SentinelSphere: Integrating AI-Powered Real-Time Threat Detection with Cybersecurity Awareness Training

Published 8 Apr 2026 in cs.CE, cs.AI, cs.CR, and cs.CY | arXiv:2604.06900v1

Abstract: The field of cybersecurity is confronted with two interrelated challenges: a worldwide deficit of qualified practitioners and ongoing human-factor weaknesses that account for the bulk of security incidents. To tackle these issues, we present SentinelSphere, a platform driven by artificial intelligence that unifies machine learning-based threat identification with security training powered by an LLM. The detection module uses an Enhanced Deep Neural Network (DNN) trained on the CIC-IDS2017 and CIC-DDoS2019 benchmark datasets, enriched with novel HTTP-layer feature engineering that captures application-level attack signatures. For the educational component, we deploy a quantised variant of the Phi-4 model (Q4_K_M), fine-tuned for the cybersecurity domain, enabling deployment on commodity hardware requiring only 16 GB of RAM without dedicated GPU resources. Experimental results show that the Enhanced DNN attains high detection accuracy while substantially lowering false positives relative to baseline models, and maintains strong recall across critical attack categories such as DDoS, brute force, and web-based exploits. Validation workshops involving industry professionals and university students confirmed that the Traffic Light visualisation system and conversational AI assistant are both intuitive and effective for users without technical backgrounds. SentinelSphere illustrates that coupling intelligent threat detection with adaptive, LLM-driven security education can meaningfully address both technical and human-factor cybersecurity vulnerabilities within a single, cohesive framework.

Summary

  • The paper presents an integrated AI system that combines a deep neural network-based threat detection engine with real-time cybersecurity awareness training.
  • It details a modular microservices architecture that processes over 11 million events in 30 minutes, achieving a 69.5% reduction in false positives with enhanced threat scoring.
  • Experimental validation shows improved detection metrics (F1 0.94, precision 0.95, recall 0.93) and high user engagement, confirming efficacy for both technical and non-technical users.

SentinelSphere: Unifying AI-Powered Threat Detection with Cybersecurity Awareness Training

System Architecture and Integration

SentinelSphere is architected as a modular, microservices-based extension to the established ResilMesh cyber resilience framework. The integration facilitates scalable ingestion, real-time threat analytics, and user-centric feedback. Security events from diverse sources are normalized using Vector and streamed via NATS into SentinelSphere, enabling distributed detection and coordinated visualization.

Figure 1: High-level system architecture illustrating SentinelSphere integration with the ResilMesh stack.

Figure 2: Data flow architecture showing SentinelSphere and ResilMesh integration paths.

The core threat detection engine uses an Enhanced Deep Neural Network (DNN) that combines conventional network-flow features with novel HTTP-layer features. This dual-layer approach lets the model recognise signatures of application-specific attacks such as SQL injection, cross-site scripting (XSS), and brute-force attempts, while keeping the features that characterise adversarial patterns isolated from ordinary traffic.
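As an added illustration, not code from the paper: one way to derive the kind of HTTP-layer feature row such a detector could be trained on, computed from constructed Apache access-log lines. The token lists, field names and the per-source authentication-failure count are assumptions about what "HTTP-layer feature engineering" might cover, not SentinelSphere's actual feature set.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-log lines (not from the paper); the
# feature set below is an assumption, not SentinelSphere's own.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2026:12:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Apr/2026:12:00:02 +0000] "GET /item?id=1%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.9 - - [10/Apr/2026:12:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 300 "-" "curl/8.0"
10.0.0.7 - - [10/Apr/2026:12:00:04 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
10.0.0.7 - - [10/Apr/2026:12:00:05 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
10.0.0.7 - - [10/Apr/2026:12:00:06 +0000] "POST /login HTTP/1.1" 401 120 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
SQLI_TOKENS = ("' or ", "union select", "--", "1=1", "sleep(")   # assumed token list
XSS_TOKENS = ("<script", "onerror=", "javascript:", "onload=")   # assumed token list

def http_features(line: str) -> dict:
    """Turn one access-log line into a numeric feature row for a classifier."""
    m = LOG_RE.match(line)
    if not m:
        raise ValueError("unparseable log line")
    target = unquote(m["target"])          # decode %27 -> ' etc. before matching
    path, _, query = target.partition("?")
    lowered = target.lower()
    return {
        "src": m["src"],
        "method_post": int(m["method"] == "POST"),
        "path_len": len(path),
        "query_len": len(query),
        "sqli_hits": sum(lowered.count(t) for t in SQLI_TOKENS),
        "xss_hits": sum(lowered.count(t) for t in XSS_TOKENS),
        "encoded_chars": m["target"].count("%"),   # heavy percent-encoding is itself a signal
        "auth_failure": int(m["status"] in ("401", "403")),
    }

def featurize_log(text: str) -> list[dict]:
    """Per-request features plus a per-source auth-failure count (brute-force signal)."""
    rows = [http_features(line) for line in text.splitlines() if line.strip()]
    failures = Counter(r["src"] for r in rows if r["auth_failure"])
    for r in rows:
        r["src_auth_failures"] = failures[r["src"]]
    return rows
```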

Threat Visualization and Scoring

Central to SentinelSphere’s usability is the Traffic Light System (TLS), which distills multidimensional threat telemetry into actionable, color-coded indicators. Each event is classified as green, yellow, or red by a severity calculation that combines anomaly confidence, event frequency, source correlation, IP reputation, and attack diversity.

Figure 3: SentinelSphere Dashboard displaying the Traffic Light Assessment and Event Trends Reports chart.

Threat scores are computed by the formula shown in Figure 4.

Figure 4: Traffic Light Threat Calculation equation showing the mathematical formula for computing the final threat score.

The multi-factor score adjusts dynamically with both event volume and cross-source correlation, so that clusters of anomalous events and weighted IP reputation raise the reported severity. The TLS provides rapid human-in-the-loop assessment by non-specialists, as verified empirically in educational and professional workshops.
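An added example, not the paper's own code or formula (the actual equation is in Figure 4 and is not reproduced on this page): a weighted combination of the five factors named above, with counts saturated so no single factor dominates, mapped to green, yellow or red. The weights, saturation scales and thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Hypothetical weights and thresholds: the paper's actual formula (Figure 4) is
# not reproduced on this page, so these are an assumption, not SentinelSphere's.
WEIGHTS = {"anomaly": 0.40, "frequency": 0.15, "correlation": 0.15,
           "reputation": 0.20, "diversity": 0.10}
YELLOW_AT, RED_AT = 0.35, 0.65

@dataclass
class SourceWindow:
    """Aggregated telemetry for one source over a scoring window (constructed)."""
    src: str
    anomaly_confidence: float   # max detector confidence in [0, 1] over the window
    event_count: int            # events from this source in the window
    correlated_sources: int     # other sources seen with the same attack signature
    ip_reputation: float        # 0 = clean, 1 = known-bad (assumed feed semantics)
    attack_types: set           # distinct attack categories observed

def saturate(n: float, scale: float) -> float:
    """Map an unbounded count onto [0, 1) so volume cannot swamp the other factors."""
    return n / (n + scale)

def threat_score(w: SourceWindow) -> float:
    """Weighted sum of the five normalised factors, rounded for display."""
    factors = {
        "anomaly": w.anomaly_confidence,
        "frequency": saturate(w.event_count, 50.0),
        "correlation": saturate(w.correlated_sources, 5.0),
        "reputation": w.ip_reputation,
        "diversity": saturate(len(w.attack_types), 2.0),
    }
    return round(sum(WEIGHTS[k] * v for k, v in factors.items()), 3)

def traffic_light(score: float) -> str:
    """Band a score into the dashboard's three states."""
    if score >= RED_AT:
        return "red"
    return "yellow" if score >= YELLOW_AT else "green"

def assess(windows: list[SourceWindow]) -> dict[str, tuple[float, str]]:
    """Score every source and attach its traffic-light state."""
    out = {}
    for w in windows:
        s = threat_score(w)
        out[w.src] = (s, traffic_light(s))
    return out
```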

AI-Powered Security Education

The platform embeds a quantized Phi-4 variant (Q4_K_M) as a domain-specific LLM-powered chatbot that runs on commodity hardware (16 GB RAM, CPU-only). Fine-tuning and quantization preserve content relevance and inference speed while enabling data privacy and organization-level control. The system prompt strictly constrains responses to cybersecurity topics.

Figure 5: Cybersecurity Conversation Agent, Phi-4 Model performance summary.

Figure 6: SentinelSphere Dashboard homepage with the integrated chatbot interaction panel.

Figure 7: Demonstration of the Phi-4 cybersecurity domain-specific LLM providing guidance on staying safe from cyber threats.

LLM streaming achieves sub-second token latency with a throughput of 15–20 tokens/s, sufficient for responsive guided inquiry. The context window (4096 tokens) accommodates multi-turn conversational sessions and knowledge base integration.

Figure 8: SentinelSphere Dashboard Cybersecurity Knowledge Base section.

Implementation and Performance Optimizations

The anomaly detection and threat calculation modules were rewritten from Python to Rust, exploiting zero-cost abstractions, deterministic memory allocation, SIMD optimizations, and lock-free async event handling. This yields a 5.6× steady-state speedup and up to 326× speedup in batch processing, with the memory footprint reduced by 13.6×. In Docker containers the system shows ≤2 s event-to-display latency and sustained throughput above 500 events/s.

Figure 9: SentinelSphere scalability testing, processing nearly 11 million requests in approximately 30 minutes.

The platform processed nearly 11 million events (Apache logs and network telemetry) in 30 minutes, exceeding 6,000 events/s, and maintained dashboard responsiveness (<3 s latency) under concurrent load (>1,000 connections).

Experimental Validation

The Enhanced DNN achieves an F1 score of 0.94 (vs. 0.87 baseline), 0.95 precision, 0.93 recall, and a 69.5% reduction in false positives. The improvements are most pronounced in web-based attack categories due to HTTP-layer feature engineering, with reduced false negatives (25% drop). These metrics directly translate to SOC operational efficiency, reducing alert fatigue and optimizing analyst triage resources.

Stakeholder validation in workshops demonstrates 91.7% chatbot engagement and TLS comprehension among non-technical university students and professionals from diverse sectors. Critical knowledge gaps were identified and effectively addressed, suggesting the platform’s potential for scalable human-factor mitigation.

Practical and Theoretical Implications

SentinelSphere’s integrated approach directly addresses the cybersecurity practitioner deficit and human-factor vulnerabilities. By coupling real-time detection and adaptive LLM-driven education, the system operationalizes incident response while democratizing security knowledge. The empirical reduction in false positives has direct implications for alert handling efficiency and SOC analyst workload distribution. The TLS abstraction facilitates cross-hierarchical threat communication, validated for user populations without technical expertise.

The quantized LLM deployment resolves practical constraints around infrastructure, cost, and privacy, for which cloud-based solutions remain unsuitable. Performance metrics confirm operational scalability and responsiveness, supporting enterprise adoption. In comparison to prior state-of-the-art, SentinelSphere surpasses attention-based detection methods (e.g., Khan et al., 2023) and uniquely unifies detection and education into a cohesive solution.

Limitations and Forward Directions

The scope is presently limited to HTTP-based attacks; protocol expansion (DNS, SMTP, FTP) will be necessary for broader applicability. Longitudinal evaluation of behavior change and user retention is lacking. Federated learning and multilingual chatbot extension offer avenues for enhanced privacy and global deployment. Adaptive educational sequencing based on proficiency metrics could further increase efficacy.

Conclusion

SentinelSphere exemplifies a convergence of advanced AI techniques for cybersecurity, achieving robust detection accuracy (94% F1, 69.5% fewer false positives), high scalability (processing 11 million events in 30 minutes), and validated usability (91.7% engagement/comprehension among non-technical users). The implementation demonstrates notable improvements in both technical and human-centric defense, bridging operational threat analytics and adaptive security education. The modular integration within ResilMesh and architectural optimizations provide a blueprint for scalable, accessible cyber resilience systems, with significant implications for practical SOC operations and longitudinal education impact. Future directions include multi-protocol coverage, federated privacy-preserving learning, and sustained behavior change studies.
