AUGMENTING WAZUH SIEM WITH MACHINE LEARNING FOR ADVANCED CYBER THREAT ANALYTICS

Dr. Ali R. Al-Harthy; Dr. Hassan Ben Youssef; Dr. Noura Al-Mutairi

Open Access icon Open Access

ARTICLE

AUGMENTING WAZUH SIEM WITH MACHINE LEARNING FOR ADVANCED CYBER THREAT ANALYTICS

Dr. Ali R. Al-Harthy ¹ , Dr. Hassan Ben Youssef ² , Dr. Noura Al-Mutairi ³

¹ Department of Computer Science, Sultan Qaboos University, Oman

² Department of Computer Science, University of Tunis El Manar, Tunisia

³ Department of Cybersecurity, King Abdullah University of Science and Technology (KAUST), Saudi Arabia

Issue Vol. 1 No. 01 (2024): Volume 01 Issue 01 --- Section Articles --- Published Date: 2024-12-29

Citations: Loading…

ABSTRACT VIEWS: 235 | FILE VIEWS: 275 | PDF: 275 HTML: 0 OTHER: 0 | TOTAL: 510

Views + Downloads (Last 90 days)

Cumulative % included

Abstract

The escalating sophistication of cyber threats necessitates a paradigm shift from traditional, signature-based security measures to more dynamic, intelligent defense mechanisms. This article explores the enhancement of Wazuh, a widely adopted open-source Security Information and Event Management (SIEM) solution, through the integration of machine learning techniques. The primary limitation of rule-based systems, such as high false-positive rates and an inability to detect novel threats, is a significant challenge for modern Security Operations Centers (SOCs). This study proposes and evaluates a hybrid framework that integrates both supervised (K-Nearest Neighbors, Random Forest, Naive Bayes, Logistic Regression, Support Vector Machine) and unsupervised (DBSCAN, K-Means, Isolation Forest) machine learning models into the Wazuh detection pipeline. By leveraging algorithms such as these, this work demonstrates the potential to significantly improve threat detection rates, reduce false positives, and automate complex security event analysis. This study details a comprehensive framework for data collection in a simulated enterprise environment, extensive preprocessing and feature engineering, the application of various machine learning models for threat identification, and a rigorous comparative analysis of their performance. The findings indicate that the Random Forest classifier achieves a superior accuracy of 97.2%, while the DBSCAN algorithm demonstrates 91.1% accuracy in anomaly detection, significantly enhancing the quality of alerts. Furthermore, the real-world viability is assessed through latency and scalability testing, confirming that the proposed system can operate effectively within the stringent time constraints of a real-time SOC. This fusion of machine learning with Wazuh's robust monitoring capabilities offers a formidable, cost-effective, and scalable solution for organizations, particularly Small and Medium-sized Enterprises (SMEs), to bolster their cybersecurity posture against an evolving threat landscape. The article further discusses the practical implications, limitations, and future research directions, emphasizing the synergy between automated systems and human expertise within a modern SOC.

Keywords

Wazuh, SIEM, Machine Learning, Threat Detection

References

1. Chamkar, S.A.; Maleh, Y.; Gherabi, N. Security Operations Centers: Use Case Best Practices, Coverage, and Gap Analysis Based on MITRE Adversarial Tactics, Techniques, and Common Knowledge. J. Cybersecur. Priv. 2024, 4, 777–793.

2. Mokalled, H.; Catelli, R.; Casola, V.; Debertol, D.; Meda, E.; Zunino, R. The Applicability of a SIEM Solution: Requirements and Evaluation. In Proceedings of the 28th IEEE International Conference on Enabling Technologies: Infrastructure for Collaborative Enterprises, Naples, Italy, 12–14 June 2019.

3. Sheeraz, M.; Paracha, M.A.; Haque, M.U.; Durad, M.H.; Mohsin, S.M.; Band, S.S.; Mosavi, A. Effective security monitoring using efficient SIEM architecture. Hum.-Centric Comput. Inf. Sci. 2023, 13, 1–18.

