Event-Reified Temporal Provenance Dual-Granularity Prompting for LLM-based APT detection on DARPA provenance datasets. Includes phase 0-14 method spec, IR/graph/metapath/trimming/prompt modules, scripts for THEIA candidate universe, landmark CSG construction, hybrid prompting, and LLM inference. Excludes data/, reports/, and local LLM config from version control.
Implementation Checkpoints
Each phase must preserve the research method rather than drifting into a simpler detector.
Non-negotiable Checks
- Event nodes are explicit and keep raw event IDs.
- Event-view and causal-view edges are both represented.
- Metapaths are time-respecting.
- Trimming returns evidence paths, not just neighbor IDs.
- Numerical statistics are computed by code before prompting.
- Prompt blocks include evidence path IDs.
- Ground-truth text is not used in prompt construction.
- Flat logs, target-only prompts, BFS, random neighbors, and GNNs are baseline or ablation paths only.
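As an added, self-contained illustration of these checks (not code from the repository's own IR, graph, metapath or prompt modules), the sketch below builds a toy provenance IR over a handful of constructed events and walks it the way the checklist demands: events stay nodes with their raw IDs, the event view and the causal view are both materialised, the metapath walk follows only edges with strictly increasing timestamps, trimming hands back evidence paths made of event IDs, the statistics are computed in code, and the prompt builder has no label input at all. Every entity name, event ID, timestamp, operation vocabulary, metapath definition and the strict-increase rule are assumptions made for this example.

```python
# Added illustration, not the project's code: event nodes keep raw IDs, the IR
# carries both an event view and a causal view, metapath walks respect time,
# trimming returns evidence paths, and the prompt is built from IR fields
# only. Every name, ID, timestamp and metapath below is constructed.
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:
    event_id: str  # raw event ID from the log; never replaced by a dense index
    ts: int        # timestamp (constructed, arbitrary units)
    src: str       # subject entity, "type:name"
    op: str        # READ, WRITE or EXEC (constructed vocabulary)
    dst: str       # object entity, "type:name"

SAMPLE_EVENTS = [  # constructed sample; evt-4 deliberately precedes evt-3
    Event("evt-1", 10, "proc:firefox", "READ", "sock:203.0.113.7:443"),
    Event("evt-2", 20, "proc:firefox", "WRITE", "file:/tmp/drop.bin"),
    Event("evt-3", 30, "proc:sh", "READ", "file:/tmp/drop.bin"),
    Event("evt-4", 25, "proc:sh", "EXEC", "proc:payload"),
    Event("evt-5", 40, "proc:sh", "EXEC", "proc:payload"),
    Event("evt-6", 5, "proc:cron", "READ", "file:/etc/crontab"),
]

def ntype(node):
    return node.split(":", 1)[0]

class ProvenanceIR:
    def __init__(self, events):
        self.events = {e.event_id: e for e in events}
        # Event view: entity -> event node -> entity; the event stays a node.
        self.out_events = defaultdict(list)  # subject -> [event_id]
        self.in_events = defaultdict(list)   # object  -> [event_id]
        # Causal view: entity -> entity, each edge labelled with its event.
        self.causal = defaultdict(list)      # from -> [(to, event_id, ts)]
        for e in events:
            self.out_events[e.src].append(e.event_id)
            self.in_events[e.dst].append(e.event_id)
            frm, to = self.flow(e)
            self.causal[frm].append((to, e.event_id, e.ts))

    @staticmethod
    def flow(e):
        """Direction of information flow: a READ moves data object -> subject."""
        return (e.dst, e.src) if e.op == "READ" else (e.src, e.dst)

    def metapath_instances(self, metapath):
        """Instances of a node-type sequence whose consecutive events have
        strictly increasing timestamps, each returned as a list of event IDs."""
        found = []

        def walk(node, depth, last_ts, path):
            if depth == len(metapath) - 1:
                found.append(list(path))
                return
            for nxt, eid, ts in self.causal.get(node, []):
                if ts > last_ts and ntype(nxt) == metapath[depth + 1]:
                    path.append(eid)
                    walk(nxt, depth + 1, ts, path)
                    path.pop()

        for start in list(self.causal):
            if ntype(start) == metapath[0]:
                walk(start, 0, -1, [])
        return found

def trim_to_evidence(ir, metapaths, target, k=3):
    """Up to k metapath instances ending at target, shortest first: evidence
    paths of event IDs, not a bag of neighbour IDs."""
    paths = [p for mp in metapaths for p in ir.metapath_instances(mp)
             if ir.flow(ir.events[p[-1]])[1] == target]
    paths.sort(key=lambda p: (len(p), p))
    return paths[:k]

def evidence_stats(ir, paths):
    """Numbers are computed here, in code, and handed to the prompt as text."""
    eids = {eid for p in paths for eid in p}
    ents = {n for eid in eids for n in ir.flow(ir.events[eid])}
    tss = [ir.events[eid].ts for eid in eids]
    return {"n_paths": len(paths), "n_events": len(eids), "n_entities": len(ents),
            "time_span": max(tss) - min(tss) if tss else 0}

def build_prompt_block(ir, target, paths):
    """Built from IR fields and evidence path IDs only; it takes no label input,
    so ground-truth text has no way into the prompt."""
    s = evidence_stats(ir, paths)
    lines = [f"TARGET {target}",
             f"STATS paths={s['n_paths']} events={s['n_events']} "
             f"entities={s['n_entities']} span={s['time_span']}"]
    for i, p in enumerate(paths, 1):
        lines.append(f"PATH P{i} events={','.join(p)}")
        for eid in p:
            e = ir.events[eid]
            lines.append(f"  {eid} t={e.ts} {e.src} {e.op} {e.dst}")
    return "\n".join(lines)

MP_DROP_EXEC = ("sock", "proc", "file", "proc", "proc")  # fetch, drop, read, exec
MP_FILE_EXEC = ("file", "proc", "proc")

if __name__ == "__main__":
    ir = ProvenanceIR(SAMPLE_EVENTS)
    ev = trim_to_evidence(ir, [MP_DROP_EXEC, MP_FILE_EXEC], "proc:payload")
    print(build_prompt_block(ir, "proc:payload", ev))
```

Run as a script it prints one prompt block for `proc:payload` that cites two evidence paths, P1 (`evt-3,evt-5`) and P2 (`evt-1,evt-2,evt-3,evt-5`). `evt-4` never appears: its timestamp precedes the read it would have to follow, so the time-respecting walk discards it, which is exactly the property a BFS or random-neighbour baseline would not enforce.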