The immune system detects threats the same way a bouncer checks IDs. Self vs not-self is a coupling question — does this molecule fit the pattern? High K with self means safe. Low K with self means threat. Autoimmune disease is a bouncer who forgot what the regulars look like.
The first version of our threat detector worked like airport security on a bad day. It caught 97% of attackers. It also strip-searched 60% of grandmothers.
The problem: compiling code looks like cryptomining. Video encoding looks like ransomware. Backing up a database looks like someone stealing your data. Every intensive computer workload shares features with some attack category. If you just add up suspicious-looking things, everything looks suspicious.
The fix: stop adding things up. Require combinations. A cryptominer needs sustained CPU and mining patterns and pool connections. Compiling code has the CPU but not the mining patterns. Never triggers. The combination is the signature, not any single feature.
21 signatures. 0.7 milliseconds to check all of them. 29 out of 30 attacks caught. Zero false positives on 10 normal workloads. The one miss: a single-target UDP flood that looked like a legitimate video stream.
Same logic as the immune system, actually. Your body doesn’t flag every molecule. It asks: does this fit the pattern of self? High coupling with self = safe. Low coupling with self = threat. Autoimmune disease is a bouncer who forgot what the regulars look like.
Honest limit: we designed the signatures and the test cases at the same time. This is not independent validation. An attacker who knows the required features can avoid them. This demonstrates the principle, not a shipped security product.
The first version used a weighted sum: assign each behavioral feature a threat score, add them up, trigger if the sum exceeds a threshold. It got 97% detection. It also got a 60% false positive rate.
Compiling code looks like cryptomining — sustained CPU, many threads. Video encoding looks like ransomware — high disk I/O, many file writes. Database backups look like exfiltration — large outbound data, sequential file reads. Every intensive workload shares features with some attack category. Weighted sums cannot distinguish intent from intensity.
Each threat category defines a signature: a set of required features that must ALL be present, plus a list of confirming features where at least one must also match. A single feature never triggers alone, no matter how anomalous.
Cryptominer requires sustained CPU AND specific mining patterns AND at least one of: known pool connections, GPU compute abuse, or hashrate fingerprint. Compiling code has sustained CPU but no mining patterns — never triggers. The combination is the signature, not any individual feature.
21 signatures total. 0.7ms to evaluate all of them.
| Category | Detected | Rate |
|---|---|---|
| Cryptominer | 3/3 | 100% |
| Ransomware | 3/3 | 100% |
| DDoS | 2/3 | 67% |
| Timebomb | 2/2 | 100% |
| Exfiltration | 3/3 | 100% |
| Privilege Escalation | 2/2 | 100% |
| Lateral Movement | 2/2 | 100% |
| Rootkit | 2/2 | 100% |
| Keylogger | 1/1 | 100% |
| Backdoor | 2/2 | 100% |
| Supply Chain | 2/2 | 100% |
| Credential Attack | 2/2 | 100% |
| Evasion | 2/2 | 100% |
| Integrity | 1/1 | 100% |
The one miss: a UDP flood DDoS variant that lacked diverse_targets. The signature requires evidence of targeting multiple destinations — a single-target UDP flood looks like a legitimate high-bandwidth stream. This is a hard edge of the rule-based approach.
| Workload | Verdict |
|---|---|
| Web browsing | CLEAN |
| Compiling code | CLEAN |
| Video encoding | CLEAN |
| Database backup | CLEAN |
| System update | CLEAN |
| Docker build | CLEAN |
| CI pipeline | CLEAN |
| SSH admin session | CLEAN |
| Log rotation | CLEAN |
| npm install | CLEAN |
The DDoS UDP flood without diverse targets is the measured miss. But the deeper limitation is structural: rule-based combination signatures only catch attack patterns that have been defined. Unknown attack patterns — novel zero-days, new lateral movement techniques, creative exfiltration channels — need behavioral baselines, not just signatures.
This system catches known shapes fast and with zero false positives. It does not learn new shapes. That boundary is honest and permanent for this architecture.
10P honest limits: the 29/30 detection rate is self-referential — we designed the signatures and the test cases simultaneously. This is not independent validation. The 0/10 false positive test used 10 hand-picked normal scenarios, not real production workload traces. Five novel attack patterns (living-off-the-land, slow exfiltration, insider threat, encrypted C2 via CDN, subtle supply chain) would all evade these signatures. An attacker who knows the required features can avoid them. This demonstrates the combination-signature principle, not a validated security product. Real security tools (CrowdStrike, etc.) use ML-based anomaly detection that handles novel patterns.
Computed on Mac Mini M4, 35W.