An AI Security Agent for University ACMIS: Multi-Vector Threat Detection and Automated Response
Pith reviewed 2026-06-30 11:24 UTC · model grok-4.3
The pith
An AI security agent for university academic management systems detects multi-vector threats with a macro-average F1 of 0.966 on simulated event logs while providing automated responses in under 1 millisecond.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The central claim is that an integrated AI security agent monitoring authentication, authorisation, financial transactions, user behaviour, and system health can achieve a threat detection macro-average F1 of 0.966 on a simulated dataset of 147,922 sessions, outperforming a rule-based baseline at 0.156 and an LSTM baseline at 0.836, with critical-tier response latency under 1 ms, and the recovery chatbot reaching 97.1% identity verification accuracy and 87.3% mass-reset attack detection with zero false positives on legitimate periods.
What carries the argument
The modular AI security agent architecture that monitors five operational layers and employs a four-tier risk escalation framework with supervised anomaly detection, behavioural analytics, and an NLP-based recovery chatbot.
If this is right
- The agent outperforms traditional rule-based intrusion detection by a wide margin in distinguishing malicious from normal activities.
- End-to-end automated responses for critical threats occur in under 1 ms on a single-node setup.
- The integrated chatbot verifies user identity at 97.1 percent accuracy and detects mass-reset attacks at 87.3 percent with no false positives on high-volume legitimate periods.
- A modular design supports extension of the core engine to other institutional systems beyond ACMIS.
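To make the gap between the rule-based baseline and the multi-vector detector concrete, the following added example (not code from the paper, which publishes none) scores constructed sessions on the five layers named above, compounds the per-layer risks, maps the result onto four escalation tiers and computes macro-average F1 for both detectors. The per-layer risk functions, the noisy-OR combination, the tier thresholds and all ten sessions are assumptions chosen for illustration, not the paper's parameters.

```python
"""Cross-layer session scoring with four-tier escalation versus a
per-layer rule baseline, both scored by macro-average F1.

Added illustration, not the paper's code. The risk functions, the
noisy-OR combination, the tier bounds and every session are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence


@dataclass(frozen=True)
class Session:
    sid: str
    label: str               # ground truth: "normal" or "malicious"
    failed_logins: int       # authentication layer
    new_device: bool
    role_change: bool        # authorisation layer
    admin_endpoints: int
    payment_amount: float    # financial-transaction layer
    records_exported: int    # user-behaviour layer
    off_hours: bool
    db_latency_ms: float     # system-health layer


def layer_risks(s: Session) -> Dict[str, float]:
    """One risk in [0, 1] per monitored layer (scales are assumptions)."""
    auth = min(s.failed_logins / 10, 1.0)
    if s.new_device:
        auth = max(auth, 0.35)
    if s.role_change and s.admin_endpoints > 0:
        authz = 1.0
    elif s.role_change:
        authz = 0.6
    elif s.admin_endpoints > 0:
        authz = 0.5
    else:
        authz = 0.0
    fin = min(s.payment_amount / 5000, 1.0)
    beh = min(s.records_exported / 500, 1.0)
    if s.off_hours:
        beh = min(beh + 0.25, 1.0)
    health = min(s.db_latency_ms / 2000, 1.0)
    return {"auth": auth, "authz": authz, "fin": fin, "beh": beh, "health": health}


def combined_risk(s: Session) -> float:
    """Noisy-OR across layers, so several moderate signals compound."""
    survive = 1.0
    for r in layer_risks(s).values():
        survive *= 1.0 - r
    return 1.0 - survive


TIER_BOUNDS = (0.3, 0.6, 0.85)   # tier 0 below 0.3 ... tier 3 at 0.85 and above
TIER_ACTIONS = ("log only", "alert analyst", "step-up verification",
                "lock session and revoke tokens")


def tier(s: Session) -> int:
    return sum(combined_risk(s) >= b for b in TIER_BOUNDS)


def multivector_predict(s: Session) -> str:
    # Tiers 2 and 3 trigger an automated response, so they count as malicious.
    return "malicious" if tier(s) >= 2 else "normal"


def rule_predict(s: Session) -> str:
    """Baseline: flag only when a single layer crosses a hard threshold."""
    tripped = (s.failed_logins >= 10
               or (s.role_change and s.admin_endpoints > 0)
               or s.payment_amount >= 5000
               or s.records_exported >= 500
               or s.db_latency_ms >= 2000)
    return "malicious" if tripped else "normal"


def macro_f1(y_true: Sequence[str], y_pred: Sequence[str],
             classes: Sequence[str] = ("normal", "malicious")) -> float:
    """Unweighted mean of per-class F1, the paper's headline metric."""
    scores = []
    for c in classes:
        tp = sum(t == c and p == c for t, p in zip(y_true, y_pred))
        fp = sum(t != c and p == c for t, p in zip(y_true, y_pred))
        fn = sum(t == c and p != c for t, p in zip(y_true, y_pred))
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        scores.append(2 * prec * rec / (prec + rec) if prec + rec else 0.0)
    return sum(scores) / len(scores)


# Constructed sessions: (sid, label, failed, new_dev, role_chg, admin, pay, export, off_hrs, latency)
SESSIONS: List[Session] = [
    Session("n1", "normal", 0, False, False, 0, 1500, 20, False, 120),   # fee payment
    Session("n2", "normal", 2, True, False, 0, 0, 5, True, 100),         # new laptop, evening
    Session("n3", "normal", 0, False, False, 0, 0, 150, False, 600),     # registrar batch
    Session("n4", "normal", 1, False, False, 0, 2000, 0, False, 80),     # typo, then pays
    Session("n5", "normal", 0, True, False, 0, 2500, 0, True, 100),      # new device, late fee
    Session("a1", "malicious", 40, True, False, 0, 0, 0, True, 150),     # brute force
    Session("a2", "malicious", 0, False, True, 12, 0, 0, False, 100),    # privilege escalation
    Session("a3", "malicious", 0, True, False, 0, 0, 250, True, 300),    # insider export under 500
    Session("a4", "malicious", 3, True, False, 0, 3500, 0, True, 100),   # payment fraud under 5000
    Session("a5", "malicious", 0, False, False, 3, 0, 30, True, 90),     # grade endpoint, no role change
]


def evaluate(predict: Callable[[Session], str]) -> float:
    return macro_f1([s.label for s in SESSIONS], [predict(s) for s in SESSIONS])


if __name__ == "__main__":
    for s in SESSIONS:
        print(f"{s.sid} {s.label:9} risk={combined_risk(s):.3f} tier={tier(s)} "
              f"({TIER_ACTIONS[tier(s)]}) rule={rule_predict(s)}")
    print(f"macro-F1 rule-based={evaluate(rule_predict):.3f} "
          f"multi-vector={evaluate(multivector_predict):.3f}")
```

Run as a script it prints each session's tier and both macro-F1 values. The constructed cases where the baseline fails (an insider export below the volume threshold, a payment below the amount threshold, grade-endpoint use without a role change) are the "structurally indistinguishable" sessions the abstract refers to: no single layer trips a rule, but the compounded cross-layer risk does. The one false positive (a student on a new device paying fees off-hours) lands in the step-up tier, where the cost to a legitimate user is a second factor rather than a lockout, which is the design reason for keeping a tier between alert and lock.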
Where Pith is reading between the lines
- The approach could be adapted to detect similar threats in other high-value database systems like financial or healthcare records.
- Real-world deployment would require ongoing retraining to handle evolving attack patterns not present in the simulation.
- Combining the detection engine with the chatbot creates a closed-loop system that both identifies and mitigates user-facing threats.
- Performance metrics suggest the multi-vector approach captures cross-layer differences between normal and malicious sessions that look identical within any single layer, which is what the rule-based and sequence-only baselines miss.
Load-bearing premise
The simulated ACMIS event log dataset of 147,922 sessions accurately represents the statistical properties of normal operations and real malicious activity in a live university system.
What would settle it
Running the agent on actual live ACMIS logs from a university system and measuring whether the macro-average F1 score remains above 0.9 or drops significantly toward the LSTM baseline.
Original abstract
University Academic Management Information Systems (ACMIS) are high-value targets for a wide spectrum of security threats including brute-force login attacks, payment fraud, privilege escalation, insider data theft, and academic integrity violations. Traditional rule-based intrusion detection systems are inadequate because many malicious activities are structurally indistinguishable from normal operations. This paper presents an AI-based security agent for ACMIS that combines supervised anomaly detection, behavioural analytics, and a natural language processing chatbot for secure password recovery. The agent monitors five operational layers: authentication, authorisation, financial transactions, user behaviour, and system health, and responds through a four-tier risk escalation framework. A modular architecture allows the core engine to be extended to other institutional systems. Experiments on a simulated ACMIS event log dataset of 147,922 sessions demonstrate a threat detection macro-average F1 of 0.966, compared to 0.156 for a rule-based baseline and 0.836 for a sequence-only (LSTM) baseline, with end-to-end critical-tier automated response latency under 1 ms on a single-node prototype. The integrated recovery chatbot achieves 97.1 percent identity verification accuracy and an 87.3 percent mass-reset attack detection rate with zero false positives on legitimate high volume recovery periods.
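The zero-false-positive claim on high-volume recovery periods is the hardest part of the chatbot result, because a volume spike alone cannot separate an attack from the first week of term. The added example below is not the paper's chatbot and uses none of its parameters: the window size, baseline volume, thresholds and every request log are constructed assumptions. It classifies ten-minute windows of recovery requests from verification failure rate, source concentration and the spread of target accounts, and shows a legitimate surge, a surge from behind a single campus NAT address and one user's repeated retries all staying unflagged while two attack shapes are caught.

```python
"""Mass-reset detection over ten-minute windows of password-recovery requests.

Added illustration, not the paper's chatbot. Window size, baseline volume,
thresholds and every request log below are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class RecoveryRequest:
    ts: int              # seconds since window start
    source_ip: str
    target_account: str
    verified: bool       # identity check passed


WINDOW_S = 600
BASELINE_PER_WINDOW = 5   # assumed normal recovery volume per window
SURGE_FACTOR = 3          # a window counts as a surge at 3x baseline


def window_stats(reqs: List[RecoveryRequest]) -> Dict[str, float]:
    n = len(reqs)
    return {
        "count": n,
        "failure_rate": sum(not r.verified for r in reqs) / n,
        "top_source_share": max(Counter(r.source_ip for r in reqs).values()) / n,
        "targets_per_request": len({r.target_account for r in reqs}) / n,
    }


def classify_window(reqs: List[RecoveryRequest]) -> str:
    """Return "mass_reset" or "normal" for one window of requests."""
    if len(reqs) < SURGE_FACTOR * BASELINE_PER_WINDOW:
        return "normal"                       # no surge, nothing to decide
    st = window_stats(reqs)
    # Signal 1: guessing identity answers across many accounts, so most checks
    # fail. The target-spread condition keeps one confused user retrying a
    # single account out of this branch.
    if st["failure_rate"] >= 0.5 and st["targets_per_request"] >= 0.5:
        return "mass_reset"
    # Signal 2: few sources walking many distinct accounts with answers that
    # mostly pass (breach data). Elevated failures are still required so a
    # campus NAT address carrying a legitimate surge is not flagged.
    if (st["top_source_share"] >= 0.5 and st["targets_per_request"] >= 0.9
            and st["failure_rate"] >= 0.25):
        return "mass_reset"
    return "normal"


def make_window(n: int, sources: List[str], n_fail: int,
                distinct_targets: bool = True) -> List[RecoveryRequest]:
    """Constructed log: n requests round-robin over sources; the first n_fail fail."""
    return [RecoveryRequest(ts=i * WINDOW_S // n,
                            source_ip=sources[i % len(sources)],
                            target_account=f"stu{i:04d}" if distinct_targets else "stu0000",
                            verified=i >= n_fail)
            for i in range(n)]


# Constructed windows; addresses are placeholders from private/documentation ranges.
WINDOWS: Dict[str, List[RecoveryRequest]] = {
    "quiet_period": make_window(4, ["10.0.1.10", "10.0.2.7"], 1),
    "term_start_surge": make_window(60, [f"10.20.{i}.1" for i in range(50)], 6),
    "campus_nat_surge": make_window(50, ["10.99.0.1"], 4),
    "single_user_retries": make_window(20, ["10.0.3.3"], 12, distinct_targets=False),
    "guessing_attack": make_window(80, ["192.0.2.5", "192.0.2.6", "192.0.2.7"], 64),
    "breach_data_attack": make_window(40, ["198.51.100.9", "198.51.100.10"], 10),
}


def run_all() -> Dict[str, str]:
    return {name: classify_window(w) for name, w in WINDOWS.items()}


if __name__ == "__main__":
    for name, w in WINDOWS.items():
        print(f"{name:20} n={len(w):3} -> {classify_window(w)} {window_stats(w)}")
```

Source concentration on its own would flag the NAT window, and failure rate on its own would flag the retrying student; each signal is only trusted together with the spread of target accounts, and a single account's retries are left to the ordinary per-account lockout. Whether thresholds like these hold on production traffic is exactly what the referee's point about simulation fidelity asks, so the values here are placeholders to be fitted on live recovery logs, not results.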
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents an AI security agent for University ACMIS that combines supervised anomaly detection, behavioural analytics, and an NLP chatbot for secure password recovery. It monitors five layers: authentication, authorisation, financial transactions, user behaviour, and system health, responding via a four-tier risk escalation framework. Experiments on a simulated dataset of 147,922 sessions report a threat detection macro-average F1 of 0.966 (vs. 0.156 rule-based and 0.836 LSTM), <1 ms latency, and chatbot accuracies of 97.1% identity verification and 87.3% mass-reset detection with zero false positives.
Significance. Should the simulated dataset accurately reflect real ACMIS operations, this approach could meaningfully advance practical security for institutional systems by addressing the indistinguishability of many threats from normal activity through multi-layer monitoring and automated responses. The modular architecture is noted as a positive for broader applicability. The work does not include machine-checked proofs or open code.
Major comments (1)
- [Abstract] The headline results (macro F1 0.966, chatbot 97.1%/87.3%, <1 ms latency, zero FPs) are obtained exclusively on a simulated 147,922-session ACMIS log whose construction is not described: no parameters for normal vs attack distributions, no inter-layer correlation model, no validation against real university logs, and no sensitivity analysis. Because the five monitored layers and four-tier escalation are defined in terms of these logs, any mismatch in statistical properties directly invalidates both the F1 comparison and the zero-FP claim on high-volume recovery periods.
Simulated Author's Rebuttal
We thank the referee for the constructive critique. The primary concern is the insufficient description of the simulated dataset, which we address below by committing to a detailed revision. We believe this strengthens the paper without altering its core claims.
Point-by-point responses
Referee: [Abstract] The headline results (macro F1 0.966, chatbot 97.1%/87.3%, <1 ms latency, zero FPs) are obtained exclusively on a simulated 147,922-session ACMIS log whose construction is not described: no parameters for normal vs attack distributions, no inter-layer correlation model, no validation against real university logs, and no sensitivity analysis. Because the five monitored layers and four-tier escalation are defined in terms of these logs, any mismatch in statistical properties directly invalidates both the F1 comparison and the zero-FP claim on high-volume recovery periods.
Authors: We agree this is a valid and important point. The current manuscript provides only high-level information on the simulated log and does not include the requested parameters, correlation model, sensitivity analysis, or explicit discussion of real-log validation. In the revised version we will add a dedicated subsection (likely 4.1 or 4.2) that specifies: (i) the generative parameters and distributions for normal versus attack sessions, (ii) the statistical model used to induce inter-layer correlations, (iii) sensitivity results across key parameters, and (iv) the institutional privacy constraints that prevented use of real university logs together with any proxy validation steps performed. These additions will allow readers to assess the statistical fidelity of the simulation and will directly support the reported F1 and zero-FP figures. We do not claim the simulation is a perfect surrogate for production ACMIS traffic; the revision will make this limitation explicit while preserving the comparative evaluation against the rule-based and LSTM baselines. revision: yes
Circularity Check
No circularity; results are direct experimental metrics on simulated data
full rationale
The paper reports empirical performance numbers (macro F1 0.966, chatbot accuracies, latency) obtained by training and evaluating models on a fixed simulated dataset of 147,922 sessions. No equations, derivations, or self-citations are present that would make any reported metric equivalent to its own inputs by construction. The simulation itself is an external input whose statistical fidelity is an assumption, not a definitional loop inside the claimed results.