4. Khayat, M.; Barka, E.; Serhani, M.A.; Sallabi, F.; Shuaib, K.; Khater, H.M. Empowering Security Operation Center with Artificial Intelligence and Machine Learning–A Systematic Literature Review. IEEE Access 2025, 13, 19162–19197.

5. Hughes, K.; McLaughlin, K.; Sezer, S. Dynamic countermeasure knowledge for intrusion response systems. In Proceedings of the 2020 31st Irish Signals and Systems Conference (ISSC), Letterkenny, Ireland, 11–12 June 2020; pp. 1–6.

6. Coscia, A.; Dentamaro, V.; Galantucci, S.; Maci, A.; Pirlo, G. Automatic decision tree-based NIDPS ruleset generation for DoS/DDoS attacks. J. Inf. Secur. Appl. 2024, 82, 103736.

7. Kinyua, J.; Awuah, L. AI/ML in Security Orchestration, Automation and Response: Future Research Directions. Intell. Autom. Soft Comput. 2021, 28, 527–545.

8. Sworna, Z.T.; Islam, C.; Babar, M.A. APIRO: A framework for Automated Security Tools API Recommendation. ACM Trans. Softw. Eng. Methodol. 2023, 32, 1–42.

9. Toyin, O.; Adeola, M.O.; Oguntimilehin, A.; OB, A.; Aweh, O.M.; Obamiyi, S.E.; Akinduyite, C.O.; James, A.A. Intelligent Network Intrusion Detection and Prevention System (NIDPS): A Machine Learning and Network Security. In Proceedings of the 2024 IEEE 5th International Conference on Electro-Computing Technologies for Humanity (NIGERCON), Ado Ekiti, Nigeria, 26–28 November 2024; pp. 1–6.

10. Kurnia, R.; Widyatama, F.; Wibawa, I.M.; Brata, Z.A.; Nelistiani, G.A.; Kim, H. Enhancing Security Operations Center: Wazuh Security Event Response with Retrieval-Augmented-Generation-Driven Copilot. Sensors 2025, 25, 870.

11. Manzoor, J.; Waleed, A.; Jamali, A.F.; Masood, A. Cybersecurity on a budget: Evaluating security and performance of open-source SIEM solutions for SMEs. PLoS ONE 2024, 19, e0301183. [PubMed]

12. Moiz, S.; Majid, A.; Basit, A.; Ebrahim, M.; Abro, A.A.; Naeem, M. Security and threat detection through cloud-based Wazuh deployment. In Proceedings of the 2024 IEEE 1st Karachi Section Humanitarian Technology Conference (KHI-HTC), Tandojam, Pakistan, 8–9 January 2024; pp. 1–5.

13. Vilendeˇci´c, B.; Dejanovi´c, R.; Curi´c, P. The Impact of Human Factors in the Implementation of SIEM Systems. ´J. Electr. Eng. 2017, 5, 196–203.

14. Chamkar, S.A.; Maleh, Y.; Gherabi, N. The Human Factor Capabilities in Security Operation Center (SOC). EDPACS 2022, 66, 1–14.

15. Mughal, A.A. Building and securing the modern security operations center (soc). Int. J. Bus. Intell. Big Data Anal. 2022, 5, 1–15.

16. Önal, V.; Arslan, H.; Görmez, Y. Machine Learning and Event-Based User and Entity Behavior Analysis. In Proceedings of the 2024 32nd Signal Processing and Communications Applications Conference (SIU), Mersin, Turkiye, 15–18 May 2024; pp. 1–4.

17. Karampudi, B.; Phanideep, D.M.; Reddy, V.M.K.; Subhashini, N.; Muthulakshmi, S. Malware Analysis Using Machine Learning. In Intelligent Systems Design and Applications; Abraham, A., Pllana, S., Casalino, G., Ma, K., Bajaj, A., Eds.; Springer Nature: Cham, Switzerland, 2023; pp. 281–290.

