Security Engines
HookProbe uses multiple security engines for defense in depth. Each engine provides different capabilities that combine into a comprehensive detection system.
Engine Stack
```text
+---------------------------------------------------------------+
|                     SECURITY ENGINE STACK                     |
+---------------------------------------------------------------+
|                                                               |
|  Layer 1: Aegis (Zig + eBPF) ----------------------> Kernel   |
|    * XDP packet intake (zero-copy)                            |
|    * Shannon entropy computation                              |
|    * Feature vector extraction                                |
|    * Comptime protocol parsers                                |
|         |                                                     |
|         v                                                     |
|  BPF Ring Buffer (shared memory)                              |
|         |                                                     |
|         v                                                     |
|  Layer 2: Napse (Mojo AI) -----------------------> Inference  |
|    * SIMD-vectorized Bayesian classifier                      |
|    * HMM kill chain tracking                                  |
|    * Autotuning Bayesian priors                               |
|    * Intent event synthesis                                   |
|         |                                                     |
|         v                                                     |
|  Layer 3: dnsXai -----------------------------> AI DNS        |
|    * ML classification                                        |
|    * Entropy analysis                                         |
|    * CNAME uncloaking                                         |
|         |                                                     |
|         v                                                     |
|  Layer 4: AEGIS + QSecBit --------------------> Intelligence  |
|    * 8-agent AI orchestration                                 |
|    * Unified scoring                                          |
|    * Mesh coordination                                        |
|                                                               |
+---------------------------------------------------------------+
```

Aegis — Kernel-Level Packet Intake (Zig + eBPF)
Purpose
Aegis is the kernel-level XDP packet intake engine, written in Zig and compiled to eBPF bytecode. It operates at the earliest possible point in the Linux network stack, before any memory allocation or kernel processing occurs.
Architecture
```text
+---------------------------------------------------------------+
|                    AEGIS XDP ARCHITECTURE                     |
+---------------------------------------------------------------+
|                                                               |
|  NIC Driver (enp0s6 / dummy-mirror)                           |
|         |                                                     |
|         v                                                     |
|  XDP Hook (pre-allocation)                                    |
|         |                                                     |
|         v                                                     |
|  Aegis XDP Program:                                           |
|    1. Whitelist/Blocklist check (BPF hash maps)               |
|    2. Rate limiting (LRU hash, per-tenant per-IP)             |
|    3. Dynamic IPS blocks (from Qsecbit feedback)              |
|    4. Shannon entropy computation (4-bit histogram)           |
|    5. Protocol classification (comptime parsers)              |
|    6. Feature vector extraction (32 bytes)                    |
|    7. Tenant ID injection (LPM trie lookup)                   |
|    8. Emit aegis_observation to BPF ring buffer               |
|         |                                                     |
|         v                                                     |
|  BPF Ring Buffer (16 MB, zero-copy to userspace)              |
|         |                                                     |
|         v                                                     |
|  Napse (Mojo, userspace consumer)                             |
|                                                               |
+---------------------------------------------------------------+
```

Capabilities
| Feature | Description |
|---|---|
| XDP Zero-Copy Intake | Packets processed before kernel stack allocation |
| Shannon Entropy | In-kernel entropy computation for encrypted/compressed payload detection |
| Comptime Protocol Parsers | Zig comptime generates specialized parsers for each L7 protocol |
| Feature Vector Extraction | 32-byte feature vector per packet for downstream ML inference |
| DDoS Mitigation | SYN flood, UDP flood, ICMP flood detection and drop |
| Rate Limiting | Per-tenant, per-IP rate limiting with configurable PPS thresholds |
| Dynamic IPS | Qsecbit and Napse can inject blocking rules via BPF maps |
| Line Rate | >10 Mpps on commodity hardware |
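To make the order of the checks above concrete, here is an added userspace model of the Aegis decision path in Python. It is example code written for this page, not HookProbe's Zig/eBPF program: the map shapes, the byte-level entropy (the kernel uses a coarser 4-bit histogram), the 32-bin histogram used as the feature vector, the tenant-on-destination-prefix rule and the packing order of `aegis_observation` are all assumptions, and the packets fed to it are constructed.

```python
import math
import struct
from collections import defaultdict

# Limits from the page's Aegis configuration
AEGIS_RATE_LIMIT_PPS = 10000
AEGIS_SYN_RATE_LIMIT = 1000
TCP_SYN = 0x02

# Assumed packing of aegis_observation: the field list is the one in the page's
# ring buffer section; little-endian with no padding is this example's choice.
OBS_FMT = "<QIIIBHHBHfB32s"
OBS_FIELDS = ("timestamp_ns", "tenant_id", "src_ip", "dst_ip", "proto", "src_port", "dst_port",
              "tcp_flags", "payload_len", "shannon_entropy", "protocol_class", "feature_vector")
OBS_SIZE = struct.calcsize(OBS_FMT)   # 65 bytes with this packing


def shannon_entropy(payload: bytes) -> float:
    """Byte-level Shannon entropy in bits (0.0 empty, 8.0 uniform).  The kernel
    program bins into a 4-bit histogram; byte level is the 0..8 scale the page's
    example events report."""
    if not payload:
        return 0.0
    n, counts = len(payload), [0] * 256
    for b in payload:
        counts[b] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def feature_vector(payload: bytes) -> bytes:
    """32-byte feature vector; assumption: a 32-bin byte histogram scaled to 0..255."""
    bins = [0] * 32
    for b in payload:
        bins[b >> 3] += 1
    top = max(bins) or 1
    return bytes((c * 255) // top for c in bins)


def ip_to_u32(ip: str) -> int:
    a, b, c, d = (int(x) for x in ip.split("."))
    return (a << 24) | (b << 16) | (c << 8) | d


def unpack_observation(obs: bytes) -> dict:
    return dict(zip(OBS_FIELDS, struct.unpack(OBS_FMT, obs)))


class AegisModel:
    """Applies the page's checks in order: blocklist, per-tenant per-IP rate limit,
    SYN rate limit, entropy, feature extraction, tenant lookup, emit observation."""

    def __init__(self, blocklist, tenant_prefixes):
        self.blocklist = {ip_to_u32(ip) for ip in blocklist}   # stands in for the BPF hash map
        self.tenants = []   # (network, prefix_len, tenant_id); linear scan stands in for the LPM trie
        for prefix, tid in tenant_prefixes.items():
            net, plen = prefix.split("/")
            self.tenants.append((ip_to_u32(net), int(plen), tid))
        self.pps = defaultdict(int)            # (second, tenant, src) -> packets
        self.syn_pps = defaultdict(int)
        self.drop_reasons = defaultdict(int)   # same counters as aegis_drop_reasons

    def tenant_for(self, ip_u32: int) -> int:
        best_len, best_tid = -1, 0
        for net, plen, tid in self.tenants:
            mask = (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF
            if (ip_u32 & mask) == net and plen > best_len:
                best_len, best_tid = plen, tid
        return best_tid

    def process(self, ts_ns, src_ip, dst_ip, proto, sport, dport, tcp_flags, payload):
        """Returns ("DROP", reason) or ("PASS", packed_observation)."""
        src, dst = ip_to_u32(src_ip), ip_to_u32(dst_ip)
        if src in self.blocklist:
            self.drop_reasons["ddos_blocklist"] += 1
            return "DROP", "ddos_blocklist"
        tenant = self.tenant_for(dst)   # assumption: tenant keyed on the protected (dst) prefix
        key = (ts_ns // 1_000_000_000, tenant, src)
        self.pps[key] += 1
        if self.pps[key] > AEGIS_RATE_LIMIT_PPS:
            self.drop_reasons["rate_limit"] += 1
            return "DROP", "rate_limit"
        if proto == 6 and tcp_flags & TCP_SYN:
            self.syn_pps[key] += 1
            if self.syn_pps[key] > AEGIS_SYN_RATE_LIMIT:
                self.drop_reasons["rate_limit"] += 1
                return "DROP", "syn_rate_limit"
        protocol_class = 1 if dport == 443 else 0   # assumption: 1 = tls, 0 = other
        obs = struct.pack(OBS_FMT, ts_ns, tenant, src, dst, proto, sport, dport, tcp_flags,
                          len(payload), shannon_entropy(payload), protocol_class,
                          feature_vector(payload))
        return "PASS", obs


if __name__ == "__main__":
    # Constructed packets, not captured traffic
    aegis = AegisModel(blocklist=["203.0.113.9"], tenant_prefixes={"10.1.0.0/16": 1})
    print(aegis.process(1_000, "203.0.113.9", "10.1.0.5", 6, 4444, 443, 0x18, b"x"))
    verdict, obs = aegis.process(2_000, "192.0.2.7", "10.1.0.5", 6, 50000, 443, 0x18,
                                 bytes(range(256)) * 4)
    print(verdict, unpack_observation(obs)["shannon_entropy"])   # PASS 8.0
```

The order matters: the blocklist and rate-limit checks return before any per-byte work, so a flood is dropped at the cost of a map lookup, and the entropy and feature computation only run for packets that are going to be emitted.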
Configuration
```bash
# Enable Aegis XDP
AEGIS_ENABLED=true

# Set rate limits
AEGIS_RATE_LIMIT_PPS=10000
AEGIS_SYN_RATE_LIMIT=1000

# Ring buffer size
AEGIS_RINGBUF_SIZE_MB=16
```

Metrics
```bash
hookprobe-ctl metrics | grep aegis
```

```json
{
  "aegis_packets_total": 1234567,
  "aegis_packets_dropped": 4521,
  "aegis_observations_emitted": 1230046,
  "aegis_drop_reasons": {
    "ddos_blocklist": 3200,
    "rate_limit": 1321
  },
  "aegis_ringbuf_overflow": 0
}
```

Shared Memory Ring Buffer
Purpose
The BPF ring buffer is the zero-copy communication channel between Aegis (kernel space) and Napse (userspace). It eliminates serialization overhead by sharing binary structs directly.
Architecture
```text
+---------------------------------------------------------------+
|             BPF RING BUFFER (16 MB shared memory)             |
+---------------------------------------------------------------+
|                                                               |
|  Producer: Aegis XDP (kernel space, single writer)            |
|  Consumer: Napse Mojo (userspace, single reader via epoll)    |
|                                                               |
|  Struct: aegis_observation (cache-line aligned)               |
|    - timestamp_ns (u64)                                       |
|    - tenant_id (u32)                                          |
|    - src_ip, dst_ip (u32 each)                                |
|    - proto, ports (u8, u16 each)                              |
|    - tcp_flags (u8)                                           |
|    - payload_len (u16)                                        |
|    - shannon_entropy (f32)                                    |
|    - protocol_class (u8)                                      |
|    - feature_vector ([u8; 32])                                |
|                                                               |
|  Throughput: >5M observations/sec                             |
|  Latency: <1 microsecond (kernel to userspace)                |
|  Backpressure: BPF_RINGBUF_BUSY flag                          |
|                                                               |
+---------------------------------------------------------------+
```

Napse — Mojo AI Intent Classification
“See every packet. Understand every intent.”
Purpose
Napse is HookProbe’s proprietary AI-native detection engine, written in Mojo for maximum SIMD performance. It consumes observations from the Aegis ring buffer and classifies network activity into threat intents using Bayesian inference and Hidden Markov Model (HMM) kill chain tracking.
Architecture
```text
+---------------------------------------------------------------+
|                    NAPSE MOJO ARCHITECTURE                    |
+---------------------------------------------------------------+
|                                                               |
|  Ring Buffer Consumer (epoll-based polling)                   |
|         |                                                     |
|         v                                                     |
|  Bayesian Intent Classifier (SIMD-vectorized)                 |
|    P(M|x) = P(x|M) * P(M) / P(x)                              |
|    - Intent classes: c2, exfiltration, recon, lateral,        |
|      privilege_escalation, scanning, benign                   |
|    - Prior P(M) updated via autotuning (network baseline)     |
|    - Likelihood P(x|M) from feature vector similarity         |
|         |                                                     |
|         v                                                     |
|  HMM Kill Chain Tracker                                       |
|    States: recon -> weaponize -> exploit -> install -> c2     |
|    - Viterbi decoding for most likely state sequence          |
|    - Per-source-IP state tracking                             |
|    - State transition probabilities learned from data         |
|         |                                                     |
|         v                                                     |
|  Intent Event Synthesis                                       |
|    - intents.json: classified intent events                   |
|    - flows.json: connection-level flow summaries              |
|    - Direct feed to QSecBit + AEGIS orchestrator              |
|                                                               |
+---------------------------------------------------------------+
```

Capabilities
| Feature | Description |
|---|---|
| SIMD-Vectorized Inference | Mojo SIMD intrinsics for parallel Bayesian computation across observation batches |
| Bayesian Intent Attribution | P(M|x) = P(x|M) * P(M) / P(x) — probabilistic classification with calibrated confidence |
| HMM Kill Chain Tracking | Hidden Markov Model tracks attacker progression through kill chain stages |
| Autotuning Priors | Bayesian priors self-adjust based on rolling network baseline statistics |
| Intent Classes | c2, exfiltration, reconnaissance, lateral_movement, privilege_escalation, scanning, anomalous, benign |
| Flow Correlation | Observations grouped into flows for connection-level analysis |
Bayesian Intent Attribution
The core classification algorithm uses Bayes’ theorem to compute the posterior probability of each intent class given an observation:
P(M|x) = P(x|M) * P(M) / P(x)
Where:

- M = intent class (e.g., c2, exfiltration, recon)
- x = feature vector from Aegis observation
- P(M) = prior probability of intent class (autotuned from baseline)
- P(x|M) = likelihood of observing features given intent class
- P(x) = marginal likelihood (normalization constant)

The classifier maintains a likelihood model per intent class, trained on labeled network data. Priors are continuously updated based on the rolling baseline of observed traffic, ensuring the classifier adapts to each deployment environment.
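The following added Python example carries the Bayes step and the HMM kill chain tracking from the architecture diagram through on constructed data. It is not Napse's Mojo code: the diagonal-Gaussian likelihood model, the two-feature vector (entropy and timing regularity), the class-to-state mapping and the transition probabilities are assumptions chosen for illustration; the kill chain states and the `initial_state` come from the page's `[hmm]` configuration.

```python
import math

# Kill chain states from the page's [hmm] configuration
KILL_CHAIN = ["recon", "weaponize", "exploit", "install", "c2"]

# Assumption: which intent classes are evidence for which HMM state
CLASS_TO_STATE = {"recon": "recon", "scanning": "recon", "privilege_escalation": "exploit",
                  "lateral": "install", "c2": "c2", "exfiltration": "c2"}   # benign -> none

# Assumption: illustrative transition probabilities (the page says these are
# learned from data); forward-only, each state may also repeat
TRANSITIONS = {
    "recon":     {"recon": 0.8, "weaponize": 0.1, "exploit": 0.1},
    "weaponize": {"weaponize": 0.5, "exploit": 0.5},
    "exploit":   {"exploit": 0.5, "install": 0.5},
    "install":   {"install": 0.5, "c2": 0.5},
    "c2":        {"c2": 1.0},
}


class BayesianIntentClassifier:
    """P(M|x) = P(x|M) * P(M) / P(x).  P(x|M) is a diagonal Gaussian per class
    (an assumption; the page only says the likelihood comes from feature
    vector similarity)."""

    def __init__(self, priors, models):
        self.priors = dict(priors)   # P(M); replaced by autotune()
        self.models = models         # {class: [(mean, std) per feature]}

    def log_likelihood(self, cls, x):
        ll = 0.0
        for xi, (mu, sd) in zip(x, self.models[cls]):
            ll += -0.5 * ((xi - mu) / sd) ** 2 - math.log(sd * math.sqrt(2 * math.pi))
        return ll

    def posterior(self, x):
        """P(x) is the sum over classes of P(x|M) P(M); done in log space so a
        tiny likelihood cannot underflow to zero."""
        logp = {m: self.log_likelihood(m, x) + math.log(self.priors[m]) for m in self.priors}
        top = max(logp.values())
        z = sum(math.exp(v - top) for v in logp.values())
        return {m: math.exp(v - top) / z for m, v in logp.items()}

    def autotune(self, baseline_counts, floor=0.01):
        """Refresh P(M) from the rolling baseline of classified traffic; the
        floor keeps a class never seen in the baseline reachable."""
        total = sum(baseline_counts.values()) or 1
        raw = {m: max(floor, baseline_counts.get(m, 0) / total) for m in self.priors}
        norm = sum(raw.values())
        self.priors = {m: v / norm for m, v in raw.items()}


def emissions_from_posterior(post, floor=0.02):
    """Per-state emission scores for one observation: the posterior mass of the
    classes that map to each state, plus a floor so no state is impossible."""
    em = {s: floor for s in KILL_CHAIN}
    for cls, p in post.items():
        state = CLASS_TO_STATE.get(cls)
        if state:
            em[state] += p
    return em


def viterbi(emissions, transitions=TRANSITIONS, initial="recon"):
    """Most likely kill-chain state sequence for one source IP.  initial is
    the initial_state from the [hmm] configuration."""
    n = len(emissions)
    score = [{} for _ in range(n)]
    back = [{} for _ in range(n)]
    for s in KILL_CHAIN:
        start = 1.0 if s == initial else 1e-6   # tiny mass lets a trace start mid-chain
        score[0][s] = math.log(start) + math.log(emissions[0][s])
    for t in range(1, n):
        for s in KILL_CHAIN:
            best_prev, best = None, -math.inf
            for prev in KILL_CHAIN:
                tp = transitions[prev].get(s, 0.0)
                if tp > 0 and score[t - 1][prev] + math.log(tp) > best:
                    best, best_prev = score[t - 1][prev] + math.log(tp), prev
            score[t][s] = best + math.log(emissions[t][s])
            back[t][s] = best_prev
    state = max(KILL_CHAIN, key=lambda s: score[n - 1][s])
    path = [state]
    for t in range(n - 1, 0, -1):
        state = back[t][state]
        path.append(state)
    return path[::-1]


# Constructed two-feature model: [shannon_entropy (0..8), timing_regularity (0..1)]
MODELS = {"c2": [(7.8, 0.3), (0.9, 0.1)],
          "recon": [(2.0, 1.0), (0.7, 0.2)],
          "benign": [(4.5, 1.5), (0.3, 0.25)]}
PRIORS = {"c2": 0.02, "recon": 0.08, "benign": 0.90}

if __name__ == "__main__":
    clf = BayesianIntentClassifier(PRIORS, MODELS)
    trace = [clf.posterior([2.0, 0.7])] * 2 + [clf.posterior([7.8, 0.9])] * 4
    print(viterbi([emissions_from_posterior(p) for p in trace]))
```

Two points the code makes visible: the prior is not a formality (with c2 at 2% the posterior still exceeds 0.9 for a high-entropy, highly regular flow because the likelihood ratio is large), and the Viterbi path can only move forward through the chain, so a source that has reached `c2` is not re-labelled `recon` by one ambiguous observation.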
Performance
| Metric | Aegis + Napse | Innovation over Legacy IDS |
|---|---|---|
| RAM Usage | ~150MB (Aegis) + ~300MB (Napse) | 4x less than traditional IDS stacks |
| CPU Idle | <0.5% (Aegis kernel) + <2% (Napse) | 10-20x more efficient |
| Startup Time | <1 second | 25x faster |
| Max Throughput | ~15 Gbps | 15x higher |
| Classification Latency | <500 microseconds | 200x faster |
| Container Image | ~50MB (Aegis) + ~80MB (Napse) | 7x smaller |
Napse Intent Event Example
```json
{
  "timestamp": "2026-02-16T14:22:03.123456",
  "engine": "napse",
  "event_type": "intent",
  "src_ip": "192.168.1.100",
  "src_port": 54321,
  "dst_ip": "1.2.3.4",
  "dst_port": 443,
  "tenant_id": 1,
  "intent": {
    "intent_class": "c2",
    "confidence": 0.94,
    "hmm_state": "install",
    "kill_chain_phase": "installation",
    "prior": 0.02,
    "likelihood": 0.87,
    "bayesian_factors": {
      "entropy_score": 0.92,
      "timing_regularity": 0.88,
      "payload_pattern": 0.96,
      "destination_reputation": 0.91
    }
  },
  "flow": {
    "flow_id": 8847291,
    "duration_ms": 4200,
    "bytes_sent": 1024,
    "bytes_recv": 48576
  },
  "aegis_features": {
    "shannon_entropy": 7.82,
    "protocol_class": "tls",
    "tcp_flags": "PA"
  }
}
```

Napse Output Format
Napse produces two output files:
intents.json — Intent classifications (one JSON object per line):
```json
{"timestamp":"...","intent_class":"c2","confidence":0.94,"hmm_state":"install","src_ip":"...","dst_ip":"..."}
{"timestamp":"...","intent_class":"reconnaissance","confidence":0.71,"hmm_state":"recon","src_ip":"...","dst_ip":"..."}
```

flows.json — Connection-level flow summaries (one JSON object per line):

```json
{"timestamp":"...","flow_id":8847291,"src_ip":"...","dst_ip":"...","duration":4.2,"bytes_sent":1024,"bytes_recv":48576,"intent_summary":"c2","max_confidence":0.94}
{"timestamp":"...","flow_id":8847292,"src_ip":"...","dst_ip":"...","duration":0.3,"bytes_sent":200,"bytes_recv":800,"intent_summary":"benign","max_confidence":0.12}
```

Configuration
```toml
[source]
ringbuf_path = "/sys/fs/bpf/hookprobe/aegis_ringbuf"
poll_timeout_ms = 10

[inference]
simd_width = 256          # AVX2 (512 for AVX-512)
batch_size = 64           # observations per inference batch
min_confidence = 0.6      # minimum confidence to emit intent

[hmm]
states = ["recon", "weaponize", "exploit", "install", "c2"]
initial_state = "recon"
viterbi_window = 100      # observations per Viterbi decode

[autotuning]
enabled = true
baseline_window_hours = 24
prior_update_interval_sec = 60
target_latency_us = 100

[output]
intents_path = "/var/log/napse/intents.json"
flows_path = "/var/log/napse/flows.json"
qsecbit_feed = true
aegis_feed = true
clickhouse_batch_size = 1000
clickhouse_flush_interval_ms = 5000
```

dnsXai DNS Protection
Purpose
AI-powered DNS classification with explainable decisions.
Capabilities
| Feature | Description |
|---|---|
| ML Classification | Neural network categorization |
| Entropy Analysis | Detect DGA domains |
| CNAME Uncloaking | Reveal hidden trackers |
| Whitelist/Blacklist | User-configurable |
Classification Output
```json
{
  "domain": "suspicious-tracker.com",
  "decision": "BLOCKED",
  "confidence": 0.92,
  "category": "TRACKING",
  "features": {
    "shannon_entropy": 4.2,
    "ad_pattern_score": 0.15,
    "cname_uncloaked": "adobe.demdex.net",
    "blocklist_match": false,
    "ml_classification": "TRACKING"
  },
  "explanation": "High entropy domain resolving to known tracker"
}
```

Categories
| Category | Description |
|---|---|
| MALWARE | Known malicious domains |
| TRACKING | Advertising trackers |
| PHISHING | Credential theft |
| C2 | Command and control |
| DGA | Algorithmically generated |
| SUSPICIOUS | Unknown but risky |
| BENIGN | Safe to allow |
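The added Python example below shows how the entropy analysis, CNAME uncloaking and list checks combine into a decision in the output format shown above. It is written for this page and is not dnsXai's model: a fixed rule set stands in for the neural classifier, the CNAME records, blocklist, tracker set and whitelist are constructed (no real domains), scoring the leftmost label for entropy and the `SUSPICIOUS` band just below the threshold are assumptions, and `ALLOWED` is assumed as the non-blocking decision. The `entropy_threshold` and `confidence_threshold` values are the ones from the dnsxai configuration on this page.

```python
import math

# Thresholds from the page's dnsxai configuration
ENTROPY_THRESHOLD = 4.0
CONFIDENCE_THRESHOLD = 0.85
MAX_CNAME_HOPS = 8        # assumption: guard against long or looping chains

# Constructed stand-ins for live DNS answers, the downloaded blocklists and
# the user's whitelist (none of these names are real)
CNAME_RECORDS = {
    "metrics.shop.example": "shop.collect.example",
    "shop.collect.example": "pixel.tracker.example",
    "news.shop.example": "pixel.tracker.example",
    "loop-a.example": "loop-b.example",
    "loop-b.example": "loop-a.example",
}
BLOCKLIST = {"bad.malware.example"}
TRACKER_DOMAINS = {"pixel.tracker.example"}
WHITELIST = {"news.shop.example"}


def shannon_entropy(text: str) -> float:
    """Character-level Shannon entropy in bits."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def uncloak(domain: str):
    """Follow CNAME records to the final target; returns (target, chain).
    Stops on a loop or after MAX_CNAME_HOPS."""
    chain, seen, cur = [], {domain}, domain
    while cur in CNAME_RECORDS and len(chain) < MAX_CNAME_HOPS:
        nxt = CNAME_RECORDS[cur]
        chain.append(nxt)
        if nxt in seen:
            break                     # loop: stop where we are
        seen.add(nxt)
        cur = nxt
    return cur, chain


def classify(domain: str) -> dict:
    """Decision in the page's output format.  Rules stand in for the neural
    model: whitelist first, then blocklist, then uncloaked tracker, then the
    entropy test on the leftmost label (assumption: that is where DGA
    randomness shows)."""
    label = domain.split(".")[0]
    entropy = round(shannon_entropy(label), 3)
    target, chain = uncloak(domain)
    features = {"shannon_entropy": entropy,
                "cname_uncloaked": target if chain else None,
                "blocklist_match": domain in BLOCKLIST or target in BLOCKLIST}
    if domain in WHITELIST:
        category, confidence, why = "BENIGN", 1.0, "whitelisted by user"
    elif features["blocklist_match"]:
        category, confidence, why = "MALWARE", 0.99, "blocklist match"
    elif target in TRACKER_DOMAINS:
        category, confidence, why = "TRACKING", 0.97, f"CNAME chain ends at known tracker {target}"
    elif entropy >= ENTROPY_THRESHOLD:
        confidence = min(0.99, 0.5 + 0.1 * entropy)   # assumed scaling with entropy
        category, why = "DGA", f"high-entropy label ({entropy} bits)"
    elif entropy >= ENTROPY_THRESHOLD - 0.5:
        category, confidence, why = "SUSPICIOUS", 0.6, "entropy just below threshold"
    else:
        category, confidence, why = "BENIGN", 0.95, "no risk indicators"
    blocked = category != "BENIGN" and confidence >= CONFIDENCE_THRESHOLD
    features["ml_classification"] = category
    return {"domain": domain, "decision": "BLOCKED" if blocked else "ALLOWED",
            "confidence": round(confidence, 3), "category": category,
            "features": features, "explanation": why}


if __name__ == "__main__":
    for name in ("metrics.shop.example", "q7zx3kpm9vw2hjr8tn4b.example", "www.shop.example"):
        print(classify(name))
```

The uncloaking step is what makes the tracker case work: `metrics.shop.example` looks first-party on its own, and only the end of its CNAME chain matches the tracker set. The `seen` set and hop limit keep a malicious or misconfigured CNAME loop from stalling the resolver.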
Configuration
```yaml
dnsxai:
  model: "hookprobe-dns-classifier-v3"
  blocklists:
    - "https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts"
    - "https://blocklistproject.github.io/Lists/tracking.txt"
  confidence_threshold: 0.85
  entropy_threshold: 4.0
```

Layer Detector
Purpose
Multi-layer threat detection from L2 to L7.
Detection Capabilities
| Layer | Attacks Detected |
|---|---|
| L2 | ARP spoofing, MAC flooding, VLAN hopping |
| L3 | IP spoofing, ICMP redirect, source routing |
| L4 | Port scanning, SYN flood, connection hijacking |
| L5 | SSL stripping, TLS downgrade |
| L7 | SQL injection, XSS, command injection |
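As an added example of two detections from this table, here is a small Python detector for L2 ARP spoofing (gateway MAC change) and L4 port scanning that emits alerts in the format shown under Alert Format. It is example code for this page, not the Layer Detector's implementation: seeding the IP-to-MAC table with known bindings, alerting once per new MAC while keeping the trusted binding, and the port-scan thresholds (20 distinct ports within 10 s) are assumptions; the events fed to it are constructed.

```python
from collections import defaultdict

# Assumed detection thresholds (the page lists the attack classes, not the limits)
PORT_SCAN_DISTINCT_PORTS = 20
PORT_SCAN_WINDOW_S = 10.0


def make_alert(layer, attack_type, description, details, severity, action="alert"):
    """Alert dictionary in the page's Layer Detector format."""
    return {"layer": layer, "attack_type": attack_type, "description": description,
            "details": details, "severity": severity, "action_taken": action}


class LayerDetector:
    def __init__(self, known_bindings=None):
        # L2 state: IP -> MAC.  Seeding with the known gateway binding means the
        # detector does not simply trust the first ARP reply it sees (assumption:
        # the page does not say how the baseline is learned).
        self.ip_to_mac = dict(known_bindings or {})
        self.arp_alerted = set()              # (ip, new_mac) pairs already reported
        self.port_hits = defaultdict(list)    # L4 state: src -> [(ts, dport)]
        self.scan_alerted = set()
        self.alerts = []

    def on_arp_reply(self, ip, mac):
        """L2: report when a known IP starts answering from a different MAC."""
        old = self.ip_to_mac.get(ip)
        if old is None:
            self.ip_to_mac[ip] = mac          # first sighting: learn it
            return None
        if old == mac or (ip, mac) in self.arp_alerted:
            return None
        self.arp_alerted.add((ip, mac))       # keep the trusted binding, alert once per new MAC
        alert = make_alert("L2", "arp_spoofing", f"MAC address changed for {ip}",
                           {"old_mac": old, "new_mac": mac, "ip": ip}, "high")
        self.alerts.append(alert)
        return alert

    def on_tcp_syn(self, ts, src, dport):
        """L4: report a source that probes many distinct ports inside the window."""
        hits = [(t, p) for t, p in self.port_hits[src] if ts - t <= PORT_SCAN_WINDOW_S]
        hits.append((ts, dport))
        self.port_hits[src] = hits
        ports = {p for _, p in hits}
        if len(ports) < PORT_SCAN_DISTINCT_PORTS or src in self.scan_alerted:
            return None
        self.scan_alerted.add(src)
        alert = make_alert("L4", "port_scanning",
                           f"{len(ports)} distinct ports probed within {PORT_SCAN_WINDOW_S:g}s",
                           {"src_ip": src, "distinct_ports": len(ports),
                            "window_s": PORT_SCAN_WINDOW_S}, "medium")
        self.alerts.append(alert)
        return alert


if __name__ == "__main__":
    # Constructed events, not captured traffic
    det = LayerDetector({"192.168.1.1": "aa:bb:cc:dd:ee:ff"})
    print(det.on_arp_reply("192.168.1.1", "11:22:33:44:55:66"))
    for port in range(1, 21):
        alert = det.on_tcp_syn(100.0 + port * 0.1, "10.0.0.9", port)
    print(alert)
```

Keeping the trusted binding after an alert is a deliberate choice: if the detector learned the new MAC, a second spoofed reply would silence the alert instead of confirming it.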
Alert Format
```json
{
  "layer": "L2",
  "attack_type": "arp_spoofing",
  "description": "MAC address changed for gateway",
  "details": {
    "old_mac": "aa:bb:cc:dd:ee:ff",
    "new_mac": "11:22:33:44:55:66",
    "ip": "192.168.1.1"
  },
  "severity": "high",
  "action_taken": "alert"
}
```

NEURO Engine
Purpose
Neural resonance for device authentication and integrity.
Components
| Component | Function |
|---|---|
| TER Generator | Capture system state |
| Weight Evolution | Deterministic weight updates |
| PoSF Signer | Neural network signatures |
| Resonance Checker | Verify weight alignment |
Temporal Event Record (TER)
```text
TER (64 bytes):
+-- H_Entropy (32 bytes): SHA256(CPU, memory, network, disk)
+-- H_Integrity (20 bytes): RIPEMD160(kernel, binary, config)
+-- Timestamp (8 bytes): Unix microseconds
+-- Sequence (2 bytes): Monotonic counter
+-- Chain_Hash (2 bytes): CRC16(previous TER)
```

Integrity Detection
When a system is compromised:
- H_Integrity changes
- Weight evolution diverges
- Resonance check fails
- Node is flagged
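The added Python example below builds the 64-byte TER layout from the table above, chains records, and replays a chain to show each of the four detection steps. It is not the NEURO engine's code: the CRC-16 variant (CCITT-FALSE), big-endian packing, the sample state and integrity inputs, and the hash-chain stand-in for weight evolution are assumptions made here; RIPEMD-160 falls back to a labelled stand-in only when the local OpenSSL build lacks it.

```python
import hashlib
import struct

# Field order from the page's TER layout: H_Entropy, H_Integrity, Timestamp,
# Sequence, Chain_Hash.  Big-endian packing is an assumption.
TER_FMT = ">32s20sQHH"
TER_SIZE = struct.calcsize(TER_FMT)   # 64 bytes, as on the page


def crc16(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF).  The page says CRC16
    without naming the variant, so this choice is an assumption."""
    crc = 0xFFFF
    for b in data:
        crc ^= b << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) & 0xFFFF if crc & 0x8000 else (crc << 1) & 0xFFFF
    return crc


def ripemd160(data: bytes) -> bytes:
    try:
        return hashlib.new("ripemd160", data).digest()
    except ValueError:   # OpenSSL built without RIPEMD-160
        # stand-in so the example still runs; it is not what the page specifies
        return hashlib.sha256(b"ripemd160-unavailable" + data).digest()[:20]


def build_ter(state_inputs: bytes, integrity_inputs: bytes, ts_us: int, seq: int,
              prev: bytes = b"") -> bytes:
    """One 64-byte Temporal Event Record.  state_inputs stands for the sampled
    CPU/memory/network/disk state and integrity_inputs for kernel, binary and
    config; both are constructed byte strings in this example."""
    h_entropy = hashlib.sha256(state_inputs).digest()
    h_integrity = ripemd160(integrity_inputs)
    chain = crc16(prev) if prev else 0
    return struct.pack(TER_FMT, h_entropy, h_integrity, ts_us, seq & 0xFFFF, chain)


def parse_ter(ter: bytes) -> dict:
    h_e, h_i, ts, seq, chain = struct.unpack(TER_FMT, ter)
    return {"h_entropy": h_e, "h_integrity": h_i, "timestamp_us": ts,
            "sequence": seq, "chain_hash": chain}


def evolve_weights(weights: bytes, ter: bytes) -> bytes:
    """Deterministic weight update driven by the TER stream.  Assumption: a hash
    chain stands in for the page's neural weight evolution; the property that
    matters is that identical TER histories yield identical weights."""
    return hashlib.sha256(weights + ter).digest()


def resonance_check(local_weights: bytes, peer_weights: bytes) -> bool:
    """Two nodes 'resonate' when their evolved weights are aligned."""
    return local_weights == peer_weights


def verify_chain(ters, expected_integrity: bytes):
    """Replay a TER chain; returns (ok, reason, index_of_first_problem)."""
    prev = None
    for i, ter in enumerate(ters):
        rec = parse_ter(ter)
        if rec["h_integrity"] != expected_integrity:
            return False, "integrity_changed", i
        if prev is not None:
            if rec["sequence"] != (prev["sequence"] + 1) & 0xFFFF:
                return False, "sequence_gap", i
            if rec["chain_hash"] != crc16(ters[i - 1]):
                return False, "chain_broken", i
            if rec["timestamp_us"] <= prev["timestamp_us"]:
                return False, "timestamp_not_monotonic", i
        prev = rec
    return True, "ok", len(ters)


if __name__ == "__main__":
    # Constructed inputs: a stable integrity set, then a changed binary
    integ = b"kernel=6.1|binary=hookprobe-v1|config=v1"
    ters, prev = [], b""
    for i in range(3):
        prev = build_ter(b"cpu-sample-%d" % i, integ, 1_700_000_000_000_000 + i, i, prev)
        ters.append(prev)
    print(verify_chain(ters, ripemd160(integ)))
    ters.append(build_ter(b"cpu-sample-3", b"kernel=6.1|binary=MODIFIED|config=v1",
                          1_700_000_000_000_003, 3, ters[-1]))
    print(verify_chain(ters, ripemd160(integ)))
```

The two-byte CRC is only a chain link, not an integrity primitive: it catches a record that was altered or dropped in transit, while the 20-byte `H_Integrity` carries the actual "has the node changed" signal and the weight evolution carries it across nodes.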
Engine Integration
All engines feed into QSecBit:
```python
Qsecbit = (
    0.30 * threats_component +    # Napse intent classifications, Layer Detector
    0.20 * network_component +    # Napse flow analysis
    0.25 * ids_component +        # Napse high-confidence intents
    0.15 * xdp_component +        # Aegis XDP drop statistics
    0.02 * stability_component +  # Connection health
    0.08 * dnsxai_component       # DNS protection
)
```

Metrics
View Engine Stats
```bash
# All engine metrics
hookprobe-ctl metrics

# Specific engine
hookprobe-ctl metrics --engine aegis
hookprobe-ctl metrics --engine napse
hookprobe-ctl metrics --engine dnsxai
```

Health Checks

```bash
# Engine health
hookprobe-ctl health --engines
```

Next Steps
- Monitoring Stack - Observability setup
- QSecBit - Unified scoring
- Debugging - Troubleshooting engines