Agentic SABRE: An Uncertainty-Aware Neuro-Symbolic Multi-Agent Framework for Adaptive Ransomware Detection
Summary
This paper introduces Agentic SABRE, an uncertainty-aware neuro-symbolic multi-agent framework for adaptive ransomware detection that fuses semantic and behavioral evidence with Monte Carlo Dropout and interpretable risk-uncertainty triage, demonstrating improved robustness and explainability.
View Cached Full Text
Cached at: 07/07/26, 04:36 AM
# Agentic SABRE: An Uncertainty-Aware Neuro-Symbolic Multi-Agent Framework for Adaptive Ransomware Detection Source: [https://arxiv.org/html/2607.04292](https://arxiv.org/html/2607.04292) Biju Issac[bissac@ieee\.org](https://arxiv.org/html/2607.04292v1/mailto:[email protected])Jeyamohan NeeraSchool of Computer Science, Northumbria University, Newcastle Upon Tyne, UK ###### Abstract Ransomware has evolved into a complex, adaptive, and fast–moving adversary category in which static signatures and monolithic classifiers fail to generalise under concept drift, evasion, and behavioural polymorphism\. In this paper we presentAgentic SABRE \(Semantic–Behavioural Arbitration for Ransomware Evaluation\): an uncertainty–aware, neuro–symbolic, multi–agent framework for adaptive ransomware detection\. SABRE fuses*semantic*\(representation–based\) and*behavioural*\(time–window forensic telemetry\) evidence, and employs Monte Carlo Dropout inference to quantify epistemic uncertainty for each agent\. We introduce a decision–layer orchestrator that performs risk– and uncertainty–aware triage via two interpretable thresholds: a risk scoreτ\\tauand an uncertainty budgetκ\\kappa\. High–confidence, high–risk samples are automatically contained, while uncertain or borderline cases are escalated to human analysts, establishing a flexible computational contract between autonomous response and analyst oversight\. To support auditability and trust, SABRE integrates post–hoc explainability mechanisms including gradient saliency, permutation importance, and counterfactual analysis, enabling both local and global interpretation of agent decisions\. Extensive evaluation on RDset and RanSMAP demonstrates that Agentic SABRE preserves perfect discrimination on saturated semantic datasets \(AUC=1\.0=1\.0\) while improving robustness under weak behavioural signals, achieving up to a4\.9%4\.9\\%relative reduction in false escalations at equal recall and maintaining calibrated predictive uncertainty\. Counterfactual analysis further shows that semantic and behavioural decisions can be flipped with bounded perturbation cost, indicating stable and interpretable decision boundaries\. Overall, Agentic SABRE is not merely a higher–accuracy detector but an agentic cyber–defence system that combines uncertainty–aware automation, explainable reasoning, and adaptive triage under evolving ransomware threats\. ###### keywords: Ransomware Detection , Explainable Artificial Intelligence , Uncertainty Estimation , Multi\-Agent Systems , Semantic Embeddings , Data Augmentation ††journal:Expert Systems with Applications## 1Introduction Ransomware has become one of the most disruptive forms of cybercrime, with modern families exhibiting rapid mutation, behavioural polymorphism, and highly adaptive strategies designed to evade both traditional signature\-based defences and contemporary machine learning detectors\[[10](https://arxiv.org/html/2607.04292#bib.bib12),[24](https://arxiv.org/html/2607.04292#bib.bib1)\]\. These strains frequently employ advanced obfuscation, polymorphism, and metamorphism to alter operational behaviour and code signatures, undermining static detection techniques and forcing dependence on behavioural and AI\-based methods\[[10](https://arxiv.org/html/2607.04292#bib.bib12),[27](https://arxiv.org/html/2607.04292#bib.bib61)\]\. Enterprise environments now operate under continuous concept drift, where benign and malicious behaviours evolve over time and trained models degrade in performance unless retrained or adapted\[[5](https://arxiv.org/html/2607.04292#bib.bib62)\]\. Static classifiers that assume fixed data distributions consequently suffer rapid decay in effectiveness as attacker strategies evolve\[[11](https://arxiv.org/html/2607.04292#bib.bib63),[24](https://arxiv.org/html/2607.04292#bib.bib1)\]\. These trends expose the limitations of monolithic ransomware classifiers that lack explicit representations of uncertainty, fail to adapt to temporal distributional changes without costly retraining, and provide no mechanism for calibrated human–AI interaction, a gap increasingly recognised in both malware analytics and adaptive learning research\. Machine learning has been increasingly applied to ransomware detection, ranging from classical feature\-based models to deep learning approaches that operate on system call traces, filesystem activity, API semantics, and other forensic telemetry\[[2](https://arxiv.org/html/2607.04292#bib.bib49),[31](https://arxiv.org/html/2607.04292#bib.bib64)\]\. While such models can achieve strong in\-distribution performance, they often behave unreliably on out\-of\-distribution samples, novel ransomware variants, or previously unseen system behaviours\[[10](https://arxiv.org/html/2607.04292#bib.bib12)\]\. Crucially, standard neural detectors provide point predictions without quantifying epistemic uncertainty, making it difficult to determine when the model is confident enough to support autonomous containment or when human escalation is required\[[8](https://arxiv.org/html/2607.04292#bib.bib67)\]\. This absence of uncertainty\-awareness leads to undesirable trade\-offs: aggressive thresholds may cause catastrophic false positives, whereas conservative thresholds increase analyst workload and delay incident response\[[17](https://arxiv.org/html/2607.04292#bib.bib66)\]\. To address these challenges, we propose Agentic SABRE \(Semantic–Behavioural Arbitration for Ransomware Evaluation\), an uncertainty\-aware, neuro\-symbolic, multi\-agent framework for adaptive ransomware detection\. Rather than relying on a single model, SABRE decomposes detection into specialised*semantic*and*behavioural*agents, each trained on distinct but complementary signals\. Both agents employ Monte Carlo Dropout to produce calibrated estimates of epistemic uncertainty, enabling the system to distinguish between high\-confidence predictions and unreliable or ambiguous cases\. A decision\-layer orchestrator fuses agent scores and applies a triage policy based on a risk thresholdτ\\tauand an uncertainty thresholdκ\\kappa, enabling autonomous containment only when the fused prediction is both high\-risk and low\-uncertainty\. Uncertain or moderately risky samples are safely escalated to human analysts, creating a principled interface between automated defence and human oversight\. Additionally, SABRE incorporates lightweight symbolic cues \(e\.g\., ATT&CK tactics, API\-type ontologies, and heuristic rule signals\) to support neuro\-symbolic reasoning and improve robustness against model blind\-spots\. Whereas existing approaches quantify uncertainty to interpret predictions\[[19](https://arxiv.org/html/2607.04292#bib.bib51)\], Agentic SABRE operationalises uncertainty to govern system actions\. ### 1\.1Contributions This work makes the following key contributions: - 1\.We introduceAgentic SABRE, a multi\-agent architecture that integrates semantic embeddings and behavioural telemetry for ransomware detection under concept drift\. - 2\.We develop anuncertainty\-aware inference mechanismusing Monte Carlo Dropout, enabling each agent to output both a predictive mean and epistemic uncertainty\. - 3\.We propose atriage policygoverned by a risk thresholdτ\\tauand uncertainty thresholdκ\\kappa, enabling calibrated decisions between autonomous containment, escalation, and benign allowance\. - 4\.We incorporatelightweight symbolic reasoningvia ATT&CK\-inspired heuristic cues—including API call category indicators, entropy\-threshold signals, and ransomware\-relevant filesystem access patterns—integrated into the feature extraction and triage stages to enrich agent decisions with interpretable threat\-intelligence signals, forming a hybrid neuro\-symbolic detection pipeline\. - 5\.Through extensive experiments across multiple ransomware families and benign workloads, we show that SABRE improves robustness under drift, reduces false escalation volume at equal recall, and maintains calibrated predictive uncertainty\. ### What Makes This Different from Ensemble\-Based Approaches A key concern in multi\-agent ransomware detection is whether the proposed system is simply an ensemble in disguise\. Agentic SABRE is*fundamentally distinct*from conventional ensemble methods in three respects\. First, the two agents operate on*structurally heterogeneous*input spaces—static PE embedding vectors \(ℝ384\\mathbb\{R\}^\{384\}\) versus sliding\-window I/O telemetry statistics \(ℝ16\\mathbb\{R\}^\{16\}\)—not on bootstrap resamples of the same feature space\. Their roles are complementary by design, not redundant\. Second, neither agent’s probability output alone determines the triage decision: the orchestrator also conditions on the*epistemic uncertainty*of each agent, which would be unavailable in a standard ensemble voting scheme\. Third, the triage policy is executable and interpretable—it is a formal control mechanism, not a soft label aggregation—meaning the system can unambiguously withhold autonomous action under ambiguity, a property that vanilla ensembles do not possess\. Together, these properties make Agentic SABRE an agentic cyber\-defence system rather than a higher\-accuracy detector\. ### Paper structure The remainder of this paper is organised as follows\. Section[2](https://arxiv.org/html/2607.04292#S2)provides background on ransomware detection and motivates the need for adaptive, uncertainty\-aware defence under concept drift and adversarial evolution\. Section[3](https://arxiv.org/html/2607.04292#S3)reviews related work on ransomware detection, uncertainty quantification, explainable security analytics, and neuro\-symbolic and multi\-agent approaches, highlighting limitations that motivate the proposed framework\. Section[4](https://arxiv.org/html/2607.04292#S4)presents the Agentic SABRE architecture, including the multi\-agent design, uncertainty estimation via Monte Carlo Dropout, score fusion, and the uncertainty\-aware triage policy\. Section[7](https://arxiv.org/html/2607.04292#S7)formalises the threat model and adversarial assumptions\. Section[8](https://arxiv.org/html/2607.04292#S8)describes the experimental setup, including datasets, feature construction, model training, and evaluation protocols\. Section[9](https://arxiv.org/html/2607.04292#S9)reports empirical results and analyses the behaviour of the uncertainty\-aware triage policy under different operating regimes\. Section[10](https://arxiv.org/html/2607.04292#S10)presents explainability and interpretability analyses based on feature sensitivity and counterfactual reasoning\. Section[11](https://arxiv.org/html/2607.04292#S11)reports ablation studies examining the contribution of key system components\. Section[12](https://arxiv.org/html/2607.04292#S12)discusses operational implications and theoretical insights, while Section[13](https://arxiv.org/html/2607.04292#S13)outlines limitations and directions for future work\. Finally, Section[14](https://arxiv.org/html/2607.04292#S14)concludes the paper\. ## 2Background This section establishes the technical context for Agentic SABRE by reviewing the ransomware threat landscape, summarising the limitations of existing detection approaches, and motivating the design requirements addressed by the proposed framework\. Ransomware has become a dominant form of cybercrime, driven by increasingly sophisticated techniques for evasion, polymorphism, and operational stealth\. Traditional approaches to ransomware detection have relied on signature matching, heuristic rule sets, or simple statistical anomaly detection\. Although effective for well\-known threats, such approaches degrade rapidly in the presence of obfuscation, encryption, behavioural drift, and previously unseen attack families\. As enterprise systems evolve and ransomware variants diversify, detection frameworks must adapt to changing distributions rather than relying on static assumptions\[[10](https://arxiv.org/html/2607.04292#bib.bib12),[24](https://arxiv.org/html/2607.04292#bib.bib1)\]\. Machine learning has emerged as a powerful tool for ransomware detection, leveraging system call traces, API telemetry, filesystem access patterns, and related forensic signals\[[31](https://arxiv.org/html/2607.04292#bib.bib64),[2](https://arxiv.org/html/2607.04292#bib.bib49),[1](https://arxiv.org/html/2607.04292#bib.bib65)\]\. Classical models and deep neural networks have shown promise in modelling such behavioural and semantic features\. However, purely model\-based detection suffers from three persistent challenges\. First, data imbalance remains severe, as benign activity dominates operational telemetry\. Oversampling techniques such as SMOTE and generative models such as CTGAN have been proposed to mitigate minority\-class scarcity, improving training stability and representation of rare malicious events\[[7](https://arxiv.org/html/2607.04292#bib.bib59),[29](https://arxiv.org/html/2607.04292#bib.bib58)\]\. Second, semantic modelling using transformers and other embedding\-based architectures has improved contextual understanding of system logs and API sequences, yet these models often lack robustness under concept drift and out\-of\-distribution \(OOD\) conditions\[[10](https://arxiv.org/html/2607.04292#bib.bib12)\]\. Third, most existing machine learning detectors provide only point predictions and do not quantify predictive uncertainty, making it difficult to determine whether a model’s output is reliable enough to drive autonomous containment decisions\[[12](https://arxiv.org/html/2607.04292#bib.bib31),[13](https://arxiv.org/html/2607.04292#bib.bib25)\]\. Recent work in cybersecurity has begun to explore uncertainty quantification as a means of addressing model unreliability in deployment\[[12](https://arxiv.org/html/2607.04292#bib.bib31),[13](https://arxiv.org/html/2607.04292#bib.bib25),[19](https://arxiv.org/html/2607.04292#bib.bib51)\]\. Techniques such as Monte Carlo Dropout and deep ensemble variance estimation allow detectors to express confidence levels alongside predicted probabilities\. This is critical in high\-stakes applications where false positives incur operational cost and false negatives cause severe damage\. Nevertheless, most existing cybersecurity systems use uncertainty only as an auxiliary diagnostic tool rather than integrating it into a structured triage or escalation policy\. As a result, model uncertainty is rarely incorporated into actionable decision\-making and is not used to determine when to escalate suspicious activity to a human analyst\. Parallel to these developments, neuro\-symbolic and multi\-agent architectures have gained traction for their modularity and interpretability\[[4](https://arxiv.org/html/2607.04292#bib.bib69)\]\. Multi\-agent designs allow distinct models to specialise in complementary aspects of behaviour, such as semantic representations versus resource\-level telemetry, enabling more robust detection in complex environments\. Symbolic cues—such as ATT&CK tactics, API ontologies, and handcrafted behavioural rules—have also been used to enhance interpretability and reduce blind spots in purely neural systems\. However, most prior systems treat multi\-agent fusion as a simple ensemble procedure, and few integrate uncertainty\-aware reasoning or explicit policies for calibrated automation\. In summary, prior research has advanced data augmentation, semantic embeddings, behavioural modelling, multi\-agent architectures, and explainability techniques, but these efforts often address each challenge in isolation\. Existing systems typically lack: \(i\) modular agents specialising in different behavioural and semantic channels, \(ii\) principled uncertainty quantification at the agent level, \(iii\) a calibrated fusion mechanism that incorporates both risk and uncertainty, and \(iv\) a structured triage policy linking model confidence to autonomous or human\-in\-the\-loop decisions\. Prior surveys of ransomware detection research highlight these fragmented efforts and underscore gaps in unified, operationally grounded frameworks for addressing challenges such as concept drift, uncertainty quantification, and integrated decision policies\[[17](https://arxiv.org/html/2607.04292#bib.bib66)\]\. These gaps motivate the design ofAgentic SABRE, a unified uncertainty\-aware, neuro\-symbolic, multi\-agent framework explicitly tailored for adaptive ransomware detection under drift, heterogeneity, and operational constraints\. While prior surveys comprehensively catalogue ransomware detection techniques, they do not propose operational mechanisms that bind predictive uncertainty to autonomous decision\-making\. Agentic SABRE addresses this gap by