Glossary
Definitions in this file are populated as Phase R4 firms up. The canonical definitions live in ../PROTOCOL.md Section 4; entries here are working summaries and the Status column tracks whether each has been reconciled with that section.
| Term | Definition | Protocol Reference | Status |
|---|---|---|---|
| Detection rule | Machine-readable artifact that expresses conditions intended to identify malicious or suspicious behavior, file content, or event telemetry. Phase 1 confirmatory rules are limited to native YARA, native Elastic, and high-fidelity Sigma-to-Elastic translations. | §4.1 | DRAFT |
| Mutation | Modified artifact or event representation derived from a parent ground-truth example for robustness testing. | §4.2 | DRAFT |
| Functional equivalence | Property of a mutation that preserves the parent example's attacker-relevant behavior, detection intent, and observable surface, and introduces no novel capability relative to the parent. Only mutations that pass this validation count toward scoring. | §4.2 | DRAFT |
| Robustness score | Per-rule fraction of validated functionally equivalent mutations that the rule detects. Computed only for rules that first detect their own ground truth sample; a rule that misses its ground truth sample is left unscored rather than given a score of zero. | §4.3 | DRAFT |
| Brittleness pattern | Recurring failure mechanism in which a validated equivalent mutation is missed because the rule depends on a narrow representation of the target behavior (for example, one string encoding or one command-line spelling) rather than on the behavior itself. | §4.4 | DRAFT |
| Ground truth sample | Original positive example that the rule must detect before any mutation result for that rule can be scored. | §4.2 | DRAFT |
| Evaluator | Pinned validation environment used to execute or test a rule family, such as native YARA or self-managed Elastic/Kibana. | §4.1 | DRAFT |
| Unit of analysis | Object over which measurements are made: rule, rule-mutation pair, rule-source group, or mutation class. | §4.5 | DRAFT |
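The scoring definitions above (ground truth gate, validated-only mutations, per-rule fraction, and the rule-source and mutation-class units of analysis) are small enough to state as code. The following is an added illustration, not the project's scorer: the rule and mutation identifiers, the `MutationResult` shape, and the constructed results table are hypothetical, and pooling hits over totals for rule-source groups and mutation classes is an assumed aggregation that §4.5 may define differently.

```python
"""Added example: scoring detection-rule robustness by unit of analysis.

Constructed illustration of the glossary definitions; not the project's own
scorer. Rule and mutation identifiers below are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class MutationResult:
    rule_id: str          # rule under test (hypothetical identifier)
    source: str           # rule-source group, e.g. "yara", "elastic", "sigma2elastic"
    mutation_id: str      # mutation derived from the rule's ground truth sample
    mutation_class: str   # mutation class, e.g. "string-encoding"
    validated: bool       # passed functional-equivalence validation
    detected: bool        # the rule fired on the mutated artifact/event


# Constructed sample data: whether each rule detected its own ground truth sample.
GROUND_TRUTH_DETECTED: Dict[str, bool] = {
    "yara-dropper-001": True,
    "elastic-lsass-002": True,
    "sigma-psh-003": False,   # misses its own positive example: stays unscored
}

# Constructed mutation results (rule, source, mutation, class, validated, detected).
SAMPLE_RESULTS = [
    MutationResult("yara-dropper-001", "yara", "m1", "string-encoding", True, True),
    MutationResult("yara-dropper-001", "yara", "m2", "string-encoding", True, False),
    MutationResult("yara-dropper-001", "yara", "m3", "section-reorder", True, True),
    MutationResult("yara-dropper-001", "yara", "m4", "section-reorder", False, False),  # failed validation
    MutationResult("elastic-lsass-002", "elastic", "m5", "arg-casing", True, True),
    MutationResult("elastic-lsass-002", "elastic", "m6", "path-quoting", True, False),
    MutationResult("elastic-lsass-002", "elastic", "m7", "path-quoting", True, False),
    MutationResult("sigma-psh-003", "sigma2elastic", "m8", "arg-casing", True, True),
]


def _tally(ground_truth: Dict[str, bool], results: Iterable[MutationResult], key: str):
    """Count detected and total validated mutations per group (key is an attribute
    name: "rule_id", "source" or "mutation_class"). Unvalidated mutations and
    mutations of rules that missed their ground truth sample are excluded."""
    hits: Dict[str, int] = defaultdict(int)
    totals: Dict[str, int] = defaultdict(int)
    for r in results:
        if not r.validated or not ground_truth.get(r.rule_id, False):
            continue
        group = getattr(r, key)
        totals[group] += 1
        if r.detected:
            hits[group] += 1
    return hits, totals


def robustness_scores(ground_truth: Dict[str, bool],
                      results: Iterable[MutationResult]) -> Dict[str, Optional[float]]:
    """Per-rule robustness score. None (unscored, not zero) when the rule missed
    its ground truth sample or has no validated equivalent mutations."""
    hits, totals = _tally(ground_truth, results, "rule_id")
    return {
        rule_id: (hits[rule_id] / totals[rule_id] if gt_ok and totals[rule_id] else None)
        for rule_id, gt_ok in ground_truth.items()
    }


def group_scores(ground_truth: Dict[str, bool], results: Iterable[MutationResult],
                 key: str) -> Dict[str, float]:
    """Assumed pooled fraction per rule-source group (key="source") or per
    mutation class (key="mutation_class"), over the same filtered set."""
    hits, totals = _tally(ground_truth, results, key)
    return {g: hits[g] / totals[g] for g in totals}


def missed_equivalents(ground_truth: Dict[str, bool],
                       results: Iterable[MutationResult]) -> Dict[str, Dict[str, list]]:
    """Candidate brittleness evidence: validated equivalent mutations missed by a
    rule that does detect its ground truth sample, grouped by mutation class."""
    missed: Dict[str, Dict[str, list]] = defaultdict(lambda: defaultdict(list))
    for r in results:
        if r.validated and not r.detected and ground_truth.get(r.rule_id, False):
            missed[r.rule_id][r.mutation_class].append(r.mutation_id)
    return {rule: dict(classes) for rule, classes in missed.items()}


if __name__ == "__main__":
    print(robustness_scores(GROUND_TRUTH_DETECTED, SAMPLE_RESULTS))
    print(group_scores(GROUND_TRUTH_DETECTED, SAMPLE_RESULTS, "source"))
    print(group_scores(GROUND_TRUTH_DETECTED, SAMPLE_RESULTS, "mutation_class"))
    print(missed_equivalents(GROUND_TRUTH_DETECTED, SAMPLE_RESULTS))
```

Two points the sample data is built to show: the unvalidated mutation `m4` is dropped from the denominator rather than counted as a miss, and `sigma-psh-003` is unscored because its ground truth sample was not detected, so its one detected mutation `m8` is also excluded from the `sigma2elastic` source group and the `arg-casing` class.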