In today’s networks, the frequency of distributed cyber attacks has made centralized SIEM solutions vulnerable to bottlenecks, privacy invasions, and single points of failure. This thesis proposes a decentralized anomaly detection platform of autonomous agents, with every server modeled as a node that operates independently, without centralized control, to identify coordinated attacks, with a focus on compliance in the European Blockchain Services Infrastructure (EBSI). We construct an evolving subnet adjacency graph over destination IPs and use Deep Graph Infomax (DGI) to learn high-quality node embeddings that capture local traffic patterns as well as global information. The fine-tuned online embeddings are concatenated with raw flow features and fed into a universal LSTM-augmented reinforcement learning policy; the LSTM’s temporal memory enables detection of both sudden attacks and slow, stealthy ones. Evaluation metrics (ROC-AUC, F1, accuracy, precision and recall) are computed at two granularity levels: per agent, for each node’s detection performance, and system-level, using a “union-of-alerts” decision rule for event-level detection. Experiments on the UNSW-NB15 flow data set demonstrate that our approach improves ROC-AUC from ≈ 0.936 to ≈ 0.95 and F1 from ≈ 0.89 to ≈ 0.913, outperforming the independent PPO-LSTM baseline. The system preserves data privacy by exposing only aggregated anomaly scores, never the underlying flows. These results suggest that integrating self-supervised graph embeddings with recurrent multi-agent RL produces a robust, scalable, and privacy-preserving SIEM solution tailored to the EBSI federated environment. Further studies on window granularity, hyperparameters, and per-subnet policy specialization could further validate the design choices and offer a roadmap for deploying decentralized network defense systems.
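The two evaluation granularities described above are easy to get subtly wrong, so the following is an added example (not code from the thesis) that makes the “union-of-alerts” rule concrete. It assumes that each agent emits one anomaly score per time window, that all agents share one ground-truth label per window (the event), that an agent raises an alert when its score meets a fixed threshold of 0.5, and that the system-level ROC-AUC is computed over the per-window maximum of the agents’ scores, which is the score whose thresholding is equivalent to the union rule (these are the example’s assumptions, not statements from the thesis). The agent names, scores and labels are constructed sample data.

```python
"""Per-agent vs. system-level ("union-of-alerts") evaluation.

Added illustration, not code from the thesis. Assumptions: one score per
window per agent, a shared ground-truth label per window, a fixed alert
threshold, and a system-level score equal to the per-window max across
agents. All scores and labels are constructed sample data.
"""
from dataclasses import dataclass

# Constructed ground truth: 8 windows, 1 = an attack event occurred.
TRUTH = [0, 0, 1, 1, 0, 1, 0, 1]

# Constructed per-agent scores in [0, 1]. Each agent sees only its own
# traffic, so it catches some events and misses others. Only these
# aggregated scores would ever leave a node, never the raw flows.
SCORES = {
    "agent-a": [0.10, 0.20, 0.90, 0.30, 0.15, 0.85, 0.25, 0.40],
    "agent-b": [0.05, 0.15, 0.35, 0.95, 0.10, 0.30, 0.60, 0.20],
    "agent-c": [0.20, 0.10, 0.25, 0.40, 0.05, 0.20, 0.15, 0.92],
}
THRESHOLD = 0.5  # assumed alert threshold


@dataclass
class Metrics:
    accuracy: float
    precision: float
    recall: float
    f1: float
    roc_auc: float


def alerts(scores, threshold=THRESHOLD):
    """Per-agent decision: alert when the score meets the threshold."""
    return [1 if s >= threshold else 0 for s in scores]


def union_of_alerts(per_agent_alerts):
    """System-level decision: a window is an alert if ANY agent alerted."""
    return [1 if any(col) else 0 for col in zip(*per_agent_alerts.values())]


def max_score(per_agent_scores):
    """Per-window max across agents. any(s_i >= t) <=> max(s_i) >= t, so
    thresholding this score reproduces union_of_alerts and gives a
    system-level score to rank for ROC-AUC."""
    return [max(col) for col in zip(*per_agent_scores.values())]


def roc_auc(scores, truth):
    """Rank-based AUC: P(positive outranks negative), ties count 0.5."""
    pos = [s for s, y in zip(scores, truth) if y == 1]
    neg = [s for s, y in zip(scores, truth) if y == 0]
    if not pos or not neg:
        raise ValueError("ROC-AUC is undefined without both classes")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def metrics(scores, truth, threshold=THRESHOLD):
    """Accuracy/precision/recall/F1 at the threshold plus threshold-free AUC."""
    pred = alerts(scores, threshold)
    tp = sum(1 for p, y in zip(pred, truth) if p == 1 and y == 1)
    fp = sum(1 for p, y in zip(pred, truth) if p == 1 and y == 0)
    fn = sum(1 for p, y in zip(pred, truth) if p == 0 and y == 1)
    tn = len(truth) - tp - fp - fn
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return Metrics((tp + tn) / len(truth), precision, recall, f1, roc_auc(scores, truth))


def per_agent_metrics(scores_by_agent=SCORES, truth=TRUTH):
    """Granularity 1: each node's own detection performance."""
    return {name: metrics(s, truth) for name, s in scores_by_agent.items()}


def system_metrics(scores_by_agent=SCORES, truth=TRUTH):
    """Granularity 2: event-level performance under the union-of-alerts rule."""
    return metrics(max_score(scores_by_agent), truth)


if __name__ == "__main__":
    for name, m in per_agent_metrics().items():
        print(name, m)
    print("system", system_metrics())
```

On the constructed data, agent-b alone reaches F1 ≈ 0.33 and agent-c F1 = 0.4, while the system-level rule reaches recall 1.0 and F1 ≈ 0.89, because each event is caught by at least one node. The caveat the union rule carries is visible in the same numbers: agent-b’s single false positive (window 6) propagates to the system level and drops system precision to 0.8, so a decentralized deployment needs per-node threshold tuning or a minimum-agreement rule if one noisy agent is not to dominate the global alert stream.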