Model for Detecting Security Events from SIEM Logs Using Machine Learning Techniques
摘要
Currently, real-time cybersecurity threat detection represents a significant challenge for organizations due to the high volume and complexity of security event logs. This study proposes a robust model based on Machine Learning techniques for the automatic classification of security events, using data collected from a next-generation firewall and stored in a SIEM system. The methodology was structured into four phases: data acquisition (over 98,000 records collected and labeled with expert validation), preprocessing (removal of low-variance variables, correlation analysis, and transformation using Weight of Evidence and Information Value), application of classification models (Logistic Regression, Random Forest, Gradient Boosting, SVM, Decision Tree, Naive Bayes, Neural Networks, XGBoost, LightGBM, and CatBoost), and evaluation using metrics such as precision, accuracy, recall, F1-score, and ROC-AUC. After hyperparameter tuning, the Gradient Boosting model achieved the best performance, with metrics exceeding 97% and an ROC-AUC value of 0.9964, demonstrating a high capability to detect suspicious events with minimal false positives and negatives. These results highlight the potential of optimized machine learning models to strengthen threat detection processes in Security Operations Centers (SOCs), enabling more accurate and timely incident response.