CSTS: A Canonical Security Telemetry Substrate for AI-Native Cyber Detection
2026-03-24 • Cryptography and Security
Cryptography and Security • Machine Learning
AI summary
The authors highlight that AI security tools often struggle when used in different settings because they rely on inconsistent event data. They propose the Canonical Security Telemetry Substrate (CSTS), which organizes security data based on entities and their relationships, keeping identities consistent over time. This approach helps the system better detect threats across varied environments and fixes issues when underlying data formats change. The authors also show that some detection problems are due to modeling challenges rather than data format issues, which helps clarify what is needed for more reliable threat detection.
AI-driven cybersecurity • telemetry • entity-relational model • identity persistence • zero-day detection • schema perturbation • cross-environment deployment • semantic orientation • temporal state invariants
Authors
Abdul Rahman
Abstract
AI-driven cybersecurity systems often fail under cross-environment deployment due to fragmented, event-centric telemetry representations. We introduce the Canonical Security Telemetry Substrate (CSTS), an entity-relational abstraction that enforces identity persistence, typed relationships, and temporal state invariants. Across heterogeneous environments, CSTS improves cross-topology transfer for identity-centric detection and prevents collapse under schema perturbation. For zero-day detection, CSTS isolates semantic orientation instability as a modeling, not schema, phenomenon, clarifying layered portability requirements.