Initial commit: ER-TP-DGP research prototype
Event-Reified Temporal Provenance Dual-Granularity Prompting for LLM-based APT detection on DARPA provenance datasets. Includes phase 0-14 method spec, IR/graph/metapath/trimming/prompt modules, scripts for THEIA candidate universe, landmark CSG construction, hybrid prompting, and LLM inference. Excludes data/, reports/, and local LLM config from version control.
17
docs/implementation_checkpoints.md
Normal file
@@ -0,0 +1,17 @@
|
||||
# Implementation Checkpoints
|
||||
|
||||
Each phase must preserve the research method rather than drifting into a simpler
|
||||
detector.
|
||||
|
||||
## Non-negotiable Checks
|
||||
|
||||
- Event nodes are explicit and keep raw event IDs.
|
||||
- Event-view and causal-view edges are both represented.
|
||||
- Metapaths are time-respecting.
|
||||
- Trimming returns evidence paths, not just neighbor IDs.
|
||||
- Numerical statistics are computed by code before prompting.
|
||||
- Prompt blocks include evidence path IDs.
|
||||
- Ground-truth text is not used in prompt construction.
|
||||
- Flat logs, target-only prompts, BFS, random neighbors, and GNNs are baseline or
|
||||
ablation paths only.
|
||||
|
||||
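Review bot: The bullets under "Non-negotiable Checks" are stated as requirements with no pointer to how each one is verified, so a later phase can drift without anything failing. Suggest naming, next to each bullet, the test or script that enforces it, in particular for "Ground-truth text is not used in prompt construction", where the file should also say which fields count as ground-truth text so that label leakage into prompts can be checked mechanically. "Metapaths are time-respecting" would also benefit from one sentence defining the ordering rule, including whether two events with equal timestamps may appear consecutively on a path.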