Unveiling Innovation: Our Research Odyssey
Leaderboards
Abluva's Pattern Attention Model leads Insider Threat Detection
Because using real, even de-identified, corporate data raises a variety of legal, ethical, and business issues, the DARPA Anomaly Detection at Multiple Scales (ADAMS) program turned to proxy data sets and synthetic data, with the goal to generate data to simulate the aggregated collection of logs from host-based sensors distributed across all the computer workstations within a large business or government organization over a 500 day period.
| Model | Accuracy % | F1 Score % |
|---|---|---|
| CNN | 98.65 | 91.48 |
| LSTM | 98.22 | 89.9 |
| GRU-CNN | 97.39 | 55.6 |
| TD-CNN-LSTM | 99.6 | 97.54 |
| TD-CNN-Attention | 99.95 | 99.71 |
PaPS Ensemble leads Security Intrusion Detection Models
Top performance in zero-day intrusion detection tasks
| Dataset | Model | Accuracy % | F1 Score % |
|---|---|---|---|
| BODMAS | PaPS Ensemble | 85.04 | 89.06 |
| UNSW NB-15 | PaPS Ensemble | 98.39 | 95.23 |
| CIC IDS-2017 | PaPS Ensemble | 92.77 | 92.99 |
| UNR IDD | PaPS Ensemble | 99.73 | 99.73 |
Synthetic Datasets
These datasets were created with generative AI by extending widely used public intrusion detection datasets. You are welcome to use them for your own experiments and to extend them further.
CSE-CIC-IDS2018 V3
Based on the Canadian Institute for Cybersecurity's CSE-CIC-IDS2018 dataset, which includes seven attack scenarios: Brute-force, Heartbleed, Botnet, DoS, DDoS, Web attacks, and infiltration of the network from inside. The data is normalised and one new class, "Comb", is added: a synthesised combination of multiple existing non-benign classes.
CIC-IDS-2017 V2
Based on the Canadian Institute for Cybersecurity's Intrusion Detection Evaluation Dataset (CSE-IDS2017), which contains benign traffic and the most up-to-date common attacks, resembling true real-world data (PCAPs), together with the results of network traffic analysis using CICFlowMeter, with flows labelled by timestamp, source and destination IPs, source and destination ports, protocols and attack
UNSW-NB15 V3
Based on the University of New South Wales' UNSW-NB15 dataset, which has nine types of attacks: Fuzzers, Analysis, Backdoors, DoS, Exploits, Generic, Reconnaissance, Shellcode and Worms. The dataset is normalised and one additional class is synthesised by mixing multiple non-benign classes.
NSL KDD V2
This dataset is normalised and one additional class is synthesised by mixing multiple non-benign classes. It is based on the University of New Brunswick and Canadian Institute for Cybersecurity's NSL-KDD dataset, which is itself an improvement over the original KDD (Knowledge Discovery and Data Mining Tools) dataset.
Research Papers
Published Research Papers
Blender-GAN: Multi-target conditional Generative Adversarial Network for novel class synthetic data generation
The global increase in computer network usage necessitates robust intrusion detection systems, prompting the application of machine learning and deep learning models. Limited training data for deep neural networks is addressed by synthetic data generation, with Blender-GAN proposed as a novel approach allowing the creation of new data by blending multiple class labels. The architecture demonstrates success in generating realistic synthetic network intrusion data with varied attack classes.
Attention to Patterns is all you need for Insider Threat Detection
This paper introduces a fresh approach to insider threat detection in organisations. By leveraging deep learning models such as the Time-Distributed Deep Learning Architecture (TD-CNN-LSTM) and the Contextually Aware Attention-Based Architecture (TD-CNN-Attention), the method improves anomaly detection by capturing complex patterns in user behaviour. Combining CNNs with LSTMs or attention mechanisms extracts spatial and temporal features from user access data, leading to significant gains in accuracy and F1 score. This research marks a significant step forward in identifying insider threats and in protecting critical assets amid a constantly evolving threat landscape.
Securing from Unseen: Connected Pattern Kernels (CoPaK) for Zero-day Intrusion Detection
The surge in data from digitisation and cloud adoption requires advanced intrusion detection. Classic systems struggle with the resulting complexity, so this work proposes a deep learning connected pattern kernel architecture. The model excels at zero-day intrusion detection, demonstrating superior performance and generalisation when monitoring network traffic.
Partitioned Problem Space (PaPS) Ensemble For Zero-day Intrusion Detection
The ubiquity of low-cost cloud data storage has exponentially increased data generation, posing significant challenges to data security. Traditional intrusion detection systems struggle with the volume and speed of cloud data. This work introduces a novel partitioned problem space deep-learning ensemble approach, outperforming existing methods in zero-day intrusion detection tasks.
