v0.9.6: Brain evolution, autoencoder fix, shield migration, CLI restructure #76
Merged
Conversation
Consolidate the DDoS protection module from standalone daemon into the main workspace, following the same pattern as killchain, dna, hypervisor, and smm migrations.

Components migrated (14 modules, 81 tests):
- rate_limiter: per-IP adaptive rate limiting (token bucket + sliding window)
- escalation: 4-state machine (Normal → Elevated → UnderAttack → Critical)
- syn_tracker: SYN flood detection via SYN/ACK ratio
- attack_classifier: multi-vector attack classification
- tcp_fingerprint: passive OS fingerprinting
- xdp_manager: BPF blocklist management
- cloudflare_failover: auto DNS proxy toggle on escalation
- origin_lockdown: iptables Cloudflare-only restriction
- bgp_monitor: BGP hijack detection via RIPE Stat
- store: state persistence to JSON
- api: HTTP metrics API (daemon feature only)
- telegram_notify: standalone notifier (daemon feature only)

Agent integration (shield_inline.rs):
- Processes network events through rate limiter inline
- Feeds SYN/ACK tracker and TCP fingerprinter
- Runs escalation state machine on 10s ticks
- Manages XDP blocklist entries
- Writes shield incidents to JSONL
- Notifies via agent's Telegram client
- Persists state every 30s

Config: [shield] section in agent.toml (enabled, bpf_path, dry_run)

Standalone daemon preserved via `daemon` feature flag.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The nightly autoencoder training was learning from ALL events including attack traffic, which taught the model that attacks are "normal" and caused a baseline score of 0.896 (everything = anomaly).

Now loads blocked IPs from decisions-*.jsonl and blocked-ips.txt before training and skips all events from those IPs. The model only learns from legitimate traffic patterns.

Before: clean score 0.896, attack score 0.959, 100% FP at threshold 0.5
After: clean score 0.492, attack score 0.555, 13.7% FP at threshold 0.5

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
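The training-set filter described in the commit message above, sketched as an added example; it is not code from this pull request. The `Event` type, the function names, the one-address-per-line layout of blocked-ips.txt and the `"ip"` field in decisions-*.jsonl are all assumptions, and the sample data is constructed.

```rust
use std::collections::HashSet;
use std::net::IpAddr;

/// Constructed event record; the agent's real event type is not shown on the page.
#[derive(Clone, Debug, PartialEq)]
pub struct Event { pub src_ip: IpAddr, pub kind: &'static str }

/// Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) to plain IPv4 so both forms match one entry.
fn canon(ip: IpAddr) -> IpAddr {
    match ip { IpAddr::V6(v6) => v6.to_ipv4_mapped().map(IpAddr::V4).unwrap_or(ip), v4 => v4 }
}

/// Assumed blocked-ips.txt layout: one address per line, '#' starts a comment.
pub fn parse_blocklist(text: &str) -> HashSet<IpAddr> {
    text.lines()
        .filter_map(|l| l.split('#').next()?.trim().parse::<IpAddr>().ok())
        .map(canon).collect()
}

/// Assumed decisions-*.jsonl layout: an "ip" string field per line; other lines are ignored.
pub fn parse_decisions(jsonl: &str) -> HashSet<IpAddr> {
    jsonl.lines().filter_map(|line| {
        let rest = &line[line.find("\"ip\"")? + 4..];
        let rest = rest.trim_start().strip_prefix(':')?.trim_start().strip_prefix('"')?;
        rest[..rest.find('"')?].parse::<IpAddr>().ok().map(canon)
    }).collect()
}

/// Returns the events safe to train on and how many were skipped.
pub fn filter_training(events: &[Event], blocked: &HashSet<IpAddr>) -> (Vec<Event>, usize) {
    let kept: Vec<Event> = events.iter()
        .filter(|e| !blocked.contains(&canon(e.src_ip)))
        .cloned().collect();
    let skipped = events.len() - kept.len();
    (kept, skipped)
}

/// Constructed sample traffic (documentation address ranges).
pub fn sample_events() -> Vec<Event> {
    [("192.0.2.10", "http"), ("203.0.113.7", "ssh_fail"), ("::ffff:203.0.113.7", "ssh_fail"), ("192.0.2.44", "scan"), ("2001:db8::1", "http")]
        .iter().map(|&(ip, kind)| Event { src_ip: ip.parse().unwrap(), kind }).collect()
}

fn main() {
    let mut blocked = parse_blocklist("203.0.113.7\n# note\n198.51.100.9 # scanner\n");
    blocked.extend(parse_decisions("{\"action\":\"block\",\"ip\": \"192.0.2.44\"}\ngarbage\n"));
    let (kept, skipped) = filter_training(&sample_events(), &blocked);
    println!("training on {} events, skipped {}", kept.len(), skipped);
}
```

The filter only removes traffic already attributed to a blocked IP; events from sources that were never blocked still reach the training set.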
… signal

The autoencoder no longer generates its own incidents (Spider Sense). Instead it observes silently and stores the latest anomaly score, which is used to boost confidence in decisions made by other detectors.

Changes:
- narrative_anomaly.rs: removed incident creation, kept observation and baseline+autoencoder fusion (two independent sources agreeing)
- incident_decision_eval.rs: added anomaly score boost — when neural model flags anomaly > 0.7, confidence is boosted by up to 10%
- AgentState: added latest_anomaly_score field

Effect: zero Spider Sense notifications, but the neural model still contributes to better decisions when it agrees with a real detector.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
BrainLogEntry now includes the full feature vector used for each decision. This enables training the defender brain from real production data without simulation.

Also increased brain-log retention from 500 to 10000 entries.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Step 1+4 of Brain Evolution spec:
- Replace gym-only brain (538KB, 0% agreement) with supervised model (27KB, trained on real production data + Caldera attacks)
- Add BrainStats: tracks agreement rate per day, rolling weekly trend
- Persist to brain-stats.json for dashboard consumption
- brain-log.json now includes 72-dim features for offline retraining

Spec: .specify/features/006-brain-evolution/spec.md

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
Defender Brain Evolution (Feature 006)
.specify/features/006-brain-evolution/spec.md
Autoencoder Improvements
Notification Spam Fixes
Shield Migration
CLI Restructure
innerwarden system (no subcommand) shows available options
Operator IP Protection
who -i
Test plan
🤖 Generated with Claude Code