Skip to main content

From intuition to implementation

How Behavioral Sequence Modeling Works

仕組み

The idea is simple: treat security logs like language and let a transformer learn what normal looks like. The implementation takes that intuition through formalization, preprocessing, and training.

Selected implementation details are available in a private technical walkthrough.

A security engineering portfolio project by Vyshyvka Studio

The Shift

The question changed.

AI-Native

Does this match a known pattern?

Approach

LLM enrichment, IOC correlation, agentic triage

Output

847 findings/day

Narrative

Does this sequence make sense?

Approach

Behavioral sequence modeling, perplexity detection

Output

5 stories/day

AI-Native Assessment

Auth: LogonLOW RISK

Kerberos auth. No IOC match.

File: Read — quarterly_report.pdfLOW RISK

In user's access scope. DLP clean.

Auth: Logon (failed)LOW RISK

1/5 threshold. No brute force pattern.

Auth: LogonLOW RISK

Post-failure re-auth. Normal retry.

File: Read — customer_list.xlsxLOW RISK

Valid RBAC. UEBA score normal.

Device: Mount — USB_DRIVEMEDIUM

T1052.001. USB policy — verify.

File: Copy → USB_DRIVEMEDIUM

T1048 possible. DLP — no trigger.

Device: Unmount — USB_DRIVELOW RISK

Device removal. No data in motion.

2 medium-risk findings. Dispatching triage agent...

Read it as a story. See it now?

01Auth: Logonjsmith
02File: Read — quarterly_report.pdfjsmith
03Auth: Logon (failed)jsmith
04Auth: Logonjsmith
05File: Read — customer_list.xlsxjsmith
06Device: Mount — USB_DRIVEjsmith
07File: Copy → USB_DRIVEjsmith
08Device: Unmount — USB_DRIVEjsmith

Every assessment is thorough. IOC lookups, MITRE mapping, DLP cross-references, UEBA scoring — genuinely good per-event analysis. But the sequence is a textbook exfiltration, and no amount of per-event enrichment can surface it.

The Language

Events become words.

Raw logs are messy, unbounded, infinite in variety. OCSF normalization extracts categorical fields. Categorical fields become template keys. Template keys map to token IDs. The result: a closed vocabulary.

1Raw Log
{"EventID":4624,"LogonType":3,"AuthPkg":"Kerberos","Status":"0x0","TargetUser":"jsmith","WorkStation":"WS-4421","IpAddress":"10.0.1.47"}
2OCSF Fields
class_uid=3001
activity_id=1
auth_protocol_id=1
logon_type_id=3
status_id=1
3Template Key

AUTH|Logon|Kerberos|Network|Success

4Token ID
4
2000templates from OCSF categorical fields

Just as English has ~50,000 common words, behavioral language has 2000 words. Finite. Bounded. Learnable.

Not unbounded log patterns. A closed vocabulary. 2000 words. Enough to describe every security-relevant action a user can take.

Private technical disclosure

OCSF formalization and behavior language levels

The detailed schema formalization, vocabulary construction, and representation boundaries are available in a private technical walkthrough.

Request access

The Sequence

Words become stories.

Tokenized events are grouped into per-user session chains — one action after another, forming a behavioral sentence. The model never sees individual events. It reads complete user stories.

09:01Auth:Logon
09:14File:Read
09:32File:Read
10:15File:Write
17:30Auth:Logoff
Natural Language
The cat sat on the
mat
75%
roof
15%
keyboard
8%
quantum singularity
0.1%
Behavioral Language
Auth:Logon → File:Read → File:Write →
File:Read
65%
Auth:Logoff
25%
Device:Mount
5%
Process:Elevate
0.1%

When the model is surprised — when the next event has very low probability — the story stopped making sense. We call this perplexity.

Process:Elevate has 0.1% probability given this user's history. The narrative just broke. Perplexity spiked. That is the signal.

Private technical disclosure

Sequence probability and mathematical foundations

The probability formulation, score construction, and worked examples are reserved for a focused technical discussion.

Request access

The Break

Same events. Different understanding.

AI-Native Analysis
09:01:23Auth: LogonLOW

Kerberos. No IOC correlation.

09:01:45File: ReadLOW

Config read. Standard admin.

09:12:08File: ReadLOW

Valid RBAC. UEBA: normal.

09:14:33File: WriteLOW

Temp write. No persistence IOC.

09:15:01Device: MountMEDIUM

T1052.001. USB policy — verify.

09:15:18File: CopyMEDIUM

T1048 candidate. DLP clean.

2 findings. Auto-enriched with MITRE + threat intel. Queued for analyst.
Events analyzed individually
Narrative Analysis
09:01:23Auth: LogonLogin Success
09:01:45File: ReadRead config.json
09:12:08File: ReadRead quarterly_report.xlsx
09:14:33File: WriteWrite temp_data.csv
09:15:01Device: MountUSB Drive Connected
09:15:18File: CopyCopy to Removable Media
Narrative Probability
ANALYZING

They classify events. We read stories.

The Threshold Trap

Why traditional detection fails

All Metrics Normal

Login Frequency12 / 50/day
Data Volume2.3 / 10GB
Failed Logins1 / 5/day
Off-Hours Access3 / 15%

Every metric is below threshold. Traditional systems see nothing wrong.