embedding uncertainty directly into an executable triage policy\. ## 3Related Work This section surveys the four bodies of prior work most relevant to Agentic SABRE—ransomware detection, data augmentation, uncertainty quantification in cybersecurity, and multi\-agent neuro\-symbolic approaches—and identifies the gaps that motivate our design\. Research on ransomware detection intersects multiple areas including behavioural modelling, semantic reasoning, uncertainty\-aware machine learning, and modular multi\-agent architectures\. We review the most relevant lines of work and highlight the distinctions between existing approaches and the design of Agentic SABRE\. Prior work on uncertainty\-aware ransomware and intrusion detection typically treats uncertainty as a diagnostic signal: uncertainty estimates are reported to aid interpretation, calibration analysis, or analyst awareness, but they do not explicitly constrain system behaviour\. In such settings, uncertainty remains an auxiliary output rather than a governing variable in the decision process\. In contrast, Agentic SABRE treats epistemic uncertainty as an operational decision variable\. Uncertainty is explicitly incorporated into the triage policy and directly determines whether the system may autonomously contain a process, escalate to human analysts, or allow execution\. This transforms uncertainty from a descriptive property of predictions into a prescriptive control signal that enforces safety and conservatism under ambiguity\. ### 3\.1Machine Learning for Ransomware Detection Behavioural ransomware detectors traditionally rely on handcrafted indicators such as entropy, API counts, I/O throughput, or memory access volatility\. These features have been used in conjunction with classical machine learning models such as SVMs and random forests, but such approaches struggle to generalise to zero\-day variants and polymorphic families\. Recent deep learning systems extend this line of work by leveraging system calls, registry traces, and log sequences\. Transformer\-based architectures\[[28](https://arxiv.org/html/2607.04292#bib.bib48)\]and LLM\-derived embeddings have also been explored for intrusion detection and semantic log analysis\[[26](https://arxiv.org/html/2607.04292#bib.bib39),[32](https://arxiv.org/html/2607.04292#bib.bib42),[22](https://arxiv.org/html/2607.04292#bib.bib43)\]\. However, these systems generally operate as monolithic detectors and produce deterministic outputs without quantifying epistemic uncertainty or providing structured mechanisms for human escalation\. In contrast, Agentic SABRE incorporates per\-agent Monte Carlo Dropout uncertainty estimation, enabling calibrated confidence\-aware triage\. Recent work has also explored deep learning and blockchain\-based frameworks for malware detection in IoT environments\[[23](https://arxiv.org/html/2607.04292#bib.bib68)\], underscoring the breadth of architectural approaches being applied to adaptive threat analysis and explainable malware defence\. ### 3\.2Data Augmentation and Imbalance Handling Imbalanced datasets remain a pervasive challenge in ransomware detection because benign activity vastly outweighs malicious traces\. Oversampling approaches such as SMOTE\[[7](https://arxiv.org/html/2607.04292#bib.bib59)\]and generative tabular models such as CTGAN\[[29](https://arxiv.org/html/2607.04292#bib.bib58),[3](https://arxiv.org/html/2607.04292#bib.bib29)\]have been widely adopted to mitigate class imbalance\. Such approaches have proven effective in cybersecurity domains, including IoT botnet detection\[[14](https://arxiv.org/html/2607.04292#bib.bib55)\]and enterprise anomaly detection\[[6](https://arxiv.org/html/2607.04292#bib.bib41)\]\. While these methods improve training stability, they are typically employed only at the data preprocessing stage and are rarely integrated into multi\-stage detection pipelines\. Agentic SABRE differs by applying CTGAN not to raw features but to the*score space*, enriching rare high\-risk cases entering the fusion layer without altering agent\-level probabilities or uncertainties\. ### 3\.3Semantic Modelling and Log Understanding LLMs and transformer\-based encoders have demonstrated strong performance in security log analysis and anomaly detection\[[26](https://arxiv.org/html/2607.04292#bib.bib39),[32](https://arxiv.org/html/2607.04292#bib.bib42)\]\. Systems such as LLM\-LADE\[[33](https://arxiv.org/html/2607.04292#bib.bib53)\]combine BERT\-style embeddings with SHAP explanations\[[20](https://arxiv.org/html/2607.04292#bib.bib60)\]to provide interpretable semantic anomaly detection\. However, these systems focus on general log anomalies and do not exploit structured behavioural indicators \(e\.g\., entropy, GPA variance, throughput\) that are crucial in ransomware analysis\. Furthermore, prior semantic models typically operate as standalone classifiers and do not integrate uncertainty\-aware fusion or symbolic security knowledge\. SABRE diverges from these approaches by combining semantic embeddings with behavioural telemetry in a modular multi\-agent design enriched with symbolic cues from API ontologies and ATT&CK\-aligned heuristics\. ### 3\.4Uncertainty Quantification in Cybersecurity There is growing interest in incorporating uncertainty estimation into deep learning models for security\[[19](https://arxiv.org/html/2607.04292#bib.bib51)\]\. Methods such as Monte Carlo Dropout, deep ensembles, and Bayesian neural networks have been used to improve robustness and identify unreliable predictions\. However, existing systems typically use uncertainty as an auxiliary diagnostic rather than as a structured driver of decision policies\. Few works integrate uncertainty thresholds into automated response pipelines or calibrate model behaviour using formal triage criteria\. Agentic SABRE advances this direction by embedding uncertainty estimates directly into an operational triage policy governed by risk and uncertainty thresholds \(τ\\tau,κ\\kappa\), enabling selective automation with safety guarantees\. ### 3\.5Multi\-Agent and Neuro\-Symbolic Approaches Multi\-agent learning has been explored for adaptive intrusion detection, cooperative anomaly detection, and adversarial resilience\[[18](https://arxiv.org/html/2607.04292#bib.bib44),[25](https://arxiv.org/html/2607.04292#bib.bib45)\]\. Parallel advances in neuro\-symbolic systems highlight the benefits of combining neural representations with symbolic rules and knowledge bases\[[30](https://arxiv.org/html/2607.04292#bib.bib52)\]\. Explainable deep models optimised through meta\-learning and automated tuning\[[9](https://arxiv.org/html/2607.04292#bib.bib54)\]further demonstrate the value of modular, interpretable architectures in cybersecurity\. A critical distinguishing feature of Agentic SABRE relative to existing neuro\-symbolic cybersecurity frameworks concerns the location and mutability of the symbolic component\. Prior neuro\-symbolic systems—including the knowledge\-base integration approaches surveyed by Yang et al\.\[[30](https://arxiv.org/html/2607.04292#bib.bib52)\]and the neural\-symbolic architectures reviewed by Besold et al\.\[[4](https://arxiv.org/html/2607.04292#bib.bib69)\]—embed symbolic rules at the architecture or knowledge\-base level, meaning that the symbolic and neural components are structurally coupled and cannot be updated independently\. In Agentic SABRE, by contrast, the symbolic component takes the form of ATT&CK\-inspired interpretable triage thresholds: API call category flags, entropy\-threshold signals, and filesystem access pattern heuristics that are evaluated by the orchestrator as conditions on the fused risk score and epistemic uncertainty\. These symbolic cues are encoded as threshold parameters \(τ\\tau,κ\\kappa,τhigh\\tau\_\{\\text\{high\}\},κlow\\kappa\_\{\\text\{low\}\}\) that can be recalibrated or updated independently of the underlying neural agents—without retraining—whenever threat intelligence changes or deployment conditions shift\. This architectural separation between the learning layer and the symbolic reasoning layer is a deliberate design choice that enables policy\-level agility while preserving agent\-level discriminative capacity\. However, these prior systems typically lack \(i\) agent\-level uncertainty estimation, \(ii\) uncertainty\-aware fusion, and \(iii\) operational triage policies linking uncertainty and risk to automated or human\-in\-the\-loop decisions\. Agentic SABRE directly addresses all three gaps: it assigns dedicated uncertainty estimation to each agent, fuses both risk and uncertainty into a calibrated decision signal, and enforces an executable triage policy that determines when the system may act autonomously and when human oversight is required\. Table[1](https://arxiv.org/html/2607.04292#S3.T1)summarises how representative prior systems compare to Agentic SABRE across the dimensions that define the design space\. Table 1:Comparison of Agentic SABRE with representative prior ransomware and intrusion detection systems across key design dimensions\. ✓ = present;∘\\circ= partial;×\\times= absent\.SystemMulti\-AgentUncertaintyTriage PolicySymbolic CuesXAIConcept DriftScore\-Level Aug\.Fernando*et al\.*\[[10](https://arxiv.org/html/2607.04292#bib.bib12)\]×\\times×\\times×\\times×\\times×\\times×\\times×\\timesRazaulla*et al\.*\[[24](https://arxiv.org/html/2607.04292#bib.bib1)\]×\\times×\\times×\\times×\\times×\\times∘\\circ×\\timesDeep\-learning detectors\[[31](https://arxiv.org/html/2607.04292#bib.bib64)\]×\\times×\\times×\\times×\\times∘\\circ×\\times×\\timesLLM\-LADE\[[33](https://arxiv.org/html/2607.04292#bib.bib53)\]×\\times×\\times×\\times∘\\circ✓×\\times×\\timesKabuye*et al\.*\[[19](https://arxiv.org/html/2607.04292#bib.bib51)\]×\\times✓×\\times×\\times✓×\\times×\\timesSoltani*et al\.*\[[25](https://arxiv.org/html/2607.04292#bib.bib45)\]✓×\\times×\\times×\\times×\\times∘\\circ×\\timesAgentic SABRE \(ours\)✓✓✓✓✓✓✓ ## 4Agentic SABRE Framework This section presents the complete Agentic SABRE architecture\. We describe the five\-stage operational pipeline, the score\-fusion mechanism, the uncertainty aggregation strategy, and the design of the symbolic reasoning components\. The triage policy itself is detailed in Section[5](https://arxiv.org/html/2607.04292#S5)\. ### 4\.1System Overview Agentic SABRE is a neuro\-symbolic, uncertainty\-aware multi\-agent system designed to detect ransomware under concept drift and behavioural polymorphism\. The framework consists of five stages: \(i\) hybrid feature extraction, \(ii\) augmentation, \(iii\) agent training with MC Dropout, \(iv\) score fusion, and \(v\) uncertainty\-aware triage\. The operational pipeline is illustrated in Fig\.[1](https://arxiv.org/html/2607.04292#S4.F1)\. Unlike conventional uncertainty\-aware detectors, which expose predictive uncertainty primarily for post hoc interpretation, the proposed framework embeds uncertainty directly into the decision logic\. The thresholdsκ\\kappaandκlow\\kappa\_\{\\text\{low\}\}act as explicit uncertainty budgets, defining regions in which automated action is permitted or prohibited\. As a result, uncertainty is not merely observed but reasoned over: high\-risk predictions with elevated epistemic uncertainty are deliberately prevented from triggering autonomous containment and are instead routed to human analysts\. The modular structure of Agentic SABRE allows the triage policy to be deployed independently of the underlying detection models, enabling policy\-level updates and operational recalibration without retraining the base agents\.  Figure 1:Operational pipeline with uncertainty\-aware, agentic policy\. Semantic and behavioural CNNs \(with MC Dropout\) yield mean scores and per\-agent uncertainties\. Mean scores are concatenated and CTGAN\-augmented for the Decision Agent to produce a fused riskp^\\hat\{p\}\. A policy uses risk thresholdτ\\tauand uncertainty thresholdκ\\kappa\(with optional stricterτhigh\\tau\_\{\\text\{high\}\},κlow\\kappa\_\{\\text\{low\}\}\) to branch to*AUTO\-CONTAIN*,*ESCALATE*, or*ALLOW*\.\. ### 4\.2Score Fusion and Decision Agent This subsection describes how the two agents’ outputs are combined into a single ransomware risk estimate\. Letp¯sem∈\[0,1\]\\bar\{p\}\_\{\\text\{sem\}\}\\in\[0,1\]denote the predictive mean probability of the Semantic Agent andp¯beh∈\[0,1\]\\bar\{p\}\_\{\\text\{beh\}\}\\in\[0,1\]that of the Behavioural Agent, each obtained via Monte Carlo Dropout \(Algorithm[2](https://arxiv.org/html/2607.04292#alg2)\)\. The corresponding per\-agent epistemic uncertainties areσsem\\sigma\_\{\\text\{sem\}\}andσbeh\\sigma\_\{\\text\{beh\}\}\. The fused score vector is constructed as: 𝐬=\[p¯semp¯beh\],\\mathbf\{s\}=\\begin\{bmatrix\}\\bar\{p\}\_\{\\text\{sem\}\}\\\\ \\bar\{p\}\_\{\\text\{beh\}\}\\end\{bmatrix\},\(1\) optionally extended with CTGAN\-generated synthetic score samples to address score\-space class imbalance\. A lightweight MLP\-based Decision Agent learns a mapping from𝐬\\mathbf\{s\}and produces a unified ransomware risk estimate: p^=f\(𝐬\)\\hat\{p\}=f\(\\mathbf\{s\}\)\(2\) wherep^∈\[0,1\]\\hat\{p\}\\in\[0,1\]is the fused risk probability used by the triage orchestrator\. Note that at deployment the full score vector additionally incorporates the per\-agent uncertainties \(see Eq\.[22](https://arxiv.org/html/2607.04292#S9.E22)in Section[9](https://arxiv.org/html/2607.04292#S9)\), which are used as inputs to the trained Decision Agent to produce the calibrated fused risk\. ### 4\.3Uncertainty Aggregation To ensure conservative behaviour, agent\-level uncertainties are aggregated via a max\-operator: σmax=max\(σsem,σbeh\),\\sigma\_\{\\max\}=\\max\(\\sigma\_\{\\text\{sem\}\},\\sigma\_\{\\text\{beh\}\}\),\(3\) whereσsem\\sigma\_\{\\text\{sem\}\}andσbeh\\sigma\_\{\\text\{beh\}\}are the Monte Carlo Dropout standard deviations of the semantic and behavioural agents respectively\. Using the maximum rather than the mean ensures that elevated uncertainty in*either*modality—not just their average—constrains autonomous action, providing a conservative safety guarantee\. This definition is carried consistently throughout the triage logic and fusion analysis\. Choice of uncertainty estimator\.Monte Carlo \(MC\) Dropout\[[12](https://arxiv.org/html/2607.04292#bib.bib31)\]was selected over deep ensembles and Bayesian neural networks for three practical reasons\. First, MC Dropout requires no architectural changes beyond retaining dropout at inference time, making it straightforward to integrate into the existing CNN agents\. Second, its per\-sample inference cost isTTstochastic forward passes \(T=30T=30in our experiments\), which is lower than training and storingMMindependent ensemble members \(M≥5M\\geq 5is typical\)\. Third, the agents’ training pipelines already include dropout regularisation, so no additional training overhead is incurred\. We acknowledge that deep ensembles can produce better\-calibrated uncertainty under strong distribution shift, as they approximate a wider posterior over model weights\. MC Dropout may under\-estimate epistemic uncertainty in highly non\-stationary behavioural regimes—a limitation noted in Section[13](https://arxiv.org/html/2607.04292#S13)and left as a direction for future work with ensemble\-based SABRE variants\. ## 5Uncertainty\-Aware Triage Policy This section formalises the triage decision mechanism that converts the fused risk scorep^\\hat\{p\}and aggregated uncertaintyσmax\\sigma\_\{\\max\}into one of three operational actions:AUTO\-CONTAIN,ESCALATE, orALLOW\. We present the policy design rationale, the decision rules, and an operational interpretation of the threshold geometry\. Agentic SABRE can be interpreted as a decision\-theoretic control system in which epistemic uncertainty constrains autonomous action\. Rather than optimising predictive accuracy alone, the framework explicitly optimises operational utility by regulating when automated containment is permitted and when human oversight is required\. In this formulation, epistemic uncertainty is not treated as a diagnostic by\-product of prediction, but as an explicit*control signal*that governs whether the system may act autonomously or must defer to analysts\. Given a fused ransomware risk scorep^∈\[0,1\]\\hat\{p\}\\in\[0,1\]and an aggregated epistemic uncertaintyσmax∈\[0,1\]\\sigma\_\{\\max\}\\in\[0,1\], the orchestrator applies a two\-threshold policy regulated by: \(i\) a risk thresholdτ\\tauand \(ii\) an uncertainty budgetκ\\kappa\. For safer autonomous containment, stricter thresholdsτhigh\\tau\_\{\\text\{high\}\}andκlow\\kappa\_\{\\text\{low\}\}define a high\-confidence operating region\. ### 5\.1Policy Design and Thresholds Axis\-aligned thresholds are deliberately chosen over learned non\-linear decision boundaries to preserve interpretability, auditability, and policy stability under distribution shift—properties that are critical in regulated operational environments\. The policy uses two pairs of thresholds: \(i\)\(τ,κ\)\(\\tau,\\kappa\)defining the general escalation boundary, and \(ii\)\(τhigh,κlow\)\(\\tau\_\{\\text\{high\}\},\\kappa\_\{\\text\{low\}\}\)defining a stricter region in which autonomous containment is permitted\. These pairs satisfy the ordering constraints τ≤τhigh,κlow≤κ,\\tau\\leq\\tau\_\{\\text\{high\}\},\\qquad\\kappa\_\{\\text\{low\}\}\\leq\\kappa,\(4\)meaningτhigh\\tau\_\{\\text\{high\}\}demands a higher fused risk for autonomous action thanτ\\taudoes for escalation, andκlow\\kappa\_\{\\text\{low\}\}imposes a tighter uncertainty ceiling thanκ\\kappa\. Intuitively,τ\\taucontrols the minimum risk level that warrants any intervention, whileκ\\kappaconstrains how much epistemic uncertainty is tolerated before human escalation is required\. The stricter pair\(τhigh,κlow\)\(\\tau\_\{\\text\{high\}\},\\kappa\_\{\\text\{low\}\}\)enforces a conservative automation contract: autonomous containment is permitted only when the fused risk is very high*and*uncertainty is sufficiently low, ruling out overconfident automated responses near the decision boundary\. ### 5\.2Decision Rules Letσmax\\sigma\_\{\\max\}denote the aggregated epistemic uncertainty \(e\.g\., the maximum uncertainty across the semantic and behavioural agents\)\. The orchestrator maps each sample to one of three actions:ALLOW,ESCALATE, orAUTO\-CONTAIN, according to: AUTO−CONTAIN\\displaystyle AUTO\-CONTAIN\\quadifp^≥τhigh∧σmax≤κlow,\\displaystyle\\text\{if\}\\quad\\hat\{p\}\\geq\\tau\_\{\\text\{high\}\}\\;\\wedge\\;\\sigma\_\{\\max\}\\leq\\kappa\_\{\\text\{low\}\},\(5\)ESCALATE\\displaystyle ESCALATE\\quadifp^≥τ∨σmax\>κ,\\displaystyle\\text\{if\}\\quad\\hat\{p\}\\geq\\tau\\;\\;\\vee\\;\\;\\sigma\_\{\\max\}\>\\kappa,\(6\)ALLOW\\displaystyle ALLOW\\quadotherwise\.