# LSTM on event-log sequences

DANTE applies a **plain LSTM directly to system-log event sequences** to flag insider-threat behavior. Earlier in the literature than the transformer wave, and useful here as a methodological baseline.

## What we borrowed

- **Evidence that simple recurrent models are enough.** The paper shows an LSTM on sequence-of-events alone — no per-task feature engineering — captures enough temporal structure to beat bag-of-events classifiers. That's the empirical ground for the *RNN/GRU/LSTM* entries in our model comparison being plain, not bespoke.
- **Negative-evidence framing.** DANTE is also explicit about cases where the LSTM under-performs (low-volume users, novel event types). Informs the *split-by-sample, not split-by-time* eval protocol on the perf scene — generalising to unseen actors is the bar.

## Where it differs

- Operates on log-event token sequences (categorical), not numeric resource metrics (continuous). Our channels are floats from `/proc`, so we use the temporal structure DANTE validates without inheriting the embedding setup.
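
The *split-by-sample, not split-by-time* protocol from the negative-evidence point above, set beside a time split so the actor leakage is measurable. This is an added example, not code from DANTE or from this project: it assumes a "sample" is one actor's whole recording, and `Window`, `make_windows`, `split_by_time`, `split_by_actor` and `shared_actors` are hypothetical names over constructed data.

```python
import random
from collections import namedtuple

# One fixed-length window of /proc-style float channels per (actor, time step).
Window = namedtuple("Window", "actor t channels")

def make_windows(n_actors=8, steps=4):
    """Constructed sample data: values are synthetic, not measurements."""
    rng = random.Random(0)
    return [Window(f"actor-{a}", t, [rng.random() for _ in range(3)])
            for a in range(n_actors) for t in range(steps)]

def split_by_time(windows, cutoff):
    """Earlier steps train, later steps test: every actor lands on both sides."""
    train = [w for w in windows if w.t < cutoff]
    test = [w for w in windows if w.t >= cutoff]
    return train, test

def split_by_actor(windows, test_fraction=0.25, seed=0):
    """Hold out whole actors, so the test set contains only unseen actors."""
    actors = sorted({w.actor for w in windows})
    n_test = max(1, round(len(actors) * test_fraction))
    held_out = set(random.Random(seed).sample(actors, n_test))
    train = [w for w in windows if w.actor not in held_out]
    test = [w for w in windows if w.actor in held_out]
    return train, test

def shared_actors(train, test):
    """Actors present on both sides of a split; non-empty means leakage."""
    return {w.actor for w in train} & {w.actor for w in test}

if __name__ == "__main__":
    data = make_windows()
    for name, (tr, te) in {"time": split_by_time(data, cutoff=3),
                           "actor": split_by_actor(data)}.items():
        print(name, len(tr), len(te), "shared actors:", len(shared_actors(tr, te)))
```

Both splits give the same 24/8 window counts here, so the size of the test set alone does not reveal which protocol was used; the shared-actor count does.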