TL-SOC: A Hybrid Decision-Centric Intrusion Detection Framework for Security Operations Centers


Volume 11, Issue 2, Pages 30–42, 2026

Authors: Imane Lotfi*, Meriem Mandar
Laboratory of Mathematics, Artificial Intelligence and Digital Learning, Higher Normal School of Casablanca, Hassan II University, Casablanca, Morocco
*Author to whom correspondence should be addressed. E-mail: imane.lotfi@enscasa.ma

Adv. Sci. Technol. Eng. Syst. J. 11(2), 30–42 (2026); DOI: 10.25046/aj110204

Keywords: Intrusion Detection Systems, Security Operations Centers, Hybrid Intrusion Detection, Deep Anomaly Detection, Zero-Day Detection, Out-of-Distribution Attacks, Advanced Persistent Threats, Explainable AI

Received: 12 March 2026, Revised: 27 March 2026, Accepted: 1 April 2026, Published Online: 23 April 2026
(This article belongs to the SP20 (Special Issue on Multidisciplinary Frontiers in Engineering, Computing and Applied Sciences 2026) & Section Information Systems in Computer Science (CIS))

Security Operations Centers (SOCs) require intrusion detection systems that achieve high detection accuracy while maintaining a low false-positive rate and robustness to evolving attack patterns. However, most existing machine learning-based approaches primarily focus on detecting known threats and often overlook distribution shifts and the reliability of generated alerts. In this paper, we propose TL-SOC, a decision-centric intrusion detection framework that integrates anomaly representation learning and supervised classification within a unified architecture. The proposed system combines a CNN–Transformer autoencoder, a graph neural network autoencoder, and an XGBoost classifier, whose outputs are fused through a meta-learning decision layer operating under explicit false-positive-rate constraints. To enhance transparency, SHAP-based explanations are incorporated to provide both global and local interpretability of detection outcomes. Experimental results on the CICIDS-2017 dataset show that TL-SOC achieves a precision of 99.63%, a recall of 74.44%, and an F1-score of 85.21%, while maintaining a very low false-positive rate (5.52 × 10⁻⁴). The framework also demonstrates strong robustness under time-series and out-of-distribution scenarios, achieving competitive performance in cross-dataset evaluation. These results highlight the effectiveness of decision-centric hybrid architectures for reliable and operational intrusion detection in SOC environments.
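The abstract's central design point is that the fusion layer does not simply pick the most likely label but operates under an explicit false-positive-rate constraint, trading recall for a bounded alert volume. The following added example, which is not code from the paper or its authors, illustrates that operating-point selection in isolation: three per-flow detector scores (standing in for the CNN–Transformer autoencoder error, the GNN autoencoder error and the XGBoost probability) are fused with fixed weights, a deliberate simplification of the meta-learning decision layer, and the alert threshold is then chosen as the lowest one whose FPR on a labelled validation set stays within a budget. The weights, the fourteen validation flows and the linear per-detector attribution (a crude stand-in for the SHAP explanations the paper uses) are all assumptions constructed for this illustration.

```python
"""Alert threshold selection under an explicit false-positive-rate budget.

Added illustration, not the TL-SOC implementation: per-flow scores from
three detectors are fused with fixed weights (a stand-in for the paper's
meta-learning decision layer), and the operating threshold is the lowest
one whose FPR on a labelled validation set stays within the budget.
"""
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple

# Assumed fusion weights for (CNN-Transformer AE error, GNN AE error,
# XGBoost attack probability); a trained meta-learner would fit these.
WEIGHTS: Tuple[float, float, float] = (0.25, 0.25, 0.5)
DETECTORS = ("cnn_transformer_ae", "gnn_ae", "xgboost")

# Constructed validation set: (ae_err, gnn_err, xgb_prob, label); label 1 = attack.
# All scores are assumed to be already scaled to [0, 1].
VALIDATION: List[Tuple[float, float, float, int]] = [
    (0.1, 0.1, 0.05, 0),
    (0.2, 0.1, 0.10, 0),
    (0.1, 0.3, 0.10, 0),
    (0.3, 0.2, 0.20, 0),
    (0.2, 0.2, 0.30, 0),
    (0.4, 0.3, 0.20, 0),
    (0.6, 0.5, 0.30, 0),   # noisy benign flow
    (0.5, 0.7, 0.60, 0),   # hard benign flow (e.g. bulk backup traffic)
    (0.9, 0.8, 0.95, 1),
    (0.8, 0.9, 0.90, 1),
    (0.7, 0.6, 0.80, 1),
    (0.5, 0.4, 0.70, 1),
    (0.6, 0.4, 0.40, 1),   # stealthy attack, low classifier confidence
    (0.3, 0.3, 0.30, 1),   # attack that looks benign to every detector
]


@dataclass(frozen=True)
class Metrics:
    threshold: float
    precision: float
    recall: float
    f1: float
    fpr: float


def fuse(scores: Sequence[float], weights: Sequence[float] = WEIGHTS) -> float:
    """Weighted linear fusion of the detector scores into one decision score."""
    return sum(w * s for w, s in zip(weights, scores))


def fuse_dataset(rows: Sequence[Tuple[float, float, float, int]]) -> Tuple[List[float], List[int]]:
    """Fused score and ground-truth label for every validation flow."""
    return [fuse(r[:3]) for r in rows], [r[3] for r in rows]


def confusion(fused: Sequence[float], labels: Sequence[int], threshold: float) -> Tuple[int, int, int, int]:
    """(tp, fp, fn, tn) when a flow is alerted iff its fused score >= threshold."""
    tp = fp = fn = tn = 0
    for score, label in zip(fused, labels):
        alert = score >= threshold
        if alert and label:
            tp += 1
        elif alert:
            fp += 1
        elif label:
            fn += 1
        else:
            tn += 1
    return tp, fp, fn, tn


def metrics_at(fused: Sequence[float], labels: Sequence[int], threshold: float) -> Metrics:
    """Precision, recall, F1 and FPR at one threshold (0.0 when undefined)."""
    tp, fp, fn, tn = confusion(fused, labels, threshold)
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    fpr = fp / (fp + tn) if fp + tn else 0.0
    return Metrics(threshold, precision, recall, f1, fpr)


def select_threshold(fused: Sequence[float], labels: Sequence[int], fpr_budget: float) -> Metrics:
    """Lowest threshold (hence highest recall) whose validation FPR <= budget.

    Candidates are the observed fused scores in ascending order; if none is
    feasible (e.g. the top-scoring validation flow is benign and the budget
    is 0), fall back to +inf, i.e. raise no alerts, so the constraint always holds.
    """
    for thr in sorted(set(fused)):
        m = metrics_at(fused, labels, thr)
        if m.fpr <= fpr_budget:
            return m
    return metrics_at(fused, labels, float("inf"))


def explain_alert(scores: Sequence[float], weights: Sequence[float] = WEIGHTS) -> Dict[str, float]:
    """Per-detector contribution to the fused score. This linear attribution is
    exact only because the fusion here is linear; it is not SHAP."""
    return {name: w * s for name, w, s in zip(DETECTORS, weights, scores)}


if __name__ == "__main__":
    fused, labels = fuse_dataset(VALIDATION)
    for budget in (0.0, 0.125):
        m = select_threshold(fused, labels, budget)
        print(f"FPR budget {budget}: thr={m.threshold:.3f} P={m.precision:.3f} "
              f"R={m.recall:.3f} F1={m.f1:.3f} FPR={m.fpr:.4f}")
    print("why the stealthy attack alerts:", explain_alert(VALIDATION[12][:3]))
```

Running it shows the trade-off the abstract describes: a zero-FPR budget forces the threshold above the hardest benign flow and recall drops to 0.5, while allowing one false alarm in eight benign flows lowers the threshold enough to also catch the stealthy attack. In a real deployment the validation set must be drawn from recent production traffic, and the budget re-checked after any distribution shift, because a threshold tuned on one data period carries no FPR guarantee on another.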