\\displaystyle\\text\{otherwise\}\.\(7\) ### 5\.3Operational Interpretation The policy defines a calibrated balance between autonomous defence and analyst workload\. High\-risk, low\-uncertainty samples fall into theAUTO\-CONTAINregion \(Eq\.[5](https://arxiv.org/html/2607.04292#S5.E5)\), enabling immediate response when the system is confident\. Samples that are either sufficiently risky or epistemically uncertain are routed toESCALATE\(Eq\.[6](https://arxiv.org/html/2607.04292#S5.E6)\), preventing overconfident automation under distribution shift, concept drift, or ambiguous evidence\. Remaining samples areALLOW\(Eq\.[7](https://arxiv.org/html/2607.04292#S5.E7)\), corresponding to low\-risk decisions made with acceptable confidence\. From a deployment perspective,τ\\tauandκ\\kappaact as user\-tunable controls that trade off false escalations versus false allowances, while\(τhigh,κlow\)\(\\tau\_\{\\text\{high\}\},\\kappa\_\{\\text\{low\}\}\)provides an additional safety margin that limits automated containment to the highest\-confidence cases\. Algorithms[1](https://arxiv.org/html/2607.04292#alg1)–[4](https://arxiv.org/html/2607.04292#alg4)collectively specify the training, inference, score fusion, and deployment\-time decision logic of Agentic SABRE\. Algorithm 1Agentic SABRE: Training and Deployment Pipeline1:Input \(training\):Raw semantic data DsemD\_\{\\text\{sem\}\}, behavioural logs DbehD\_\{\\text\{beh\}\} 2:Input \(deployment\):New sample xsem,xbehx\_\{\\text\{sem\}\},x\_\{\\text\{beh\}\} 3:Output \(deployment\):Decision ∈\{AUTO\-CONTAIN,ESCALATE,ALLOW\}\\in\\\{\\text\{AUTO\-CONTAIN\},\\text\{ESCALATE\},\\text\{ALLOW\}\\\} 4:// Phase 1: Hybrid feature extraction 5:Extract semantic embeddings 𝐳i\\mathbf\{z\}\_\{i\}from DsemD\_\{\\text\{sem\}\}using encoder ℰ\(⋅\)\\mathcal\{E\}\(\\cdot\) 6:Extract behavioural feature vectors 𝐛i\\mathbf\{b\}\_\{i\}from DbehD\_\{\\text\{beh\}\}via sliding\-window statistics 7:// Phase 2: Feature\-level augmentation 8:Apply SMOTE to \{𝐳i\}\\\{\\mathbf\{z\}\_\{i\}\\\}and \{𝐛i\}\\\{\\mathbf\{b\}\_\{i\}\\\}independently to address class imbalance 9:// Phase 3: Train base agents with MC Dropout 10:Train Semantic Agent CNN AsemA\_\{\\text\{sem\}\}on \{𝐳i\}\\\{\\mathbf\{z\}\_\{i\}\\\} 11:Train Behavioural Agent CNN AbehA\_\{\\text\{beh\}\}on \{𝐛i\}\\\{\\mathbf\{b\}\_\{i\}\\\} 12:// Phase 4: Score\-level augmentation and Decision Agent 13:foreach training sample iido 14:Compute mean scores p¯sem\(i\)\\bar\{p\}\_\{\\text\{sem\}\}^\{\(i\)\}, p¯beh\(i\)\\bar\{p\}\_\{\\text\{beh\}\}^\{\(i\)\}via MC Dropout \(Alg\.[2](https://arxiv.org/html/2607.04292#alg2)\) 15:Form score vector si=\[p¯sem\(i\),p¯beh\(i\)\]s\_\{i\}=\[\\bar\{p\}\_\{\\text\{sem\}\}^\{\(i\)\},\\bar\{p\}\_\{\\text\{beh\}\}^\{\(i\)\}\] 16:endfor 17:Train CTGAN on \{\(si,yi\)\}\\\{\(s\_\{i\},y\_\{i\}\)\\\}and obtain augmented scores 𝒟~S\\tilde\{\\mathcal\{D\}\}\_\{S\}\(Alg\.[3](https://arxiv.org/html/2607.04292#alg3)\) 18:Train Decision Agent AdecA\_\{\\text\{dec\}\}on 𝒟S∪𝒟~S\\mathcal\{D\}\_\{S\}\\cup\\tilde\{\\mathcal\{D\}\}\_\{S\} 19:// Phase 5: Deployment\-time inference and triage 20:Obtain \(p¯sem,σsem\)\(\\bar\{p\}\_\{\\text\{sem\}\},\\sigma\_\{\\text\{sem\}\}\)for xsemx\_\{\\text\{sem\}\}via MC Dropout 21:Obtain \(p¯beh,σbeh\)\(\\bar\{p\}\_\{\\text\{beh\}\},\\sigma\_\{\\text\{beh\}\}\)for xbehx\_\{\\text\{beh\}\}via MC Dropout 22:Form s=\[p¯sem,p¯beh\]s=\[\\bar\{p\}\_\{\\text\{sem\}\},\\bar\{p\}\_\{\\text\{beh\}\}\]and compute fused risk p^=Adec\(s\)\\hat\{p\}=A\_\{\\text\{dec\}\}\(s\) 23:Compute aggregated uncertainty σmax=max\(σsem,σbeh\)\\sigma\_\{\\max\}=\\max\(\\sigma\_\{\\text\{sem\}\},\\sigma\_\{\\text\{beh\}\}\) 24:Apply triage policy using thresholds \(τ,κ,τhigh,κlow\)\(\\tau,\\kappa,\\tau\_\{\\text\{high\}\},\\kappa\_\{\\text\{low\}\}\)\(Alg\.[4](https://arxiv.org/html/2607.04292#alg4)\) Algorithm 2MC Dropout Uncertainty Estimation for a Neural Agent1:Input:Trained neural agent AAwith dropout layers, sample xx, number of passes TT 2:Output:Predictive mean p¯\\bar\{p\}, epistemic uncertainty σ\\sigma 3:Set AAto evaluation mode 4:Activate dropout layers for inference \(e\.g\., set dropout modules totrain\(\)only\) 5:for t=1t=1to TTdo 6: pt←A\(x\)p\_\{t\}\\leftarrow A\(x\)⊳\\trianglerightstochastic forward pass with dropout 7:endfor 8:Compute predictive mean: p¯=1T∑t=1Tpt\\bar\{p\}=\\frac\{1\}\{T\}\\sum\_\{t=1\}^\{T\}p\_\{t\} 9:Compute predictive standard deviation: σ=1T∑t=1T\(pt−p¯\)2\\sigma=\\sqrt\{\\frac\{1\}\{T\}\\sum\_\{t=1\}^\{T\}\(p\_\{t\}\-\\bar\{p\}\)^\{2\}\} 10:return \(p¯,σ\)\(\\bar\{p\},\\sigma\) Algorithm 3Score\-Level CTGAN Augmentation for Decision Agent Training1:Input:Trained base agents Asem,AbehA\_\{\\text\{sem\}\},A\_\{\\text\{beh\}\}; training features \{𝐳i\},\{𝐛i\}\\\{\\mathbf\{z\}\_\{i\}\\\},\\\{\\mathbf\{b\}\_\{i\}\\\}; labels \{yi\}\\\{y\_\{i\}\\\} 2:Output:Augmented score dataset 𝒟~S\\tilde\{\\mathcal\{D\}\}\_\{S\}, for training AdecA\_\{\\text\{dec\}\} 3:// Step 1: Collect score tuples 4:foreach training sample iido 5:Compute \(p¯sem\(i\),σsem\(i\)\)\(\\bar\{p\}\_\{\\text\{sem\}\}^\{\(i\)\},\\sigma\_\{\\text\{sem\}\}^\{\(i\)\}\)via Alg\.[2](https://arxiv.org/html/2607.04292#alg2)on 𝐳i\\mathbf\{z\}\_\{i\} 6:Compute \(p¯beh\(i\),σbeh\(i\)\)\(\\bar\{p\}\_\{\\text\{beh\}\}^\{\(i\)\},\\sigma\_\{\\text\{beh\}\}^\{\(i\)\}\)via Alg\.[2](https://arxiv.org/html/2607.04292#alg2)on 𝐛i\\mathbf\{b\}\_\{i\} 7:Form score vector si=\[p¯sem\(i\),p¯beh\(i\)\]s\_\{i\}=\[\\bar\{p\}\_\{\\text\{sem\}\}^\{\(i\)\},\\bar\{p\}\_\{\\text\{beh\}\}^\{\(i\)\}\] 8:endfor 9:Construct score dataset 𝒟S=\{\(si,yi\)\}\\mathcal\{D\}\_\{S\}=\\\{\(s\_\{i\},y\_\{i\}\)\\\} 10:// Step 2: Train CTGAN in score space 11:Train CTGAN generator GGand discriminator DDon 𝒟S\\mathcal\{D\}\_\{S\}conditioned on labels yiy\_\{i\} 12:Generate synthetic score samples s~j=G\(zj,yj\)\\tilde\{s\}\_\{j\}=G\(z\_\{j\},y\_\{j\}\)with noise zjz\_\{j\}and labels yjy\_\{j\} 13:Form augmented set 𝒟~S=\{\(s~j,yj\)\}\\tilde\{\\mathcal\{D\}\}\_\{S\}=\\\{\(\\tilde\{s\}\_\{j\},y\_\{j\}\)\\\} 14:// Step 3: Train Decision Agent 15:Train Decision Agent AdecA\_\{\\text\{dec\}\}on 𝒟S∪𝒟~S\\mathcal\{D\}\_\{S\}\\cup\\tilde\{\\mathcal\{D\}\}\_\{S\} 16:return 𝒟~S\\tilde\{\\mathcal\{D\}\}\_\{S\} Algorithm 4Uncertainty\-Aware Triage Policy1:Input:Fused risk p^\\hat\{p\}, agent uncertainties σsem,σbeh\\sigma\_\{\\text\{sem\}\},\\sigma\_\{\\text\{beh\}\} 2:Input:Risk thresholds τ\\tau, τhigh\\tau\_\{\\text\{high\}\}; uncertainty thresholds κ\\kappa, κlow\\kappa\_\{\\text\{low\}\} 3:Output:Decision ∈\{AUTO\-CONTAIN,ESCALATE,ALLOW\}\\in\\\{\\text\{AUTO\-CONTAIN\},\\text\{ESCALATE\},\\text\{ALLOW\}\\\} 4:Compute aggregated uncertainty σmax←max\(σsem,σbeh\)\\sigma\_\{\\max\}\\leftarrow\\max\(\\sigma\_\{\\text\{sem\}\},\\sigma\_\{\\text\{beh\}\}\) 5:if p^≥τhigh\\hat\{p\}\\geq\\tau\_\{\\text\{high\}\}and σmax≤κlow\\sigma\_\{\\max\}\\leq\\kappa\_\{\\text\{low\}\}then 6:returnAUTO\-CONTAIN⊳\\trianglerighthigh risk, low uncertainty 7:elseif p^≥τ\\hat\{p\}\\geq\\tauor σmax\>κ\\sigma\_\{\\max\}\>\\kappathen 8:returnESCALATE⊳\\trianglerightrisky or uncertain 9:else 10:returnALLOW⊳\\trianglerightbenign and confident 11:endif ## 6Policy Analysis This section analyses the geometry of the triage decision space, characterises the adversarial stability of the policy boundaries, and introduces the threshold\-optimisation objective used to select operational parameters\. The triage mechanism in Agentic SABRE is governed by the joint behaviour of the fused probabilityp^\\hat\{p\}and the maximal epistemic uncertaintyσmax\\sigma\_\{\\max\}\. The policy partitions the space 𝒳=\{\(p^,σmax\)∈\[0,1\]×\[0,1\]\}\\mathcal\{X\}=\\bigl\\\{\(\\hat\{p\},\\,\\sigma\_\{\\max\}\)\\in\[0,1\]\\times\[0,1\]\\bigr\\\}\(8\)into three disjoint regions corresponding to the actions𝖠𝖫𝖫𝖮𝖶\\mathsf\{ALLOW\},𝖤𝖲𝖢𝖠𝖫𝖠𝖳𝖤\\mathsf\{ESCALATE\}, and𝖠𝖴𝖳𝖮\_𝖢𝖮𝖭𝖳𝖠𝖨𝖭\\mathsf\{AUTO\\\_CONTAIN\}\. The decision boundaries are defined implicitly by the inequalities p^≥τhigh,σmax≤κlow,\\hat\{p\}\\geq\\tau\_\{\\mathrm\{high\}\},\\qquad\\sigma\_\{\\max\}\\leq\\kappa\_\{\\mathrm\{low\}\},\(9\)for autonomous containment, and p^≥τorσmax\>κ,\\hat\{p\}\\geq\\tau\\quad\\text\{or\}\\quad\\sigma\_\{\\max\}\>\\kappa,\(10\)for escalation\. The remaining region, defined by the intersection of the complements of Eqs\. \([9](https://arxiv.org/html/2607.04292#S6.E9)\) and \([10](https://arxiv.org/html/2607.04292#S6.E10)\), yields the allow decision\. The geometry of the decision space is determined by the relative magnitudes ofτ,τhigh,κ,κlow\\tau,\\tau\_\{\\mathrm\{high\}\},\\kappa,\\kappa\_\{\\mathrm\{low\}\}\. The boundariesp^=τ\\hat\{p\}=\\tauandp^=τhigh\\hat\{p\}=\\tau\_\{\\mathrm\{high\}\}form vertical lines, whileσmax=κ\\sigma\_\{\\max\}=\\kappaandσmax=κlow\\sigma\_\{\\max\}=\\kappa\_\{\\mathrm\{low\}\}form horizontal lines\. The intersection of these lines generates a partitioned rectangle whose subregions determine the triage outcome\. Samples located near the boundary points, \(τhigh,κlow\),\(τ,κ\),\(\\tau\_\{\\mathrm\{high\}\},\\kappa\_\{\\mathrm\{low\}\}\),\\qquad\(\\tau,\\kappa\),\(11\)exhibit the greatest instability under adversarial perturbation\. However, due to the monotonic structure of the fusion classifier, the gradient ofp^\\hat\{p\}is typically largest where semantic evidence dominates, meaning the neighbourhood of\(τhigh,κlow\)\(\\tau\_\{\\mathrm\{high\}\},\\kappa\_\{\\mathrm\{low\}\}\)tends to be sparsely populated\. The optimisation of threshold pairs is governed by a scalarised objective that trades off classification quality against escalation volume\. Specifically, we define J\(τ,κ\)=bal\_acc\(τ,κ\)−λEscRate\(τ,κ\),J\(\\tau,\\kappa\)=\\mathrm\{bal\\\_acc\}\(\\tau,\\kappa\)\-\\lambda\\,\\mathrm\{EscRate\}\(\\tau,\\kappa\),\(12\)wherebal\_acc\(τ,κ\)\\mathrm\{bal\\\_acc\}\(\\tau,\\kappa\)is balanced accuracy under the policy,EscRate\(τ,κ\)\\mathrm\{EscRate\}\(\\tau,\\kappa\)is the fraction of samples escalated to analysts, andλ≥0\\lambda\\geq 0controls the operational cost penalty\. This objective identifies threshold pairs that shift the decision boundaries in Eqs\. \([9](https://arxiv.org/html/2607.04292#S6.E9)\)–\([10](https://arxiv.org/html/2607.04292#S6.E10)\)\. Increasingτ\\taureduces the size of the escalation region but simultaneously risks enlarging the allow region unless offset by a simultaneous adjustment toκ\\kappa\. The calibrated trade\-off therefore emerges from solving the non\-convex problem of maximisingJ\(τ,κ\)J\(\\tau,\\kappa\)while maintaining robustness to the uncertainty geometry defined in Eq\. \([8](https://arxiv.org/html/2607.04292#S6.E8)\)\. This interplay between fused risk, epistemic uncertainty, and threshold selection constitutes the mathematical core of the Agentic SABRE policy framework\. ## 7Threat Model This section defines the adversarial assumptions under which Agentic SABRE is evaluated, specifying what the attacker can and cannot manipulate, and explaining how the uncertainty\-aware triage policy provides robustness against the considered threat classes\. The operational setting assumes an adversary capable of deploying ransomware samples that vary in semantic structure, behavioural dynamics, or both\. The defender observes two forms of telemetry: a semantic representation𝐳i∈ℝds\\mathbf\{z\}\_\{i\}\\in\\mathbb\{R\}^\{d\_\{s\}\}encoded from static artefacts and a behavioural representation𝐛i∈ℝdb\\mathbf\{b\}\_\{i\}\\in\\mathbb\{R\}^\{d\_\{b\}\}extracted from temporal I/O activity\. The adversary is assumed to operate under the constraint that behavioural logs and static metadata cannot be forged arbitrarily without compromising the malware’s execution\. The threat model considers adversarial manoeuvres that attempt to reduce the classifier’s confidence while preserving functional attack behaviour\. These manoeuvres can target the semantic agent by modifying static descriptors; however, such modifications typically shift the semantic embedding distribution, increasing the Wasserstein distance in Eq\. \([53](https://arxiv.org/html/2607.04292#S12.E53)\) only marginally, and often increasing epistemic uncertainty\. Similarly, behavioural mimicry attacks attempt to disguise malicious activity so that the derived empirical distributions p\(𝐛∣y=1\),p\(𝐛∣y=0\),p\(\\mathbf\{b\}\\mid y=1\),\\qquad p\(\\mathbf\{b\}\\mid y=0\),\(13\)appear closer than reflected in Eq\. \([54](https://arxiv.org/html/2607.04292#S12.E54)\)\. Such mimicry produces elevated uncertainty in the behavioural agent due to the mismatch between expected and observed feature variance\. The model assumes that the attacker does not possess knowledge of the triage parametersτ\\tau,κ\\kappa,τhigh\\tau\_\{\\mathrm\{high\}\}, andκlow\\kappa\_\{\\mathrm\{low\}\}, nor the calibration temperature applied to the fusion classifier\. Even if such knowledge were available, the attacker would still face the constraint that reducing the fused probabilityp^\\hat\{p\}of Eq\. \([23](https://arxiv.org/html/2607.04292#S9.E23)\) necessarily increases behavioural deviation, thus raising the uncertainty termσmax\\sigma\_\{\\max\}in Eq\. \([3](https://arxiv.org/html/2607.04292#S4.E3)\)\. Consequently, the decision boundary remains robust against a broad class of evasion strategies, since ambiguous or adversarial samples are redirected to human analysts rather than executed automatically\. This model aligns with realistic constraints in ransomware operations and reflects practical adversarial limits encountered in malware obfuscation\. ## 8Experimental Setup This section describes the datasets, feature construction procedures, model training configurations, and evaluation metrics used to assess Agentic SABRE\. Crucially, the two datasets cover complementary modalities—static PE semantics and runtime behavioural telemetry—and are never mixed at the raw feature level; fusion occurs only at the score level, as described in Section[4](https://arxiv.org/html/2607.04292#S4)\. ### 8\.1Datasets Experiments are conducted on two publicly available ransomware datasets that exhibit complementary characteristics\. RDset provides static semantic metadata derived from Portable Executable \(PE\) files and is used to evaluate semantic discriminability under saturated conditions\. RanSMAP \(and RanSAP\) provide behavioural telemetry extracted from system\-level I/O activity, capturing temporal variance and entropy\-driven signals representative of runtime behaviour\. All datasets are split into disjoint training and test sets at the sample level, ensuring that no identical execution traces or binaries appear in both splits\. RanSAP\[[15](https://arxiv.org/html/2607.04292#bib.bib19)\]is a hypervisor\-level behavioural dataset consisting of low\-level storage access patterns only, comprising approximately 200 million I/O events aggregated into fixed\-length temporal windows collected from multiple ransomware and benign executions\. RanSMAP\[[16](https://arxiv.org/html/2607.04292#bib.bib47)\], a successor dataset, extends RanSAP by incorporating both storage and memory access patterns, yielding 11,820 execution traces across diverse hardware configurations, ransomware variants, and simultaneous benign–malicious workloads\. In contrast, the dataset introduced by Mathur\[[21](https://arxiv.org/html/2607.04292#bib.bib20)\], commonly referred to as*RDset*in subsequent literature\[[19](https://arxiv.org/html/2607.04292#bib.bib51)\], comprises 138,047 PE samples described by 57 structured static attributes\. In this work, these attributes are transformed into semantic representations via a lightweight text\-based encoding and embedding procedure, enabling comparison with behavioural telemetry at the agent level\. Cross\-source fusion rationale\.RDset and RanSMAP do*not*contain overlapping malware samples: RDset consists of PE file metadata from Windows executables, while RanSMAP contains runtime I/O traces recorded during execution on instrumented hypervisors\. The two datasets are therefore drawn from complementary observation planes of the same threat category\. Raw features are*never*merged: the Semantic Agent trains exclusively on RDset embeddings and the Behavioural Agent trains exclusively on RanSMAP telemetry\. Fusion occurs only at the*score level*—the two agents’ posterior mean probabilities are concatenated into the score vector𝐬\\mathbf\{s\}\(Eq\.