Please use this identifier to cite or link to this item: http://dspace.ensta.edu.dz/jspui/handle/123456789/400
Title: Hybrid AI-SIEM Framework: Leveraging CNN-LSTM Models and Wazuh For Attack Identification and Response
Authors: AIT MIMOUNE, Yasmine
REBAHI, Khadidja
LAKHDARI, Kheira (Thesis supervisor)
TIZIRINE, Nasraddine (Thesis supervisor)
Keywords: Cybersecurity
SIEM
Wazuh
AI
Threat Detection
DDoS
Malware
Intrusion Detection
Issue Date: 2025
Publisher: ENSTA
Series/Report no.: GEII-STR 05-25
Abstract: Security Information and Event Management (SIEM) systems are critical for modern cybersecurity, but their reliance on static rule-based detection limits their effectiveness against evolving threats. This thesis presents a Hybrid AI-SIEM Framework that combines the strengths of machine learning models and the open-source Wazuh SIEM to improve attack identification and response. We integrate a CNN-LSTM architecture for detecting complex attacks like DDoS and anomalies, and augment Wazuh with targeted solutions for various threats, including malware detection using YARA, LLM technology, Wazuh rules, and Suricata-based network intrusion detection. The framework was tested against several critical attack types, including DDoS, brute-force login attempts, web application exploits, malware infections, and suspicious activities. The result is a layered, adaptable system that not only detects but actively responds to security incidents with improved accuracy and reduced false positives. This research demonstrates how hybrid intelligence can transform static SIEMs into smarter, more responsive security ecosystems.
Description: Final-year engineering degree project: Telecommunications Systems and Networks: Algiers: Ecole Nationale Supérieure des Technologies Avancées: 2025
URI: http://dspace.ensta.edu.dz/jspui/handle/123456789/400
Appears in Collections: ING- Systèmes de Télécommunications et Réseaux

Files in This Item:
File: GEII-STR 05-25 PFE_P25_STR3_2 - LAKHDARI Keira.pdf
Description: Engineering degree project
Size: 7.39 MB
Format: Adobe PDF


Items in DSpace are protected by copyright, with all rights reserved, unless otherwise indicated.