[2601.22983] PIDSMaker: Building and Evaluating Provenance-based Intrusion Detection Systems
Summary
PIDSMaker is an open-source framework designed for building and evaluating provenance-based intrusion detection systems (PIDSs), addressing inconsistencies in prior evaluations.
Why It Matters
This framework improves the reproducibility and comparability of PIDSs, which are used to detect advanced persistent threats. By standardizing evaluation protocols, PIDSMaker lets researchers compare systems fairly and build on one another's work, which in turn supports the development of more effective detection systems.
Key Takeaways
- PIDSMaker consolidates eight PIDSs into a modular architecture for better evaluation.
- Standardized preprocessing and ground-truth labels enhance reproducibility.
- The framework supports rapid prototyping with a YAML-based configuration interface.
- Includes utilities for hyperparameter tuning and visualization to improve research methodologies.
- Preprocessed datasets and labels are provided to facilitate shared evaluations.
Computer Science > Cryptography and Security
arXiv:2601.22983 (cs)
[Submitted on 30 Jan 2026 (v1), last revised 13 Feb 2026 (this version, v2)]
Title: PIDSMaker: Building and Evaluating Provenance-based Intrusion Detection Systems
Authors: Tristan Bilot, Baoxiang Jiang, Thomas Pasquier
Abstract: Recent provenance-based intrusion detection systems (PIDSs) have demonstrated strong potential for detecting advanced persistent threats (APTs) by applying machine learning to system provenance graphs. However, evaluating and comparing PIDSs remains difficult: prior work uses inconsistent preprocessing pipelines, non-standard dataset splits, and incompatible ground-truth labeling and metrics. These discrepancies undermine reproducibility, impede fair comparison, and impose substantial re-implementation overhead on researchers. We present PIDSMaker, an open-source framework for developing and evaluating PIDSs under consistent protocols. PIDSMaker consolidates eight state-of-the-art systems into a modular, extensible architecture with standardized preprocessing and ground-truth labels, enabling consistent experiments and apples-to-apples comparisons. A YAML-based configuration interface supports rapid prototyping by composing components across systems without code changes. PIDSMaker also includes utilities for ablation studies, hyp...