- The paper introduces a neuro-symbolic framework combining a constrained LLM semantic generator with deterministic verification to reconstruct compromised attack traces.
- It employs a cost-bounded heuristic graph search under partial observability, using calibrated epistemic budgets to balance semantic inference with hard evidence.
- Experiments demonstrate significant gains over baselines, with up to 86.1% F1, precision improvements, and a reduction in hallucination from 61.5% to 6.4%.
Neuro-Symbolic Threat-Hunting: An Expert Analysis of "HunterAgent: Neuro-Symbolic Attack Trace Reconstruction under Anti-Forensics"
Introduction and Motivation
The HunterAgent framework addresses a core deficiency in post-compromise threat investigation: the limitations of both deterministic provenance graph analysis and free-form LLM generative agents in reconstructing attack traces under conditions of severe anti-forensics. Traditional analytic pipelines—tag-propagation, rule-based reconstruction, or GNN-based link predictors—suffer catastrophic recall drops when essential log events are targeted by attacker's evasion tactics such as parent process ID spoofing, process hollowing, or aggressive log wiping. Autonomous LLM agents can bridge gaps via semantic inference, but relax physical constraints and thus hallucinate forensically inadmissible causal chains. The research reframes trace completion as a cost-bounded heuristic graph search under partial observability, rigorously separating soft semantic generation from hard, auditable verification.
Figure 1: Conceptual comparison of threat-hunting paradigms—deterministic graphs fail under anti-forensics, unconstrained LLMs hallucinate, HunterAgent enforces neuro-symbolic search with an epistemic budget.
HunterAgent Architecture
HunterAgent implements an Asymmetric Generator--Verifier pipeline. The operational core is a constrained LLM-based semantic Generator that only proposes candidate nodes/actions within a strictly-typed system ontology. All candidate causal edges must be instantiated via a deterministic Verifier, which enforces identifier-level dependency checks across surviving orthogonal telemetry (e.g., ETW, NetFlow, file inodes). The search procedure emits a stratified provenance graph, clearly distinguishing between physically grounded links and those introduced by inference, annotated by their cost and evidentiary status.
Figure 2: Overall architecture of HunterAgent as an asymmetric Generator--Verifier pipeline decoupling semantic proposal and deterministic verification.
The semantic Generator operates on RAG (Retrieval-Augmented Generation) over ATT&CK-aligned graphlet fragments, generating only attribute fields, never physical identifiers. The Verifier leverages cross-telemetry identifier collisions, schema-validity checks, and OS-consistent temporal criteria. If no orthogonal evidence grounds an inferred edge, the hypothesis accrues a deviation cost composed of contextual semantic divergence and an empirical log-normal delay fitted on benign I/O events.
Crucially, all inference chains are bounded by an epistemic budget calibrated to benign leave-one-out reconstruction: if cumulative deviation for a path exceeds Bmax​, the process halts and emits an explicit INSUFFICIENT_EVIDENCE. This design structurally eliminates hallucination spirals and audit-hegemony violations observed in unconstrained agentic approaches.
Methodological Advances
Structured Search Under Partial Observability
The system models enterprise telemetry as a temporally unfolded DAG over process, file, net, and registry node types. The asymmetric pipeline ensures no latent entity or state transition enters the explanation chain purely via LLM proposal without either hard evidence or explicit representation of uncertainty with bounded drift.
Calibrated Cost and Epistemic Budget
Deviation cost function Cdev​ integrates two z-score-normalized terms: semantic divergence (cosine distance in a graphlet-embedded space) and a log-normal latency tail probability. These are independently calibrated on benign data to maintain distributional stability across deployment environments.
Budget Bmax​ is set to the $99$th percentile of benign reconstruction costs. The cumulative budget with a length-discounting factor ensures that per-hop drift does not compound through long, speculative paths—robustly guarding against overfitting or uncontrolled chain extension.
Forensic Stratification
HunterAgent outputs two layers: (i) a verified graph subcomponent (directly OS-grounded, admissible as evidence), and (ii) an inferred layer with explicit cost/semantics annotation—a core property for operational SOC audit or legal review.
