GridPRISM: Provenance-aware real-time intrusion detection via prior-guided subgraph routing and auditable budgeted semantic masking

Real-time, window-level intrusion detection on provenance graphs is desirable for cyber–physical and operational-technology (CPS/OT) deployments. However, CPU-only service-level objectives (SLOs) impose a hard constraint: richer causal evidence escalates per-window workload and memory footprint. Existing provenance intrusion detection often relies on heuristic subgraph extraction and masking, leaving the budget–evidence boundary under-specified. Consequently, per-alert auditing of retained evidence and per-window resource use is difficult, and reported effectiveness may not remain feasible under CPU-only real-time SLOs. To address these challenges, we propose GridPRISM, a CPU-only budgeted detection pipeline. It begins with a Guarded Subgraph Router (GSR) that routes each window under an explicit utility–cost objective, with hard guardrails that bound worst-case expansion. Building on routed windows, Budgeted Semantic Masking (BSM) replaces uniform random corruption with a domain-aware, budget-calibrated policy that stabilizes self-supervised learning under benign dominance and enhances sensitivity to sparse anomalies. Critically, to prevent conflating controlled effectiveness with end-to-end feasibility, GridPRISM is evaluated under two complementary protocols on CADETS, TRACE, and IEEE-14, separately reporting benchmark effectiveness and CPU-only SLO compliance. Under an equal global masking budget, BSM improves entity-level detection over uniform random masking, with absolute gains of ＋0.08/＋0.13 in average precision and ＋0.08/＋0.14 in F1 at a locked operating point. Moreover, in CPU-only end-to-end execution, GridPRISM meets SLOs, achieving 95th-percentile latency 15.7–108.6 ms and peak RSS 0.435–5.34 GB, making the budget–evidence trade-off auditable for CPU-only CPS/OT monitoring and alert triage.