User C625 - Event Timeline

09:15SSH login (workstation)low
09:22Access project fileslow
10:45Query database (routine)low
14:30Bulk download (within quota)medium
14:32External transferhigh
14:33Log rotation (covering tracks)critical

Consider User C625 from the LANL dataset. Over three weeks, they exfiltrated sensitive data while every metric stayed comfortably below threshold. Login frequency? Normal. Data access volume? Within bounds. Time-of-day patterns? Unremarkable.

The problem isn't the thresholds—it's the assumption that threats manifest as extreme values. Sophisticated insiders operate in the statistical middle, exploiting the blind spots created by univariate thinking.

The Narrative Hypothesis

"Insider threats manifest as narrative violations—sequences that are syntactically valid but semantically incoherent with a user's established behavioral story."

The Preprocessing Pipeline

From raw logs to semantic events

Three services transform chaotic log streams into structured behavioral sequences using OCSF categorical tokenization.

Gateway

Traffic Cop
Problem

80% of logs are noise (heartbeats, health checks)

Solution

Multi-layer filtering + OCSF normalization + consistent hashing

100K/sec
inputRate
20K/sec
outputRate
80%
reduction

Tokenizer

Translator
Problem

Infinite log variations → unbounded vocabulary

Solution

OCSF categorical tokenization: template key = class_uid|activity_id|status_id|...

144
vocabSize
10
minFrequency
OCSF
schemaBased

Profiler

Memory
Problem

"Anomaly" is relative to role—what's normal for DevOps isn't for Finance

Solution

Template frequency distribution (L2-normalized) + K-Means clustering into peer groups

12148
users
47
peerGroups
258
avgGroupSize
Gateway Implementation
python
# Gateway Service: Log filtering and routing
def process_log(raw_log: str) -> Optional[GatewayOutput]:
# Layer 1: Fast regex rejection (heartbeats, health checks)
if NOISE_PATTERNS.match(raw_log):
return None
# Layer 2: Parse and normalize fields
parsed = parse_log_format(raw_log) # JSON, syslog, CEF, etc.
normalized = {
"timestamp": parse_timestamp(parsed.time),
"user": normalize_user(parsed.user or parsed.src_user),
"action": normalize_action(parsed.event_type),
"resource": normalize_resource(parsed.target),
"source_ip": parsed.src_ip,
"metadata": extract_metadata(parsed)
}
# Layer 3: Route via consistent hashing
partition = consistent_hash(normalized.user) % NUM_PARTITIONS
return GatewayOutput(
event=normalized,
partition=partition,
trace_id=generate_trace_id()
)
25 lines

Gateway Filtering

Input Rate
100K/sec
↓ 80% filtered
Output Rate
20K/sec

Heartbeats, health checks, and routine polling are filtered out, leaving only security-relevant events.

Private technical walkthrough

The Transformer Architecture

The public overview stops at the architectural boundary. The model topology, contextual embedding strategy, sequence handling, and inference tradeoffs are reserved for a focused walkthrough.

Model topology and context composition
Sequence representation and attention behavior
Training-to-inference compatibility
Design tradeoffs and rejected approaches
Request a walkthrough

Available for focused technical discussions and interviews.

Private technical walkthrough

Dual Training Objectives

The training strategy is discussed privately, including how the objectives interact, how negative examples are constructed, and how scoring behavior is evaluated.

Objective design and weighting
Negative-example construction
Calibration and evaluation strategy
Failure modes and future experiments
Request a walkthrough

Available for focused technical discussions and interviews.

The Output

Five stories. Not eight hundred findings.

AI-Native
F-0412MEDIUM

Removable Media Data Staging (T1052.001)

USB device on WS-4421 by jsmith at 09:15 UTC. File transfer: customer_list.xlsx (2.3MB). MITRE: T1052.001. DLP: no policy trigger — file within RBAC scope. Threat intel: no active IOC. Recommend: verify business justification, check USB history...

F-0413LOW

Failed Auth → Success Sequence

jsmith Kerberos fail at 08:58 then success at 09:01 from 10.0.1.47. MITRE: T1110 — below threshold (1/5). No concurrent source IPs. Behavioral baseline: 3 similar patterns this month. Risk score: 12/100. Likely benign...

F-0414LOW

PII-Tagged File Access

jsmith accessed customer_list.xlsx (PII-SENSITIVE) at 09:12. Valid RBAC. DLP scan: clean. UEBA: normal for role. Logged for SOX compliance. No action required unless correlated with exfiltration event...

...and 844 more findings today
847findings/day
$14,400/month inference
Narrative
jsmith@acme.corp#1

Auth:Logon → File:Read → Device:Mount → File:Copy → USB_EJECT

Perplexity: 847CRITICAL
mchen@acme.corp#2

Auth:Logon → Auth:Logon → Auth:Logon (3 hosts)

Perplexity: 312HIGH
agarcia@acme.corp#3

File:Read → File:Read → File:Read (47 files, 12 min)

Perplexity: 284HIGH
rwilson@acme.corp#4

Auth:Logon → Process:Elevate → Registry:Write

Perplexity: 156MEDIUM
tkumar@acme.corp#5

Auth:Logon (02:47 UTC) → File:Read → Email:Send

Perplexity: 98LOW

The findings are thorough — MITRE mappings, IOC lookups, risk scores, UEBA baselines. Genuinely good per-event analysis. But an analyst still faces 847 of them every day. Better enrichment didn't solve the volume problem. Comprehension does.