ARENA: An Architecture for Measuring the Transferability of Autonomous Cyber Defense

📅 2026-06-19
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
Real-world Security Operations Center (SOC) data is rarely accessible for research due to privacy constraints, leading existing studies to rely on synthetic or outdated datasets. This work proposes a high-fidelity anonymization method that extracts and structures SIEM logs from a financial-sector SOC, preserving temporal ordering and entity consistency while enforcing strict privacy guarantees—thereby establishing the first quantifiable privacy-utility trade-off boundary. Leveraging this approach, we construct 37 HIKARI evaluation challenges and develop a deterministic validator alongside a large language model (LLM) behavioral compliance detection mechanism. In experiments involving 200 SOCpilot incidents, our framework uncovered LLM non-compliant actions undetected by human baselines, enabling reproducible and verifiable evaluation of autonomous defense systems.
📝 Abstract
Operational evidence is not automatically scientific evidence. The most realistic Security Operations Center (SOC) data is production telemetry, yet it remains scientifically inaccessible because raw logs cannot be released; as a result, research relies on synthetic or dated datasets. We treat the boundary between private production telemetry and reusable research artifacts as the design object: a methodology that extracts, anonymizes, structures, and validates Security Information and Event Management (SIEM) data from a production financial SOC while preserving task-relevant investigative structure within a declared privacy boundary. Two consumers stress the same artifact. As training material, it fails loudly: 37 MITRE ATT&CK-mapped HIKARI challenges work only when anonymization preserves temporal order and entity consistency. As a measurement substrate, it fails quietly: across 200 SOCpilot incidents, a deterministic verifier detects non-compliant Large Language Model (LLM) actions that are absent from the human baseline. The result is a measurable privacy-utility boundary rather than a formal anonymity claim.
Problem

Research questions and friction points this paper is trying to address.

transferability
autonomous cyber defense
privacy-preserving data
SIEM data
Security Operations Center
Innovation

Methods, ideas, or system contributions that make the work stand out.

Transferability
Privacy-Preserving Data Extraction
SIEM Anonymization
LLM Evaluation in Cyber Defense
Operational-to-Research Data Bridge
🔎 Similar Papers
No similar papers found.
S
Sidnei Barbieri
Computer Science Division, Aeronautics Institute of Technology (ITA), São José dos Campos/SP - Brazil
Á
Ágney Lopes Roth Ferraz
Computer Science Division, Aeronautics Institute of Technology (ITA), São José dos Campos/SP - Brazil
W
Wagner Comin Sonaglio
Computer Science Division, Aeronautics Institute of Technology (ITA), São José dos Campos/SP - Brazil
G
Gioliano de Oliveira Braga
Computer Science Division, Aeronautics Institute of Technology (ITA), São José dos Campos/SP - Brazil
H
Henrique Curi de Miranda
Computer Science Division, Aeronautics Institute of Technology (ITA), São José dos Campos/SP - Brazil
Lourenço Alves Pereira Júnior
Lourenço Alves Pereira Júnior
Aeronautics Institute of Technology - ITA, Brazil
CybersecurityAI/ML5G/6GMobile SystemsInternet of Things