LanG — A Governance-Aware Agentic AI Platform for Unified Security Operations
Summary: arXiv:2604.05440v1 Announce Type: cross
Abstract: Modern Security Operations Centers struggle with alert fatigue, fragmented tooling, and limited cross-source event correlation, challenges that current Security Information and Event Management (SIEM) and Extended Detection and Response (XDR) systems address only partially. This paper presents LLM-assisted network Governance (LanG), an open-source, governance-aware agentic AI platform for unified security operations.
Key Contributions of LanG
The LanG platform introduces several innovative features aimed at enhancing security operations:
- Unified Incident Context Record: A correlation engine with an F1 score of 87% that consolidates various security alerts into a single context.
- Agentic AI Orchestrator: Built on LangGraph, it includes human-in-the-loop checkpoints to ensure reliable operation.
- LLM-based Rule Generator: Fine-tuned on four base models, this component produces deployable Snort 2/3, Suricata, and YARA rules with an average acceptance rate of 96.2%.
- Three-Phase Attack Reconstructor: This system combines Louvain community detection, LLM-driven hypothesis generation, and Bayesian scoring, achieving 87.5% accuracy in kill-chain assessments.
- Governance-MCP-Agentic AI-Security Architecture: All tools are accessible via the Model Context Protocol, governed by an AI Governance Policy Engine that features a two-layer guardrail pipeline, resulting in a 98.1% F1 score and zero false positives.
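The correlation engine and the attack reconstructor above are described only at the level of their components. The following added example (not LanG's code, and not taken from the paper) shows the shape of that pipeline on constructed input: alerts from three fictional sensors are folded into a single incident context record, and a naive-Bayes posterior over two constructed kill-chain hypotheses is attached to each record. Shared-entity grouping (union-find) stands in for the paper's Louvain community detection, the hypotheses replace the LLM-generated ones, and all priors and likelihoods are made-up values.

```python
"""Alert correlation into one incident context record, then Bayesian scoring
of kill-chain hypotheses. Added illustration only: not LanG's implementation.
Alert records, entity names, hypotheses, priors and likelihoods are all
constructed for this example; shared-entity grouping stands in for the
paper's Louvain community detection."""
from collections import defaultdict
from dataclasses import dataclass
from itertools import combinations

STAGES = ("reconnaissance", "execution", "lateral_movement")


@dataclass(frozen=True)
class Alert:
    id: str
    source: str            # sensor that raised the alert (constructed names)
    stage: str             # kill-chain stage label given by that sensor
    entities: frozenset    # hosts, users or IPs the alert mentions


# Constructed sample alerts from three fictional sensors.
SAMPLE_ALERTS = [
    Alert("a1", "ids", "reconnaissance", frozenset({"10.0.0.5", "10.0.0.20"})),
    Alert("a2", "edr", "execution", frozenset({"10.0.0.20", "user:bob"})),
    Alert("a3", "auth", "lateral_movement", frozenset({"user:bob", "10.0.0.21"})),
    Alert("a4", "ids", "reconnaissance", frozenset({"192.168.9.9", "10.0.0.40"})),
    Alert("a5", "edr", "execution", frozenset({"10.0.0.77"})),
]

# Constructed hypotheses: prior P(H) and P(stage observed | H) per stage.
HYPOTHESES = {
    "benign_scan": {"prior": 0.70, "likelihood": {
        "reconnaissance": 0.8, "execution": 0.1, "lateral_movement": 0.02}},
    "intrusion_chain": {"prior": 0.30, "likelihood": {
        "reconnaissance": 0.6, "execution": 0.7, "lateral_movement": 0.5}},
}


def correlate(alerts):
    """Group alerts that share at least one entity (union-find over the
    shared-entity graph). Returns a sorted list of alert-id lists."""
    parent = {a.id: a.id for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(alerts, 2):
        if a.entities & b.entities:
            parent[find(a.id)] = find(b.id)
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a.id)].append(a.id)
    return sorted(groups.values())


def build_context_record(alerts, group_ids):
    """Fold one correlated group into a single incident context record."""
    by_id = {a.id: a for a in alerts}
    members = [by_id[i] for i in group_ids]
    return {
        "alerts": list(group_ids),
        "sources": sorted({a.source for a in members}),
        "stages": sorted({a.stage for a in members}),
        "entities": sorted(set().union(*(a.entities for a in members))),
    }


def score_hypotheses(stages, hypotheses=HYPOTHESES):
    """Naive-Bayes posterior over hypotheses given the observed stages.
    A stage that was not observed contributes (1 - likelihood), so a lone
    reconnaissance alert is not scored as a full intrusion chain."""
    observed = set(stages)
    unnorm = {}
    for name, h in hypotheses.items():
        p = h["prior"]
        for s in STAGES:
            like = h["likelihood"][s]
            p *= like if s in observed else 1.0 - like
        unnorm[name] = p
    total = sum(unnorm.values())
    return {k: v / total for k, v in unnorm.items()}


def analyze(alerts):
    """Correlate, build context records and attach the top hypothesis."""
    records = []
    for group in correlate(alerts):
        rec = build_context_record(alerts, group)
        posterior = score_hypotheses(rec["stages"])
        rec["posterior"] = posterior
        rec["top_hypothesis"] = max(posterior, key=posterior.get)
        records.append(rec)
    return records


if __name__ == "__main__":
    for rec in analyze(SAMPLE_ALERTS):
        print(rec["alerts"], rec["stages"], rec["top_hypothesis"],
              {k: round(v, 3) for k, v in rec["posterior"].items()})
```

On the constructed input, a1, a2 and a3 chain together through a shared host and a shared user and are scored as an intrusion chain, while the two isolated alerts stay separate records with low posteriors for that hypothesis. The point of the unobserved-stage term is that partial evidence is penalised rather than ignored; a real reconstructor would draw its hypotheses and likelihoods from the LLM and the data rather than from a fixed table.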
Designed for Managed Security Service Providers
LanG is tailored for Managed Security Service Providers (MSSPs), supporting:
- Multi-tenant Isolation: Ensuring that different clients’ data and operations remain secure and independent.
- Role-based Access: Facilitating varied access permissions based on user roles for enhanced security management.
- Fully Local Deployment: Allowing organizations to operate the platform within their own infrastructure, enhancing data privacy and control.
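The governance policy engine with its two-layer guardrail pipeline (listed under the key contributions) and the multi-tenant isolation and role-based access above are the pieces that keep an autonomous agent inside policy. The following added example, which is not LanG's policy engine and is not from the paper, shows one way such a gate can sit between an agent and its tools: layer 1 is a static role and tenant check, layer 2 inspects the call's arguments so that one tenant's agent cannot touch another tenant's hosts, and production-affecting tools are routed to a human checkpoint instead of executing. Tool names, roles, tenants, assets and the policy table are all constructed for the example.

```python
"""Two-layer governance gate in front of agent tool calls. Added illustration
only, not LanG's policy engine: tool names, roles, tenants, assets and the
policy itself are constructed for this example. Layer 1 is static
role/tenant policy; layer 2 inspects the call's arguments for tenant
isolation and routes production-affecting actions to a human checkpoint."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_HUMAN = "needs_human"   # pause the agent until an operator approves


@dataclass(frozen=True)
class ToolCall:
    tenant: str
    role: str
    tool: str
    args: dict


# Layer 1 policy (constructed): which roles may invoke which tools.
ROLE_TOOLS = {
    "analyst": {"search_events", "get_incident", "draft_rule"},
    "responder": {"search_events", "get_incident", "draft_rule",
                  "deploy_rule", "isolate_host"},
}
# Tools whose effect reaches production and therefore need human approval.
HUMAN_CHECKPOINT = {"deploy_rule", "isolate_host"}


@dataclass
class GovernanceEngine:
    tenant_assets: dict                 # tenant -> set of hosts it owns
    audit: list = field(default_factory=list)

    def evaluate(self, call):
        """Run both layers; every outcome is appended to the audit trail."""
        decision, reason = self._layer1(call)
        if decision is Decision.ALLOW:
            decision, reason = self._layer2(call)
        self.audit.append((call.tenant, call.role, call.tool,
                           decision.value, reason))
        return decision, reason

    def _layer1(self, call):
        if call.tenant not in self.tenant_assets:
            return Decision.DENY, "unknown tenant"
        if call.tool not in ROLE_TOOLS.get(call.role, set()):
            return Decision.DENY, f"role {call.role!r} may not call {call.tool!r}"
        return Decision.ALLOW, "rbac ok"

    def _layer2(self, call):
        # Tenant isolation: any host named in the arguments must belong to
        # the calling tenant, whatever the role.
        owned = self.tenant_assets[call.tenant]
        referenced = set(call.args.get("hosts", []))
        if "host" in call.args:
            referenced.add(call.args["host"])
        foreign = referenced - owned
        if foreign:
            return Decision.DENY, f"hosts outside tenant: {sorted(foreign)}"
        if call.tool in HUMAN_CHECKPOINT:
            return Decision.NEEDS_HUMAN, f"{call.tool!r} requires approval"
        return Decision.ALLOW, "content ok"


# Constructed tenant inventory.
ENGINE = GovernanceEngine(tenant_assets={
    "acme": {"10.0.0.20", "10.0.0.21"},
    "globex": {"10.9.0.5"},
})


def run_demo():
    """Evaluate a handful of constructed calls; returns the decisions."""
    calls = [
        ToolCall("acme", "analyst", "search_events", {"query": "user:bob"}),
        ToolCall("acme", "analyst", "isolate_host", {"host": "10.0.0.20"}),
        ToolCall("acme", "responder", "isolate_host", {"host": "10.0.0.20"}),
        ToolCall("acme", "responder", "isolate_host", {"host": "10.9.0.5"}),
        ToolCall("initech", "responder", "get_incident", {"id": "inc-1"}),
    ]
    return [ENGINE.evaluate(c)[0] for c in calls]


if __name__ == "__main__":
    for row in zip(run_demo(), ENGINE.audit):
        print(row)
```

Two design points carry over to any real deployment of this idea: the argument inspection in layer 2 runs even for a role that is otherwise allowed to call the tool, so role policy alone never grants cross-tenant reach, and every decision (including denials) lands in the audit list, which is what a human-in-the-loop checkpoint and later forensics both depend on.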
Performance and Benchmarking
LanG has demonstrated exceptional performance in intrusion-detection benchmarks, with:
- Weighted F1 Scores: Achieving 99.0% for anomaly detection and 91.0% for threat detection.
- Inference Speed: Running inference in approximately 21 ms, with a machine-side mean time to detect of 1.58 seconds.
- Rule Generator Efficiency: Exceeding 91% deployability on live Intrusion Detection System (IDS) engines.
Comparison with Other SOC Platforms
A systematic comparison against eight Security Operations Center (SOC) platforms shows that LanG is the only one to satisfy the full range of industrial capabilities considered, all within a single open-source tool. This comprehensive approach not only enhances security operations but also ensures adherence to selected AI governance policies, setting a new standard in the cybersecurity landscape.