18. Silic, M.; Delac, G.; Srbljic, S. Prediction of Atomic Web Services Reliability Based on K-means Clustering. In ESEC/FSE, Proceedings of the 2013 9th Joint Meeting on Foundations of Software Engineering, Saint Petersburg, Russia, 18–26 August 2013; ACM: New York, NY, USA, 2013; pp. 70–80.

19. Laaksonen, J.; Oja, E. Classification with Learning K-nearest Neighbors. In Proceedings of the IEEE International Conference on Neural Networks, Washington, DC, USA, 3–6 June 1996; Volume 3, pp. 1480–1483.

20. Breiman, L. Random forests. In Machine Learning; Springer: Berlin/Heidelberg, Germany, 2001; Volume 45, pp. 1–33.

21. Rish, I. An Empirical Study of The Naive Bayes Classifier. In IJCAI 2001 Workshop on Empirical Methods in Artificial Intelligence; Washington, DC, USA, 2001; Volume 3, pp. 41–46.

22. Liu, F.T.; Ting, K.M.; Zhou, Z.-H. Isolation Forest. In Proceedings of the 2008 Eighth IEEE International Conference on Data Mining, Pisa, Italy, 15–19 December 2008; pp. 413–422.

23. Schubert, E.; Sander, J.; Ester, M.; Kriegel, H.P.; Xu, X. DBSCAN revisited, revisited: Why and how you should (still) use DBSCAN. ACM Trans. Database Syst. (TODS) 2017, 42, 1–21.

How to Cite

AUGMENTING WAZUH SIEM WITH MACHINE LEARNING FOR ADVANCED CYBER THREAT ANALYTICS. (2024). European Journal of Emerging Cybersecurity and Information Protection, 1(01), 57-67. https://parthenonfrontiers.com/index.php/ejecip/article/view/84

Download Citation

ejecip Open Access Journal

European Journal of Emerging Cybersecurity and Information Protection

All issues

AUGMENTING WAZUH SIEM WITH MACHINE LEARNING FOR ADVANCED CYBER THREAT ANALYTICS

Abstract

Keywords

References

How to Cite

Related articles

Journal Information

Journal Guidelines

Follow Us

Join Us

Contact Us

Share Link

Related articles

Toward Unified Interpretability and Robustness in Machine Learning–Based Anomaly Detection Across Industrial, Network, Financial, and Cyber-Physical Domains

Integrative Data Processing and Optimized Machine Learning Architectures for Advanced Electricity and Retail Demand Forecasting in High-Dimensional Environments

Integrated Intelligent Maintenance Architectures for Hydro-Generator Excitation Systems: A Knowledge-Driven and Machine-Assisted Diagnostic Paradigm

Integrative Artificial Intelligence Architectures for Supply Chain Optimization and Market Intelligence: A Deep Synthesis of Forecasting, Sentiment Analytics, and Business Concept Innovation

A TRUST-BASED INCENTIVE FRAMEWORK FOR FEDERATED LEARNING IN EDGE ENVIRONMENTS WITH DIVERSE PARTICIPANTS

Artificial Intelligence–Driven Demand Forecasting And Supply Chain Performance: A Deep Integrative Analysis Of Neural, Hybrid, And Context-Aware Models In Contemporary Retail And Industrial Networks

A STATIC ANALYSIS FRAMEWORK UTILIZING LARGE LANGUAGE MODELS FOR IDENTIFYING MALICIOUS OFFICE OPEN XML FILES

Integrating Business Intelligence Frameworks for Enhanced Organizational Decision-Making: Theoretical and Empirical Synthesis

AN ANALYTICAL SURVEY OF IMMERSIVE TECHNOLOGIES FOR ENHANCING CYBER SITUATIONAL AWARENESS

ASSESSING END-USER RESILIENCE TO PHISHING: A STUDY ON EDUCATIONAL INTERVENTIONS AND SIMULATED ATTACKS IN A CROATIAN UNIVERSITY