English

Using Large Language Models for Template Detection from Security Event Logs

Cryptography and Security 2025-04-15 v3

Abstract

In modern IT systems and computer networks, real-time and offline event log analysis is a crucial part of cyber security monitoring. In particular, event log analysis techniques are essential for the timely detection of cyber attacks and for assisting security experts with the analysis of past security incidents. The detection of line patterns or templates from unstructured textual event logs has been identified as an important task of event log analysis since detected templates represent event types in the event log and prepare the logs for downstream online or offline security monitoring tasks. During the last two decades, a number of template mining algorithms have been proposed. However, many proposed algorithms rely on traditional data mining techniques, and the usage of Large Language Models (LLMs) has received less attention so far. Also, most approaches that harness LLMs are supervised, and unsupervised LLM-based template mining remains an understudied area. The current paper addresses this research gap and investigates the application of LLMs for unsupervised detection of templates from unstructured security event logs.

Keywords

Cite

@article{arxiv.2409.05045,
  title  = {Using Large Language Models for Template Detection from Security Event Logs},
  author = {Risto Vaarandi and Hayretdin Bahsi},
  journal= {arXiv preprint arXiv:2409.05045},
  year   = {2025}
}

Comments

Accepted for publication in International Journal of Information Security

R2 v1 2026-06-28T18:37:39.804Z