{"bundle_type":"pith_open_graph_bundle","bundle_version":"1.0","pith_number":"pith:2023:WB2BPMDFYAJFJEZBJUHZ26DF5A","short_pith_number":"pith:WB2BPMDF","canonical_record":{"source":{"id":"2304.13941","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2023-04-27T03:19:26Z","cross_cats_sorted":[],"title_canon_sha256":"8f442d6bde68b66c7791b2014ddce01af56c9b53f34d954b685e73f443b23e3c","abstract_canon_sha256":"25834a3a4c29e17db70be54647aee3b8098ea2dbcfcb9d8d57457d7e1a66117e"},"schema_version":"1.0"},"canonical_sha256":"b07417b065c0125493214d0f9d7865e8166b2c49581a8eb60920207cee134aa4","source":{"kind":"arxiv","id":"2304.13941","version":3},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2304.13941","created_at":"2026-05-26T02:03:44Z"},{"alias_kind":"arxiv_version","alias_value":"2304.13941v3","created_at":"2026-05-26T02:03:44Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2304.13941","created_at":"2026-05-26T02:03:44Z"},{"alias_kind":"pith_short_12","alias_value":"WB2BPMDFYAJF","created_at":"2026-05-26T02:03:44Z"},{"alias_kind":"pith_short_16","alias_value":"WB2BPMDFYAJFJEZB","created_at":"2026-05-26T02:03:44Z"},{"alias_kind":"pith_short_8","alias_value":"WB2BPMDF","created_at":"2026-05-26T02:03:44Z"}],"events":[{"event_type":"record_created","subject_pith_number":"pith:2023:WB2BPMDFYAJFJEZBJUHZ26DF5A","target":"record","payload":{"canonical_record":{"source":{"id":"2304.13941","kind":"arxiv","version":3},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2023-04-27T03:19:26Z","cross_cats_sorted":[],"title_canon_sha256":"8f442d6bde68b66c7791b2014ddce01af56c9b53f34d954b685e73f443b23e3c","abstract_canon_sha256":"25834a3a4c29e17db70be54647aee3b8098ea2dbcfcb9d8d57457d7e1a66117e"},"schema_version":"1.0"},"canonical_sha256":"b07417b065c0125493214d0f9d7865e8166b2c49581a8eb60920207cee134aa4","receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-26T02:03:44.390644Z","signature_b64":"fraIc3wzbpCS6jmaNTcXHoLGFiNFxJ4ii9Z5dzjpPTtdkm9HR1nUCrO51OT75Uez8y1fyhzSATUAZns+9Fd4BQ==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"b07417b065c0125493214d0f9d7865e8166b2c49581a8eb60920207cee134aa4","last_reissued_at":"2026-05-26T02:03:44.390000Z","signature_status":"signed_v1","first_computed_at":"2026-05-26T02:03:44.390000Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"source_kind":"arxiv","source_id":"2304.13941","source_version":3,"attestation_state":"computed"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-26T02:03:44Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"UL9AAIQQ2OwELG8vJMJ+ylwByWP/m1xxxvoFoSJZC16xMGeU62CVr0u+AT59CFTuvND4NkDEH8O9IyblYpHUBQ==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-30T23:53:12.726758Z"},"content_sha256":"9fa32e0bee7031f9835abdd223c43933d17636f960f10f0f956ff73e5d76c6b7","schema_version":"1.0","event_id":"sha256:9fa32e0bee7031f9835abdd223c43933d17636f960f10f0f956ff73e5d76c6b7"},{"event_type":"graph_snapshot","subject_pith_number":"pith:2023:WB2BPMDFYAJFJEZBJUHZ26DF5A","target":"graph","payload":{"graph_snapshot":{"paper":{"title":"Detection of Anomalous Network Nodes via Hierarchical Prediction and Extreme Value Theory","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"A two-stage method using hierarchical time series prediction of ARP calls followed by extreme value theory flags anomalous network nodes while cutting false positives.","cross_cats":[],"primary_cat":"cs.CR","authors_text":"Asha Rao, Conrad Sanderson, Hideya Ochiai, Mahdi Abolghasemi, Sevvandi Kandanaarachchi","submitted_at":"2023-04-27T03:19:26Z","abstract_excerpt":"Continuously evolving cyber-attacks against industrial networks reduce the effectiveness of signature-based detection methods. Once malware has infiltrated a network (for example, entering via an unsecured device), it can infect further network nodes and carry out malicious activity. Infected nodes can exhibit unusual behaviour in their use of Address Resolution Protocol (ARP) calls within the network. In order to detect such anomalous nodes, we propose a two-stage method: (i) modelling of ARP call behaviour via hierarchical time series prediction methods, and (ii) exploiting Extreme Value The"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"Empirical evaluations on a real-life dataset containing over 10M ARP calls from 362 nodes show that the proposed method results in considerably reduced number of false positives, addressing the problem of alert fatigue commonly reported by security professionals.