Pith Number

pith:4JHZUWES

pith:2026:4JHZUWESGXEPZY5P43BQJZFOOR
not attested · not anchored · not stored · refs resolved

Context-Aware Web Attack Detection in Open-Source SIEM Systems via MITRE ATT&CK-Enriched Behavioral Profiling

Aref Shaheed, Assef Jafar, Badr Alboushy, Mohamad Aljnidi, Mohamad Bashar Disoki

Context features from prior events raise web attack detection F1 in open-source SIEM from 0.705 to 0.967.

arxiv:2605.13337 v1 · 2026-05-13 · cs.CR · cs.LG

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live · download bundle · merged state
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1: strongest claim

Context features improve all tested gradient boosting algorithms from ~0.705 macro F1 to 0.947-0.967 (Stage 1) and 0.876-0.914 (Stage 2); the hybrid cascade achieves F1 of 0.967 (binary) and 0.914 (six-class). Wazuh's native rule engine detects 0% of Brute Force and Broken Authentication events; the AI module detects 100% and 98.3% respectively.

C2: weakest assumption

The purpose-built dataset of 46,454 Wazuh security events accurately reflects the distribution and behavioral patterns of real-world web attacks and normal traffic.

C3: one-line summary

Smart-SIEM adds context-aware ML profiling to Wazuh SIEM, lifting binary attack detection F1 to 0.967 and six-class categorization to 0.914 while recovering from concept drift via retraining.

Formal links

1 machine-checked theorem link

Receipt and verification
First computed 2026-05-18T02:44:48.454704Z
Builder pith-number-builder-2026-05-17-v1
Signature Pith Ed25519 (pith-v1-2026-05) · public key
Schema pith-number/v1.0

Canonical hash

e24f9a589235c8fce3afe6c304e4ae7441ca8b0c696c71e0656bf515f8dfd589

Aliases

arxiv: 2605.13337 · arxiv_version: 2605.13337v1 · doi: 10.48550/arxiv.2605.13337 · pith_short_12: 4JHZUWESGXEP · pith_short_16: 4JHZUWESGXEPZY5P · pith_short_8: 4JHZUWES
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/4JHZUWESGXEPZY5P43BQJZFOOR \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: e24f9a589235c8fce3afe6c304e4ae7441ca8b0c696c71e0656bf515f8dfd589
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "bad9fcea0ae8f21f46e7dd3860e45b1887ba8aa7e5b996040369920d7ce8c54c",
    "cross_cats_sorted": [
      "cs.LG"
    ],
    "license": "http://arxiv.org/licenses/nonexclusive-distrib/1.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-13T10:54:36Z",
    "title_canon_sha256": "d1addcb4f64fa6b5fd000c69907c6d19cb09fb180b9c83f4461d2619475bde6e"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.13337",
    "kind": "arxiv",
    "version": 1
  }
}