Salvato in:
Dettagli Bibliografici
Autori principali: Zhao, Guangze, Zhang, Yongzheng, Gai, Weilin, Liu, Hongri, Wei, Yuliang, Wang, Bailing
Natura: Preprint
Pubblicazione: 2026
Soggetti:
Accesso online:https://arxiv.org/abs/2605.29269
Tags: Aggiungi Tag
Nessun Tag, puoi essere il primo ad aggiungerne!!
_version_ 1866911726291648512
author Zhao, Guangze
Zhang, Yongzheng
Gai, Weilin
Liu, Hongri
Wei, Yuliang
Wang, Bailing
author_facet Zhao, Guangze
Zhang, Yongzheng
Gai, Weilin
Liu, Hongri
Wei, Yuliang
Wang, Bailing
contents Modern alert-triage systems reduce SOC burden by filtering false positives, but flagging a high-risk alert is only the start of incident response. Threat hunting requires reconstructing causal attack chains across heterogeneous, partially corrupted logs. Against APTs using anti-forensics (parent-PID spoofing, log wiping, fileless execution), provenance graphs split into disjoint subgraphs and fail. Unconstrained LLM agents fabricate causal links violating OS physics, producing fluent but forensically inadmissible narratives. We propose HunterAgent, a neuro-symbolic framework that reframes trace reconstruction as cost-bounded heuristic graph search under partial observability. It uses an asymmetric Generator-Verifier pipeline: the LLM proposes semantic hypotheses within a typed ontology, while a verifier grounds each via identifier-level collisions on surviving orthogonal telemetry. To resolve severed traces, we score hops using a calibrated cost combining semantic divergence and OS temporal potential; schema violations are hard-pruned. A length-discounted epistemic budget prevents inferential drift and forces graceful halting. Under strict LOFO cross-validation on three public benchmarks and an in-house 40-trace dataset, HunterAgent achieves 86.1% mean F1, outperforming the top agentic baseline by 26.7 F1 and KAIROS by 17.1 F1, while cutting path-level hallucination from 61.5% to 6.4%. Under 70% log wiping, recall drops but precision stays >=84%, with 95.7% halting safely. All results hold under the realistic assumption that at least one orthogonal telemetry source survives.
format Preprint
id arxiv_https___arxiv_org_abs_2605_29269
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle HunterAgent: Neuro-Symbolic Attack Trace Reconstruction under Anti-Forensics
Zhao, Guangze
Zhang, Yongzheng
Gai, Weilin
Liu, Hongri
Wei, Yuliang
Wang, Bailing
Cryptography and Security
Modern alert-triage systems reduce SOC burden by filtering false positives, but flagging a high-risk alert is only the start of incident response. Threat hunting requires reconstructing causal attack chains across heterogeneous, partially corrupted logs. Against APTs using anti-forensics (parent-PID spoofing, log wiping, fileless execution), provenance graphs split into disjoint subgraphs and fail. Unconstrained LLM agents fabricate causal links violating OS physics, producing fluent but forensically inadmissible narratives. We propose HunterAgent, a neuro-symbolic framework that reframes trace reconstruction as cost-bounded heuristic graph search under partial observability. It uses an asymmetric Generator-Verifier pipeline: the LLM proposes semantic hypotheses within a typed ontology, while a verifier grounds each via identifier-level collisions on surviving orthogonal telemetry. To resolve severed traces, we score hops using a calibrated cost combining semantic divergence and OS temporal potential; schema violations are hard-pruned. A length-discounted epistemic budget prevents inferential drift and forces graceful halting. Under strict LOFO cross-validation on three public benchmarks and an in-house 40-trace dataset, HunterAgent achieves 86.1% mean F1, outperforming the top agentic baseline by 26.7 F1 and KAIROS by 17.1 F1, while cutting path-level hallucination from 61.5% to 6.4%. Under 70% log wiping, recall drops but precision stays >=84%, with 95.7% halting safely. All results hold under the realistic assumption that at least one orthogonal telemetry source survives.
title HunterAgent: Neuro-Symbolic Attack Trace Reconstruction under Anti-Forensics
topic Cryptography and Security
url https://arxiv.org/abs/2605.29269