Submitted Research Papers
A Multi-Platform Taxonomy of Server-Path Database CVEs (2020–2026): Disclosure Asymmetry and Query-Aware Interception Layer Addressability
Enterprise data infrastructure now spans heterogeneous database platforms such as on-premises RDBMS, cloud-native warehouses, document stores, and in-memory engines, and the attack surface has expanded substantially with it. Query-aware interception layers (QAILs) are increasingly deployed to inspect database traffic, yet no empirical characterisation exists of which server-path vulnerability classes can be addressed at that architectural layer. We present a systematic, multi-platform CVE taxonomy covering eight major database platforms (PostgreSQL, MySQL, Microsoft SQL Server, Snowflake, Databricks, MongoDB, Redis, ClickHouse) from January 2020 through April 2026. From a server-culprit universe of 570 CVE records, we curate a primary high-severity dataset of 143 entries (CVSS ≥ 7.0) and introduce a seven-layer attack vector taxonomy. Alongside it we introduce a novel classification axis, termed QAIL Addressability, which classifies each CVE by its detectability at a wire-level interception layer. Our analysis reveals that: (1) 84.6% of high-severity server-path database CVEs are QAIL-addressable; (2) there is an asymmetry in how CVEs are disclosed, for example MySQL discloses more CVEs than PostgreSQL while the concentration of high-severity CVEs is much higher in MSSQL and PostgreSQL; and (3) extension sandbox escapes and protocol/query-path weaknesses remain structurally distinct threat classes. The full annotated dataset, scope policy, and collection scripts are released as a public resource.
A Survey on Security of the Model Context Protocol: Documented Incidents, Defense Frameworks, and Coverage Gaps in Agentic AI
The Model Context Protocol (MCP) by Anthropic has quickly become an integral link between LLM agents and the external tools they rely on. This rapid adoption has given rise to security failures: zero-click data exfiltration (CVE-2025-32711), command injection (CVE-2025-6514), prompt-injection-driven remote code execution in coding agents (CVE-2025-53773), and large-scale vulnerability discovery in MCP servers. Several MCP gateways and academic defense frameworks have been proposed in response, but none have asked: of the documented agentic-AI failures in the public record, how many would today's defenses actually have prevented? We therefore assemble 79 documented incidents from CVEs, peer-reviewed work, and reproducible disclosures, coding each against a 10-layer defense model. Our findings suggest that 49.4% sit in a broad data-plane band, with 26.6% at three layers barely covered by current frameworks. We then formalise two control primitives, probe-augmented policy and session risk-budget composition, and demonstrate through three case-study reconstructions how each would have intercepted the documented vulnerable call paths.
On-going Research
- Capability-Based Security for LLM Agents (inspired by Google's open research)
- Contextual Breach Discovery (cross-context memories)
Patents
Abluva Patents
System and Method for Automated Anomaly Detection
A system and method for automated anomaly detection is described. The method includes identifying inherent characteristics or tags associated with one or more entities. These characteristics or tags may be ranked or contextualised based on one or more global factors or actor-based factors. The method further includes contextualising actor behaviour observed over a period of time or over sessions, measuring context changes and context overlaps, and quantifying the dynamics of the actor behaviour using one or more AI/ML models. Finally, the method performs dynamic patching and dynamically models the changes in actor behaviour over time in order to detect anomalies.
Reasoning and Intent Based Authorisation System and a Method Thereof
An authorisation system and related method is disclosed. The system receives an access request from a requester (human or machine) and performs a series of steps to dynamically determine whether access should be granted. The requester may be an unknown entity, and access policies may not yet be defined for it. The steps for dynamically granting access may include generating one or more relational parameters, generating one or more reasoning indicators, receiving from the requester's device response inputs on a set of tasks associated with the requested resource, and validating the reasoning indicators using the relational parameters and the response inputs. Upon successful validation, access is granted to the requester with the least privileges required.
Event-Based Authentication and Authorisation System and a Method Thereof
An event-based authentication and adaptive authorisation system and a related method are described. The system continuously monitors user behaviours, contextual events, and security threats, and dynamically adjusts access control policies and permissions in real time. Authentication is derived from a combination of predefined and contextually learned user actions, enabling password-less hybrid authentication mechanisms. The system continuously assesses risk factors, anomalous behaviours, and evolving security conditions to refine access permissions, adapting to the changing threat landscape and to changing user behaviour. The result is a robust and responsive system that improves security, flexibility, and operational efficiency for organisations facing rapidly evolving cyber threats.
Authorisation System to Validate an Accessor and a Method Thereof
System and Method for Automated Identification and Inference of Characteristics of Entities
Patents (in filing)
- Agentic Breach (1)
- Contextual Breach Discovery (1)