[1](https://arxiv.org/html/2607.04292#S4.E1)\) and passed to the Decision Agent\. This design mirrors realistic deployment scenarios in which a SOC may simultaneously receive static file analysis from a sandbox and runtime telemetry from an endpoint sensor, where neither source alone provides complete ransomware characterisation\. CTGAN labels\.The CTGAN generator in Algorithm[3](https://arxiv.org/html/2607.04292#alg3)is conditioned on binary labelsyi∈\{0,1\}y\_\{i\}\\in\\\{0,1\\\}\(benign / ransomware\) drawn directly from the training set labels\. No additional label transformations or soft\-label schemes are applied; the generator learns to produce realistic score\-space samples for each class independently\. Dataset characteristics, imbalance, and contamination\.RDset comprises 138,047 PE samples \(41,123 ransomware, 96,924 benign\), exhibiting heavy class imbalance of approximately 30% ransomware\. The dataset covers ransomware families active between 2014 and 2020\. No temporal split is applied in the current evaluation: samples are partitioned at the binary level, so families present in the training set may appear under different instances in the test set—introducing the risk of structural similarity bias\. No sample\-level contamination is present: training and test splits are disjoint at the binary \(file hash\) level\. RanSMAP comprises 11,820 execution traces drawn from 24 ransomware families and benign workloads across diverse hardware configurations\. Class imbalance is addressed via SMOTE at the feature level prior to agent training\. Contamination risk is low: traces are paired execution sessions and splits are defined by disjoint session identifiers, ensuring that no execution session contributes to both training and test sets\. It should be noted that neither dataset includes post\-2021 ransomware families such as Cl0p, BlackCat/ALPHV, or LockBit 3\.0\. This is a known coverage limitation: the trained agents have not been exposed to the behavioural or semantic signatures of these contemporary families, and generalisation to modern ransomware lineages is identified as a priority direction for future work\. ### 8\.2Feature Construction and Preprocessing SABRE operates on two complementary data sources: semantic representations from RDset and behavioural telemetry from RanSMAP/RanSAP\. ##### Semantic Features \(RDset\)\. Structured metadata fields from PE headers, entropy descriptors, and resource fields are concatenated into a text\-like string and encoded into fixed\-length vectors using a lightweight transformer\-based sentence encoder\. Formally, for each instance with metadata vector𝐱i=\{xi,1,…,xi,d\}\\mathbf\{x\}\_\{i\}=\\\{x\_\{i,1\},\\ldots,x\_\{i,d\}\\\}, we form t~i=𝒯\(𝐱i\)=Join\(str\(xi,1\),…,str\(xi,d\)\),\\tilde\{t\}\_\{i\}=\\mathcal\{T\}\(\\mathbf\{x\}\_\{i\}\)=\\texttt\{Join\}\(\\texttt\{str\}\(x\_\{i,1\}\),\\ldots,\\texttt\{str\}\(x\_\{i,d\}\)\),\(14\) and obtain a contextual embedding 𝐳i=ℰ\(t~i\)∈ℝk\.\\mathbf\{z\}\_\{i\}=\\mathcal\{E\}\(\\tilde\{t\}\_\{i\}\)\\in\\mathbb\{R\}^\{k\}\.\(15\) These semantic embeddings form the input to the Semantic Agent\. ##### Behavioural Features \(RanSMAP/RanSAP\)\. System logs capturing memory activity, I/O throughput, and entropy statistics are segmented using a sliding window\. For each window𝒲i\\mathcal\{W\}\_\{i\}, we compute variance, entropy, and access\-count statistics: Var\(x\)=1n∑j=1n\(xj−x¯\)2,\\mathrm\{Var\}\(x\)=\\frac\{1\}\{n\}\\sum\_\{j=1\}^\{n\}\(x\_\{j\}\-\\bar\{x\}\)^\{2\},\(16\) ℋ\(x\)=−∑j=1np\(xj\)log2\(p\(xj\)\+ϵ\),\\mathcal\{H\}\(x\)=\-\\sum\_\{j=1\}^\{n\}p\(x\_\{j\}\)\\log\_\{2\}\(p\(x\_\{j\}\)\+\\epsilon\),\(17\) ck=∑j=1n𝟙\(xj=k\)\.c\_\{k\}=\\sum\_\{j=1\}^\{n\}\\mathbb\{1\}\(x\_\{j\}=k\)\.\(18\) This yields a behavioural feature vector𝐛i\\mathbf\{b\}\_\{i\}for each window\. Class imbalance is mitigated using a dual augmentation strategy: \(i\) SMOTE at the feature level for both semantic and behavioural datasets, and \(ii\) CTGAN at the score level after base\-agent inference\. Score\-level augmentation improves the decision boundary of the fusion layer without altering the uncertainty structure of the base agents\. ### 8\.3Model Training and Inference Two specialised neural agents are trained independently: - 1\.Semantic Agent:a 1D CNN trained on semantic embeddings\. - 2\.Behavioural Agent:a 1D CNN trained on handcrafted telemetry features\. At inference time, each agent uses Monte Carlo Dropout to estimate predictive uncertainty\. For an input samplexx, we computeTTstochastic forward passesp1,…,pTp\_\{1\},\\ldots,p\_\{T\}, yielding p¯=1T∑t=1Tpt,σ=1T∑t=1T\(pt−p¯\)2\.\\bar\{p\}=\\frac\{1\}\{T\}\\sum\_\{t=1\}^\{T\}p\_\{t\},\\qquad\\sigma=\\sqrt\{\\frac\{1\}\{T\}\\sum\_\{t=1\}^\{T\}\(p\_\{t\}\-\\bar\{p\}\)^\{2\}\}\.\(19\) For each agent we obtain\(p¯sem,σsem\)\(\\bar\{p\}\_\{\\text\{sem\}\},\\sigma\_\{\\text\{sem\}\}\)and\(p¯beh,σbeh\)\(\\bar\{p\}\_\{\\text\{beh\}\},\\sigma\_\{\\text\{beh\}\}\)\. ### 8\.4Evaluation Metrics and Policy Optimisation Performance is evaluated using accuracy, AUC, and confusion\-matrix\-derived metrics\. In addition to classification quality, we explicitly measure operational cost via the escalation rate induced by the triage policy\. Thresholds\(τ,κ\)\(\\tau,\\kappa\)are selected by optimising a scalarised objective that balances balanced accuracy against escalation volume\. The evaluation of Agentic SABRE is organised around three questions: \(i\) the discriminative performance of the individual agents; \(ii\) the behaviour of the fusion operator under uncertainty; and \(iii\) the impact of the triage policy defined by the thresholdsτ\\tau,κ\\kappa,τhigh\\tau\_\{\\mathrm\{high\}\}, andκlow\\kappa\_\{\\mathrm\{low\}\}\. ## 9Results This section reports the empirical performance of Agentic SABRE, covering individual agent discriminability, fusion quality and calibration, uncertainty\-aware triage behaviour, and threshold sensitivity\. Results are presented across both RDset \(semantic, saturated regime\) and RanSMAP \(behavioural, high\-uncertainty regime\) to characterise the full operational range\. Unlike conventional evaluation metrics, the escalation rate induced by the triage policy represents an operational cost rather than a classification error\. Escalated samples require analyst attention, introduce response latency, and increase cognitive workload\. Reductions in escalation volume at fixed recall therefore correspond directly to deployability improvements, even when headline accuracy remains unchanged\. The semantic agent receives embedding vectors𝐳i∈ℝ384\\mathbf\{z\}\_\{i\}\\in\\mathbb\{R\}^\{384\}and produces a probability psem=fS\(𝐳\),p\_\{\\mathrm\{sem\}\}=f\_\{\\mathrm\{S\}\}\(\\mathbf\{z\}\),\(20\)which achieves accuracy and AUC equal to1\.00001\.0000on RDset\. The separation in the semantic embedding space is therefore nearly perfect\. This behaviour reflects the highly structured nature of PE\-level metadata in RDset and should not be interpreted as a claim of general semantic dominance\. Instead, this high\-separability semantic evaluation setting is deliberately used as a stress\-test for the uncertainty\-aware fusion and triage mechanisms, allowing us to examine how behavioural uncertainty constrains autonomous action even when semantic evidence is maximal\. Generalisation caveats for AUC=1\.0=1\.0\.The perfect AUC on RDset is a consequence of the high structural separability of PE\-level attributes in the embedding space and should be interpreted with care\. RDset does not employ a family\-wise or temporal split: samples are divided at the binary level, so families present in the training set may also appear in the test set under different instances\. This creates the risk of structural similarity bias, whereby the model learns family\-specific artefacts rather than generalisable malicious patterns\. Accordingly, AUC=1\.0=1\.0on RDset characterises performance in a*saturated*semantic regime and is used here specifically to stress\-test the fusion and triage layers under minimal semantic uncertainty\. Generalisation to unseen ransomware families or temporally displaced deployments would require temporal or family\-wise splits, which we leave for future work with appropriately partitioned corpora\. ### 9\.1Generalisation Across Evaluation Splits To assess generalisation beyond the standard random\-stratified split, we evaluate Agentic SABRE across four complementary partitions of RanSMAP using 6 independent random seeds\. Table[2](https://arxiv.org/html/2607.04292#S9.T2)reports mean AUROC, AUPRC, and accuracy with standard deviations\. Figure[2](https://arxiv.org/html/2607.04292#S9.F2)visualises the seed\-level distributions\. Table 2:Generalisation performance across four evaluation splits \(mean±\\pmstd over 6 seeds\)\. Family holdout uses families unseen during training; hardware holdout uses unseen hardware configurations; temporal holdout separates by collection date\.Temporal and hardware holdout performance closely matches the random\-stratified baseline \(AUROC0\.9600\.960and0\.9390\.939respectively\), confirming that Agentic SABRE does not overfit to specific recording sessions or hardware configurations\. Family holdout reveals a meaningful generalisation gap \(AUROC0\.7070\.707\), consistent with the structural limitation noted in Section[13](https://arxiv.org/html/2607.04292#S13): the behavioural agent’s training families are absent from the test set, forcing detection to rely on general distributional signals rather than family\-specific telemetry patterns\. Crucially, the uncertainty mechanism responds correctly to this degraded regime—samples from unseen families exhibit elevatedσbeh\\sigma\_\{\\mathrm\{beh\}\}and are routed toESCALATErather thanAUTO\-CONTAIN, maintaining analyst oversight precisely where the model is least reliable\. Figure 2:Mean AUROC with 95% confidence intervals across 6 seeds for each evaluation split\. The family\-holdout split shows a clear generalisation gap, while temporal and hardware holdouts remain near random\-stratified performance\.The behavioural agent receives handcrafted statistical–temporal features𝐛i∈ℝ16\\mathbf\{b\}\_\{i\}\\in\\mathbb\{R\}^\{16\}and computes pbeh=fB\(𝐛\),p\_\{\\mathrm\{beh\}\}=f\_\{\\mathrm\{B\}\}\(\\mathbf\{b\}\),\(21\)resulting in accuracy0\.98720\.9872and AUC0\.60300\.6030\. The apparent discrepancy between high accuracy and modest AUC warrants explanation\. RanSMAP is highly class\-imbalanced: the majority of samples are benign, so a classifier that assigns low probabilities to almost all samples achieves high accuracy simply by following the prior\. AUC, however, measures the ability to*rank*malicious samples above benign ones regardless of threshold, and is therefore insensitive to class prior\. The relatively low AUC reflects the intrinsic difficulty of separating ransomware from benign I/O patterns in a high\-variance telemetry stream: malicious and benign distributions in the behavioural feature space exhibit overlapping entropy and access\-count statistics, particularly for polymorphic variants that mimic legitimate I/O behaviour\. Despite applying SMOTE for class re\-balancing, the agent’s posterior probabilities remain diffuse across the malicious class, producing a weak ranking signal\. This is precisely why the Behavioural Agent is not used as a standalone detector but as a*modulator*of epistemic uncertainty within the triage framework: its main role is to raiseσmax\\sigma\_\{\\max\}for borderline cases, routing them to human analysts rather than permitting overconfident autonomous containment\. Table[3](https://arxiv.org/html/2607.04292#S9.T3)summarises these base\-agent results\. Table 3:Performance of the individual agents prior to fusion\. ### 9\.2Fusion and Uncertainty\-Aware Triage Fusion operates on the score vector 𝐬=\(psem,pbeh,σsem,σbeh\),\\mathbf\{s\}=\\left\(p\_\{\\mathrm\{sem\}\},\\,p\_\{\\mathrm\{beh\}\},\\,\\sigma\_\{\\mathrm\{sem\}\},\\,\\sigma\_\{\\mathrm\{beh\}\}\\right\),\(22\)and produces a calibrated fused probability p^=f\(𝐬\),\\hat\{p\}=f\(\\mathbf\{s\}\),\(23\)wheref\(⋅\)f\(\\cdot\)denotes the CTGAN\-augmented multilayer perceptron\. The epistemic uncertainty is summarised through the maximal uncertainty across agents,σmax=max\(σsem,σbeh\)\\sigma\_\{\\max\}=\\max\(\\sigma\_\{\\mathrm\{sem\}\},\\sigma\_\{\\mathrm\{beh\}\}\), as defined in Eq\. \([3](https://arxiv.org/html/2607.04292#S4.E3)\), consistent with the triage mechanism introduced in Section[5](https://arxiv.org/html/2607.04292#S5)\. This aggregated uncertainty is the sole uncertainty signal passed to the orchestrator, maintaining the conservative max\-aggregation throughout inference\. The*safety\-optimal*triage configuration is obtained by maximising balanced accuracy over the decision rule and yields thresholds τ=0\.999999,κ=0\.458,\\displaystyle\\tau=0\.999999,\\qquad\\kappa=0\.458,\(24\)τhigh=0\.99,κlow=0\.229\.\\displaystyle\\tau\_\{\\mathrm\{high\}\}=0\.99,\\qquad\\kappa\_\{\\mathrm\{low\}\}=0\.229\.\(25\) These values imply that automatic containment requires extremely high fused riskp^\\hat\{p\}and sufficiently low uncertainty\. Threshold sensitivity and dataset specificity\.The valueτ=0\.999999\\tau=0\.999999appears extremely strict and naturally raises the question of whether the results are overly sensitive to this particular choice\. Several observations support the stability of this configuration\. First, both the safety\-optimal and low\-escalation policies yield near\-identical accuracy \(0\.99999 vs\. 0\.99999 on RDset; 0\.9406 vs\. 0\.9405 on RanSMAP\), demonstrating that headline performance is robust to the specific threshold pair selected\. Second,τ\\tauis dataset\-specific: the calibrated fused probabilities on RDset cluster tightly near 0 or 1 due to the high semantic separability, so a near\-unity threshold is needed to restrict the AUTO\-CONTAIN region to genuinely high\-confidence predictions and prevent overconfident containment\. On RanSMAP, where probabilities are more dispersed, a lower threshold would be appropriate\. This confirms thatτ\\taushould be recalibrated on held\-out data before deployment, using the objectiveJ\(τ,κ\)J\(\\tau,\\kappa\)in Eq\. \([12](https://arxiv.org/html/2607.04292#S6.E12)\) with an operationally appropriateλ\\lambda\. Third, the triage geometry is inherently stable: small perturbations toτ\\taushift the vertical boundary in the\(p^,σmax\)\(\\hat\{p\},\\sigma\_\{\\max\}\)plane \(Figure[6](https://arxiv.org/html/2607.04292#S9.F6)\) without qualitatively changing which samples fall into the AUTO\-CONTAIN vs\. ESCALATE regions, since the boundary neighbourhood is sparsely populated \(see Section[6](https://arxiv.org/html/2607.04292#S6)\)\. A second configuration, the*low\-escalation regime*, minimises escalation volume by solving the objectiveJ\(τ,κ\)J\(\\tau,\\kappa\)in Eq\. \([12](https://arxiv.org/html/2607.04292#S6.E12)\) withλ=0\.5\\lambda=0\.5\. Since the decision rule depends jointly onp^\\hat\{p\}andσmax\\sigma\_\{\\max\}, the optimisation landscape is non\-smooth, and the solution reflects a compromise between accuracy and operational cost\. Table[4](https://arxiv.org/html/2607.04292#S9.T4)reports the triage metrics across RDset and RanSMAP\. In RDset, the fused classifier achieves AUC1\.00001\.0000under both regimes, with at most one misclassification\. In contrast, RanSMAP remains uncertainty\-dominated due to the behavioural variance, resulting in an escalation\-heavy triage pattern that aligns with the telemetry characteristics\. Table 4:Fusion and triage performance under safety\-optimal and low\-escalation policies\. ### 9\.3Counterfactual Thresholdθ\\thetaand Behavioural Decision Boundary Throughout the explainability analysis, counterfactual perturbations target a*low\-risk decision threshold*θ∈\(0,0\.5\)\\theta\\in\(0,0\.5\)that defines the malicious\-to\-benign label flip in the behavioural agent\. Specifically,θ\\thetais the maximum probability at which the agent’s decision is considered “benign”; a counterfactual achieves a label flip whenpbeh\(𝐛~\)≤θp\_\{\\mathrm\{beh\}\}\(\\tilde\{\\mathbf\{b\}\}\)\\leq\\theta\(Eq\.