Developmental Framework for an LLM Enabled Aircraft Log Anomaly Detection for Identification of Security Events in an IP Environment
摘要
Aviation environments generate large, heterogeneous log streams that overwhelm signature-only monitoring. We present a developmental framework for threat-informed labeling that maps low-level log events to MITRE ATT&CK tactics and techniques with explicit rationale and confidence. The framework comprises: (i) contextual enrichment from aircraft architecture definitions (network connectivity, domains/partitioning, and safety-criticality labels) and flight-phase awareness; (ii) a retrieval-augmented, LLM-based loop that selects candidate techniques with justification; and (iii) high-volume hygiene (allowlists and burst grouping) to reduce alert spam and pass coherent batches to the LLM. This is a design paper: we describe architecture, interfaces, and assumptions; we do not report quantitative evaluation. We provide artifact schemas (input logs, enrichment, ATT&CK-mapped outputs) and a concrete plan for future assessment (metrics, baselines, and ablations).