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"That the residuals from the hierarchical time series predictions of ARP behavior follow heavy-tailed distributions for which Extreme Value Theory provides a reliable threshold to separate normal variation from anomalous behavior.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Hierarchical time series prediction of ARP calls combined with Extreme Value Theory identifies anomalous nodes while substantially lowering false positive rates on a real dataset of over 10 million calls.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"A two-stage method using hierarchical time series prediction of ARP calls followed by extreme value theory flags anomalous network nodes while cutting false positives.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"617787d4f90e66ff92e3f7de624b403f9363e5fb2a781b074b4357e32e04e3d4"},"source":{"id":"2304.13941","kind":"arxiv","version":3},"verdict":{"id":"94f5135f-1154-4cb9-b1dd-6a9d439b46f4","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-24T09:07:31.154395Z","strongest_claim":"Empirical evaluations on a real-life dataset containing over 10M ARP calls from 362 nodes show that the proposed method results in considerably reduced number of false positives, addressing the problem of alert fatigue commonly reported by security professionals.","one_line_summary":"Hierarchical time series prediction of ARP calls combined with Extreme Value Theory identifies anomalous nodes while substantially lowering false positive rates on a real dataset of over 10 million calls.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"That the residuals from the hierarchical time series predictions of ARP behavior follow heavy-tailed distributions for which Extreme Value Theory provides a reliable threshold to separate normal variation from anomalous behavior.","pith_extraction_headline":"A two-stage method using hierarchical time series prediction of ARP calls followed by extreme value theory flags anomalous network nodes while cutting false positives."},"integrity":{"clean":true,"summary":{"advisory":0,"critical":0,"by_detector":{},"informational":0},"endpoint":"/pith/2304.13941/integrity.json","findings":[],"available":true,"detectors_run":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938"},"references":{"count":0,"sample":[],"resolved_work":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","internal_anchors":0},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"verdict_id":"94f5135f-1154-4cb9-b1dd-6a9d439b46f4"},"signer":{"signer_id":"pith.science","signer_type":"pith_registry","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"created_at":"2026-05-26T02:03:44Z","supersedes":[],"prev_event":null,"signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"AnzCH+ryS4wenowz/6x2JsJ4T3IhdpW5BL8jhjogO4EpulOtdtdBoULaPPePMiUt+fdqD7oTIx4PyJEnsbRgBg==","signed_message":"open_graph_event_sha256_bytes","signed_at":"2026-05-30T23:53:12.727692Z"},"content_sha256":"94791d3e91e20548226d79791af5edbbeb8d2b5d6925fb3acdfd967f8363ab76","schema_version":"1.0","event_id":"sha256:94791d3e91e20548226d79791af5edbbeb8d2b5d6925fb3acdfd967f8363ab76"}],"timestamp_proofs":[],"mirror_hints":[{"mirror_type":"https","name":"Pith Resolver","base_url":"https://pith.science","bundle_url":"https://pith.science/pith/WB2BPMDFYAJFJEZBJUHZ26DF5A/bundle.json","state_url":"https://pith.science/pith/WB2BPMDFYAJFJEZBJUHZ26DF5A/state.json","well_known_bundle_url":"https://pith.science/.well-known/pith/WB2BPMDFYAJFJEZBJUHZ26DF5A/bundle.json","status":"primary"}],"public_keys":[{"key_id":"pith-v1-2026-05","algorithm":"ed25519","format":"raw","public_key_b64":"stVStoiQhXFxp4s2pdzPNoqVNBMojDU/fJ2db5S3CbM=","public_key_hex":"b2d552b68890857171a78b36a5dccf368a953413288c353f7c9d9d6f94b709b3","fingerprint_sha256_b32_first128bits":"RVFV5Z2OI2J3ZUO7ERDEBCYNKS","fingerprint_sha256_hex":"8d4b5ee74e4693bcd1df2446408b0d54","rotates_at":null,"url":"https://pith.science/pith-signing-key.json","notes":"Pith uses this Ed25519 key to sign canonical record SHA-256 digests. Verify with: ed25519_verify(public_key, message=canonical_sha256_bytes, signature=base64decode(signature_b64))."