Abstract: Signature-based defences cannot detect novel cyber threats in real time. We present THREAT-DETECT, a containerised platform that unifies a three-model stacking ensemble (Random Forest, Bidirectional LSTM, and 1D-CNN) with a DAG-based automated incident response engine. A 29-dimensional feature vector spanning lexical, WHOIS, and network signals feeds all models; SHAP attributions provide per-prediction explainability; and an uncertainty-based active learning controller continuously improves model quality. The Playbook Engine translates scored threat events into DNS sinkholing, firewall rule injection, TheHive case creation, MISP IOC export, and Slack alerting via auditable, rollback-capable DAG playbooks. Evaluation on 487K labelled examples yields ensemble AUC-ROC 0.9970 and median end-to-end response latency of 711 ms.
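As an added illustration of the rollback-capable DAG playbooks the abstract describes (example code, not THREAT-DETECT's own implementation): steps run in dependency order, every action is audit-logged, and a failure in one step reverts the already-applied steps in reverse order. The step names and the in-memory enforcement state are constructed stand-ins for real sinkhole, firewall and case-management calls.

```python
# Added example (not THREAT-DETECT's code); state and step names are constructed stand-ins.
from dataclasses import dataclass
from typing import Callable, Dict, List

@dataclass
class Step:
    deps: List[str]
    apply: Callable[[dict], None]   # forward action, mutates the shared state
    revert: Callable[[dict], None]  # compensating action used during rollback

def topo_order(steps: Dict[str, Step]) -> List[str]:
    order: List[str] = []
    while len(order) < len(steps):
        ready = [n for n, s in steps.items()
                 if n not in order and set(s.deps) <= set(order)]
        if not ready:
            raise ValueError("playbook DAG contains a cycle")
        order += sorted(ready)
    return order

def run_playbook(steps: Dict[str, Step], state: dict) -> List[str]:
    """Apply steps in order; on failure revert completed steps in reverse order."""
    audit, done = [], []
    for name in topo_order(steps):
        try:
            steps[name].apply(state)
            done.append(name)
            audit.append(f"APPLIED {name}")
        except Exception as exc:
            audit.append(f"FAILED {name}: {exc}")
            for prev in reversed(done):
                steps[prev].revert(state)
                audit.append(f"REVERTED {prev}")
            break
    return audit

def demo(case_backend_up: bool):
    """Constructed playbook: sinkhole -> firewall block -> open case -> notify."""
    dom, state = "malicious.example", {"sinkhole": set(), "fw": set(), "cases": [], "alerts": []}
    def open_case(s):
        if not case_backend_up:
            raise ConnectionError("case-management API unreachable")
        s["cases"].append(dom)
    steps = {
        "sinkhole": Step([], lambda s: s["sinkhole"].add(dom), lambda s: s["sinkhole"].discard(dom)),
        "block": Step(["sinkhole"], lambda s: s["fw"].add(dom), lambda s: s["fw"].discard(dom)),
        "case": Step(["block"], open_case, lambda s: s["cases"].remove(dom)),
        "notify": Step(["case"], lambda s: s["alerts"].append(dom), lambda s: s["alerts"].remove(dom)),
    }
    return run_playbook(steps, state), state
```

Calling `demo(False)` simulates the case-management backend being down: the sinkhole and firewall actions are undone and the audit log records both the failure and each reversal.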

Keywords: threat detection · ensemble learning · deep learning · active learning · incident response · SHAP explainability · DAG playbook · DNS sinkholing · MISP · TheHive


DOI: 10.17148/IJARCCE.2026.15251

How to Cite:

[1] Dr. P. Esther Jebarani, Ms. G. Shreeshaa, "THREAT-DETECT: An Integrated Deep Learning and Automated Incident Response Framework for Cybersecurity Threat Detection," International Journal of Advanced Research in Computer and Communication Engineering (IJARCCE), DOI: 10.17148/IJARCCE.2026.15251