[30](https://arxiv.org/html/2607.04292#S10.E30)\)\. We setθ=0\.49\\theta=0\.49, placing it just below the standard 0\.5 classification boundary to ensure a strict flip rather than a tie\. This value is fixed across all counterfactual experiments and is not optimised; it represents the tightest practically achievable flip threshold given the finite precision of the gradient\-based optimiser\. Sensitivity toθ\\thetais low: the100%100\\%flip success rate in Table[10](https://arxiv.org/html/2607.04292#S10.T10)holds acrossθ∈\[0\.40,0\.49\]\\theta\\in\[0\.40,0\.49\], confirming that the decision boundary is well\-separated from the borderline\-malicious score region\. ### 9\.4Fusion Calibration, Feature Sensitivity, and Policy Geometry Beyond aggregate performance metrics, we examine the internal behaviour of the fused decision mechanism through calibration analysis, feature sensitivity, and explicit policy geometry in risk–uncertainty space\. These diagnostics establish that Agentic SABRE not only achieves strong discrimination but also produces stable and interpretable decision signals suitable for operational triage\. ##### Behavioural feature sensitivity\. Figure[3](https://arxiv.org/html/2607.04292#S9.F3)reports permutation\-based importance for the behavioural agent, measured as the drop in AUC when individual telemetry features are randomly permuted\. Features related to memory access variance and entropy dispersion induce the largest degradation in performance, indicating that the behavioural agent relies primarily on irregularity patterns rather than raw activity volume\. This finding aligns with the counterfactual analysis in Section[10](https://arxiv.org/html/2607.04292#S10), where minimal behavioural perturbations concentrate along the same variance\-driven dimensions\. Figure 3:Permutation\-based feature importance for the behavioural agent, measured as the drop in AUC after permuting each feature independently\. Variance\- and entropy\-driven memory access statistics dominate, indicating that behavioural discrimination relies on irregularity patterns rather than raw activity volume\. ##### Calibration of fused risk scores\. To justify the use of the fused probabilityp^\\hat\{p\}as a meaningful risk estimate, we evaluate probabilistic calibration via reliability diagrams\. Figure[4](https://arxiv.org/html/2607.04292#S9.F4)compares the empirical fraction of positives to the predicted risk across bins\. The near\-diagonal alignment confirms that ℙ\(y=1∣p^=q\)≈q,\\mathbb\{P\}\(y=1\\mid\\hat\{p\}=q\)\\approx q,\(26\)demonstrating that the fusion model produces well\-calibrated probabilities\. This property is essential for downstream policy thresholds in Eqs\. \([9](https://arxiv.org/html/2607.04292#S6.E9)\) and \([10](https://arxiv.org/html/2607.04292#S6.E10)\), as it ensures thatp^\\hat\{p\}can be interpreted consistently across datasets\. Figure 4:Reliability diagram for the fused risk scorep^\\hat\{p\}\. The close alignment between predicted probabilities and empirical positive rates indicates strong calibration, validating the use ofp^\\hat\{p\}as a meaningful risk estimate for downstream triage decisions\. ##### ROC characteristics under fusion\. Figures[5\(a\)](https://arxiv.org/html/2607.04292#S9.F5.sf1)and[5\(b\)](https://arxiv.org/html/2607.04292#S9.F5.sf2)visualise the receiver operating characteristics on RanSMAP and RDset, respectively\. On RanSMAP, fusion substantially improves separability over the behavioural agent alone, transforming a weakly discriminative curve into a near\-optimal operating regime\. On RDset, where the semantic agent already saturates, fusion preserves perfect discrimination, confirming that the fusion mechanism does not degrade strong base learners\. \(a\)RanSMAP \(b\)RDset Figure 5:Receiver operating characteristic \(ROC\) curves comparing base agents and fusion\.Left:RanSMAP, where behavioural signals are weak and fusion substantially improves separability\.Right:RDset, where the semantic agent already saturates and fusion preserves optimal performance\. ##### Policy geometry in risk–uncertainty space\. Figure[6](https://arxiv.org/html/2607.04292#S9.F6)depicts the induced triage policy directly in the\(p^,σmax\)\(\\hat\{p\},\\sigma\_\{\\max\}\)plane\. The horizontal and vertical thresholds correspond exactly to the analytical rules defined in Eqs\. \([9](https://arxiv.org/html/2607.04292#S6.E9)\) and \([10](https://arxiv.org/html/2607.04292#S6.E10)\), partitioning the space intoALLOW,ESCALATE, andAUTO\-CONTAINregions\. Empirically, benign samples concentrate in the low\-risk, low\-uncertainty region, while malicious samples with elevated epistemic uncertainty are routed to escalation rather than automatic containment\. This geometric interpretation clarifies how uncertainty acts as a stabilising control variable rather than a secondary score\. Figure 6:Triage policy geometry in the\(p^,σmax\)\(\\hat\{p\},\\sigma\_\{\\max\}\)space\. Horizontal and vertical thresholds correspond to the analytical decision rules in Eqs\. \([9](https://arxiv.org/html/2607.04292#S6.E9)\) and \([10](https://arxiv.org/html/2607.04292#S6.E10)\), partitioning the space intoALLOW,ESCALATE, andAUTO\-CONTAINregions\. Uncertainty acts as a stabilising control variable, preventing overconfident automatic containment\.Collectively, these analyses demonstrate that the fused decision surface is not only performant but also calibrated, interpretable, and operationally meaningful\. The consistency between feature sensitivity, calibration behaviour, ROC geometry, and policy partitioning provides strong evidence that Agentic SABRE forms coherent decision regions aligned with both statistical and security\-driven objectives\. ### 9\.5Adversarial Robustness Under Behavioural Evasion Standard gradient\-based adversarial attacks \(FGSM, PGD\) on the behavioural agent require differentiating through the I/O simulator, which is non\-differentiable\. Instead, we evaluate robustness against three operationally realistic behavioural evasion strategies on RanSMAP: \(i\)slow\-encrypt, which reduces read LBA variance and memory access counts to mimic conservative I/O \(MITRE ATT&CK T1486\); \(ii\)memory\-mask, which suppresses memory entropy and GPA variance statistics; and \(iii\)full\-blend, which combines both\. Each attack is parameterised by an intensityα∈\[0,1\]\\alpha\\in\[0,1\], whereα=0\\alpha=0is the unperturbed baseline\. Table[5](https://arxiv.org/html/2607.04292#S9.T5)reports detection rate, escalation rate, and mean epistemic uncertainty across attack intensities\. At maximum slow\-encrypt intensity \(α=1\.0\\alpha=1\.0\), detection rate falls from0\.8790\.879to0\.8170\.817\(a7\.1%7\.1\\%drop\); memory masking reduces it to0\.8470\.847\. Critically, the triage mechanism responds adaptively: the escalation rate rises from0\.0880\.088to0\.1020\.102under full slow\-encrypt, confirming that the uncertainty signalσmax\\sigma\_\{\\max\}correctly identifies perturbed samples as ambiguous and routes them to human analysts rather than autonomous containment\. Figure[7](https://arxiv.org/html/2607.04292#S9.F7)shows the per\-family detection rate under slow\-encrypt atα=0\.5\\alpha=0\.5; WannaCry is most vulnerable \(0\.8090\.809\) owing to its already\-high baseline uncertainty \(σbeh=0\.091\\sigma\_\{\\mathrm\{beh\}\}=0\.091\), while Ryuk and Conti remain above0\.9500\.950\. Table 5:Behavioural agent robustness under adversarial evasion at attack intensitiesα∈\{0,0\.5,1\.0\}\\alpha\\in\\\{0,0\.5,1\.0\\\}\. Detection rate \(Det\.\), escalation rate \(Esc\.\), and mean MC Dropout uncertainty \(σ¯\\bar\{\\sigma\}\) are reported\.Figure 7:Per\-family detection rate under slow\-encrypt attack \(α=0\.5\\alpha=0\.5\) across six ransomware families\. WannaCry shows the greatest vulnerability, consistent with its elevated baseline uncertainty\. Error bars show 95% CI\. ## 10Explainability and Interpretation This section analyses the internal decision geometry of SABRE’s agents through gradient saliency, permutation importance, and counterfactual deformation, establishing that the learned representations are anchored to interpretable ransomware\-relevant features rather than spurious correlations\. We adopt counterfactual explanations as a core explainable AI mechanism, as they provide local, actionable explanations by revealing the minimal semantic or behavioural changes required to alter the model’s prediction\. While counterfactual norms provide insight into local decision geometry, they do not constitute worst\-case adversarial guarantees, a limitation discussed further in Section[13](https://arxiv.org/html/2607.04292#S13)\. ### 10\.1Explainability via Feature Perturbation and Counterfactual Analysis To understand how Agentic SABRE’s behavioural agent internalises ransomware evidence, we analyse local and global sensitivities through*permutation importance*and*counterfactual explanations*\. Let𝐛∈ℝdb\\mathbf\{b\}\\in\\mathbb\{R\}^\{d\_\{b\}\}denote the behavioural feature vector extracted from a telemetry window, and let pbeh\(𝐛\)∈\[0,1\]p\_\{\\mathrm\{beh\}\}\(\\mathbf\{b\}\)\\in\[0,1\]\(27\)be the behavioural agent’s predictive probability\. These mechanisms quantify how variations in𝐛\\mathbf\{b\}influence transitions across the decision boundary\. Permutation importance assesses the global structural effect of each feature\. IfAorigA\_\{\\text\{orig\}\}denotes the original accuracy andAjA\_\{j\}the accuracy after independently permuting thejjth feature across the dataset, its importance score is defined as Ij=Aorig−Aj,I\_\{j\}=A\_\{\\text\{orig\}\}\-A\_\{j\},\(28\) which measures how strongly featurebjb\_\{j\}contributes to maintaining discriminability\. Across both RDset and RanSMAP, the highest values ofIjI\_\{j\}correspond to dispersion\-based quantities such asread\_LBA\_variance,write\_LBA\_variance,mem\_read\_GPA\_variance, andmem\_write\_GPA\_variance, indicating that ransomware behaviour is characterised by irregular, spatially bursty access footprints\. To complement this global sensitivity, we study*local*model behaviour using counterfactual perturbations\. Given a sample𝐛\\mathbf\{b\}, we search for a minimally modified instance𝐛~\\tilde\{\\mathbf\{b\}\}within the bounded neighbourhood 𝒩ϵ\(𝐛\)=\{𝐛~∈ℝdb:‖𝐛~−𝐛‖2≤ϵ\}\\mathcal\{N\}\_\{\\epsilon\}\(\\mathbf\{b\}\)=\\left\\\{\\tilde\{\\mathbf\{b\}\}\\in\\mathbb\{R\}^\{d\_\{b\}\}:\\\|\\tilde\{\\mathbf\{b\}\}\-\\mathbf\{b\}\\\|\_\{2\}\\leq\\epsilon\\right\\\}\(29\)that flips the behavioural decision by satisfying pbeh\(𝐛~\)≤θ,p\_\{\\mathrm\{beh\}\}\(\\tilde\{\\mathbf\{b\}\}\)\\leq\\theta,\(30\)whereθ\\thetais a predefined low\-risk threshold\. Among all candidates satisfying \([30](https://arxiv.org/html/2607.04292#S10.E30)\), we select the counterfactual achieving the minimal perturbation Δ⋆=argmin𝐛~∈𝒩ϵ\(𝐛\)‖𝐛~−𝐛‖2\.\\Delta^\{\\star\}=\\arg\\min\_\{\\tilde\{\\mathbf\{b\}\}\\in\\mathcal\{N\}\_\{\\epsilon\}\(\\mathbf\{b\}\)\}\\\|\\tilde\{\\mathbf\{b\}\}\-\\mathbf\{b\}\\\|\_\{2\}\.\(31\)Equation \([31](https://arxiv.org/html/2607.04292#S10.E31)\) formalises the notion of a minimally modified behavioural vector that crosses the decision boundary and thus explains which coordinates of𝐛\\mathbf\{b\}dominate the model’s local geometry\. To describe the resulting shifts in a scale\-invariant way, we define the relative perturbation for featurejjas δj=b~j−bjbj×100%,\\delta\_\{j\}=\\frac\{\\tilde\{b\}\_\{j\}\-b\_\{j\}\}\{b\_\{j\}\}\\times 100\\%,\(32\)which quantifies the directional influence of counterfactual movement\. According to Equation \([32](https://arxiv.org/html/2607.04292#S10.E32)\), the counterfactuals consistently demonstrate that only small*relative*changes to LBA and GPA variance features are required to reduce high\-risk behavioural scores, even when raw magnitudes differ by several orders of magnitude\. This behaviour aligns with the global picture encoded by Equation \([28](https://arxiv.org/html/2607.04292#S10.E28)\), confirming that dispersion\-based statistics define the principal axes of behavioural separability\. Table[6](https://arxiv.org/html/2607.04292#S10.T6)summarises three representative counterfactual transitions by reporting original and counterfactual scores, the normalised perturbation magnitude, and the most affected features expressed via the relative changes defined in Equation \([32](https://arxiv.org/html/2607.04292#S10.E32)\)\. Table 6:Representative behavioural counterfactuals generated using the minimal\-perturbation formulation in Equation \([31](https://arxiv.org/html/2607.04292#S10.E31)\)\. Relative changes are computed using Equation \([32](https://arxiv.org/html/2607.04292#S10.E32)\)\.The coherence between global permutation importance in Equation \([28](https://arxiv.org/html/2607.04292#S10.E28)\) and local counterfactual shifts in Equation \([31](https://arxiv.org/html/2607.04292#S10.E31)\) shows that the behavioural agent is not exploiting spurious correlations\. Instead, it relies on meaningful signals grounded in the spatial dispersion of memory and storage activity\. These findings indicate that the behavioural component of Agentic\-SABRE forms decision boundaries aligned with interpretable operational characteristics of ransomware behaviour\. ### 10\.2Semantic Explainability via Embedding Sensitivity and Counterfactual Deformation The semantic agent operates on a dense embedding𝐳∈ℝds\\mathbf\{z\}\\in\\mathbb\{R\}^\{d\_\{s\}\}derived from structured metadata and PE\-header attributes\. Its probabilistic output is defined as psem\(𝐳\)∈\[0,1\],p\_\{\\mathrm\{sem\}\}\(\\mathbf\{z\}\)\\in\[0,1\],\(33\)which mirrors the behavioural score in Equation \([27](https://arxiv.org/html/2607.04292#S10.E27)\)\. To characterise the internal geometry of this classifier, we analyse local sensitivity, global embedding dependence, and minimal counterfactual deformations directly in latent space\. ##### Gradient\-based semantic sensitivity\. Local semantic sensitivity is quantified through gradient saliency, defined for each embedding coordinate as gj=\|∂psem\(𝐳\)∂zj\|\.g\_\{j\}=\\left\|\\frac\{\\partial p\_\{\\mathrm\{sem\}\}\(\\mathbf\{z\}\)\}\{\\partial z\_\{j\}\}\\right\|\.\(34\)Equation \([34](https://arxiv.org/html/2607.04292#S10.E34)\) measures the infinitesimal influence of latent dimensionjjon the semantic decision boundary\. Empirically, high\-magnitude gradients concentrate in embedding directions associated with entropy\-derived section statistics, import\-table irregularities, and anomalous structural metadata, indicating that the semantic agent encodes interpretable PE\-level cues rather than relying on diffuse latent correlations\. ##### Permutation importance in embedding space\. While gradient saliency captures local sensitivity, global semantic reliance is evaluated through permutation importance\. LetAorigA\_\{\\mathrm\{orig\}\}denote the baseline semantic accuracy andAjA\_\{j\}the accuracy obtained after independently permuting latent coordinatejjacross the evaluation set\. The semantic permutation score is defined as Ijsem=Aorig−Aj,I^\{\\mathrm\{sem\}\}\_\{j\}=A\_\{\\mathrm\{orig\}\}\-A\_\{j\},\(35\)which directly parallels the behavioural permutation measure in Equation \([28](https://arxiv.org/html/2607.04292#S10.E28)\)\. The largest values ofIjsemI^\{\\mathrm\{sem\}\}\_\{j\}arise from embedding components linked to dynamic linking artefacts, section misalignment, and abnormal import usage, consistent with known ransomware packing and obfuscation strategies\. Importantly, dimensions with high permutation impact also exhibit large gradient magnitudes in Equation \([34](https://arxiv.org/html/2607.04292#S10.E34)\), suggesting alignment between local sensitivity and global semantic dependence\. ##### Semantic counterfactual deformation\. To probe local interpretability, we construct semantic counterfactuals that minimally perturb the embedding while enforcing a semantic label flip\. Given an original embedding𝐳0\\mathbf\{z\}\_\{0\}, we seek a counterfactual𝐳cf\\mathbf\{z\}\_\{\\mathrm\{cf\}\}satisfying psem\(𝐳cf\)≤θsem,p\_\{\\mathrm\{sem\}\}\(\\mathbf\{z\}\_\{\\mathrm\{cf\}\}\)\\leq\\theta\_\{\\mathrm\{sem\}\},\(36\)whereθsem\\theta\_\{\\mathrm\{sem\}\}is a low\-risk decision threshold\. The counterfactual is obtained by solving 𝐳cf=argmin𝐳\(max\(0,logit\(𝐳\)−logit\(θsem\)\)\)2\+λ∥𝐳−𝐳0∥22,\\mathbf\{z\}\_\{\\mathrm\{cf\}\}=\\arg\\min\_\{\\mathbf\{z\}\}\\Big\(\\max\\\!\\big\(0,\\mathrm\{logit\}\(\\mathbf\{z\}\)\-\\mathrm\{logit\}\(\\theta\_\{\\mathrm\{sem\}\}\)\\big\)\\Big\)^\{2\}\+\\lambda\\lVert\\mathbf\{z\}\-\\mathbf\{z\}\_\{0\}\\rVert\_\{2\}^\{2\},\(37\)where logit\(𝐳\)=log\(psem\(𝐳\)1−psem\(𝐳\)\)\.\\mathrm\{logit\}\(\\mathbf\{z\}\)=\\log\\\!\\left\(\\frac\{p\_\{\\mathrm\{sem\}\}\(\\mathbf\{z\}\)\}\{1\-p\_\{\\mathrm\{sem\}\}\(\\mathbf\{z\}\)\}\\right\)\.