Sample-Efficient LLM-Based Detection of Malicious Web Server Logs with Forensically Explainable Reasoning

Researchers introduce CEF-Log, an LLM-based method for detecting malicious web server logs that achieves 99% F1-score using only four examples while generating forensically explainable reasoning. The approach embeds investigative methodology through structured chain-of-thought prompting, addressing the critical need for both accuracy and legal-admissible explanations in cybersecurity forensics.

CEF-Log represents a meaningful advancement in applying large language models to cybersecurity forensics, where explainability carries legal and operational weight. Traditional machine learning approaches for log analysis suffer from opacity—security teams cannot easily justify why a system flagged suspicious activity in court or compliance documentation. This research tackles that gap by designing prompts that guide LLMs through deliberate reasoning steps rather than pattern matching, mirroring how human forensic analysts work.

The technical achievement is notable: achieving 0.99 F1-score with only four training examples demonstrates remarkable sample efficiency, representing a 10× improvement over existing prompting methods. This matters because organizations struggle to label large volumes of security logs, making few-shot learning practically valuable. The introduction of ForenWebLog, a dataset featuring real-world attacks and multi-step sequences, fills an evaluation gap in the research community and enables better benchmarking of forensic analysis tools.

For enterprises and security teams, this work signals that LLMs can reduce the friction between detection accuracy and explainability requirements. Compliance-heavy sectors like finance and government require audit trails showing *why* systems made decisions. CEF-Log addresses this without sacrificing performance. The structured reasoning template approach also generalizes potentially to other forensic domains beyond web logs.

The research's impact depends on adoption velocity and validation against adversarial evasion techniques. Security practitioners should monitor whether LLM-based approaches remain reliable when attackers specifically craft logs to deceive chain-of-thought reasoning. Real-world deployment will test whether forensic explainability holds up under sophisticated threat actors.

• →CEF-Log achieves 0.99 F1-score using only four examples, demonstrating 10× better sample efficiency than competing LLM prompting methods
• →Structured chain-of-thought reasoning templates enable LLMs to generate legally admissible forensic explanations rather than black-box predictions
• →ForenWebLog dataset introduces real-world attack sequences for comprehensive evaluation, addressing prior research gaps in log forensics
• →Few-shot learning approach reduces labeling burden, making forensic analysis more practical for resource-constrained security teams
• →Results suggest LLMs can simultaneously optimize for detection accuracy and explainability requirements in compliance-critical domains