Security Operations Centers face massive, heterogeneous alert streams under minute-level service windows, creating the Alert Triage Latency Paradox: verbose reasoning chains ensure accuracy and compliance but incur prohibitive latency and token costs, while minimal chains sacrifice transparency and auditability. Existing solutions fail: signature systems are brittle, anomaly methods lack actionability, and fully cloud-hosted LLMs raise latency, cost, and privacy concerns. We propose AIDR, a hybrid cloud-edge framework that addresses this trade-off through constrained information-density optimization. The core innovation is gradient-based compression of reasoning chains to retain only decision-critical steps--minimal evidence sufficient to justify predictions while respecting token and latency budgets. We demonstrate that this approach preserves decision-relevant information while minimizing complexity. We construct compact datasets by distilling alerts into 3-5 high-information bullets (68% token reduction), train domain-specialized experts via LoRA, and deploy a cloud-edge architecture: a cloud LLM routes alerts to on-premises experts generating SOAR-ready JSON. Experiments demonstrate AIDR achieves higher accuracy and 40.6% latency reduction versus Chain-of-Thought, with robustness to data corruption and out-of-distribution generalization, enabling auditable and efficient SOC triage with full data residency compliance.

翻译：安全运营中心面临海量异构告警流，需在分钟级服务窗口内处理，形成了告警分诊延迟悖论：冗长的推理链虽能确保准确性与合规性，却带来难以承受的延迟与计算开销；而极简推理链则牺牲了透明度与可审计性。现有解决方案均存在不足：基于特征签名的系统脆弱易失效，异常检测方法缺乏可操作性，完全云托管的LLM则引发延迟、成本与隐私问题。为此，我们提出AIDR——一种混合云边框架，通过约束性信息密度优化来解决这一权衡问题。其核心创新在于基于梯度的推理链压缩技术，仅保留决策关键步骤（即足以支撑预测的最小证据集），同时严格遵循计算开销与延迟预算。我们证明该方法能在最小化复杂度的同时保留决策相关信息。通过将告警提炼为3-5条高信息量要点（实现68%的文本量缩减），我们构建了紧凑数据集；借助LoRA训练领域专用专家模型，并部署云边架构：云端LLM将告警路由至本地专家模型，生成可直接驱动SOAR的JSON格式输出。实验表明，相较于思维链方法，AIDR在实现更高准确率的同时降低了40.6%的延迟，且对数据损坏具有鲁棒性，并能泛化至分布外场景，从而在满足全数据驻留合规要求的前提下，实现可审计且高效的安全运营中心告警分诊。