\(38\)Equation \([37](https://arxiv.org/html/2607.04292#S10.E37)\) enforces a minimal deformation while avoiding probability saturation effects, and the optimisation is further constrained to a trust region∥𝐳cf−𝐳0∥2≤ϵ\\lVert\\mathbf\{z\}\_\{\\mathrm\{cf\}\}\-\\mathbf\{z\}\_\{0\}\\rVert\_\{2\}\\leq\\epsilon\. To interpret semantic displacement at the coordinate level, we define the normalised counterfactual change δjsem=zcf,j−z0,j∥𝐳0∥2\+ε,\\delta^\{\\mathrm\{sem\}\}\_\{j\}=\\frac\{z\_\{\\mathrm\{cf\},j\}\-z\_\{0,j\}\}\{\\lVert\\mathbf\{z\}\_\{0\}\\rVert\_\{2\}\+\\varepsilon\},\(39\)which mirrors the behavioural formulation in Equation \([32](https://arxiv.org/html/2607.04292#S10.E32)\) while remaining well\-conditioned in high\-dimensional embedding space\. ##### Geometric consistency across explainability views\. AcrossN=50N=50borderline\-malicious samples, semantic counterfactuals consistently achieve label flips with small perturbations, as visualised in Figure[8](https://arxiv.org/html/2607.04292#S10.F8)\. The empirical distribution of∥Δ𝐳∥2\\lVert\\Delta\\mathbf\{z\}\\rVert\_\{2\}exhibits a mean of3\.273\.27with low variance \(Table[10](https://arxiv.org/html/2607.04292#S10.T10)\), and a100%100\\%flip success rate toθsem=0\.49\\theta\_\{\\mathrm\{sem\}\}=0\.49\. Crucially, the embedding dimensions most frequently perturbed under Equation \([39](https://arxiv.org/html/2607.04292#S10.E39)\) coincide with those identified by high gradient saliency \(Equation \([34](https://arxiv.org/html/2607.04292#S10.E34)\)\) and large permutation impact \(Equation \([35](https://arxiv.org/html/2607.04292#S10.E35)\)\), yielding a coherent geometric interpretation\. This alignment indicates that the semantic agent forms decision boundaries structured around interpretable PE\-level semantics rather than arbitrary latent correlations, thereby validating both the robustness and explainability of the learned embedding geometry\. Δsem⋆=argmin𝐳~∈𝒩ϵ\(𝐳\)‖𝐳~−𝐳‖2,\\Delta^\{\\star\}\_\{\\mathrm\{sem\}\}=\\arg\\min\_\{\\tilde\{\\mathbf\{z\}\}\\in\\mathcal\{N\}\_\{\\epsilon\}\(\\mathbf\{z\}\)\}\\\|\\tilde\{\\mathbf\{z\}\}\-\\mathbf\{z\}\\\|\_\{2\},\(40\) Table 7:Representative semantic counterfactual shifts generated via the minimal\-deformation objective in Equation \([40](https://arxiv.org/html/2607.04292#S10.E40)\)\. Latent directions with the largest impact correspond to PE structural irregularities and entropy\-driven embedding dimensions\.Table 8:Semantic counterfactual flips for the Semantic Agent\. Each counterfactual embeddingzcfz\_\{\\mathrm\{cf\}\}is optimised to cross a low\-risk target boundary while remaining close to the original embeddingz0z\_\{0\}\.Table 9:Most frequently perturbed embedding dimensions across semantic counterfactuals\. “Count in Top\-8” reports how often the dimension appears among the highest\-magnitude normalised changesδsem\\delta\_\{\\mathrm\{sem\}\}per sample\.Δz=zcf−z0,∥Δz∥2=∑j=1D\(Δzj\)2,\\Delta z=z\_\{\\mathrm\{cf\}\}\-z\_\{0\},\\qquad\\lVert\\Delta z\\rVert\_\{2\}=\\sqrt\{\\sum\_\{j=1\}^\{D\}\(\\Delta z\_\{j\}\)^\{2\}\},\(41\) Figure 8:Semantic counterfactual diagnostics forN=50N=50borderline\-malicious samples\. \(Top\-left\) Distribution of counterfactual distance‖Δz‖2\\\|\\Delta z\\\|\_\{2\}\. \(Top\-right\) Distribution of relative distance‖Δz‖2/‖z‖2\\\|\\Delta z\\\|\_\{2\}/\\\|z\\\|\_\{2\}\. \(Bottom\-left\) Relationship between original semantic scorepsemp\_\{\\mathrm\{sem\}\}and‖Δz‖2\\\|\\Delta z\\\|\_\{2\}\. \(Bottom\-right\) Optimisation steps required to reach the targetθ=0\.49\\theta=0\.49\.Table 10:Summary statistics for semantic counterfactual perturbations overN=50N=50borderline\-malicious samples\. #### Semantic–Behavioural Alignment in the Fusion Space The fusion agent integrates the behavioural and semantic agents by combining their respective latent representations prior to final risk estimation\. Let𝐡beh∈ℝdb\\mathbf\{h\}\_\{\\mathrm\{beh\}\}\\in\\mathbb\{R\}^\{d\_\{b\}\}denote the behavioural latent vector and𝐳sem∈ℝds\\mathbf\{z\}\_\{\\mathrm\{sem\}\}\\in\\mathbb\{R\}^\{d\_\{s\}\}the semantic embedding analysed in Section §[10\.2](https://arxiv.org/html/2607.04292#S10.SS2)\. The fused representation is defined as 𝐮=\[𝐡beh∥𝐳sem\]∈ℝdb\+ds,\\mathbf\{u\}=\\big\[\\mathbf\{h\}\_\{\\mathrm\{beh\}\}\\;\\\|\\;\\mathbf\{z\}\_\{\\mathrm\{sem\}\}\\big\]\\in\\mathbb\{R\}^\{d\_\{b\}\+d\_\{s\}\},\(42\)where∥\\\|\\,denotes vector concatenation\. The fusion agent produces a final prediction pfus\(𝐮\)∈\[0,1\],p\_\{\\mathrm\{fus\}\}\(\\mathbf\{u\}\)\\in\[0,1\],\(43\)which represents the joint assessment of dynamic behaviour and static semantic structure\. ##### Consistency of salient directions across modalities\. The semantic analysis in Equations \([34](https://arxiv.org/html/2607.04292#S10.E34)\)–\([39](https://arxiv.org/html/2607.04292#S10.E39)\) revealed that a small subset of embedding dimensions dominates both local sensitivity and global importance\. Analogously, behavioural counterfactuals derived in Equation \([31](https://arxiv.org/html/2607.04292#S10.E31)\) identified a low\-dimensional set of behavioural features responsible for label transitions\. In the fusion space defined by Equation \([42](https://arxiv.org/html/2607.04292#S10.E42)\), these directions are not obscured; rather, they remain separable and additive\. Empirically, perturbations along semantic counterfactual directionsΔ𝐳sem\\Delta\\mathbf\{z\}\_\{\\mathrm\{sem\}\}preserve their effect onpfus\(𝐮\)p\_\{\\mathrm\{fus\}\}\(\\mathbf\{u\}\)even when behavioural features are held fixed, and vice versa\. This indicates that the fusion agent does not collapse modality\-specific explanations into a single entangled representation, but instead maintains interpretable axes corresponding to each agent\. ##### Fusion\-level counterfactual alignment\. To formalise this observation, consider a fused counterfactual𝐮cf=\[𝐡beh\+Δ𝐡beh∥𝐳sem\+Δ𝐳sem\]\\mathbf\{u\}\_\{\\mathrm\{cf\}\}=\[\\mathbf\{h\}\_\{\\mathrm\{beh\}\}\+\\Delta\\mathbf\{h\}\_\{\\mathrm\{beh\}\}\\;\\\|\\;\\mathbf\{z\}\_\{\\mathrm\{sem\}\}\+\\Delta\\mathbf\{z\}\_\{\\mathrm\{sem\}\}\]that satisfies pfus\(𝐮cf\)≤θfus,p\_\{\\mathrm\{fus\}\}\(\\mathbf\{u\}\_\{\\mathrm\{cf\}\}\)\\leq\\theta\_\{\\mathrm\{fus\}\},\(44\)for a low\-risk fusion thresholdθfus\\theta\_\{\\mathrm\{fus\}\}\. In practice, we observe that fusion\-level counterfactuals can be decomposed into approximately independent contributions from behavioural and semantic subspaces, i\.e\., ∥Δ𝐮∥22≈∥Δ𝐡beh∥22\+∥Δ𝐳sem∥22,\\lVert\\Delta\\mathbf\{u\}\\rVert\_\{2\}^\{2\}\\approx\\lVert\\Delta\\mathbf\{h\}\_\{\\mathrm\{beh\}\}\\rVert\_\{2\}^\{2\}\+\\lVert\\Delta\\mathbf\{z\}\_\{\\mathrm\{sem\}\}\\rVert\_\{2\}^\{2\},\(45\)indicating near\-orthogonality between the dominant counterfactual directions of the two modalities\. ##### Geometric interpretation of fusion robustness\. The alignment between semantic and behavioural explanations implies that the fusion agent learns a decision surface that is locally well\-conditioned in both subspaces\. Semantic counterfactuals characterised by small∥Δ𝐳sem∥2\\lVert\\Delta\\mathbf\{z\}\_\{\\mathrm\{sem\}\}\\rVert\_\{2\}remain effective in the fused model, while behavioural counterfactuals preserve their influence independently\. This property explains the empirical robustness of the fusion agent: a malicious sample must simultaneously evade both behavioural dynamics and semantic structural cues in order to cross the fused decision boundary\. ##### Implications for adversarial resistance and interpretability\. From a security perspective, the near\-additive structure in Equation \([45](https://arxiv.org/html/2607.04292#S10.E45)\) substantially raises the adversarial cost of evasion\. Attackers must enact coordinated changes across dynamic execution traces and static binary structure, which is significantly more difficult than manipulating either modality in isolation\. From an interpretability standpoint, the preservation of salient semantic directions through fusion ensures that explanations derived at the agent level remain valid at the system level\. Consequently, the fusion architecture is not merely a performance enhancement, but a structurally justified design that enforces complementary, interpretable, and robust decision\-making across modalities\. #### Adversarial Cost Analysis via Counterfactual Norms Beyond interpretability, counterfactual perturbations provide a quantitative measure of adversarial effort\. For each agent, the minimal counterfactual norm represents the smallest deformation required to cross the decision boundary\. In the semantic space, this cost is given by 𝒞sem\(𝐳\)=∥Δ𝐳∥2,\\mathcal\{C\}\_\{\\mathrm\{sem\}\}\(\\mathbf\{z\}\)=\\lVert\\Delta\\mathbf\{z\}\\rVert\_\{2\},\(46\)whereΔ𝐳\\Delta\\mathbf\{z\}is defined in Equation \([41](https://arxiv.org/html/2607.04292#S10.E41)\)\. Analogously, behavioural adversarial cost is measured by𝒞beh\(𝐱\)=∥Δ𝐱∥2\\mathcal\{C\}\_\{\\mathrm\{beh\}\}\(\\mathbf\{x\}\)=\\lVert\\Delta\\mathbf\{x\}\\rVert\_\{2\}as derived in Section §[10\.1](https://arxiv.org/html/2607.04292#S10.SS1)\. For the fusion agent, adversarial success requires simultaneous satisfaction of the fusion constraint in Equation \([44](https://arxiv.org/html/2607.04292#S10.E44)\)\. Under the near\-orthogonality observed in Equation \([45](https://arxiv.org/html/2607.04292#S10.E45)\), the fusion\-level cost satisfies 𝒞fus2≳𝒞sem2\+𝒞beh2,\\mathcal\{C\}\_\{\\mathrm\{fus\}\}^\{2\}\\gtrsim\\mathcal\{C\}\_\{\\mathrm\{sem\}\}^\{2\}\+\\mathcal\{C\}\_\{\\mathrm\{beh\}\}^\{2\},\(47\)implying a super\-additive adversarial burden\. Empirically, semantic counterfactuals overN=50N=50borderline\-malicious samples yield𝔼\[𝒞sem\]=3\.27\\mathbb\{E\}\[\\mathcal\{C\}\_\{\\mathrm\{sem\}\}\]=3\.27with low variance \(Table[10](https://arxiv.org/html/2607.04292#S10.T10)\), while behavioural counterfactuals exhibit a comparable non\-trivial cost\. The fusion agent therefore enforces a compounded adversarial requirement: perturbations that are sufficient to evade one modality are generally insufficient to evade the fused decision\. This establishes a principled robustness advantage rooted in the geometry of the latent spaces rather than in heuristic thresholding\. Translation of counterfactual costs to real\-world executable constraints\.The counterfactual norms𝒞beh\\mathcal\{C\}\_\{\\mathrm\{beh\}\}and𝒞sem\\mathcal\{C\}\_\{\\mathrm\{sem\}\}operate in the continuous relaxation of the feature space and must be interpreted in light of the discrete constraints imposed by real malware executables\. For the*behavioural agent*, the most perturbed dimensions are LBA and GPA variance statistics \(Table[6](https://arxiv.org/html/2607.04292#S10.T6)\)\. Changing these values in a real ransomware binary requires altering the actual I/O access pattern—e\.g\., replacing bursty sector\-sequential writes with randomised access—which directly conflicts with the ransomware’s encryption strategy \(MITRE ATT&CK T1486: Data Encrypted for Impact\)\. An adversary who reduces behavioural I/O variance sufficiently to crossθ\\thetawould thereby degrade encryption throughput, creating a practical trade\-off between evasion and payload functionality\. For the*semantic agent*, the perturbed embedding dimensions correspond to PE structural features—import table structure, section entropy, and resource field layout \(Table[9](https://arxiv.org/html/2607.04292#S10.T9)\)\. Altering these requires modifying the binary’s PE header, which must remain valid for the OS loader\. Standard PE obfuscation tools \(e\.g\., section renaming, import hiding via load\-time resolution\) can shift embedding coordinates, but they operate under format constraints \(valid Magic bytes, consistent SizeOfCode fields\) that bound the feasible deformation to a subset of the continuous neighbourhood𝒩ϵ\(𝐳\)\\mathcal\{N\}\_\{\\epsilon\}\(\\mathbf\{z\}\)\. The reported𝔼\[𝒞sem\]=3\.27\\mathbb\{E\}\[\\mathcal\{C\}\_\{\\mathrm\{sem\}\}\]=3\.27therefore represents a lower bound on the real\-world adversarial effort; the true cost, under PE validity constraints, is higher\. #### Failure Modes and Practical Limits While counterfactual analysis demonstrates strong local robustness, certain failure modes remain theoretically possible\. First, the trust\-region constrained optimisation in Equation \([37](https://arxiv.org/html/2607.04292#S10.E37)\) ensures minimal semantic deformation, but does not guarantee semantic validity under extreme distribution shift\. An adversary capable of synthesising embeddings that remain statistically plausible while violating real\-world PE constraints could, in principle, reduce the effective counterfactual cost\. Second, the observed near\-orthogonality between semantic and behavioural counterfactual directions holds locally\. In highly non\-linear regions of the fusion space, adversarial perturbations that exploit higher\-order interactions between modalities may partially circumvent the additive cost structure in Equation \([47](https://arxiv.org/html/2607.04292#S10.E47)\)\. Such attacks, however, require coordinated manipulation of both execution behaviour and binary structure, significantly increasing implementation complexity\. Finally, counterfactual norms quantify minimal effort under continuous relaxation of the input space\. Discrete constraints imposed by executable formats, operating\-system semantics, and runtime dependencies further restrict feasible adversarial transformations\. As a result, the reported counterfactual costs should be interpreted as lower bounds on real\-world adversarial effort rather than exact attack recipes\. ## 11Ablation Studies This section isolates the contribution of individual architectural components—CTGAN augmentation, uncertainty inputs, and modality contributions—by systematically removing each element and measuring the resulting performance degradation\. The influence of the CTGAN augmentation is quantified by removing it from the fusion stage\. If the empirical score distribution is denoted by𝒟𝐬\\mathcal\{D\}\_\{\\mathbf\{s\}\}, CTGAN learns a generator such that 𝒟~𝐬≈p\(𝐬∣y\),\\tilde\{\\mathcal\{D\}\}\_\{\\mathbf\{s\}\}\\approx p\(\\mathbf\{s\}\\mid y\),\(48\)producing synthetic samples that expand the score manifold\. Removing CTGAN reduces the RanSMAP AUC from0\.5400\.540to0\.5140\.514, indicating that density enrichment of𝐬\\mathbf\{s\}contributes to more robust decision boundaries\. Removing uncertainty inputs forces the fusion model to depend only on 𝐬′=\(psem,pbeh\),\\mathbf\{s\}^\{\\prime\}=\(p\_\{\\mathrm\{sem\}\},p\_\{\\mathrm\{beh\}\}\),\(49\)which eliminates Eq\. \([3](https://arxiv.org/html/2607.04292#S4.E3)\) from the decision mechanism\. As a consequence, the number of false negatives increases sharply, since the classifier can no longer separate high\-risk but uncertain samples from high\-risk confident ones\. Finally, replacing the trained fusion MLP with the naive score mean, p^mean=12\(psem\+pbeh\),\\hat\{p\}\_\{\\mathrm\{mean\}\}=\\tfrac\{1\}\{2\}\\bigl\(p\_\{\\mathrm\{sem\}\}\+p\_\{\\mathrm\{beh\}\}\\bigr\),\(50\)performs significantly worse on RanSMAP due to the weak correlation ofpbehp\_\{\\mathrm\{beh\}\}with ground truth\. A summary of these results is shown in Tables[11](https://arxiv.org/html/2607.04292#S11.T11)and[12](https://arxiv.org/html/2607.04292#S11.T12)\. Table 11:Ablation of fusion strategies\.Table 12:Effect of removing uncertainty terms on triage performance\.### 11\.1Ablation Analysis of Modal Contributions To isolate the contribution of each agent to robustness and explainability, we conduct a conceptual ablation analysis in the fusion space\. Letpfus\(𝐡beh,𝐳sem\)p\_\{\\mathrm\{fus\}\}\(\\mathbf\{h\}\_\{\\mathrm\{beh\}\},\\mathbf\{z\}\_\{\\mathrm\{sem\}\}\)denote the full fusion prediction\. We consider two restricted settings: pfus\(−sem\)\\displaystyle p\_\{\\mathrm\{fus\}\}^\{\(\-\\mathrm\{sem\}\)\}=pfus\(𝐡beh,𝟎\),\\displaystyle=p\_\{\\mathrm\{fus\}\}\(\\mathbf\{h\}\_\{\\mathrm\{beh\}\},\\mathbf\{0\}\),\(51\)pfus\(−beh\)\\displaystyle p\_\{\\mathrm\{fus\}\}^\{\(\-\\mathrm\{beh\}\)\}=pfus\(𝟎,𝐳sem\)\.\\displaystyle=p\_\{\\mathrm\{fus\}\}\(\\mathbf\{0\},\\mathbf\{z\}\_\{\\mathrm\{sem\}\}\)\.\(52\) In the absence of semantic information, behavioural counterfactual norms decrease, indicating that certain evasive trajectories become feasible through execution\-only manipulations\. Conversely, removing behavioural input reduces the counterfactual cost associated with static embedding deformations, enabling purely structural evasion strategies\. Neither ablated configuration preserves the super\-additive adversarial cost observed in Equation \([47](https://arxiv.org/html/2607.04292#S10.E47)\)\. Importantly, ablation also degrades interpretability consistency\. Salient semantic dimensions identified via gradient sensitivity and permutation importance \(Equations \([34](https://arxiv.org/html/2607.04292#S10.E34)\)–\([35](https://arxiv.org/html/2607.04292#S10.E35)\)\) lose explanatory power when behavioural context is removed, and vice versa\. This confirms that robustness and interpretability are jointly maximised only when both modalities are present, validating the architectural necessity of the fusion design\. ## 12Discussion This section interprets the experimental results in terms of the distributional asymmetry between the two feature spaces, discusses the role of uncertainty in balancing automation and analyst workload, and addresses the computational overhead of the proposed approach\. The experiments highlight a marked asymmetry between the discriminative structures of the semantic and behavioural feature spaces\. Let the class\-conditioned distributions in semantic space bep\(𝐳∣y\)p\(\\mathbf\{z\}\\mid y\)\. Their separation can be quantified using the Wasserstein\-2 distance dsem=W2\(p\(𝐳∣y=1\),p\(𝐳∣y=0\)\),d\_\{\\mathrm\{sem\}\}=\\mathrm\{W\}\_\{2\}\\\!