pith. machine review for the scientific record.

arxiv: 2604.24644 · v1 · submitted 2026-04-27 · 💻 cs.CR

Recognition: unknown

ARCANE: Cross-Campaign Attacker Re-identification via Passive Beacon Telemetry -- A Bayesian Network Framework for Longitudinal Cyber Attribution


Pith reviewed 2026-05-08 02:37 UTC · model grok-4.3

classification 💻 cs.CR
keywords cyber attribution · Bayesian network · passive telemetry · adversary re-identification · longitudinal analysis · feature indistinguishability · synthetic dataset · cross-campaign aggregation

The pith

Aggregating passive telemetry across cyber campaigns does not eliminate attribution ambiguity among sophisticated adversaries.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper examines whether combining evidence from multiple campaigns can improve identification of cyber adversaries beyond single-incident analysis. It models fingerprints from behavioral, infrastructural, and temporal features in covert beacon interactions and updates them via a Bayesian network with time-decayed confidence. Evaluation on synthetic threat profiles shows higher similarity within the same actor than between different actors, yet the gap stays too narrow for reliable distinction. Performance holds steady even when evasion increases, indicating that feature overlap from common practices among advanced groups creates the main barrier. The work concludes that cross-campaign aggregation alone hits a structural limit and that new signal types are required for better results.

Core claim

ARCANE constructs persistent adversary fingerprints as multi-dimensional vectors from passive beacon telemetry and aggregates them across campaigns and organizations using a Bayesian belief network that incorporates new evidence over time with a time-decayed confidence metric. On a synthetic dataset of multiple threat profiles, intra-actor similarity exceeds inter-actor similarity, but separation remains limited by shared operational practices, so that cross-campaign aggregation does not resolve attribution ambiguity. Attribution accuracy stays stable under increasing evasion, showing the constraint arises from feature indistinguishability rather than adversarial adaptation.

What carries the argument

The Bayesian belief network in ARCANE that integrates new evidence over time to build persistent adversary fingerprints using time-decayed confidence on multi-dimensional telemetry feature vectors.

If this is right

  • Intra-actor similarity consistently exceeds inter-actor similarity across the derived feature vectors.
  • Attribution accuracy remains stable even as the modeled level of evasion increases.
  • Separation between distinct actors stays limited due to shared operational practices among sophisticated adversaries.
  • Additional signal classes such as targeting patterns, temporal coordination, and infrastructure relationships are required to improve attribution reliability.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • Defenders could shift resources toward collecting novel data types instead of refining existing telemetry aggregation methods.
  • Real-world overlap among adversaries may exceed the synthetic model, further reducing the value of longitudinal beacon data alone.
  • The result points toward hybrid approaches that combine passive telemetry with external intelligence sources for longitudinal tracking.

Load-bearing premise

The synthetic dataset of multiple threat profiles accurately captures the degree of behavioral and infrastructural overlap that exists among real sophisticated adversaries.

What would settle it

A direct comparison of attribution accuracy on real multi-campaign incident datasets against the synthetic results, checking whether cross-campaign aggregation improves separation beyond the reported structural ceiling.

Figures

Figures reproduced from arXiv: 2604.24644 by Abraham Itzhak Weinberg.

Figure 1. Within-actor (S̄_w = 0.848, blue) and cross-actor (S̄_c = 0.802, red) fingerprint similarity distributions. Separation is statistically significant (t = 8.33, p = 1.52 × 10^−16) but the gap ΔS = 0.046 falls below the threshold required for high-confidence re-identification at N = 8 actors. Error bars omitted for clarity.
Figure 2. (a) Attribution confidence distributions: both methods produce low-confidence posteriors due to …
Figure 3. Re-identification accuracy vs training campaign count for ARCANE (blue) and baseline (red).
Figure 4. Inter-actor mean fingerprint similarity matrix. All off-diagonal entries exceed …
Figure 5. ARCANE re-identification accuracy under adversarial evasion. Accuracy is stable across evasion …
Figure 6. Threat actor infrastructure similarity graph. Node colour indicates nation-state origin: KP (red), …
Figure 7. Monthly re-identification accuracy (bars, left axis) and mean attribution confidence (line, right …
Original abstract

Current cyber attribution approaches typically operate on a per-incident basis, leaving open whether aggregating evidence across campaigns improves adversary identification. We investigate whether cross-campaign attribution reduces ambiguity or whether structural limits persist under longitudinal data. We model adversary fingerprints as multi-dimensional feature vectors encoding behavioral, infrastructural, and temporal characteristics derived from covert beacon interactions. We introduce ARCANE (Attacker Re-identification via Cross-campaign Attribution Network), a probabilistic framework that aggregates passive telemetry across campaigns and organizations to construct persistent adversary fingerprints. These fingerprints are updated using a Bayesian belief network that integrates new evidence over time. A time-decayed confidence metric captures accumulated similarity across campaigns. Evaluation on a synthetic dataset of multiple threat profiles shows that intra-actor similarity consistently exceeds inter-actor similarity. However, separation between distinct actors remains limited due to shared operational practices among sophisticated adversaries. Results indicate that cross-campaign aggregation alone does not resolve attribution ambiguity. Performance is constrained by a structural ceiling in feature space, where inter-actor similarity remains high even without evasion. Attribution accuracy remains stable under increasing evasion, suggesting the main limitation is feature indistinguishability rather than adversarial adaptation. These findings highlight the need for additional signal classes, such as targeting patterns, temporal coordination, and infrastructure relationships, to improve attribution reliability.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

2 major / 2 minor

Summary. The manuscript presents ARCANE, a Bayesian network framework for longitudinal cyber attribution that aggregates passive beacon telemetry across campaigns to construct persistent adversary fingerprints. Adversary behavior is encoded as multi-dimensional feature vectors capturing behavioral, infrastructural, and temporal characteristics. The model uses Bayesian updating with a time-decayed confidence metric to integrate evidence over time. Evaluation on a synthetic dataset of multiple threat profiles shows intra-actor similarity consistently exceeds inter-actor similarity, yet separation remains limited due to shared operational practices. The central conclusion is that cross-campaign aggregation alone does not resolve attribution ambiguity because of a structural ceiling in feature space; attribution accuracy stays stable under increasing evasion, implying the primary limit is feature indistinguishability rather than adversarial adaptation. The work recommends incorporating additional signals such as targeting patterns and infrastructure relationships.

Significance. If the synthetic evaluation holds under more realistic conditions, the paper would usefully demonstrate that standard telemetry features impose a hard limit on attribution even with longitudinal aggregation, thereby motivating investment in richer signal classes. The Bayesian belief network and time-decay mechanism provide a clean, extensible probabilistic formulation for persistent fingerprinting. No machine-checked proofs or reproducible code are provided, but the framework is parameter-light and the similarity comparisons are defined externally to the fitted model.

major comments (2)
  1. [§4 (Evaluation)] The synthetic dataset generation process for the multiple threat profiles is not described. No details are given on how the behavioral, infrastructural, and temporal feature vectors are sampled or correlated across actors to produce the reported degree of inter-actor overlap. This omission is load-bearing for the structural-ceiling claim, because the observed intra-actor > inter-actor similarity and the stability under evasion could be artifacts of the (unspecified) synthesis procedure rather than empirical properties of real beacon telemetry.
  2. [§5 (Results)] The claim that 'attribution accuracy remains stable under increasing evasion' requires an explicit model of how evasion is injected into the synthetic feature vectors (e.g., which dimensions are perturbed and by how much). Without this, it is impossible to verify that the stability result is not an artifact of the evasion simulation itself.
minor comments (2)
  1. [Abstract and §4] The abstract and §4 state that 'intra-actor similarity consistently exceeds inter-actor similarity' without giving numbers in the text; the means (0.848 within-actor vs 0.802 cross-actor), the t-statistic and the p-value appear only in the Figure 1 caption, and no confidence intervals are reported anywhere. Moving these values into the text with intervals would strengthen the presentation and make explicit that a statistically significant difference (t = 8.33) coexists with a gap (ΔS = 0.046) too narrow for re-identification at N = 8 actors.
  2. [§3 (Model)] Notation for the time-decayed confidence metric and the Bayesian update equations could be clarified with a single summary table of symbols.

Simulated Author's Rebuttal

2 responses · 0 unresolved

We thank the referee for the constructive and detailed feedback. The comments highlight important gaps in the description of our synthetic evaluation, which we will address directly in the revision to strengthen the transparency and verifiability of the structural-ceiling claim.

read point-by-point responses
  1. Referee: [§4 (Evaluation)] The synthetic dataset generation process for the multiple threat profiles is not described. No details are given on how the behavioral, infrastructural, and temporal feature vectors are sampled or correlated across actors to produce the reported degree of inter-actor overlap. This omission is load-bearing for the structural-ceiling claim, because the observed intra-actor > inter-actor similarity and the stability under evasion could be artifacts of the (unspecified) synthesis procedure rather than empirical properties of real beacon telemetry.

    Authors: We agree that the absence of a detailed description of the synthetic data generation process limits the ability to assess whether the observed intra-actor versus inter-actor similarity patterns are robust. In the revised manuscript we will insert a new subsection in §4 that fully specifies the generation procedure. This will include: (i) the marginal distributions and ranges for each behavioral, infrastructural, and temporal feature; (ii) the correlation matrices used to induce intra-actor consistency while allowing controlled inter-actor overlap that reflects shared operational practices; and (iii) the exact parameter values chosen to produce the reported similarity statistics. These additions will make the synthesis reproducible and will allow readers to verify that the structural ceiling is not an artifact of the particular sampling choices. revision: yes

  2. Referee: [§5 (Results)] The claim that 'attribution accuracy remains stable under increasing evasion' requires an explicit model of how evasion is injected into the synthetic feature vectors (e.g., which dimensions are perturbed and by how much). Without this, it is impossible to verify that the stability result is not an artifact of the evasion simulation itself.

    Authors: We accept that the evasion simulation must be described explicitly. In the revised §5 we will add a precise account of the evasion model, specifying: (i) the subset of feature dimensions that are perturbed (behavioral and infrastructural features, with temporal features left unperturbed to reflect realistic operational constraints); (ii) the perturbation mechanism (additive zero-mean Gaussian noise whose variance is scaled by an evasion intensity parameter); and (iii) the discrete set of intensity values tested. This description will demonstrate that the observed stability is driven by the baseline inter-actor overlap already present in the non-evaded feature space rather than by any particular property of the noise injection. revision: yes
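The mechanism in the core claim (fingerprints as feature vectors, cross-campaign aggregation through a time-decayed Bayesian update) and the evasion model the rebuttal describes (zero-mean Gaussian noise on behavioural and infrastructural dimensions, temporal dimensions left intact) can be exercised end to end on constructed data. The script below is an added illustration, not code from the ARCANE paper: it builds synthetic actor fingerprints as a dominant shared "common tradecraft" component plus a small private component, scores within- versus cross-actor cosine similarity with Welch's t in the manner of Figure 1, re-identifies held-out campaigns with a time-decayed posterior over known actors, and sweeps modest evasion intensities. The 12-dimensional feature split, the mixing weight, the cosine likelihood, the exponential decay and every parameter value are assumptions made for the illustration; the telemetry is constructed inline.

```python
"""Synthetic cross-campaign re-identification in the spirit of ARCANE.

Added illustration, not the paper's code. Every numeric choice below
(feature split, mixing weight, noise levels, decay rate, likelihood
sharpness) is an assumption; the telemetry is constructed inline.
"""
import math
import random
from statistics import mean, variance

DIM = 12                        # assumed: 4 behavioural, 4 infrastructural, 4 temporal
PERTURBABLE = set(range(8))     # evasion noise hits behavioural + infrastructural dims only


def cosine(a, b):
    """Cosine similarity between two feature vectors."""
    dot = sum(x * y for x, y in zip(a, b))
    return dot / math.sqrt(sum(x * x for x in a) * sum(y * y for y in b))


def make_actors(n, rng, shared=0.95):
    """Fingerprint = shared 'common tradecraft' + private component, mixed to
    unit variance. `shared` near 1 encodes the shared operational practices
    that the paper blames for high inter-actor similarity."""
    common = [rng.gauss(0, 1) for _ in range(DIM)]
    private_w = math.sqrt(1 - shared ** 2)
    return {f"actor{i}": [shared * c + private_w * rng.gauss(0, 1) for c in common]
            for i in range(n)}


def observe(profile, rng, month, noise=0.25, evasion=0.0):
    """One campaign's observed fingerprint: profile + measurement noise, plus
    zero-mean Gaussian evasion noise on the perturbable dims (temporal dims
    untouched, as the rebuttal's evasion model describes)."""
    vec = [v + rng.gauss(0, noise) + (rng.gauss(0, evasion) if i in PERTURBABLE else 0.0)
           for i, v in enumerate(profile)]
    return month, vec


def run_campaigns(actors, rng, per_actor=6, evasion=0.0):
    """Constructed telemetry: `per_actor` monthly campaigns for every actor."""
    return [(name, observe(p, rng, m, evasion=evasion))
            for name, p in actors.items() for m in range(per_actor)]


def similarity_gap(campaigns):
    """Mean within-actor and cross-actor similarity over all campaign pairs,
    plus Welch's t for the difference (the Figure 1 style of comparison)."""
    within, cross = [], []
    for i in range(len(campaigns)):
        for j in range(i + 1, len(campaigns)):
            (a, (_, x)), (b, (_, y)) = campaigns[i], campaigns[j]
            (within if a == b else cross).append(cosine(x, y))
    se = math.sqrt(variance(within) / len(within) + variance(cross) / len(cross))
    return mean(within), mean(cross), (mean(within) - mean(cross)) / se


def posterior(fingerprints, evidence, now, decay=0.1, sharpness=20.0):
    """Time-decayed Bayesian update over known actors (assumed functional form):
    log P(actor) += exp(-decay * age) * sharpness * cos(observation, fingerprint),
    starting from a uniform prior. Returns the normalised posterior."""
    logp = {a: 0.0 for a in fingerprints}
    for month, vec in evidence:
        weight = math.exp(-decay * (now - month))   # older campaigns count for less
        for a, fp in fingerprints.items():
            logp[a] += weight * sharpness * cosine(vec, fp)
    top = max(logp.values())
    z = sum(math.exp(v - top) for v in logp.values())
    return {a: math.exp(v - top) / z for a, v in logp.items()}


def experiment(n_actors=8, evasion=0.0, seed=7):
    """Fit per-actor fingerprints on months 0-2, re-identify months 3-5.
    Returns (within_mean, cross_mean, t, accuracy, mean_top_posterior)."""
    rng = random.Random(seed)
    actors = make_actors(n_actors, rng)
    camps = run_campaigns(actors, rng, evasion=evasion)
    within, cross, t = similarity_gap(camps)
    train = [(a, ob) for a, ob in camps if ob[0] < 3]
    fps = {a: [mean(ob[1][d] for b, ob in train if b == a) for d in range(DIM)]
           for a in actors}
    hits, confidences = 0, []
    for a in actors:
        held_out = [ob for b, ob in camps if b == a and ob[0] >= 3]
        post = posterior(fps, held_out, now=5)
        guess = max(post, key=post.get)
        hits += guess == a
        confidences.append(post[guess])
    return within, cross, t, hits / n_actors, mean(confidences)


if __name__ == "__main__":
    print("evasion  within  cross   gap    t      acc   conf")
    for ev in (0.0, 0.1, 0.2, 0.3):
        w, c, t, acc, conf = experiment(evasion=ev)
        print(f"{ev:7.1f}  {w:.3f}   {c:.3f}   {w - c:.3f}  {t:5.1f}  {acc:.2f}  {conf:.2f}")
```

Watch the `gap` column when running it: with the shared component dominant, the within/cross separation is narrow before any evasion is applied, and mild evasion lowers both distributions together rather than closing the gap, which is the structural-ceiling picture the paper describes. The effect here is a direct consequence of the constructed mixing weight, so the script demonstrates the mechanism and the shape of the evaluation, not anything about real adversaries; swapping `make_actors` for fingerprints fitted to real campaign data is exactly the comparison the referee asks for.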

Circularity Check

0 steps flagged

No significant circularity in derivation or evaluation chain

full rationale

The paper defines a standard Bayesian belief network for aggregating telemetry into fingerprints and applies a time-decayed confidence metric. Similarity comparisons (intra-actor vs. inter-actor) and the resulting performance claims are computed from the synthetic dataset properties rather than being equivalent to the model definition by construction. No equations reduce the reported accuracy or structural-ceiling conclusion to a fitted parameter or self-referential input. The synthetic data generation and evaluation steps remain independent of the framework's probabilistic update rules, satisfying the criteria for a self-contained derivation without load-bearing circularity.

Axiom & Free-Parameter Ledger

0 free parameters · 1 axiom · 0 invented entities

Abstract provides insufficient detail to enumerate specific free parameters or invented entities; the framework relies on standard Bayesian assumptions and a synthetic dataset whose realism is unverified.

axioms (1)
  • domain assumption Bayesian belief networks can be used to update adversary fingerprints from passive telemetry without introducing bias from shared operational practices
    Invoked when the model aggregates evidence across campaigns to produce persistent profiles.

pith-pipeline@v0.9.0 · 5529 in / 1329 out tokens · 32467 ms · 2026-05-08T02:37:50.889675+00:00 · methodology


Forward citations

Cited by 2 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. CLOUDBURST: Cloud-Layer Observations Using Beacons for Unified Real-time Surveillance and Threat Attribution

    cs.CR 2026-05 unverdicted novelty 7.0

    CLOUDBURST defines the first formal taxonomy for cloud passive beacons and a CAS metric, finding IAM roles most effective while showing rapid attribution decay from infrastructure churn.

  2. PHANTOM: Polymorphic Honeytoken Adaptation with Narrative-Tailored Organisational Mimicry

    cs.CR 2026-05 unverdicted novelty 7.0

    PHANTOM raises honeytoken believability from 0.576 to 0.778 by adding organization-specific mimicry, lifting human acceptance to 100% and detection resistance to 0.870.

Reference graph

Works this paper leans on

30 extracted references · 1 canonical work pages · cited by 2 Pith papers

  1. T. Rid and B. Buchanan, "Attributing cyber attacks," Journal of Strategic Studies, vol. 38, no. 1-2, pp. 4–37, 2015.
  2. W. Tounsi and H. Rais, "A survey on technical threat intelligence in the age of sophisticated cyber attacks," Computers & Security, vol. 72, pp. 212–233, 2018.
  3. S. M. Milajerdi, R. Gjomemo, B. Eshete, R. Sekar, and V. Venkatakrishnan, "HOLMES: Real-time APT detection through correlation of suspicious information flows," in 2019 IEEE Symposium on Security and Privacy (SP), IEEE, 2019, pp. 1137–1152.
  4. F. Psallidas, A. Agrawal, C. Sugunan, K. Ibrahim, K. Karanasos, J. Camacho-Rodríguez, A. Floratou, C. Curino, and R. Ramakrishnan, "OneProvenance: Efficient extraction of dynamic coarse-grained provenance from database query event logs," Proceedings of the VLDB Endowment, vol. 16, no. 12, pp. 3662–3675, 2023.
  5. E. Altinisik, F. Deniz, and H. T. Sencar, "ProvG-Searcher: A graph representation learning approach for efficient provenance graph search," in Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security, 2023, pp. 2247–2261.
  6. M. N. Hossain, S. M. Milajerdi, J. Wang, B. Eshete, R. Gjomemo, R. Sekar, S. Stoller, and V. Venkatakrishnan, "SLEUTH: Real-time attack scenario reconstruction from COTS audit data," in 26th USENIX Security Symposium (USENIX Security 17), 2017, pp. 487–504.
  7. W. U. Hassan, A. Bates, and D. Marino, "Tactical provenance analysis for endpoint detection and response systems," in 2020 IEEE Symposium on Security and Privacy (SP), IEEE, 2020, pp. 1172–1189.
  8. B. Buchanan, The Cybersecurity Dilemma: Hacking, Trust, and Fear Between Nations. Oxford University Press, 2016.
  9. D. A. Wheeler and G. N. Larsen, "Techniques for cyber attack attribution," 2003.
  10. S. Caltagirone, A. Pendergast, and C. Betz, "The diamond model of intrusion analysis," 2013.
  11. B. E. Strom, A. Applebaum, D. P. Miller, K. C. Nickels, A. G. Pennington, and C. B. Thomas, "MITRE ATT&CK: Design and philosophy," 2018.
  12. T. K. Chowdhury and S. Biswas, "Graph neural networks (GNNs) for modeling cyber attack patterns and predicting system vulnerabilities in critical infrastructure," American Journal of Interdisciplinary Studies, vol. 3, no. 04, pp. 157–202, 2022.
  13. L. Spitzner, "Honeytokens: The other honeypot," Symantec Enterprise Security Community, Jul. 2003 (originally released 17 July 2003; updated version later released based on community feedback). Available: https://community.broadcom.com/symantecenterprise/communities/community-home/librarydocuments/viewdocument?DocumentKey=74450cf5-2f11-48c5-8d92...
  14. A. Juels and R. L. Rivest, "Honeywords: Making password-cracking detectable," in Proceedings of the 2013 ACM SIGSAC Conference on Computer & Communications Security, 2013, pp. 145–160.
  15. T. Yu, Y. Xin, and C. Zhang, "HoneyFactory: Container-based comprehensive cyber deception honeynet architecture," Electronics, vol. 13, no. 2, p. 361, 2024.
  16. P. Beltrán-López, M. G. Pérez, and P. Nespoli, "Cyber deception: Taxonomy, state of the art, frameworks, trends, and open challenges," IEEE Communications Surveys & Tutorials, 2025.
  17. A. I. Weinberg, "Passive hack-back strategies for cyber attribution: Covert vectors in denied environment," arXiv preprint arXiv:2508.16637, 2025.
  18. U. Bayer, P. M. Comparetti, C. Hlauschek, C. Kruegel, and E. Kirda, "Scalable, behavior-based malware clustering," in NDSS, vol. 9, 2009, pp. 8–11.
  19. L. Bilge and T. Dumitraş, "Before we knew it: An empirical study of zero-day attacks in the real world," in Proceedings of the 2012 ACM Conference on Computer and Communications Security, 2012, pp. 833–844.
  20. D. Y. Huang, M. M. Aliapoulios, V. G. Li, L. Invernizzi, E. Bursztein, K. McRoberts, J. Levin, K. Levchenko, A. C. Snoeren, and D. McCoy, "Tracking ransomware end-to-end," in 2018 IEEE Symposium on Security and Privacy (SP), IEEE, 2018, pp. 618–631.
  21. A. Caliskan-Islam, R. Harang, A. Liu, A. Narayanan, C. Voss, F. Yamaguchi, and R. Greenstadt, "De-anonymizing programmers via code stylometry," in 24th USENIX Security Symposium (USENIX Security 15), 2015, pp. 255–270.
  22. D. Pasquini, E. M. Kornaropoulos, and G. Ateniese, "LLMmap: Fingerprinting for large language models," in 34th USENIX Security Symposium (USENIX Security 25), 2025, pp. 299–318.
  23. C. Kruegel and T. Toth, "Using decision trees to improve signature-based intrusion detection," in International Workshop on Recent Advances in Intrusion Detection, Springer, 2003, pp. 173–191.
  24. R. Anderson, C. Barton, R. Böhme, R. Clayton, C. Ganán, T. Grasso, M. Levi, T. Moore, and M. Vasek, "Measuring the changing cost of cybercrime," 2019.
  25. D. Liu, X. Wang, and L. J. Camp, "Mitigating inadvertent insider threats with incentives," in International Conference on Financial Cryptography and Data Security, Springer, 2009, pp. 1–16.
  26. K. Nance, M. Bishop, and B. Hay, "Investigating the implications of virtual machine introspection for digital forensics," in 2009 International Conference on Availability, Reliability and Security, IEEE, 2009, pp. 1024–1029.
  27. J. Kutscher, "M-Trends 2022: Cyber security metrics, insights and guidance from the frontlines," threat intelligence report, Apr. 2022. Available: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2022
  28. M. A. S. Al Barwani, "State-sponsored cyber-attacks: Threats, strategies, and global responses."
  29. T. Singh, "Case studies: State-sponsored cyberattacks," in Cybersecurity, Psychology and People Hacking, Springer, 2025, pp. 151–165.
  30. C. D. Hylender, P. Langlois, A. Pinto, and S. Widup, "Verizon 2024 Data Breach Investigations Report," The Verizon DBIR Team, 2024. Available: https://www.verizon.com/business/resources/Tf18/reports/2024-dbir-data-breach-investigations-report.pdf (accessed 20 November 2024).