}],"merge_version":"pith-open-graph-merge-v1","built_at":"2026-05-30T23:53:12Z","links":{"resolver":"https://pith.science/pith/WB2BPMDFYAJFJEZBJUHZ26DF5A","bundle":"https://pith.science/pith/WB2BPMDFYAJFJEZBJUHZ26DF5A/bundle.json","state":"https://pith.science/pith/WB2BPMDFYAJFJEZBJUHZ26DF5A/state.json","well_known_bundle":"https://pith.science/.well-known/pith/WB2BPMDFYAJFJEZBJUHZ26DF5A/bundle.json"},"state":{"state_type":"pith_open_graph_state","state_version":"1.0","pith_number":"pith:2023:WB2BPMDFYAJFJEZBJUHZ26DF5A","merge_version":"pith-open-graph-merge-v1","event_count":2,"valid_event_count":2,"invalid_event_count":0,"equivocation_count":0,"current":{"canonical_record":{"metadata":{"abstract_canon_sha256":"25834a3a4c29e17db70be54647aee3b8098ea2dbcfcb9d8d57457d7e1a66117e","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2023-04-27T03:19:26Z","title_canon_sha256":"8f442d6bde68b66c7791b2014ddce01af56c9b53f34d954b685e73f443b23e3c"},"schema_version":"1.0","source":{"id":"2304.13941","kind":"arxiv","version":3}},"source_aliases":[{"alias_kind":"arxiv","alias_value":"2304.13941","created_at":"2026-05-26T02:03:44Z"},{"alias_kind":"arxiv_version","alias_value":"2304.13941v3","created_at":"2026-05-26T02:03:44Z"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.2304.13941","created_at":"2026-05-26T02:03:44Z"},{"alias_kind":"pith_short_12","alias_value":"WB2BPMDFYAJF","created_at":"2026-05-26T02:03:44Z"},{"alias_kind":"pith_short_16","alias_value":"WB2BPMDFYAJFJEZB","created_at":"2026-05-26T02:03:44Z"},{"alias_kind":"pith_short_8","alias_value":"WB2BPMDF","created_at":"2026-05-26T02:03:44Z"}],"graph_snapshots":[{"event_id":"sha256:94791d3e91e20548226d79791af5edbbeb8d2b5d6925fb3acdfd967f8363ab76","target":"graph","created_at":"2026-05-26T02:03:44Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"graph_snapshot":{"author_claims":{"count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57","strong_count":0},"builder_version":"pith-number-builder-2026-05-17-v1","claims":{"count":4,"items":[{"attestation":"unclaimed","claim_id":"C1","kind":"strongest_claim","source":"verdict.strongest_claim","status":"machine_extracted","text":"Empirical evaluations on a real-life dataset containing over 10M ARP calls from 362 nodes show that the proposed method results in considerably reduced number of false positives, addressing the problem of alert fatigue commonly reported by security professionals."},{"attestation":"unclaimed","claim_id":"C2","kind":"weakest_assumption","source":"verdict.weakest_assumption","status":"machine_extracted","text":"That the residuals from the hierarchical time series predictions of ARP behavior follow heavy-tailed distributions for which Extreme Value Theory provides a reliable threshold to separate normal variation from anomalous behavior."},{"attestation":"unclaimed","claim_id":"C3","kind":"one_line_summary","source":"verdict.one_line_summary","status":"machine_extracted","text":"Hierarchical time series prediction of ARP calls combined with Extreme Value Theory identifies anomalous nodes while substantially lowering false positive rates on a real dataset of over 10 million calls."},{"attestation":"unclaimed","claim_id":"C4","kind":"headline","source":"verdict.pith_extraction.headline","status":"machine_extracted","text":"A two-stage method using hierarchical time series prediction of ARP calls followed by extreme value theory flags anomalous network nodes while cutting false positives."}],"snapshot_sha256":"617787d4f90e66ff92e3f7de624b403f9363e5fb2a781b074b4357e32e04e3d4"},"formal_canon":{"evidence_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"integrity":{"available":true,"clean":true,"detectors_run":[],"endpoint":"/pith/2304.13941/integrity.json","findings":[],"snapshot_sha256":"c28c3603d3b5d939e8dc4c7e95fa8dfce3d595e45f758748cecf8e644a296938","summary":{"advisory":0,"by_detector":{},"critical":0,"informational":0}},"paper":{"abstract_excerpt":"Continuously evolving cyber-attacks against industrial networks reduce the effectiveness of signature-based detection methods. Once malware has infiltrated a network (for example, entering via an unsecured device), it can infect further network nodes and carry out malicious activity. Infected nodes can exhibit unusual behaviour in their use of Address Resolution Protocol (ARP) calls within the network. In order to detect such anomalous nodes, we propose a two-stage