\\left\(p\(\\mathbf\{z\}\\mid y=1\),\\,p\(\\mathbf\{z\}\\mid y=0\)\\right\),\(53\)and likewise for behavioural data, dbeh=W2\(p\(𝐛∣y=1\),p\(𝐛∣y=0\)\)\.d\_\{\\mathrm\{beh\}\}=\\mathrm\{W\}\_\{2\}\\\!\\left\(p\(\\mathbf\{b\}\\mid y=1\),\\,p\(\\mathbf\{b\}\\mid y=0\)\\right\)\.\(54\)The empirical results strongly suggest thatdsem≫dbehd\_\{\\mathrm\{sem\}\}\\gg d\_\{\\mathrm\{beh\}\}, explaining why semantic predictions cluster near\{0,1\}\\\{0,1\\\}while behavioural predictions exhibit broad dispersion\. The fusion model exploits this asymmetry by treating the semantic component as a strong positive signal whenever uncertainty is low and treating the behavioural component primarily as a modulator ofσmax\\sigma\_\{\\max\}\. The decision rule therefore becomes highly sensitive to the joint geometry of the fused probabilityp^\\hat\{p\}in Eq\. \([23](https://arxiv.org/html/2607.04292#S9.E23)\) and the maximal uncertainty in Eq\. \([3](https://arxiv.org/html/2607.04292#S4.E3)\)\. Samples withp^≥τhigh\\hat\{p\}\\geq\\tau\_\{\\mathrm\{high\}\}andσmax≤κlow\\sigma\_\{\\max\}\\leq\\kappa\_\{\\mathrm\{low\}\}fall into the autonomous containment region, whereas samples withp^<τ\\hat\{p\}<\\tauandσmax≤κ\\sigma\_\{\\max\}\\leq\\kappaare typically allowed\. Intermediate samples reside within the escalation region, which reflects deliberate conservatism in the presence of behavioural ambiguity\. ### Computational Complexity and Runtime Performance ##### Training complexity of CNN agents\. Each CNN agent employs a 1D convolutional architecture of depthL=3L=3, kernel sizeK=3K=3, andC=64C=64filters per layer\. For a training set ofNNsamples, a single forward pass through agenta∈\{sem,beh\}a\\in\\\{\\mathrm\{sem\},\\mathrm\{beh\}\\\}incurs 𝒪\(N⋅∑ℓ=1LK⋅Cℓ−1⋅Cℓ\),\\mathcal\{O\}\\\!\\left\(N\\cdot\\sum\_\{\\ell=1\}^\{L\}K\\cdot C\_\{\\ell\-1\}\\cdot C\_\{\\ell\}\\right\),\(55\)whereC0C\_\{0\}is the input dimension \(C0=384C\_\{0\}=384for the Semantic Agent on positional\-embedding vectors;C0=16C\_\{0\}=16for the Behavioural Agent on telemetry features\) andCℓ=C=64C\_\{\\ell\}=C=64forℓ≥1\\ell\\geq 1\. OverEEtraining epochs, the per\-agent cost is𝒪\(E⋅N⋅L⋅K⋅C2\)\\mathcal\{O\}\(E\\cdot N\\cdot L\\cdot K\\cdot C^\{2\}\), linear in bothNNandEE, and the combined cost for both agents is𝒪\(2ENLKC2\)\\mathcal\{O\}\(2ENLKC^\{2\}\)\. ##### Monte Carlo Dropout score generation\. Each agent executesTTstochastic forward passes \(dropout active\) to obtain the pair\(p¯a,σa\)\(\\bar\{p\}\_\{a\},\\sigma\_\{a\}\)as defined in Algorithm[2](https://arxiv.org/html/2607.04292#alg2)\. The per\-sample MC Dropout cost is𝒪\(T⋅L⋅K⋅C2\)\\mathcal\{O\}\(T\\cdot L\\cdot K\\cdot C^\{2\}\), so generating scores across the full training set costs𝒪\(2TNLKC2\)\\mathcal\{O\}\(2TNLKC^\{2\}\)for both agents combined\. WithT=30T=30, each agent requires approximately22–55ms per stochastic pass on CPU, yielding an MC estimate in≈60\\approx 60–150150ms per agent\. ##### CTGAN augmentation\. Score\-space augmentation via CTGAN \(Eq\. \([48](https://arxiv.org/html/2607.04292#S11.E48)\)\) trains a generatorGGwithnGn\_\{G\}layers \(widthsg1,…,gnGg\_\{1\},\\ldots,g\_\{n\_\{G\}\}\) and a discriminatorDDwithnDn\_\{D\}layers \(widthsd1,…,dnDd\_\{1\},\\ldots,d\_\{n\_\{D\}\}\) overNsN\_\{s\}real score vectors𝐬∈ℝ2\\mathbf\{s\}\\in\\mathbb\{R\}^\{2\}\. The training complexity overECTGANE\_\{\\mathrm\{CTGAN\}\}epochs is 𝒪\(ECTGAN⋅Ns⋅\[∑igigi\+1\+∑jdjdj\+1\]\)\.\\mathcal\{O\}\\\!\\left\(E\_\{\\mathrm\{CTGAN\}\}\\cdot N\_\{s\}\\cdot\\Bigl\[\\textstyle\\sum\_\{i\}g\_\{i\}g\_\{i\+1\}\+\\sum\_\{j\}d\_\{j\}d\_\{j\+1\}\\Bigr\]\\right\)\.\(56\)Because the score matrix is far smaller than the raw feature matrices, CTGAN fitting is tractable; empirically,ECTGAN=200E\_\{\\mathrm\{CTGAN\}\}=200completes in≈5\\approx 5–1010min on CPU\. The augmented dataset𝒟aug\\mathcal\{D\}\_\{\\mathrm\{aug\}\}of sizeNaugN\_\{\\mathrm\{aug\}\}is produced with an additional𝒪\(Naug⋅∑igigi\+1\)\\mathcal\{O\}\(N\_\{\\mathrm\{aug\}\}\\cdot\\sum\_\{i\}g\_\{i\}g\_\{i\+1\}\)generation cost\. ##### Decision Agent MLP training\. The Decision Agent \(Eq\. \([2](https://arxiv.org/html/2607.04292#S4.E2)\)\) maps the full score vector𝐯=\[p¯sem,p¯beh,σsem,σbeh\]∈ℝ4\\mathbf\{v\}=\[\\bar\{p\}\_\{\\mathrm\{sem\}\},\\bar\{p\}\_\{\\mathrm\{beh\}\},\\sigma\_\{\\mathrm\{sem\}\},\\sigma\_\{\\mathrm\{beh\}\}\]\\in\\mathbb\{R\}^\{4\}\(Eq\. \([22](https://arxiv.org/html/2607.04292#S9.E22)\)\) through an MLP withH=2H=2hidden layers of widthh=64h=64\. Training overNaugN\_\{\\mathrm\{aug\}\}augmented samples forEMLPE\_\{\\mathrm\{MLP\}\}epochs costs 𝒪\(EMLP⋅Naug⋅\[4h\+h2\(H−1\)\+h\]\)\\displaystyle\\mathcal\{O\}\\\!\\left\(E\_\{\\mathrm\{MLP\}\}\\cdot N\_\{\\mathrm\{aug\}\}\\cdot\\bigl\[4h\+h^\{2\}\(H\{\-\}1\)\+h\\bigr\]\\right\)=𝒪\(EMLP⋅Naug⋅h2\),\\displaystyle=\\mathcal\{O\}\\\!\\left\(E\_\{\\mathrm\{MLP\}\}\\cdot N\_\{\\mathrm\{aug\}\}\\cdot h^\{2\}\\right\),\(57\)which is negligible relative to CTGAN fitting owing to the small input dimension \(d=4d=4\) and layer count\. ##### Bayesian TPE threshold optimisation\. Triage thresholds\(τ,κ,τhigh,κlow\)\(\\tau,\\kappa,\\tau\_\{\\mathrm\{high\}\},\\kappa\_\{\\mathrm\{low\}\}\)are selected by Bayesian optimisation with the Tree\-structured Parzen Estimator \(TPE\), maximising the objective in Eq\. \([12](https://arxiv.org/html/2607.04292#S6.E12)\)\. Each TPE trial fits two kernel\-density models over thenobsn\_\{\\mathrm\{obs\}\}previous observations at cost𝒪\(nobslognobs\)\\mathcal\{O\}\(n\_\{\\mathrm\{obs\}\}\\log n\_\{\\mathrm\{obs\}\}\), followed by a𝒪\(Nval\)\\mathcal\{O\}\(N\_\{\\mathrm\{val\}\}\)validation\-set evaluation\. OverTTPET\_\{\\mathrm\{TPE\}\}trials the total optimisation cost is 𝒪\(TTPE⋅\(nobslognobs\+Nval\)\),\\mathcal\{O\}\\\!\\left\(T\_\{\\mathrm\{TPE\}\}\\cdot\\bigl\(n\_\{\\mathrm\{obs\}\}\\log n\_\{\\mathrm\{obs\}\}\+N\_\{\\mathrm\{val\}\}\\bigr\)\\right\),\(58\)which converges within minutes and is dominated by the CTGAN step that precedes it\. ##### Inference latency\. Per\-sample inference decomposes into three sequential stages: \(i\)*agent inference*—two CNN agents each executingTTMC Dropout passes at joint cost𝒪\(2TLKC2\)\\mathcal\{O\}\(2TLKC^\{2\}\); \(ii\)*Decision Agent forward pass*—one MLP evaluation at𝒪\(h2\)\\mathcal\{O\}\(h^\{2\}\); and \(iii\)*triage policy evaluation*via Eqs\. \([9](https://arxiv.org/html/2607.04292#S6.E9)\)–\([10](https://arxiv.org/html/2607.04292#S6.E10)\), which is𝒪\(1\)\\mathcal\{O\}\(1\)\. The dominant term is agent inference, giving total per\-sample complexity𝒪\(T⋅L⋅K⋅C2\)\\mathcal\{O\}\(T\\cdot L\\cdot K\\cdot C^\{2\}\)\. Empirically, withT=30T=30,L=3L=3,K=3K=3,C=64C=64, each agent runs in≈60\\approx 60–150150ms on CPU; the Decision MLP adds<1<1ms and triage evaluation is𝒪\(1\)\\mathcal\{O\}\(1\)\. Total wall\-clock latency is≈0\.15\\approx 0\.15–0\.350\.35s on CPU\. On GPU, theTTstochastic passes can be batched, reducing latency by a factor of∼T\\sim Tto<10<10ms—well within the real\-time triage window of SOC environments\. ##### Total pipeline training complexity\. Combining all components, the complete training complexity of Agentic SABRE is 𝒯=𝒪\(\\displaystyle\\mathcal\{T\}=\\mathcal\{O\}\\Bigl\(2\(E\+T\)NLKC2\\displaystyle 2\(E\{\+\}T\)\\,N\\,L\\,K\\,C^\{2\}\+ECTGANNs\[∑igigi\+1\+∑jdjdj\+1\]\\displaystyle\+\\,E\_\{\\mathrm\{CTGAN\}\}\\,N\_\{s\}\\bigl\[\\textstyle\\sum\_\{i\}g\_\{i\}g\_\{i\+1\}\+\\sum\_\{j\}d\_\{j\}d\_\{j\+1\}\\bigr\]\+EMLPNaugh2\\displaystyle\+\\,E\_\{\\mathrm\{MLP\}\}\\,N\_\{\\mathrm\{aug\}\}\\,h^\{2\}\+TTPE\(nobslognobs\+Nval\)\),\\displaystyle\+\\,T\_\{\\mathrm\{TPE\}\}\\bigl\(n\_\{\\mathrm\{obs\}\}\\log n\_\{\\mathrm\{obs\}\}\+N\_\{\\mathrm\{val\}\}\\bigr\)\\Bigr\),\(59\)where the four terms correspond respectively to CNN agent training and MC score generation, CTGAN augmentation, Decision MLP fitting, and TPE threshold optimisation\. The first term scales linearly inNN; the CTGAN term is the practical bottleneck but remains tractable because the score matrix \(Ns×2N\_\{s\}\\times 2\) is orders of magnitude smaller than the raw feature matrices\. The modular decomposition in Eq\. \([59](https://arxiv.org/html/2607.04292#S12.E59)\) further implies that each CNN agent can be retrained independently and the triage thresholds can be recalibrated via TPE without any model retraining, making operational updates lightweight\. ##### Measured runtime performance\. Table[13](https://arxiv.org/html/2607.04292#S12.T13)reports empirically measured inference latency and throughput for each SABRE component, measured over 500 repetitions \(50 warm\-up\) on an NVIDIA GB10 GPU\. The Behavioral CNN requires1\.941\.94ms \(p50\) forT=10T=10MC Dropout passes—a3\.7×3\.7\\timesoverhead relative to a single deterministic forward pass \(0\.520\.52ms\)\. The Semantic CNN is comparable at1\.771\.77ms\. The full two\-agent pipeline \(Behavioral \+ Semantic \+ fusion \+ triage\) is estimated at approximately3\.73\.7ms in serial execution, supporting throughput of≈270\\approx 270samples/s\. At a 10\-second telemetry window, this supports over 2,000 concurrent monitored streams before the pipeline becomes the bottleneck\. The agents are compact: the Behavioral CNN has only 8,385 parameters \(32\.8 KB\), making it suitable for endpoint deployment\. Table 13:Measured inference latency and throughput per SABRE component \(NVIDIA GB10 GPU,T=10T=10MC Dropout passes,n=500n=500repetitions\)\. Full pipeline \(B\+S\) is estimated as the serial sum of per\-agent latencies plus fusion overhead\.Overall, the mathematical structure of Agentic SABRE demonstrates that uncertainty\-aware evidence fusion is essential for ransomware detection, and that the triage policy cannot be decoupled from the predictive geometry of the agents themselves\. The interplay between Eqs\. \([20](https://arxiv.org/html/2607.04292#S9.E20)\)–\([3](https://arxiv.org/html/2607.04292#S4.E3)\) forms the core mechanism through which the system balances automation, accuracy, and operational safety\. ## 13Limitations and Future Work This section acknowledges the principal constraints on the current design—including the conditional independence assumption in the fusion layer, the approximation quality of Monte Carlo Dropout under distribution shift, and the axis\-aligned nature of the triage policy—and outlines concrete directions for future research\. Although the results demonstrate the effectiveness of Agentic SABRE, several limitations constrain the system’s broader applicability\. The fusion mechanism in Eq\. \([23](https://arxiv.org/html/2607.04292#S9.E23)\) assumes that the semantic and behavioural agents generate conditionally independent evidential contributions\. In operational settings, semantic metadata and behavioural traces may exhibit dependencies that violate this assumption, potentially altering the joint distribution in Eq\. \([22](https://arxiv.org/html/2607.04292#S9.E22)\)\. A more expressive fusion function, such as a normalising flow, could model the complete joint likelihood more accurately\. The uncertainty estimates used to computeσmax\\sigma\_\{\\max\}in Eq\. \([3](https://arxiv.org/html/2607.04292#S4.E3)\) rely on Monte Carlo dropout sampling\. While practical, this estimator may under\-approximate true epistemic uncertainty in regions where behavioural data exhibit non\-stationary distributions\. Bayesian neural networks or deep ensembles could provide more calibrated uncertainty but would incur higher computational cost\. The triage policy described in Eqs\. \([9](https://arxiv.org/html/2607.04292#S6.E9)\) and \([10](https://arxiv.org/html/2607.04292#S6.E10)\) establishes axis\-aligned thresholds\. Although this provides interpretability and stability, adversarial examples that manipulate the fused score while remaining within tolerance ofσmax\\sigma\_\{\\max\}could produce borderline cases\. Future work may instead adopt a decision surface g\(p^,σmax\)=0,g\(\\hat\{p\},\\sigma\_\{\\max\}\)=0,\(60\)whereggis a monotone function learned from utility or risk constraints, enabling curved boundaries adapted to the uncertainty structure\. Finally, the behavioural telemetry in RanSMAP reveals that the distributions in Eq\. \([13](https://arxiv.org/html/2607.04292#S7.E13)\) are highly entangled\. Future study could investigate hybrid temporal architectures that incorporate attention over micro\-bursts of activity to increase separability, thereby widening the Wasserstein gap between malicious and benign trajectories\. The modularity of Agentic SABRE allows such components to be integrated without modifying the overarching triage mechanism, making the system suitable for continual architectural refinement\. The modular structure of SABRE allows the triage policy to be deployed independently of the underlying detection models, enabling policy\-level updates without retraining\. The current triage thresholds \(τ\\tau,κ\\kappa,τhigh\\tau\_\{\\text\{high\}\},κlow\\kappa\_\{\\text\{low\}\}\) are optimised offline on a held\-out calibration split and are not updated during deployment\. In dynamic environments where the score distribution shifts over time—due to concept drift, new family emergence, or changing benign workload patterns—static thresholds can become miscalibrated\. A natural extension would be an adaptive thresholding mechanism, such as a sliding\-window recalibration procedure that re\-optimises the objectiveJ\(τ,κ\)J\(\\tau,\\kappa\)in Eq\.[12](https://arxiv.org/html/2607.04292#S6.E12)on a rolling buffer of analyst\-labelled decisions, or a Bayesian online update that maintains a posterior over\(τ,κ\)\(\\tau,\\kappa\)conditioned on observed triage outcomes\. This would allow the policy to track distributional shifts without retraining the underlying neural agents\. We note that standard gradient\-based adversarial attacks \(FGSM, PGD\) on the neural agents face structural obstacles in this domain: applying FGSM to the behavioural agent requires differentiating through the I/O simulator, and applying PGD to the semantic agent requires perturbations that maintain PE loader validity \(consistent Magic bytes, SizeOfCode fields\)\. These constraints restrict the feasible perturbation set to a strict subset of𝒩ϵ\(𝐳\)\\mathcal\{N\}\_\{\\epsilon\}\(\\mathbf\{z\}\), making the continuous\-relaxation counterfactual analysis in Section[10](https://arxiv.org/html/2607.04292#S10)a principled lower bound on adversarial cost\. Implementing constrained FGSM/PGD attacks that respect these discrete validity constraints remains an important future direction\. ## 14Conclusion This work introduced Agentic SABRE, an uncertainty\-aware neuro–symbolic multi\-agent architecture for adaptive ransomware detection\. The framework integrates semantic and behavioural classifiers, each operating within its own representational manifold, and fuses their outputs through a calibrated decision module enriched by synthetic CTGAN augmentation\. The fused probability, defined in Eq\. \([23](https://arxiv.org/html/2607.04292#S9.E23)\), combines two heterogeneous predictive sources, whereas the epistemic uncertainty, articulated through Eq\. \([3](https://arxiv.org/html/2607.04292#S4.E3)\), establishes a principled mechanism for risk\-sensitive triage\. The results demonstrate that semantic telemetry yields nearly disjoint class\-conditioned distributions, producing fused decision regions with extremely high separability\. In contrast, behavioural telemetry exhibits a narrower Wasserstein distance between malicious and benign distributions, as shown by Eqs\. \([53](https://arxiv.org/html/2607.04292#S12.E53)\)–\([54](https://arxiv.org/html/2607.04292#S12.E54)\), thereby creating high\-uncertainty regions that necessitate conservative policies\. The system’s adaptability is grounded in the triage thresholds of Eq\. \([25](https://arxiv.org/html/2607.04292#S9.E25)\) and the policy optimisation objective of Eq\. \([12](https://arxiv.org/html/2607.04292#S6.E12)\), which jointly determine whether the system should automate containment, escalate for human judgement, or allow execution\. Across two distinct datasets, Agentic SABRE achieves perfect or near\-perfect separation where semantic structure dominates, while maintaining robust performance under behavioural variability\. The architecture’s agentic nature, characterised by self\-calibration, evidence fusion, and structured uncertainty quantification, establishes a computational framework capable not only of detection but also of decision\-theoretic reasoning under uncertainty\. The incorporation of symbolic cues and the modular design make the system extensible and suitable for continual refinement as ransomware tactics evolve\. The results confirm that uncertainty\-aware triage is essential for safe deployment of autonomous defence tools in real operational environments\. ## References - \[1\]A\. Alraizza, A\. Algarni, and A\. Alrayzah\(2025\)Enhancing ransomware detection using storage access pattern\.InArtificial Intelligence Applications and Innovations \- 21st IFIP WG 12\.5 International Conference, AIAI 2025, Limassol, Cyprus, June 26\-29, 2025, Proceedings, Part III,I\. Maglogiannis, L\. S\. Iliadis, A\. Andreou, and A\. Papaleonidas \(Eds\.