GridPRISM: Provenance-aware real-time intrusion detection via prior-guided subgraph routing and auditable budgeted semantic masking
Fengwei Zhang and Hongjiao Li
International Journal of Critical Infrastructure Protection, 2026, vol. 53, issue C
Abstract:
Real-time, window-level intrusion detection on provenance graphs is desirable for cyber-physical and operational-technology (CPS/OT) deployments. However, CPU-only service-level objectives (SLOs) impose a hard constraint: richer causal evidence increases both the per-window workload and the memory footprint. Existing provenance-based intrusion detection often relies on heuristic subgraph extraction and masking, leaving the budget-evidence boundary under-specified. Consequently, per-alert auditing of the retained evidence and of per-window resource use is difficult, and reported effectiveness may not remain feasible under CPU-only real-time SLOs. To address these challenges, we propose GridPRISM, a CPU-only budgeted detection pipeline. It begins with a Guarded Subgraph Router (GSR) that routes each window under an explicit utility-cost objective, with hard guardrails that bound worst-case expansion. Building on the routed windows, Budgeted Semantic Masking (BSM) replaces uniform random corruption with a domain-aware, budget-calibrated masking policy that stabilizes self-supervised learning under benign dominance and enhances sensitivity to sparse anomalies. To avoid conflating controlled effectiveness with end-to-end feasibility, GridPRISM is evaluated under two complementary protocols on CADETS, TRACE, and IEEE-14, reporting benchmark effectiveness and CPU-only SLO compliance separately. Under an equal global masking budget, BSM improves entity-level detection over uniform random masking, with absolute gains of +0.08/+0.13 in average precision and +0.08/+0.14 in F1 at a locked operating point. Moreover, in CPU-only end-to-end execution, GridPRISM meets its SLOs, achieving 95th-percentile latency of 15.7–108.6 ms and peak RSS of 0.435–5.34 GB, making the budget-evidence trade-off auditable for CPU-only CPS/OT monitoring and alert triage.
Keywords: Provenance graphs; Intrusion detection; Critical infrastructure protection; Resource-bounded detection; Evidence auditing; Real-time monitoring
Date: 2026
Full text (ScienceDirect subscribers only): http://www.sciencedirect.com/science/article/pii/S1874548226000211
Persistent link: https://EconPapers.repec.org/RePEc:eee:ijocip:v:53:y:2026:i:c:s1874548226000211
DOI: 10.1016/j.ijcip.2026.100849
International Journal of Critical Infrastructure Protection is currently edited by Leon Strous