method: (i) modelling of ARP call behaviour via hierarchical time series prediction methods, and (ii) exploiting Extreme Value The","authors_text":"Asha Rao, Conrad Sanderson, Hideya Ochiai, Mahdi Abolghasemi, Sevvandi Kandanaarachchi","cross_cats":[],"headline":"A two-stage method using hierarchical time series prediction of ARP calls followed by extreme value theory flags anomalous network nodes while cutting false positives.","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2023-04-27T03:19:26Z","title":"Detection of Anomalous Network Nodes via Hierarchical Prediction and Extreme Value Theory"},"references":{"count":0,"internal_anchors":0,"resolved_work":0,"sample":[],"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"source":{"id":"2304.13941","kind":"arxiv","version":3},"verdict":{"created_at":"2026-05-24T09:07:31.154395Z","id":"94f5135f-1154-4cb9-b1dd-6a9d439b46f4","model_set":{"reader":"grok-4.3"},"one_line_summary":"Hierarchical time series prediction of ARP calls combined with Extreme Value Theory identifies anomalous nodes while substantially lowering false positive rates on a real dataset of over 10 million calls.","pipeline_version":"pith-pipeline@v0.9.0","pith_extraction_headline":"A two-stage method using hierarchical time series prediction of ARP calls followed by extreme value theory flags anomalous network nodes while cutting false positives.","strongest_claim":"Empirical evaluations on a real-life dataset containing over 10M ARP calls from 362 nodes show that the proposed method results in considerably reduced number of false positives, addressing the problem of alert fatigue commonly reported by security professionals.","weakest_assumption":"That the residuals from the hierarchical time series predictions of ARP behavior follow heavy-tailed distributions for which Extreme Value Theory provides a reliable threshold to separate normal variation from anomalous behavior."}},"verdict_id":"94f5135f-1154-4cb9-b1dd-6a9d439b46f4"}}],"author_attestations":[],"timestamp_anchors":[],"storage_attestations":[],"citation_signatures":[],"replication_records":[],"corrections":[],"mirror_hints":[],"record_created":{"event_id":"sha256:9fa32e0bee7031f9835abdd223c43933d17636f960f10f0f956ff73e5d76c6b7","target":"record","created_at":"2026-05-26T02:03:44Z","signer":{"key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signer_id":"pith.science","signer_type":"pith_registry"},"payload":{"attestation_state":"computed","canonical_record":{"metadata":{"abstract_canon_sha256":"25834a3a4c29e17db70be54647aee3b8098ea2dbcfcb9d8d57457d7e1a66117e","cross_cats_sorted":[],"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2023-04-27T03:19:26Z","title_canon_sha256":"8f442d6bde68b66c7791b2014ddce01af56c9b53f34d954b685e73f443b23e3c"},"schema_version":"1.0","source":{"id":"2304.13941","kind":"arxiv","version":3}},"canonical_sha256":"b07417b065c0125493214d0f9d7865e8166b2c49581a8eb60920207cee134aa4","receipt":{"algorithm":"ed25519","builder_version":"pith-number-builder-2026-05-17-v1","canonical_sha256":"b07417b065c0125493214d0f9d7865e8166b2c49581a8eb60920207cee134aa4","first_computed_at":"2026-05-26T02:03:44.390000Z","key_id":"pith-v1-2026-05","kind":"pith_receipt","last_reissued_at":"2026-05-26T02:03:44.390000Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","receipt_version":"0.3","signature_b64":"fraIc3wzbpCS6jmaNTcXHoLGFiNFxJ4ii9Z5dzjpPTtdkm9HR1nUCrO51OT75Uez8y1fyhzSATUAZns+9Fd4BQ==","signature_status":"signed_v1","signed_at":"2026-05-26T02:03:44.390644Z","signed_message":"canonical_sha256_bytes"},"source_id":"2304.13941","source_kind":"arxiv","source_version":3}}},"equivocations":[],"invalid_events":[],"applied_event_ids":["sha256:9fa32e0bee7031f9835abdd223c43933d17636f960f10f0f956ff73e5d76c6b7","sha256:94791d3e91e20548226d79791af5edbbeb8d2b5d6925fb3acdfd967f8363ab76"],"state_sha256":"1725a70d56f1bfb9318e3898a7eaec82b3e027b7994a7ce9b442d79b725c4266"},"bundle_signature":{"signature_status":"signed_v1","algorithm":"ed25519","key_id":"pith-v1-2026-05","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54","signature_b64":"MerqofSL4iaXBvYN4i6I4Ev2t/tPwU3z2ZwcKoKUV3ozfBCJk4nugsNeVtuAN0ckcco5S6d1KGr/iDETpxhiAA==","signed_message":"bundle_sha256_bytes","signed_at":"2026-05-30T23:53:12.731880Z","bundle_sha256":"7b08fc1fa3a810809c984bfc78492a223703734d672f12fa417a279a51b70c59"}}