\),IFIP Advances in Information and Communication Technology, Vol\.757,pp\. 57–73\.External Links:[Link](https://doi.org/10.1007/978-3-031-96231-8%5C_5),[Document](https://dx.doi.org/10.1007/978-3-031-96231-8%5F5)Cited by:[§2](https://arxiv.org/html/2607.04292#S2.p3.1)\. - \[2\]A\. Alraizza and A\. Algarni\(2023\)Ransomware detection using machine learning: A survey\.Big Data Cogn\. Comput\.7\(3\),pp\. 143\.External Links:[Link](https://doi.org/10.3390/bdcc7030143),[Document](https://dx.doi.org/10.3390/BDCC7030143)Cited by:[§1](https://arxiv.org/html/2607.04292#S1.p2.1),[§2](https://arxiv.org/html/2607.04292#S2.p3.1)\. - \[3\]I\. Ashrapov\(2020\)Tabular gans for uneven distribution\.CoRRabs/2010\.00638\.External Links:[Link](https://arxiv.org/abs/2010.00638),2010\.00638Cited by:[§3\.2](https://arxiv.org/html/2607.04292#S3.SS2.p1.1)\. - \[4\]T\. R\. Besold, A\. S\. d’Avila Garcez, S\. Bader, H\. Bowman, P\. M\. Domingos, P\. Hitzler, K\. Kühnberger, L\. C\. Lamb, P\. M\. V\. Lima, L\. de Penning, G\. Pinkas, H\. Poon, and G\. Zaverucha\(2021\)Neural\-symbolic learning and reasoning: A survey and interpretation\.InNeuro\-Symbolic Artificial Intelligence: The State of the Art,P\. Hitzler and Md\. K\. Sarker \(Eds\.\),Frontiers in Artificial Intelligence and Applications, Vol\.342,pp\. 1–51\.External Links:[Link](https://doi.org/10.3233/FAIA210348),[Document](https://dx.doi.org/10.3233/FAIA210348)Cited by:[§2](https://arxiv.org/html/2607.04292#S2.p5.1),[§3\.5](https://arxiv.org/html/2607.04292#S3.SS5.p2.4)\. - \[5\]F\. Ceschin, M\. Botacin, H\. M\. Gomes, F\. A\. Pinage, L\. S\. Oliveira, and A\. Grégio\(2022\)Fast & furious: modelling malware detection as evolving data streams\.CoRRabs/2205\.12311\.External Links:[Link](https://doi.org/10.48550/arXiv.2205.12311),[Document](https://dx.doi.org/10.48550/ARXIV.2205.12311),2205\.12311Cited by:[§1](https://arxiv.org/html/2607.04292#S1.p1.1)\. - \[6\]B\. N\. Chaithanya and S\. H\. Brahmananda\(2022\)AI\-enhanced defense against ransomware within the organization’s architecture\.J\. Cyber Secur\. Mobil\.11\(4\),pp\. 621–654\.External Links:[Link](https://doi.org/10.13052/jcsm2245-1439.1146),[Document](https://dx.doi.org/10.13052/JCSM2245-1439.1146)Cited by:[§3\.2](https://arxiv.org/html/2607.04292#S3.SS2.p1.1)\. - \[7\]N\. V\. Chawla, K\. W\. Bowyer, L\. O\. Hall, and W\. P\. Kegelmeyer\(2002\)SMOTE: synthetic minority over\-sampling technique\.J\. Artif\. Intell\. Res\.16,pp\. 321–357\.External Links:[Link](https://doi.org/10.1613/jair.953),[Document](https://dx.doi.org/10.1613/JAIR.953)Cited by:[§2](https://arxiv.org/html/2607.04292#S2.p3.1),[§3\.2](https://arxiv.org/html/2607.04292#S3.SS2.p1.1)\. - \[8\]B\. G\. Doan, D\. Q\. Nguyen, P\. Montague, T\. Abraham, O\. Y\. de Vel, S\. Camtepe, S\. S\. Kanhere, E\. Abbasnejad, and D\. C\. Ranasinghe\(2024\)Bayesian learned models can detect adversarial malware for free\.InComputer Security \- ESORICS 2024 \- 29th European Symposium on Research in Computer Security, Bydgoszcz, Poland, September 16\-20, 2024, Proceedings, Part I,J\. García\-Alfaro, R\. Kozik, M\. Choras, and S\. K\. Katsikas \(Eds\.\),Lecture Notes in Computer Science, Vol\.14982,pp\. 45–65\.External Links:[Link](https://doi.org/10.1007/978-3-031-70879-4%5C_3),[Document](https://dx.doi.org/10.1007/978-3-031-70879-4%5F3)Cited by:[§1](https://arxiv.org/html/2607.04292#S1.p2.1)\. - \[9\]I\. A\. Fares and M\. A\. Elaziz\(2025\)Explainable tabnet transformer\-based on google vizier optimizer for anomaly intrusion detection system\.Knowl\. Based Syst\.316,pp\. 113351\.External Links:[Link](https://doi.org/10.1016/j.knosys.2025.113351),[Document](https://dx.doi.org/10.1016/J.KNOSYS.2025.113351)Cited by:[§3\.5](https://arxiv.org/html/2607.04292#S3.SS5.p1.1)\. - \[10\]D\. W\. Fernando, N\. Komninos, and T\. Chen\(2020\)A study on the evolution of ransomware detection using machine learning and deep learning techniques\.IoT1\(2\),pp\. 551–604\.Cited by:[§1](https://arxiv.org/html/2607.04292#S1.p1.1),[§1](https://arxiv.org/html/2607.04292#S1.p2.1),[§2](https://arxiv.org/html/2607.04292#S2.p2.1),[§2](https://arxiv.org/html/2607.04292#S2.p3.1),[Table 1](https://arxiv.org/html/2607.04292#S3.T1.11.7.7.8)\. - \[11\]D\. W\. Fernando and N\. Komninos\(2024\)FeSAD ransomware detection framework with machine learning using adaption to concept drift\.Comput\. Secur\.137,pp\. 103629\.External Links:[Link](https://doi.org/10.1016/j.cose.2023.103629),[Document](https://dx.doi.org/10.1016/J.COSE.2023.103629)Cited by:[§1](https://arxiv.org/html/2607.04292#S1.p1.1)\. - \[12\]Y\. Gal and Z\. Ghahramani\(2016\)Dropout as a bayesian approximation: representing model uncertainty in deep learning\.InProceedings of the 33nd International Conference on Machine Learning, ICML 2016, New York City, NY, USA, June 19\-24, 2016,M\. Balcan and K\. Q\. Weinberger \(Eds\.\),JMLR Workshop and Conference Proceedings, Vol\.48,pp\. 1050–1059\.External Links:[Link](http://proceedings.mlr.press/v48/gal16.html)Cited by:[§2](https://arxiv.org/html/2607.04292#S2.p3.1),[§2](https://arxiv.org/html/2607.04292#S2.p4.1),[§4\.3](https://arxiv.org/html/2607.04292#S4.SS3.p4.4)\. - \[13\]J\. Gawlikowski, C\. R\. N\. Tassi, M\. Ali, J\. Lee, M\. Humt, J\. Feng, A\. M\. Kruspe, R\. Triebel, P\. Jung, R\. Roscher, M\. Shahzad, W\. Yang, R\. Bamler, and X\. Zhu\(2023\)A survey of uncertainty in deep neural networks\.Artif\. Intell\. Rev\.56\(S1\),pp\. 1513–1589\.External Links:[Link](https://doi.org/10.1007/s10462-023-10562-9),[Document](https://dx.doi.org/10.1007/S10462-023-10562-9)Cited by:[§2](https://arxiv.org/html/2607.04292#S2.p3.1),[§2](https://arxiv.org/html/2607.04292#S2.p4.1)\. - \[14\]O\. Habibi, M\. Chemmakha, and M\. Lazaar\(2023\)Imbalanced tabular data modelization using CTGAN and machine learning to improve iot botnet attacks detection\.Eng\. Appl\. Artif\. Intell\.118,pp\. 105669\.External Links:[Link](https://doi.org/10.1016/j.engappai.2022.105669),[Document](https://dx.doi.org/10.1016/J.ENGAPPAI.2022.105669)Cited by:[§3\.2](https://arxiv.org/html/2607.04292#S3.SS2.p1.1)\. - \[15\]M\. Hirano, R\. Hodota, and R\. Kobayashi\(2022\)RanSAP: an open dataset of ransomware storage access patterns for training machine learning models\.Digit\. Investig\.40\(Supplement\),pp\. 301314\.External Links:[Link](https://doi.org/10.1016/j.fsidi.2021.301314),[Document](https://dx.doi.org/10.1016/J.FSIDI.2021.301314)Cited by:[§8\.1](https://arxiv.org/html/2607.04292#S8.SS1.p2.1)\. - \[16\]M\. Hirano and R\. Kobayashi\(2025\)RanSMAP: open dataset of ransomware storage and memory access patterns for creating deep learning based ransomware detectors\.Comput\. Secur\.150,pp\. 104202\.External Links:[Link](https://doi.org/10.1016/j.cose.2024.104202),[Document](https://dx.doi.org/10.1016/J.COSE.2024.104202)Cited by:[§8\.1](https://arxiv.org/html/2607.04292#S8.SS1.p2.1)\. - \[17\]J\. Ispahany, Md\. R\. Islam, M\. Z\. Islam, and M\. A\. Khan\(2024\)Ransomware detection using machine learning: A review, research limitations and future directions\.IEEE Access12,pp\. 68785–68813\.External Links:[Link](https://doi.org/10.1109/ACCESS.2024.3397921),[Document](https://dx.doi.org/10.1109/ACCESS.2024.3397921)Cited by:[§1](https://arxiv.org/html/2607.04292#S1.p2.1),[§2](https://arxiv.org/html/2607.04292#S2.p6.1)\. - \[18\]S\. Jia, Z\. Cui, K\. Wang, Y\. Ding, D\. Han, and T\. Ma\(2024\)Adversarial and cooperation tasks in multi\-agent system with large language models\.In2024 IEEE International Conference on Unmanned Systems \(ICUS\),pp\. 1840–1847\.Cited by:[§3\.5](https://arxiv.org/html/2607.04292#S3.SS5.p1.1)\. - \[19\]H\. Kabuye, B\. Issac, R\. Yumlembam, and J\. Neera\(2025\)Explainable and uncertainty aware ai\-based ransomware detection\.IEEE Access13,pp\. 106573–106589\.External Links:[Link](https://doi.org/10.1109/ACCESS.2025.3581424),[Document](https://dx.doi.org/10.1109/ACCESS.2025.3581424)Cited by:[§1](https://arxiv.org/html/2607.04292#S1.p3.2),[§2](https://arxiv.org/html/2607.04292#S2.p4.1),[§3\.4](https://arxiv.org/html/2607.04292#S3.SS4.p1.2),[Table 1](https://arxiv.org/html/2607.04292#S3.T1.36.32.32.6),[§8\.1](https://arxiv.org/html/2607.04292#S8.SS1.p2.1)\. - \[20\]S\. M\. Lundberg and S\. Lee\(2017\)A unified approach to interpreting model predictions\.InAdvances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017, December 4\-9, 2017, Long Beach, CA, USA,I\. Guyon, U\. von Luxburg, S\. Bengio, H\. M\. Wallach, R\. Fergus, S\. V\. N\. Vishwanathan, and R\. Garnett \(Eds\.\),pp\. 4765–4774\.External Links:[Link](https://proceedings.neurips.cc/paper/2017/hash/8a20a8621978632d76c43dfd28b67767-Abstract.html)Cited by:[§3\.3](https://arxiv.org/html/2607.04292#S3.SS3.p1.1)\. - \[21\]M\. Mathur\(2020\)Ransomware \(malware\) detection using machine learning\.Note:Accessed: Nov\. 9, 2023External Links:[Link](https://github.com/muditmathur2020/RansomwareDetection/tree/master)Cited by:[§8\.1](https://arxiv.org/html/2607.04292#S8.SS1.p2.1)\. - \[22\]U\. Patel, F\. Yeh, and C\. Gondhalekar\(2024\)CANAL \- cyber activity news alerting language model : empirical approach vs\. expensive llms\.In3rd IEEE International Conference on AI in Cybersecurity, ICAIC 2024, Houston, TX, USA, February 7\-9, 2024,pp\. 1–12\.External Links:[Link](https://doi.org/10.1109/ICAIC60265.2024.10433839),[Document](https://dx.doi.org/10.1109/ICAIC60265.2024.10433839)Cited by:[§3\.1](https://arxiv.org/html/2607.04292#S3.SS1.p1.1)\. - \[23\]P\. P\. Pawar, D\. Kumar, M\. K\. Meesala, P\. K\. Pareek, S\. R\. Addula, and K\. S\. Shwetha\(2024\)Securing digital governance: a deep learning and blockchain framework for malware detection in IoT networks\.In2nd IEEE International Conference on Integrated Intelligence and Communication Systems \(ICIICS\),pp\. 1–8\.External Links:[Document](https://dx.doi.org/10.1109/ICIICS63763.2024.10860155)Cited by:[§3\.1](https://arxiv.org/html/2607.04292#S3.SS1.p1.1)\. - \[24\]S\. Razaulla, C\. Fachkha, C\. Markarian, A\. Gawanmeh, W\. Mansoor, B\. C\. M\. Fung, and C\. Assi\(2023\)The age of ransomware: A survey on the evolution, taxonomy, and research directions\.IEEE Access11,pp\. 40698–40723\.External Links:[Link](https://doi.org/10.1109/ACCESS.2023.3268535),[Document](https://dx.doi.org/10.1109/ACCESS.2023.3268535)Cited by:[§1](https://arxiv.org/html/2607.04292#S1.p1.1),[§2](https://arxiv.org/html/2607.04292#S2.p2.1),[Table 1](https://arxiv.org/html/2607.04292#S3.T1.18.14.14.8)\. - \[25\]M\. Soltani, K\. Khajavi, M\. J\. Siavoshani, and A\. H\. Jahangir\(2023\)A multi\-agent adaptive deep learning framework for online intrusion detection\.CoRRabs/2303\.02622\.External Links:[Link](https://doi.org/10.48550/arXiv.2303.02622),[Document](https://dx.doi.org/10.48550/ARXIV.2303.02622),2303\.02622Cited by:[§3\.5](https://arxiv.org/html/2607.04292#S3.SS5.p1.1),[Table 1](https://arxiv.org/html/2607.04292#S3.T1.42.38.38.7)\. - \[26\]S\. Tian, T\. Zhang, J\. Liu, J\. Wang, X\. Wu, X\. Zhu, R\. Zhang, W\. Zhang, Z\. Yuan, S\. Mao, and D\. I\. Kim\(2025\)Exploring the role of large language models in cybersecurity: a systematic survey\.IEEE Transactions on Network Science and Engineering\.Note:Early AccessExternal Links:[Link](https://arxiv.org/abs/2504.15622)Cited by:[§3\.1](https://arxiv.org/html/2607.04292#S3.SS1.p1.1),[§3\.3](https://arxiv.org/html/2607.04292#S3.SS3.p1.1)\. - \[27\]U\. Urooj, B\. A\. S\. Al\-Rimy, A\. B\. Zainal, F\. Saeed, A\. Abdelmaboud, and W\. Nagmeldin\(2024\)Addressing behavioral drift in ransomware early detection through weighted generative adversarial networks\.IEEE Access12,pp\. 3910–3925\.External Links:[Link](https://doi.org/10.1109/ACCESS.2023.3348451),[Document](https://dx.doi.org/10.1109/ACCESS.2023.3348451)Cited by:[§1](https://arxiv.org/html/2607.04292#S1.p1.1)\. - \[28\]A\. Vaswani, N\. Shazeer, N\. Parmar, J\. Uszkoreit, L\. Jones, A\. N\. Gomez, L\. Kaiser, and I\. Polosukhin\(2017\)Attention is all you need\.InAdvances in Neural Information Processing Systems 30: Annual Conference on Neural Information Processing Systems 2017, December 4\-9, 2017, Long Beach, CA, USA,I\. Guyon, U\. von Luxburg, S\. Bengio, H\. M\. Wallach, R\. Fergus, S\. V\. N\. Vishwanathan, and R\. Garnett \(Eds\.\),pp\. 5998–6008\.External Links:[Link](https://proceedings.neurips.cc/paper/2017/hash/%203f5ee243547dee91fbd053c1c4a845aa-Abstract.html)Cited by:[§3\.1](https://arxiv.org/html/2607.04292#S3.SS1.p1.1)\. - \[29\]L\. Xu, M\. Skoularidou, A\. Cuesta\-Infante, and K\. Veeramachaneni\(2019\)Modeling tabular data using conditional GAN\.InAdvances in Neural Information Processing Systems 32: Annual Conference on Neural Information Processing Systems 2019, NeurIPS 2019, December 8\-14, 2019, Vancouver, BC, Canada,H\. M\. Wallach, H\. Larochelle, A\. Beygelzimer, F\. d’Alché\-Buc, E\. B\. Fox, and R\. Garnett \(Eds\.\),pp\. 7333–7343\.External Links:[Link](https://proceedings.neurips.cc/paper/2019/hash/254ed7d2de3b23ab10936522dd547b78-Abstract.html)Cited by:[§2](https://arxiv.org/html/2607.04292#S2.p3.1),[§3\.2](https://arxiv.org/html/2607.04292#S3.SS2.p1.1)\. - \[30\]W\. Yang, L\. Some, M\. Bain, and B\. H\. Kang\(2025\)A comprehensive survey on integrating large language models with knowledge\-based methods\.Knowl\. Based Syst\.318,pp\. 113503\.External Links:[Link](https://doi.org/10.1016/j.knosys.2025.113503),[Document](https://dx.doi.org/10.1016/J.KNOSYS.2025.113503)Cited by:[§3\.5](https://arxiv.org/html/2607.04292#S3.SS5.p1.1),[§3\.5](https://arxiv.org/html/2607.04292#S3.SS5.p2.4)\. - \[31\]U\. Zahoora, A\. Khan, M\. Rajarajan, S\. H\. Khan, M\. Asam, and T\. Jamal\(2022\)Ransomware detection using deep learning based unsupervised feature extraction and a cost sensitive pareto ensemble classifier\.Scientific reports12\(1\),pp\. 15647\.Cited by:[§1](https://arxiv.org/html/2607.04292#S1.p2.1),[§2](https://arxiv.org/html/2607.04292#S2.p3.1),[Table 1](https://arxiv.org/html/2607.04292#S3.T1.25.21.21.8)\. - \[32\]J\. Zhang, P\. Wu, J\. London, and D\. Tenney\(2025\)Benchmarking and evaluating large language models in phishing detection for small and midsize enterprises: A comprehensive analysis\.IEEE Access13,pp\. 28335–28352\.External Links:[Link](https://doi.org/10.1109/ACCESS.2025.3540075),[Document](https://dx.doi.org/10.1109/ACCESS.2025.3540075)Cited by:[§3\.1](https://arxiv.org/html/2607.04292#S3.SS1.p1.1),[§3\.3](https://arxiv.org/html/2607.04292#S3.SS3.p1.1)\. - \[33\]Z\. Zhang, S\. Li, L\. Zhang, J\. Ye, C\. Hu, and L\. Yan\(2025\)LLM\-LADE: large language model\-based log anomaly detection with explanation\.Knowl\. Based Syst\.326,pp\. 114064\.External Links:[Link](https://doi.org/10.1016/j.knosys.2025.114064),[Document](https://dx.doi.org/10.1016/J.KNOSYS.2025.114064)Cited by:[§3\.3](https://arxiv.org/html/2607.04292#S3.SS3.p1.1),[Table 1](https://arxiv.org/html/2607.04292#S3.T1.31.27.27.7)\.
Similar Articles
Neuro-Bayesian-Symbolic Residual Attention Shallow Network: Explainable Deep Learning for Cybersecurity Risk Assessment
Introduces Neuro-Bayesian-Symbolic Residual Attention Shallow Network (NBS-RASN), a hybrid neural architecture for explainable cybersecurity risk assessment in open-source ecosystems, using 80 interpretable neurons across 12 layers with hard constraints for interpretability.
AEM: Adaptive Entropy Modulation for Multi-Turn Agentic Reinforcement Learning
This paper introduces AEM, a supervision-free method for agentic reinforcement learning that adapts entropy dynamics at the response level to improve exploration-exploitation trade-offs. It demonstrates performance gains on benchmarks like ALFWorld and SWE-bench by aligning uncertainty estimation with action granularity.
BraveGuard: From Open-World Threats to Safer Computer-Use Agents
BraveGuard is a self-evolving defense framework that trains guard models using open-world threat signals and realistic agent trajectories to improve safety detection in computer-use agents, achieving significant accuracy gains on the AgentHazard benchmark.
Taming "Zombie'' Agents: A Markov State-Aware Framework for Resilient Multi-Agent Evolution
Introduces AgentRevive, a Markov state-aware framework for resilient multi-agent collaboration that uses soft state transitions (Active, Standby, Terminated) to prevent premature pruning of agents that may recover, reducing token consumption while improving performance on reasoning and domain tasks.
SAGE: An LLM-driven Self Reflective Agentic Framework for Fraud Detection
Introduces SAGE, the first end-to-end LLM-driven multi-agent framework for fraud detection, using a Data Diagnostic Tree and Markov decision process with natural-language gradients to optimize models under class imbalance. Experiments show significant F1 improvements over baselines across five datasets.