Evolution of Log-Based Detection Rules in Public Repositories

2026-04-13 · Source: cs.SE updates on arXiv.org · Field: Technology & Digital — Cybersecurity & Data Privacy, Artificial Intelligence & Machine Learning, Data Science & Analytics · Depth: Expert, extended

Summary

The study presents the first longitudinal analysis of log-based detection rule evolution in public repositories, specifically the community-driven Sigma project and the curated Splunk Security Content (SSC). Researchers introduced a predicate graph intermediate representation (PGIR) and a tree alignment procedure to compare rule versions based on detection logic, not surface syntax. Applying this method to 6,859 rule histories from 2017–2026, they found approximately 56% of rules undergo at least one detection logic revision. Evolution is predominantly non-monotonic, with over half of rules both adding and removing clauses over time. Recurring reversions indicate that changes are often revisited rather than strictly accumulated. Combining structural analysis with LLM-based inference revealed that roughly a quarter to a third of rules alternate between expanding coverage and reducing false positives, reflecting ongoing operational trade-offs rather than steady convergence.

Key takeaway

For AI Security Engineers maintaining host-based intrusion detection rules, recognize that rule evolution is rarely a linear path to stability. Your rules will likely oscillate between expanding coverage and reducing false positives, often revisiting prior logic. Implement tools that use canonical representations like PGIR to track semantic changes, not just syntax. This approach helps identify unresolved design tensions and supports more informed, data-driven rule refinement processes.

Key insights

Log-based detection rules evolve non-monotonically, balancing coverage and false positives through iterative, often conflicting, revisions.

Principles

• Rule evolution reflects ongoing operational trade-offs.
• Structural changes are often coordinated, not isolated.
• Non-monotonic evolution is the dominant pattern.

Method

A predicate graph intermediate representation (PGIR) canonicalizes rule logic, enabling semantic comparison via a four-phase tree alignment algorithm and LLM-based classification of operational intent.

In practice

• Use PGIR for semantic rule comparison.
• Implement LLM-based intent classification.
• Develop tooling for canonical rule representations.

Topics

• Log-Based Detection
• Security Operations Centers
• Rule Evolution Analysis
• Predicate Graph IR
• Sigma Project
• Splunk Security Content
• LLM Intent Inference

Code references

• SigmaHQ/sigma-cli
• Elena6918/Evolution-of-Log-Based-Detection-Rules

Best for: AI Scientist, AI Security Engineer, Research Scientist

Related on AIssential

• What if your security system could think like a fraudster before they act? — AI systems provide real-time, adaptive fraud detection by learning normal behavior and flagging anomalies.
• Trailmark turns code into graphs — Code analysis benefits significantly from graph-based reasoning over list-based approaches, especially for security and test quality.
• Generative AI and Digital Ecosystem Resilience: A Proactive Lifecycle-Based Survey — Proactive, lifecycle-based detection of GenAI-driven inauthentic narratives is crucial for digital ecosystem resilience, shifting from reactive methods.
• Perplexity Comet, agentic blabbering, and the shift-left failure — AI's internal reasoning and code analysis capabilities introduce new attack vectors and reveal hidden vulnerabilities in legacy systems.
• VulnAgent-R2: Evidence-Calibrated Multi-Agent Auditing for Repository-Level Vulnerability Detection — Vulnerability detection is improved by a staged, evidence-driven auditing process using multi-agent collaboration and selective verification.
• When Alerts Mean Nothing: How AI Could Fix the Noise Problem in IT and Security — AI can mitigate alert fatigue by using behavioral analysis to distinguish abnormal events from normal activity.

Open in AIssential →

Editorial summary, takeaway, and curation by AIssential. Original article published by cs.SE updates on arXiv.org.