Local LLM Security Engine: An Intelligent Cybersecurity Log Analysis System Based on Local Large Language Models

Local LLM Security Engine is a localized security operation platform with a dual-service architecture. Its core value lies in using Ollama to run large language model (LLM) inference locally, classifying security events into structured JSON output, and ensuring sensitive log data does not leave the enterprise network. This system addresses the contradiction faced by enterprise SOCs: low efficiency of manual analysis and data privacy risks of cloud-based AI analysis. It is suitable for industry scenarios with extremely high data security requirements, such as finance, healthcare, and government.

In the digital age, enterprise SOCs need to process massive security alerts and logs. However, traditional manual analysis is inefficient, and cloud-based AI analysis has risks of sensitive data leakage and compliance issues. The Local LLM Security Engine project aims to provide a fully locally deployed AI-assisted solution, balancing AI efficiency and data security through local LLM inference, ensuring sensitive data does not leave the enterprise intranet.

The system adopts a dual-service integration architecture:

1. LLM Security Engine: Built on Python 3.10+ and FastAPI, it is responsible for calling local LLMs via Ollama, outputting structured JSON, and providing REST API interfaces for event analysis, context analysis, etc. It is lightweight, efficient, and can run independently.
2. SOC Backend: Built on TypeScript and Express, it receives raw alerts, calls the engine for analysis, handles protocol conversion, data validation, etc., and serves as a bridge between raw data and AI analysis.

The core feature is local LLM inference:

• Uses the Ollama framework to run open-source models (such as Llama, Mistral, Phi, etc., with phi4-mini as the default to balance resources and quality);
• Data does not leave the enterprise: All analysis is completed on the enterprise's own facilities, meeting GDPR and Level Protection 2.0 compliance requirements;
• Low latency and offline availability: Does not rely on the network, suitable for critical infrastructure monitoring.

API Design: Adopts contract-first approach, follows OpenAPI 3.1 specification. Main endpoints include /analyze-event (event classification), /analyze-context (context analysis), etc., returning a unified structured response (including fallback flag). Deployment Modes: Supports same-machine deployment or remote encrypted connection (e.g., Cloudflare Tunnel), achieving a balance between centralized management and distributed access.

Configuration: Manages Ollama address, model name, timeout, API key, rate limit (sliding window algorithm), etc., via environment variables, complying with the Twelve-Factor App principles. Scalability: Can replace Ollama models to adapt to needs; scenario-based fine-tuning will be supported in the future. Testing: The Python engine has 126 unit tests, and the TypeScript backend has 92 unit tests. Mock technology is used so no actual Ollama instance is needed, ensuring functional and contract compliance.

Application scenarios include:

• Intrusion Detection: Intelligently classify and sort Suricata/Zeek alerts;
• Endpoint Security: Analyze EDR suspicious behaviors and provide disposal suggestions;
• Log Management: Process Syslog/Windows Event Log, extract security events and perform semantic understanding, and discover advanced threats missed by rule engines.

The current version has gaps compared to production-level deployment (such as insufficient high availability, horizontal scaling, persistent storage, and audit logs), so users need to evaluate its maturity. In the future, as local LLM capabilities improve and hardware costs decrease, this solution will become more important in enterprise security operations, representing the direction of AI-assisted analysis: balancing intelligence and data sovereignty.