Experimental Evaluation and Numerical Results
HunterAgent is validated on three public anti-forensics-augmented benchmarks (DARPA TC E3, DARPA OpTC, ATLAS) and a custom multi-source APT dataset (APT-Eval-Trace), with anti-forensic perturbation profiles (EvadeKit) emulating realistic APTs (e.g., APT29 PPID spoofing, FIN7 fileless injection). All experiments use strict Leave-One-Family-Out (LOFO) splits: no family overlap between training/calibration and test.
Key outcomes:
- Mean F1 = 86.1% across four datasets (D1†, D2†, D3†, D4), with precision 91.3% and recall 82.7% (D4 in-house).
- HunterAgent outperforms Tool-Augmented ReAct (agentic GPT-4o) by +28.4 F1 and KAIROS (GNN-learned provenance) by +19.0 F1, while suppressing path-level hallucination from 61.5% to 6.4%.
- Under 70% targeted log wiping, recall degrades but precision remains ≥84%; notably, 95.7% of searches halt explicitly rather than fabricate causal narratives.
- These results generalize across LLM backbones: with Llama-3-70B-Instruct, F1 is 77.9%, precision 85.0%—only a modest drop with open-source weights.
Figure 3: Ablation—removing the semantic Generator (LLM) collapses recall while precision is retained by the Verifier.
Figure 4: Effect of varying the epistemic budget Bmax​ on F1 and hallucination rate.
Figure 5: Path-level hallucination (PHR) is artificially inflated by K-fold leakage; HunterAgent maintains low PHR under proper LOFO splits.
Figure 6: Case study—Cobalt Strike trace: deterministic graphs break, unconstrained agents hallucinate, HunterAgent grounds plausible inference via ETW.
Figure 7: F1 degrades gracefully with increasing causal path length; HunterAgent avoids catastrophic precision/recall decline unlike deterministic or unconstrained baselines.
Discussion and Implications
Theoretical Implications
HunterAgent brings a principled notion of counterfactual forensic reasoning to security operations, drawing clear boundaries between evidence and hypothesis, and making explicit the distributional conditions under which guarantees hold. The calibration of budget and costs exclusively on benign, LOFO-split data is theoretically rigorous, avoiding data leakage artifacts that confound many prior LLM-evaluation setups.
The explicit stratification of graph layers and the deterministic reification of all proposed causal links make model outputs directly consumable in high-assurance operational and adversarial review settings.
Practical Impact
Operationally, HunterAgent drastically reduces cost and latency versus agentic baselines—$\$0.19Cdev​0\$C_{dev}$1 and 185s for ReAct). Its defensive posture ensures that, under bounded-evidence assumptions, the system is immune to fabrication risk—a nontrivial property for SOCs under regulated audit requirements.
Ablation and adaptive adversarial pressure analyses confirm that: (i) soundness is enforced by the hard-constrained Verifier, not the LLM backbone; (ii) the epistemic budget yields graceful degradation under extreme log loss, preferentially refusing uncertain trace completions.
Future Trajectories
Pushing beyond current boundaries, the authors highlight two tractable future research directions:
- Integrating active dynamic sandboxing as a fallback Verifier when no orthogonal telemetry survives, extending capability to genuine zero-day attack behaviors;
- Deploying online, PHR-aware budget adaptation to smoothly follow tradecraft drift in adversarial environments.
Additionally, extending the methodology to settings where data-plane DoS or supply-chain attacks target the Verifier logic itself would be the next leap in robust autonomous forensics.
Conclusion
HunterAgent establishes a new paradigm for forensic-grade trace reconstruction under anti-forensic evasion, combining the generalization power of LLMs with deterministic, distribution-calibrated grounding on physical evidence. Its cost-bounded graph search approach, strict stratification of verified and inferred explanations, and robust audit-ready outputs set a benchmark both for future research into neuro-symbolic agents and for practical deployment of autonomous investigation layers in adversarial SOC environments. Theoretical transparency, operational efficiency, and audit assurance jointly position the approach as a canonical reference for the fusion of symbolic and neural reasoning in security automation.