AI-DRIVEN THREAT DETECTION AND RESPONSE FRAMEWORK FOR CLOUD INFRASTRUCTURE SECURITY
DOI: https://doi.org/10.63125/e58hzh78

Keywords: AI Threat Detection, Cloud Security, Telemetry Fusion, Automated Response, Concept Drift

Abstract
This quantitative study developed and evaluated an AI-Driven Threat Detection and Response Framework for cloud infrastructure security using a controlled multi-service cloud testbed. The review phase synthesized evidence from over 30 peer-reviewed studies addressing cloud threat surfaces, telemetry foundations, AI detection models, automated response orchestration, drift robustness, and closed-loop security control. The experiment analyzed 120,000 fixed-length telemetry windows (114,000 benign; 6,000 malicious) and 360 injected incident episodes stratified by workload volatility, identity complexity, and attack stealth. Multi-modal telemetry from IAM logs, control-plane audit trails, network flow logs, runtime metrics, and application traces was transformed into single-source, late-fusion, and early-fusion feature sets. Detection comparisons showed high overall performance (precision M = 0.91, recall M = 0.88, PR-AUC M = 0.93) with low alert noise (false alarm rate M = 0.021) and rapid detection (MTTD M = 2.8 minutes). Mixed-effects regressions indicated that deep sequence (β = 0.041, p < .001), deep graph (β = 0.038, p < .001), and hybrid ensemble models (β = 0.052, p < .001) significantly improved PR-AUC relative to supervised baselines, and early multi-modal fusion yielded the largest gain (β = 0.047, p < .001). Drift-triggered recalibration reduced detection delay (β = −0.62 minutes, p < .001) and false alarms (β = −0.006, p < .01), stabilizing performance across drift phases where PR-AUC shifted from 0.95 (pre-drift) to 0.89 (drift) and recovered to 0.94 (post-drift). Calibrated threat scores reduced false containment via significant mediation (indirect β = −0.012). Risk-weighted response decreased MTTR by 1.21 minutes (p < .001), while sequential response produced the highest containment success (β = 0.058, p < .001) with lower service-impact cost. Detection and response models explained 62% and 61% of the variance in PR-AUC and containment success, respectively, supporting a quantitative closed-loop cloud defense framework.
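The closed loop the abstract describes (early fusion of per-source telemetry features into one threat score, drift-triggered recalibration when workload volatility shifts the baseline, and a risk-weighted response tier) is sketched below as an added Python example. It is not the paper's code: the window format, the z-score detector, the drift rule and the response thresholds are assumptions of this illustration, and the telemetry windows are constructed.

```python
import math
from statistics import mean, pstdev

# Constructed window format (an assumption, not the paper's): one numeric feature per
# telemetry source per fixed-length window (IAM, control-plane audit, flow logs, runtime).
FEATURES = ("iam_failed_logins", "audit_privileged_calls", "flow_egress_mb", "cpu_pct")

def make_window(iam=2.0, audit=1.0, egress=20.0, cpu=30.0):
    return dict(zip(FEATURES, (iam, audit, egress, cpu)))

class ClosedLoopDetector:
    """Early-fusion anomaly scoring with drift-triggered recalibration."""
    def __init__(self, drift_window=20, drift_z=3.0):
        self.drift_window = drift_window   # windows in the rolling drift check
        self.drift_z = drift_z             # sustained mean deviation that counts as drift
        self.recent = []
        self.recalibrations = 0

    def fit(self, windows):
        # Per-feature baseline mean/std; std is floored at 1 so a flat feature cannot explode.
        self.base = {f: (mean(w[f] for w in windows), max(pstdev(w[f] for w in windows), 1.0))
                     for f in FEATURES}

    def raw_score(self, window):
        # Early fusion: every source's z-score is combined before any thresholding.
        return mean(abs(window[f] - m) / s for f, (m, s) in self.base.items())

    def threat_score(self, window):
        # Squash the raw deviation into a calibrated score in [0, 1) for response decisions.
        return 1.0 - math.exp(-self.raw_score(window) / 4.0)

    def observe(self, window):
        """Score one window; refit the baseline when the recent regime has drifted."""
        self.recent.append(window)
        if len(self.recent) > self.drift_window:
            self.recent.pop(0)
        drifted = (len(self.recent) == self.drift_window and
                   mean(self.raw_score(w) for w in self.recent) > self.drift_z)
        if drifted:
            # Refitting on recent windows assumes they are dominantly benign (as in the
            # paper's testbed); a sustained attack would be absorbed into the baseline.
            self.fit(self.recent)
            self.recalibrations += 1
        return self.threat_score(window), drifted

def response_action(score, criticality):
    """Risk-weighted tiering: calibrated score (0..1) times asset criticality (0..1)."""
    risk = score * criticality
    if risk >= 0.6:
        return "isolate"
    if risk >= 0.3:
        return "throttle"
    return "monitor"
```

Feeding a shifted-but-benign workload through `observe` first produces false positives, then triggers one recalibration after which the same windows score near zero while a genuinely malicious window still scores near one.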
