverse‑domain detection, web request anomaly detection, host command execution monitoring, and HIDS data analysis—using large‑model embeddings (OpenAI Ada, ST5) combined with classifiers such as SVM and MLP to achieve >99% accuracy.

Model evaluation shows ST5‑Large delivering up to 60 QPS on a G4dn.xlarge instance, while the OpenAI Ada model incurs higher inference costs; cost analysis indicates training expenses of roughly ¥1,300 for three days and per‑inference costs as low as $0.000005.

Further development includes AISECOPS+Agent integration with chat‑ops and SIEM dashboards, enabling automatic rule generation for firewalls and providing DBA assistance through natural‑language queries and optimization suggestions.

The safety framework adopts the Helpful‑Truthful‑Harmless (HTH) principles, emphasizing privacy protection, adversarial robustness, reliability, explainability, performance, and supply‑chain risk mitigation for large‑model deployment in ops.

Finally, the article discusses the need for controlled APIs, proper authorization, and avoidance of over‑reliance on models to prevent unintended actions such as accidental data deletion.