Cloud Investigation Automation Framework (CIAF): An AI-Driven Approach to Cloud Forensics
- URL: http://arxiv.org/abs/2510.00452v1
- Date: Wed, 01 Oct 2025 03:05:47 GMT
- Title: Cloud Investigation Automation Framework (CIAF): An AI-Driven Approach to Cloud Forensics
- Authors: Dalal Alharthi, Ivan Roberto Kawaminami Garcia
- Abstract summary: We introduce the Cloud Investigation Automation Framework (CIAF), a framework that systematically investigates cloud forensic logs. CIAF standardizes user inputs through semantic validation, eliminating ambiguity and ensuring consistency in log interpretation. Results show significant improvement in ransomware detection, achieving precision, recall, and F1 scores of 93 percent.
- Score: 0.0
- License: http://creativecommons.org/licenses/by/4.0/
- Abstract: Large Language Models (LLMs) have gained prominence in domains including cloud security and forensics. Yet cloud forensic investigations still rely on manual analysis, making them time-consuming and error-prone. LLMs can mimic human reasoning, offering a pathway to automating cloud log analysis. To address this, we introduce the Cloud Investigation Automation Framework (CIAF), an ontology-driven framework that systematically investigates cloud forensic logs while improving efficiency and accuracy. CIAF standardizes user inputs through semantic validation, eliminating ambiguity and ensuring consistency in log interpretation. This not only enhances data quality but also provides investigators with reliable, standardized information for decision-making. To evaluate security and performance, we analyzed Microsoft Azure logs containing ransomware-related events. By simulating attacks and assessing CIAF's impact, results showed significant improvement in ransomware detection, achieving precision, recall, and F1 scores of 93 percent. CIAF's modular, adaptable design extends beyond ransomware, making it a robust solution for diverse cyberattacks. By laying the foundation for standardized forensic methodologies and informing future AI-driven automation, this work underscores the role of deterministic prompt engineering and ontology-based validation in enhancing cloud forensic investigations. These advancements improve cloud security while paving the way for efficient, automated forensic workflows.
Related papers
- Cloud Security Leveraging AI: A Fusion-Based AISOC for Malware and Log Behaviour Detection [0.0]
A Cloud Security Operations Center (SOC) enables cloud governance, risk and compliance by providing insight, visibility and control.
We implement an AI-Augmented Security Operations Center (AISOC) on AWS that combines cloud-native instrumentation with ML-based detection.
arXiv Detail & Related papers (2025-12-16T21:56:11Z)
- VulnLLM-R: Specialized Reasoning LLM with Agent Scaffold for Vulnerability Detection [45.69684471143409]
VulnLLM-R is the first specialized reasoning LLM for vulnerability detection.
We train a reasoning model with seven billion parameters.
We show that VulnLLM-R has superior effectiveness and efficiency compared to SOTA static analysis tools.
arXiv Detail & Related papers (2025-12-08T13:06:23Z)
- What's Next, Cloud? A Forensic Framework for Analyzing Self-Hosted Cloud Storage Solutions [0.0]
Self-hosted cloud storage platforms like Nextcloud are gaining popularity among individuals and organizations seeking greater control over their data.
Despite Nextcloud's widespread use, it has received limited attention in forensic research.
We propose an extended forensic framework that incorporates device monitoring and leverages cloud APIs for structured, repeatable evidence acquisition.
arXiv Detail & Related papers (2025-10-24T08:30:02Z)
- Explainable and Resilient ML-Based Physical-Layer Attack Detectors [46.30085297768888]
We analyze the inner workings of various classifiers trained to alert about physical-layer intrusions.
We evaluate the detectors' resilience to malicious parameter noising.
This work serves as a design guideline for developing fast and robust detectors trained on available network monitoring data.
arXiv Detail & Related papers (2025-09-30T17:05:33Z)
- Enabling Transparent Cyber Threat Intelligence Combining Large Language Models and Domain Ontologies [3.4423725226938426]
We propose a novel methodology to build an AI agent that improves the accuracy and explainability of information extraction from logs.
