A HYBRID MACHINE LEARNING APPROACH FOR ANOMALY DETECTION IN SECURITY INFORMATION AND EVENT MANAGEMENT
DOI: https://doi.org/10.58420/ptk/2025.88.04.005

Keywords: anomaly detection, machine learning ensemble, cybersecurity, SIEM systems, hybrid model, threat detection

Abstract
Security Information and Event Management (SIEM) systems require intelligent detection methods to identify advanced threats and subtle indicators during real-time monitoring in modern cybersecurity environments. Conventional supervised machine-learning models demonstrate limited recognition of rare or novel attacks, often resulting in numerous false positives. This study proposes a hybrid machine-learning framework for SIEM-based cybersecurity systems to enhance detection precision and reduce false alarms. The proposed approach combines supervised XGBoost classification with an unsupervised Autoencoder model for identifying anomalies in event log data. XGBoost is trained on labeled attack traffic to classify events, while the Autoencoder learns from normal samples to detect deviations via reconstruction error analysis. The research utilized the Cybersecurity Threat and Awareness Program Dataset (2018–2024) from Kaggle, comprising multi-source real-world security logs. Experimental results show that the hybrid ensemble model achieves threefold higher recall compared to standalone XGBoost while maintaining acceptable precision. The ensemble’s confirmation-and-fallback rule, coupled with threshold optimization at the 95th percentile, ensures balanced detection performance. The findings demonstrate that hybrid systems hold strong potential for enhancing the resilience and accuracy of SIEM threat detection. Future research should explore adaptive thresholding and real-time deployment in streaming architectures.
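The ensemble decision logic described in the abstract, as an added illustration that is not code from the paper: the reconstruction-error threshold is fixed at the 95th percentile of errors on normal-only data, and the "confirmation-and-fallback" rule is read here (an assumption, since the abstract does not define it) as keeping every supervised alert, marking it confirmed when the autoencoder agrees, and letting the autoencoder alone decide events the supervised model did not flag. The per-event scores are constructed stand-ins for XGBoost probabilities and autoencoder errors, chosen so the recall gain from the fallback path is visible.

```python
from dataclasses import dataclass

def percentile(values, q):
    """Nearest-rank q-th percentile (0..100) of a list; avoids a numpy dependency."""
    ordered = sorted(values)
    rank = max(1, int(round(q / 100.0 * len(ordered))))
    return ordered[rank - 1]

@dataclass
class Event:
    p_attack: float   # supervised classifier probability (XGBoost stand-in, assumed)
    recon_err: float  # autoencoder reconstruction error (assumed)
    label: int        # ground truth: 1 = attack, 0 = benign (evaluation only)

def supervised_decision(ev, p_cut=0.5):
    """Standalone supervised baseline: alert on classifier probability alone."""
    return ev.p_attack >= p_cut

def hybrid_decision(ev, threshold, p_cut=0.5):
    """Confirmation-and-fallback rule as assumed here: a supervised alert is kept
    (tagged 'confirmed' when the AE agrees); events the supervised model does
    not flag fall back to the AE reconstruction-error test."""
    anomalous = ev.recon_err > threshold
    if ev.p_attack >= p_cut:
        return True, ("confirmed" if anomalous else "unconfirmed")
    return anomalous, ("fallback" if anomalous else "none")

def evaluate(events, decide):
    """Precision and recall of a decision function over labelled events."""
    tp = fp = fn = 0
    for ev in events:
        alert = decide(ev)
        tp += int(alert and ev.label == 1)
        fp += int(alert and ev.label == 0)
        fn += int((not alert) and ev.label == 1)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    return round(precision, 3), round(recall, 3)

def run_demo():
    # Constructed reconstruction errors of normal-only training events.
    normal_errors = [i / 100 for i in range(1, 21)]
    threshold = percentile(normal_errors, 95)
    # Constructed scored events: benign traffic, one noisy benign event, known
    # attacks the classifier sees, and novel attacks it misses but the AE flags.
    events = ([Event(0.1, 0.05, 0)] * 6 + [Event(0.2, 0.25, 0)]
              + [Event(0.9, 0.30, 1)] * 3 + [Event(0.2, 0.35, 1)] * 6)
    sup = evaluate(events, supervised_decision)
    hyb = evaluate(events, lambda ev: hybrid_decision(ev, threshold)[0])
    return {"threshold": threshold, "supervised": sup, "hybrid": hyb}

if __name__ == "__main__":
    print(run_demo())
```

On this constructed sample the supervised baseline reaches recall 0.333 at precision 1.0, while the hybrid rule reaches recall 1.0 at precision 0.9, the trade-off the abstract describes; the single false positive comes from the fallback path, which is where threshold tuning matters in practice.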
Copyright (c) 2025 Industrial Transport Kazakhstan

This work is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License.