CSTS: A Canonical Security Telemetry Substrate for AI-Native Cyber Detection

As the complexity and frequency of cyberattacks continue to increase, research in the field of cybersecurity has also evolved. In recent years, machine learning and graph-based methods have been increasingly applied in cybersecurity, particularly in tasks such as lateral movement detection, anomaly discovery, and zero-day threat detection. However, operational deployment of these methods remains challenging. Existing normalization frameworks, such as the Open Cybersecurity Schema Framework (OCSF), have made some progress in reducing syntactic inconsistencies but remain primarily focused on event-level attribute alignment, lacking higher-order semantic abstraction.

AI-driven cybersecurity systems often face challenges in cross-environment deployments, particularly due to the fragmentation of event-centric telemetry representations. Models that perform well in one enterprise environment frequently degrade when moved to another, even when the underlying threat behaviors are similar. This degradation often persists across changes in topology, telemetry vendors, and logging configurations, suggesting that the limiting factor is not model architecture alone.

This paper introduces the Canonical Security Telemetry Substrate (CSTS), an entity-relational abstraction layer designed to address the shortcomings of existing methods. CSTS enforces identity persistence, typed relationships, and temporal state invariants, providing a stable integration boundary for AI detection across heterogeneous environments. Specifically, CSTS maps heterogeneous telemetry sources into canonical entities and typed relationships via thin adapters, allowing detection systems to consume CSTS primitives rather than vendor-specific event fields.

• �� CSTS adopts an entity-first paradigm: security-relevant objects are first-class constructs rather than implicit artifacts reconstructed from events.
• �� CSTS materializes typed relationships as explicit substrate constructs rather than deriving them ad hoc inside model pipelines.
• �� CSTS incorporates temporal continuity at the substrate boundary by representing entity and relationship state as time-indexed updates.
• �� CSTS addresses feature instability through schema governance and feature stability contracts.
• �� CSTS decouples telemetry integration from detection logic, with vendor feeds mapped through thin adapters into canonical entities and relationships.

In the experimental design, researchers used a synthetic two-environment benchmark (Env A→Env B) to isolate representational effects. CSTS significantly reduces transfer degradation for identity-centric detection (e.g., lateral movement) relative to an event-centric baseline and remains operable under targeted schema perturbations. Additionally, for flow-centric zero-day detection, CSTS preserves schema alignment but reveals a distinct portability boundary: directional stability of graph-derived statistics under domain shift remains a separate modeling challenge.

Experimental results show that CSTS significantly reduces transfer degradation for identity-centric detection in a synthetic two-environment benchmark and remains operable under targeted schema perturbations. Additionally, for flow-centric zero-day detection, CSTS reveals a distinct portability boundary, indicating that directional stability of graph-derived statistics under domain shift remains a separate modeling challenge. On public real-log corpora, CSTS validates pipeline behavior under realistic telemetry heterogeneity through external robustness/smoke tests and a producer-divergence case study (TC E3), surfacing cross-producer distributional mismatch.

Application scenarios for CSTS include:

1. Enterprise Security Monitoring: By providing a stable integration boundary, CSTS can enhance the reliability of AI systems in heterogeneous enterprise environments.

2. Zero-Day Threat Detection: CSTS can help identify and detect previously unseen attack patterns.

3. Anomaly Detection: Through entity-relational modeling, CSTS can improve the accuracy and stability of anomaly detection.

CSTS may face challenges in handling extremely heterogeneous environments, especially as the complexity of mapping at the adapter layer increases. Additionally, CSTS may require additional computational resources to maintain updates and manage its entity-relational graph. Future research directions include further optimizing CSTS's adapter layer to handle a broader range of heterogeneous environments and exploring how CSTS can be integrated with existing Security Information and Event Management systems.