The design of our methodology is motivated by the analytical requirements associated with honeypot data.
Results demonstrate that our method achieves higher accuracy in information extraction compared to traditional prompt-only approaches.
arXiv Detail & Related papers (2025-08-26T23:17:33Z)
- Reducing False Positives with Active Behavioral Analysis for Cloud Security [2.4631419586608225]
Rule-based cloud security posture management (CSPM) solutions are known to produce many false positives.
This paper introduces a validation-driven methodology that integrates active behavioral testing into cloud security posture management solutions to evaluate the exploitability of policy violations in real time.
arXiv Detail & Related papers (2025-08-18T02:39:02Z)
- Advancing Software Security and Reliability in Cloud Platforms through AI-based Anomaly Detection [0.5599792629509228]
This research aims to enhance CI/CD pipeline security by implementing AI-supported anomaly detection.
The goal is to identify unusual behaviour or deviations from network traffic patterns in pipeline and cloud platforms.
We implemented a combination of a Convolutional Neural Network (CNN) and Long Short-Term Memory (LSTM) to detect unusual traffic patterns.
arXiv Detail & Related papers (2024-11-14T05:45:55Z)
- AutoPT: How Far Are We from the End2End Automated Web Penetration Testing? [54.65079443902714]
We introduce AutoPT, an automated penetration testing agent based on the principle of PSM driven by LLMs.
Our results show that AutoPT outperforms the baseline framework ReAct on the GPT-4o mini model.
arXiv Detail & Related papers (2024-11-02T13:24:30Z)
- AI-Enabled System for Efficient and Effective Cyber Incident Detection and Response in Cloud Environments [0.0]
The escalating sophistication and volume of cyber threats in cloud environments necessitate a paradigm shift in strategies.
This research explores the application of AI and ML and proposes an AI-powered cyber incident response system for cloud environments.
The findings highlight the effectiveness of the Random Forest model, achieving an accuracy of 90% for the Network Traffic and 96% for the Malware Analysis Dual Model application.
arXiv Detail & Related papers (2024-04-08T15:22:03Z)
- RCAgent: Cloud Root Cause Analysis by Autonomous Agents with Tool-Augmented Large Language Models [46.476439550746136]
Large language model (LLM) applications in cloud root cause analysis (RCA) have been actively explored recently.
We present RCAgent, a tool-augmented LLM autonomous agent framework for practical and privacy-aware industrial RCA usage.
Running on an internally deployed model rather than GPT families, RCAgent is capable of free-form data collection and comprehensive analysis with tools.
arXiv Detail & Related papers (2023-10-25T03:53:31Z)
- LogLAB: Attention-Based Labeling of Log Data Anomalies via Weak Supervision [63.08516384181491]
We present LogLAB, a novel modeling approach for automated labeling of log messages without requiring manual work by experts.
Our method relies on estimated failure time windows provided by monitoring systems to produce precisely labeled datasets in retrospect.
Our evaluation shows that LogLAB consistently outperforms nine benchmark approaches across three different datasets and maintains an F1-score of more than 0.98 even at large failure time windows.
arXiv Detail & Related papers (2021-11-02T15:16:08Z)
- Analyzing Machine Learning Approaches for Online Malware Detection in Cloud [0.0]
We present online malware detection based on process-level performance metrics and analyze the effectiveness of different machine learning models.
Our analysis concludes that neural network models can most accurately detect malware based on the process-level features of virtual machines in the cloud.
arXiv Detail & Related papers (2021-05-19T17:28:12Z)
- Robust and Transferable Anomaly Detection in Log Data using Pre-Trained Language Models [59.04636530383049]
Anomalies or failures in large computer systems, such as the cloud, have an impact on a large number of users.
We propose a framework for anomaly detection in log data, as a major troubleshooting source of system information.
arXiv Detail & Related papers (2021-02-23T09:17:05Z)
This list is automatically generated from the titles and abstracts of the papers in this site.