scription

Domain Analysis: Cybersecurity & Intrusion Detection

Generated July 7, 2026 from 250 real arXiv papers (5 queries x 50 results)

Source Queries

Total papers scanned: 250

Category Distribution

Category Count
cs.LG 121
cs.CR 84
cs.AI 77
cs.CV 43
stat.ML 37
cs.NI 30
cs.HC 14
cs.CL 12
eess.SY 8
cs.CY 7
cs.DC 7
eess.IV 7
cs.SD 6
cs.NE 5
math.NA 5
cs.SI 4
physics.comp-ph 4
q-bio.QM 4
cs.MM 4
cs.IR 4
eess.AS 4
cs.SE 3
physics.data-an 3
cs.RO 3
astro-ph 3
cs.MA 3
math-ph 3
q-fin.CP 3
math.AP 2
cs.ET 2
econ.GN 2
cs.DL 2
physics.flu-dyn 2
math.OC 2
cs.DB 2
cs.CE 1
stat.ME 1
physics.geo-ph 1
q-fin.PM 1
cs.GT 1
math.FA 1
math.OA 1
cs.DS 1
cs.CG 1
physics.soc-ph 1
eess.SP 1
hep-th 1
cond-mat.str-el 1
q-fin.GN 1
math.DG 1
cond-mat.mtrl-sci 1
cond-mat.supr-con 1
cs.OH 1

Key Findings & Gaps

Finding 1: BERT/Transformer IDS is Underdeveloped

The hybrid DL framework (arXiv:2212.00966) uses K-means+GANomaly+CNN but not BERT or transformer encoders for intrusion detection. Most BERT-based IDS studies are pre-2023 and use shallow transformer stacks. The potential of modern transformer architectures (RoBERTa, DeBERTa) for network traffic analysis is largely untapped.

Gap: Modern transformer architectures for IDS lack systematic evaluation.

Finding 2: XAI for Cybersecurity is Nascent

Most XAI research focuses on computer vision and accessibility (arXiv:2604.00187) rather than cybersecurity. Security analysts need explanations for IDS alerts, yet no standardized XAI-IDS benchmark exists. Feature attribution methods (SHAP, LIME) are rarely evaluated on intrusion detection datasets.

Gap: No benchmark for evaluating explanation quality in intrusion detection.

Finding 3: Deep Embedded Clustering for Logs is Underexplored

While clustering cyber log analysis papers use traditional K-means or DBSCAN, deep embedded clustering methods (DEC, IDEC, DCN) that jointly learn representations and cluster assignments are rarely applied to security logs. This represents a clear methodological gap.

Gap: Deep embedded clustering methods for unsupervised cyber anomaly detection.

Finding 4: Web Server Log Anomaly Detection Lacks Deep Learning Benchmarks

The web server log anomaly papers found are either rule-based or use shallow ML (SVM, Random Forest). Deep learning approaches (LSTM autoencoders, transformers) are not benchmarked on standard web log datasets like the 1998 DARPA or modern CTF logs.

Gap: No comprehensive deep learning benchmark exists for web server log anomaly detection.

Finding 5: Online/Adaptive IDS is Missing from Deep Learning Literature

The online feature ranking approach (arXiv:1803.00530) uses SVM in a streaming model. No deep learning equivalent exists that can adapt to evolving attack patterns without full retraining. Continual learning for IDS remains an open problem.

Gap: Continual deep learning for adaptive intrusion detection.

  1. BERT-Based Intrusion Detection: A Comprehensive Evaluation on Modern Datasets
  2. Explainable AI for Network Intrusion Detection: A Benchmarking Framework
  3. Deep Embedded Clustering for Unsupervised Cyber Threat Detection
  4. Transformer-Based Web Server Log Anomaly Detection
  5. Continual Learning for Adaptive Network Intrusion Detection
  6. Federated Intrusion Detection with Differential Privacy for Cross-Organizational Threat Sharing
  7. Few-Shot Intrusion Detection for Novel Attack Families Using Metric Learning
  8. Visual Analytics for Explainable Intrusion Detection

Key Papers Referenced

  1. “A Global Analysis of Cyber Threats to the Energy Sector: “Currents of Conflict” from a Geopolitical Perspective” – 2509.22280v1
  2. “Towards Automated Cyber Range Design: Characterizing and Matching Demands to Supplies” – 2307.04416v1
  3. “Challenges in Digital Twin Development for Cyber-Physical Production Systems” – 2102.03341v1
  4. “Security Modelling for Cyber-Physical Systems: A Systematic Literature Review” – 2404.07527v3
  5. “Assessing Cyber-Physical Security in Industrial Control Systems” – 1911.09404v1
  6. “Advanced Symbolic Time Series Analysis in Cyber Physical Systems” – 1802.00617v1
  7. “Contrastive Pessimistic Likelihood Estimation for Semi-Supervised Classification” – 1503.00269v2
  8. “On Autonomous Agents in a Cyber Defence Environment” – 2309.07388v1
  9. “Asymptotic Analysis of the Paradox in Log-Stretch Dip Moveout” – 1003.5306v1
  10. “On Measuring and Quantifying Performance: Error Rates, Surrogate Loss, and an Example in SSL” – 1707.04025v1
  11. “Cyber Protection Applications of Quantum Computing: A Review” – 2406.13259v3
  12. “Message Passing for Analysis and Resilient Design of Self-Healing Interdependent Cyber-Physical Networks” – 1606.00955v2
  13. “Kinetic and Cyber” – 1511.03531v1
  14. “Fundamental Concepts of Cyber Resilience: Introduction and Overview” – 1806.02852v1
  15. “Detecting cyber threats through social network analysis: short survey” – 1805.06680v1

Note: S2 API was rate-limited (HTTP 429).