{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2026:XBA2D4RIBZI4JZLZ2HUGKFPFYX","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"013580ff7bb7c9c1cde2d242d4e39375c030f30e3eef0093165ec31d795a1fc6","cross_cats_sorted":["cs.SE"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-06T19:08:11Z","title_canon_sha256":"d0be5da734a449a7fd7d53c5d38bd6c2615f99748d48e0c312bf0f050753728f"},"schema_version":"1.0","source":{"id":"2605.05383","kind":"arxiv","version":3}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2605.05383","created_at":"2026-06-05T01:14:40Z"},{"alias_kind":"arxiv_version","alias_value":"2605.05383v3","created_at":"2026-06-05T01:14:40Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2605.05383","created_at":"2026-06-05T01:14:40Z"},{"alias_kind":"pith_short_12","alias_value":"XBA2D4RIBZI4","created_at":"2026-06-05T01:14:40Z"},{"alias_kind":"pith_short_16","alias_value":"XBA2D4RIBZI4JZLZ","created_at":"2026-06-05T01:14:40Z"},{"alias_kind":"pith_short_8","alias_value":"XBA2D4RI","created_at":"2026-06-05T01:14:40Z"}],"graph_snapshots":[{"event_id":"sha256:1bbd6762af50c422b5d35b06e64bdc77ebde6272e543a5c39d5dca7e82d42738","target":"graph","created_at":"2026-06-05T01:14:40Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"Roughly 56% of rules undergo at least one revision on detection logic. Across rule lifetimes, evolution is predominantly non-monotonic, with over half of rules both adding and removing clauses over time. Roughly a quarter to a third of rules alternate between expanding coverage and reducing false positives, rather than converging toward a stable form."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That the predicate graph intermediate representation and tree alignment procedure faithfully capture semantic changes in detection logic without introducing artifacts or losing critical operational distinctions between rules."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"Analysis of 6,859 rule histories shows 56% undergo detection logic revisions, with over half both adding and removing clauses and a quarter to a third alternating between coverage expansion and false-positive reduction."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"Detection rules in public repositories evolve non-monotonically, repeatedly adding and removing logical conditions rather than converging to stable forms."}],"snapshot_sha256":"225dfb2d8d41ecbb2d7fa237ff4ee316469308e39bdca5ca43f480d89cdcef3c"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[{"findings_count":0,"name":"ai_meta_artifact","ran_at":"2026-05-20T10:33:31.503544Z","status":"completed","version":"1.0.0"},{"findings_count":0,"name":"doi_title_agreement","ran_at":"2026-05-19T21:01:19.421361Z","status":"completed","version":"1.0.0"},{"findings_count":0,"name":"doi_compliance","ran_at":"2026-05-19T13:37:07.661904Z","status":"completed","version":"1.0.0"}],"endpoint":"/pith/2605.05383/integrity.json","findings":[],"snapshot_sha256":"16e64f16ff53d240de339e6caed619b7915a2a378a24f4c118c1d78522ab0591","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Log-based detection rules remain central to modern security operations, encoding domain expertise that analysts iteratively refine to balance detection coverage against alert volume. Yet while prior work has examined the evolution of network intrusion detection signatures, the longitudinal behavior of log-based detection rules has received little empirical study. We present the first longitudinal analysis of detection rule evolution across two widely used repositories: the community-driven Sigma project and the curated Splunk Security Content (SSC). To compare rule versions based on detection ","authors_text":"David Evans, Minjun Long","cross_cats":["cs.SE"],"headline":"Detection rules in public repositories evolve non-monotonically, repeatedly adding and removing logical conditions rather than converging to stable forms.","license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-06T19:08:11Z","title":"Evolution of Log-Based Detection Rules in Public Repositories"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2605.05383","kind":"arxiv","version":3},"verdict":{"created_at":"2026-05-12T03:02:13.612031Z","id":"2720f1aa-80b4-4fcc-b394-a9670199dd6a","model_set":{"reader":"grok-4.3"},"one_line_summary":"Analysis of 6,859 rule histories shows 56% undergo detection logic revisions, with over half both adding and removing clauses and a quarter to a third alternating between coverage expansion and false-positive reduction.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"Detection rules in public repositories evolve non-monotonically, repeatedly adding and removing logical conditions rather than converging to stable forms.","strongest_claim":"Roughly 56% of rules undergo at least one revision on detection logic. Across rule lifetimes, evolution is predominantly non-monotonic, with over half of rules both adding and removing clauses over time. Roughly a quarter to a third of rules alternate between expanding coverage and reducing false positives, rather than converging toward a stable form.","weakest_assumption":"That the predicate graph intermediate representation and tree alignment procedure faithfully capture semantic changes in detection logic without introducing artifacts or losing critical operational distinctions between rules."}},"verdict_id":"2720f1aa-80b4-4fcc-b394-a9670199dd6a"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:822c6ee3f8f7d3106b9f9e6f14f87481fcadd2abbee9f5808e3ebc0b5202df23","target":"record","created_at":"2026-06-05T01:14:40Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"013580ff7bb7c9c1cde2d242d4e39375c030f30e3eef0093165ec31d795a1fc6","cross_cats_sorted":["cs.SE"],"license":"http://creativecommons.org/licenses/by/4.0/","primary_cat":"cs.CR","submitted_at":"2026-05-06T19:08:11Z","title_canon_sha256":"d0be5da734a449a7fd7d53c5d38bd6c2615f99748d48e0c312bf0f050753728f"},"schema_version":"1.0","source":{"id":"2605.05383","kind":"arxiv","version":3}},"canonical_sha256":"b841a1f2280e51c4e579d1e86515e5c5c50644e122499e235303dd7b73f78b7a","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"b841a1f2280e51c4e579d1e86515e5c5c50644e122499e235303dd7b73f78b7a","first_computed_at":"2026-06-05T01:14:40.183268Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-06-05T01:14:40.183268Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"cKvMb4STn1K83kBracz8GhhmhuMTvllZHVGmWSHDiTt3nAJyUMWeArKAPsQrWhab1bhfCMjYhWSqEP9D61lwCQ==","signature_status":"signed_v1","signed_at":"2026-06-05T01:14:40.183997Z","signed_message":"canonical_sha256_bytes"},"source_id":"2605.05383","source_kind":"arxiv","source_version":3}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:822c6ee3f8f7d3106b9f9e6f14f87481fcadd2abbee9f5808e3ebc0b5202df23","sha256:1bbd6762af50c422b5d35b06e64bdc77ebde6272e543a5c39d5dca7e82d42738"],"state_sha256":"0ca8e458261e9ec59f95eedd21e56d13f3fd04f46e12d5e48797800c0b542498"}