🛡️ Ctrl Alt Defend
💡 Inspiration
Modern Security Operations Centers (SOCs) are drowning in noise. The prompt for this challenge highlighted a critical industry problem: Cognitive Overload. Analysts aren't failing because they lack data; they are failing because they have too much of it.
We realized that simply building another "Black Box" AI classifier would fail the prompt's requirement to "support human decision-making under uncertainty." If an AI says "99% Malicious" but can't explain why, an analyst cannot trust it.
We were inspired to build Ctrl Alt Defend: a hybrid system that combines the rigid safety of hard rules with the intuition of Machine Learning to automate the role of a Level 1 SOC Analyst.
🚀 What it does
Ctrl Alt Defend is a Signal-to-Decision pipeline that transforms raw, noisy logs into a prioritized list of high-fidelity "Cases." It doesn't just filter alerts; it reasons about them.
- Filters Noise: Reduces raw log volume by ~40% while preserving critical context.
- Rescues "Sneaky" Attacks: Uses an ML model to catch low-severity events (like a suspicious "Informational" login) that hard rules often miss.
- Builds Cases: Automatically groups related alerts (e.g., a Login followed by a File Download) into a single "Case" using graph theory.
- Quantifies Uncertainty: Explicitly penalizes the priority score when data (like dest_ip) is missing, preventing false certainty.
- AI Co-Pilot: Integrates Google Gemini to generate natural language summaries and actionable next steps for every case.
⚙️ How we built it
We architected a three-stage pipeline using a Hybrid Heuristic approach.
Stage 1: The "Hybrid" Filter (Signal Extraction)
We rejected the idea of using only Rules or only ML. Instead, we used a Union Logic: $$IsAlert = (Rule_{Severity} \lor Rule_{Defense}) \lor (ML_{Augmentation})$$
- The Safety Net: Hard rules catch obvious threats (e.g., Severity >= Medium or Action == Blocked).
- The Hunter (ML): We trained a Random Forest Classifier on behavioral features (Event Type, Action, Outcome) to catch subtle anomalies. If the ML model is >60% suspicious, it "rescues" the event even if the vendor labeled it "Informational."
Stage 2: Graph Clustering (Case Building)
We used NetworkX to map the relationships between alerts.
- Nodes: Alerts, Users, IPs, Assets.
- Edges: Created when an alert involves an entity.
- Cases: We identified Connected Components in the graph. This ensures that a Phishing Email (Alert A) and a Malware Download (Alert B) are grouped into the same case if they share the same User (Node C).
Stage 3: Uncertainty Scoring
We implemented a custom scoring equation to handle the "noisy and incomplete" nature of the dataset. Instead of a binary "Bad/Good," we calculate a Priority Score that degrades based on missing information:
$$Priority_{final} = Priority_{base} \times (1 - \sum Penalty_{uncertainty})$$
Where $Penalty$ increases whenever dest_ip or dest_domain is NaN. This forces the dashboard to flag cases as "High Risk but Low Confidence," prompting human review rather than blind panic.
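As an added example (not the project's own code), the three stages above condensed into a runnable miniature over constructed events: the rule/ML union filter, connected-component case building with a small union-find standing in for NetworkX, and the missing-field penalty. The severity ordering, penalty weights, base priorities and the precomputed ml_score column are assumptions.

```python
SEVERITY = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}
ML_THRESHOLD = 0.60                                 # ML "rescue" cut-off from the write-up
PENALTY = {"dest_ip": 0.25, "dest_domain": 0.15}    # assumed uncertainty weights

# Constructed sample events; ml_score stands in for the Random Forest output.
EVENTS = [
    {"id": 1, "user": "alice", "dest_ip": None, "dest_domain": None,
     "severity": "Informational", "action": "Allowed", "ml_score": 0.72, "base": 40},
    {"id": 2, "user": "alice", "dest_ip": "203.0.113.9", "dest_domain": None,
     "severity": "Medium", "action": "Allowed", "ml_score": 0.30, "base": 70},
    {"id": 3, "user": "bob", "dest_ip": "198.51.100.2", "dest_domain": "example.test",
     "severity": "Informational", "action": "Allowed", "ml_score": 0.10, "base": 20},
    {"id": 4, "user": "carol", "dest_ip": None, "dest_domain": None,
     "severity": "Low", "action": "Blocked", "ml_score": 0.20, "base": 50},
]

def is_alert(ev):
    """Stage 1: IsAlert = (Rule_Severity or Rule_Defense) or ML_Augmentation."""
    rule_severity = SEVERITY[ev["severity"]] >= SEVERITY["Medium"]
    rule_defense = ev["action"] == "Blocked"
    ml_rescue = ev["ml_score"] > ML_THRESHOLD      # rescues the "Informational" event 1
    return rule_severity or rule_defense or ml_rescue

def build_cases(alerts):
    """Stage 2: connected components over alert<->entity edges (union-find instead of NetworkX)."""
    parent = {}
    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            x = parent[x]
        return x
    for ev in alerts:                                # edge: alert node -> each entity that is present
        for key in ("user", "dest_ip"):
            if ev[key] is not None:
                parent[find(("alert", ev["id"]))] = find((key, ev[key]))
    groups = {}
    for ev in alerts:
        groups.setdefault(find(("alert", ev["id"])), []).append(ev["id"])
    return sorted(sorted(g) for g in groups.values())

def priority(ev):
    """Stage 3: Priority_final = Priority_base * (1 - sum of penalties for missing fields)."""
    penalty = sum(w for field, w in PENALTY.items() if ev[field] is None)
    return round(ev["base"] * (1 - penalty), 2)

def run_pipeline(events):
    """Returns (cases as sorted lists of alert ids, {alert id: final priority})."""
    alerts = [ev for ev in events if is_alert(ev)]
    return build_cases(alerts), {ev["id"]: priority(ev) for ev in alerts}
```

Event 1 survives only through the ML rescue, event 3 is dropped as noise, and events 1 and 2 land in one case because they share the user node; the two events with no destination data carry the lowest confidence-adjusted priority.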
🚧 Challenges we ran into
- The "Context Gap" (Missing Data): Our EDA revealed that over 66% of events were missing destination IPs. This made correlating network events extremely difficult. We solved this by pivoting to "User" and "Host" based clustering, allowing us to link events even when network indicators were absent.
- Simulating the Real World: SOC data is heavily imbalanced—mostly "Informational" noise with very few "Critical" signals. Our initial ML models learned to just predict "Safe" for everything. We had to implement aggressive feature engineering and rarity weighting to force the model to pay attention to the anomalies.
- Frontend-Backend Disconnect: We wanted a sleek, interactive frontend (HTML/JS) but needed powerful Python libraries for the graph logic. Bridging the gap between our Streamlit data processing and the GitHub Pages-hosted frontend required careful JSON serialization of our graph structures.
🏆 Accomplishments that we're proud of
- Massive Noise Reduction: In our testing on the challenge dataset, we successfully condensed 344 raw events into just 101 actionable cases, drastically reducing the analyst's workload.
- Zero-Shot AI Analysis: We successfully integrated the Google Gemini API directly into the dashboard. It takes our structured JSON case data and outputs a professional "Analyst Summary" in seconds, requiring zero custom training.
- Handling the Unknown: Unlike traditional tools that hide broken data, our "Uncertainty Score" explicitly tells the analyst what we don't know, which is often more valuable than what we do know.
🧠 What we learned
- Data Quality > Model Quality: No amount of fancy ML can fix a dataset where 60% of the columns are empty. The biggest gains came from cleaning the data and handling NaN values intelligently, not from hyperparameter tuning.
- The Power of Graphs: Viewing security logs as a "Network" rather than a "Spreadsheet" completely changed how we understood the attacks. It allowed us to see lateral movement that was invisible in the raw logs.
- UX Matters for Security: A complex algorithm is useless if the analyst can't understand the output. Spending time on the "Confidence Bar" and "AI Summary" made the tool significantly more usable.
🔮 What's next for Ctrl Alt Defend
- Active Learning: Allowing analysts to click "False Positive" on a case to retrain the underlying Random Forest model in real-time.
- Live Ingestion: Moving from batch CSV processing to a live API listener that updates the graph dynamically as logs flow in.
- Knowledge Graph RAG: Instead of just sending raw logs to Gemini, we want to feed it the Graph structure itself, allowing the AI to reason about the relationships between users and assets.