Pith Number

pith:XBA2D4RI

pith:2026:XBA2D4RIBZI4JZLZ2HUGKFPFYX
not attested · not anchored · not stored · refs pending

Evolution of Log-Based Detection Rules in Public Repositories

David Evans, Minjun Long

Detection rules in public repositories evolve non-monotonically, repeatedly adding and removing logical conditions rather than converging to stable forms.

arxiv:2605.05383 v3 · 2026-05-06 · cs.CR · cs.SE

Record completeness

1 Bitcoin timestamp
2 Internet Archive
3 Author claim open
4 Citations open
5 Replications open
Portable graph bundle live
The bundle contains the canonical record plus signed events. A mirror can host it anywhere and recompute the same current state with the deterministic merge algorithm.

Claims

C1 strongest claim

Roughly 56% of rules undergo at least one revision on detection logic. Across rule lifetimes, evolution is predominantly non-monotonic, with over half of rules both adding and removing clauses over time. Roughly a quarter to a third of rules alternate between expanding coverage and reducing false positives, rather than converging toward a stable form.

C2 weakest assumption

That the predicate graph intermediate representation and tree alignment procedure faithfully capture semantic changes in detection logic without introducing artifacts or losing critical operational distinctions between rules.

C3 one line summary

Analysis of 6,859 rule histories shows 56% undergo detection logic revisions, with over half both adding and removing clauses and a quarter to a third alternating between coverage expansion and false-positive reduction.

Receipt and verification
First computed: 2026-06-05T01:14:40.183268Z
Builder: pith-number-builder-2026-05-17-v1
Signature: Pith Ed25519 (pith-v1-2026-05) · public key
Schema: pith-number/v1.0

Canonical hash

b841a1f2280e51c4e579d1e86515e5c5c50644e122499e235303dd7b73f78b7a

Aliases

arxiv: 2605.05383 · arxiv_version: 2605.05383v3 · doi: 10.48550/arxiv.2605.05383 · pith_short_12: XBA2D4RIBZI4 · pith_short_16: XBA2D4RIBZI4JZLZ · pith_short_8: XBA2D4RI
Agent API
Verify this Pith Number yourself
curl -sH 'Accept: application/ld+json' https://pith.science/pith/XBA2D4RIBZI4JZLZ2HUGKFPFYX \
  | jq -c '.canonical_record' \
  | python3 -c "import sys,json,hashlib; b=json.dumps(json.loads(sys.stdin.read()), sort_keys=True, separators=(',',':'), ensure_ascii=False).encode(); print(hashlib.sha256(b).hexdigest())"
# expect: b841a1f2280e51c4e579d1e86515e5c5c50644e122499e235303dd7b73f78b7a
Canonical record JSON
{
  "metadata": {
    "abstract_canon_sha256": "013580ff7bb7c9c1cde2d242d4e39375c030f30e3eef0093165ec31d795a1fc6",
    "cross_cats_sorted": [
      "cs.SE"
    ],
    "license": "http://creativecommons.org/licenses/by/4.0/",
    "primary_cat": "cs.CR",
    "submitted_at": "2026-05-06T19:08:11Z",
    "title_canon_sha256": "d0be5da734a449a7fd7d53c5d38bd6c2615f99748d48e0c312bf0f050753728f"
  },
  "schema_version": "1.0",
  "source": {
    "id": "2605.05383",
    "kind": "arxiv",
    "version": 3
  }
}