QSecBit Metric

QSecBit (Quantified Security Bit) is HookProbe’s universal resilience metric - a single number that represents your security posture at any moment.

The Formula

Qsecbit = a*drift + b*p_attack + g*decay + d*q_drift + e*energy_anomaly

Where:

  • drift: Deviation from learned baseline behavior
  • p_attack: Probability of active attack (from Napse intent classification)
  • decay: Time since last baseline update
  • q_drift: Quantum of behavioral shift
  • energy_anomaly: Unusual power consumption patterns

RAG Status

QSecBit translates to intuitive status colors:

| Status | Score Range | Meaning | Action |
|--------|-------------|---------|--------|
| GREEN | < 0.45 | Normal | Learning baseline |
| AMBER | 0.45 - 0.70 | Warning | Auto-response triggered |
| RED | > 0.70 | Critical | Full mitigation deployed |

Score Breakdown

Every QSecBit score can be decomposed:

hookprobe-ctl metrics | jq '.qsecbit'
{
  "score": 0.32,
  "status": "GREEN",
  "components": {
    "threats": {
      "value": 0.10,
      "weight": 0.30,
      "contribution": 0.03
    },
    "mobile": {
      "value": 0.15,
      "weight": 0.20,
      "contribution": 0.03
    },
    "ids": {
      "value": 0.08,
      "weight": 0.25,
      "contribution": 0.02
    },
    "xdp": {
      "value": 0.12,
      "weight": 0.15,
      "contribution": 0.018
    },
    "network": {
      "value": 0.05,
      "weight": 0.02,
      "contribution": 0.001
    },
    "dnsxai": {
      "value": 0.18,
      "weight": 0.08,
      "contribution": 0.0144
    }
  },
  "timestamp": "2025-12-07T18:35:00Z"
}

Component Details

Threats Component (30%)

Aggregates threat intelligence from Napse intent classifications:

  • Active attack indicators (high-confidence C2, exfiltration intents)
  • Kill chain progression (HMM state escalation from recon to C2)
  • Command & control activity
  • Lateral movement patterns

Mobile/Network Trust (20%)

Evaluates network environment:

  • WiFi security level
  • ARP spoofing detection
  • Evil twin detection
  • MITM indicators

IDS Component (25%)

Napse intent classifications:

  • Bayesian intent class detections (confidence-weighted)
  • Protocol anomalies from Aegis feature vectors
  • Traffic pattern analysis
  • Kill chain state transitions

XDP Component (15%)

Aegis kernel-level statistics:

  • Packet drop rates
  • DDoS indicators
  • Port scan detection
  • SYN flood metrics
  • Shannon entropy anomalies

Network Stability (2%)

Connection health:

  • Latency anomalies
  • Packet loss
  • Bandwidth utilization
  • Route changes

dnsXai Component (8%)

DNS protection metrics:

  • Blocked domain count
  • Classification confidence
  • Entropy anomalies
  • CNAME uncloaking

Thresholds

Default thresholds (configurable):

/etc/hookprobe/network-config.sh
QSECBIT_AMBER_THRESHOLD=0.45
QSECBIT_RED_THRESHOLD=0.70

Automatic Responses

| Threshold | Response |
|-----------|----------|
| GREEN -> AMBER | Increase logging, alert |
| AMBER -> RED | Enable full mitigation, block suspicious |
| RED sustained | Isolate affected systems |
| Any -> GREEN | Resume normal operation |

Real-Time Monitoring

Dashboard

The web dashboard displays:

  • Current score with gauge
  • Historical trend graph
  • Component breakdown
  • Recent score changes

CLI

# Current score
hookprobe-ctl health
# Detailed metrics
hookprobe-ctl metrics
# Watch real-time
watch -n 1 hookprobe-ctl health

API

curl http://localhost:8888/metrics | jq '.qsecbit'

Score History

QSecBit scores are retained for analysis:

# View historical scores
hookprobe-ctl metrics --history --since 24h

Auditable Decisions

Every score change is logged:

# View score change events
journalctl -u hookprobe-agent | grep qsecbit

Example log:

Feb 16 14:22:03 hookprobe[1234]: QSecBit changed: 0.32 -> 0.48 (AMBER)
Feb 16 14:22:03 hookprobe[1234]: Reason: IDS component increased (0.08 -> 0.35)
Feb 16 14:22:03 hookprobe[1234]: Trigger: napse:intent:c2 confidence=0.94 hmm_state=install
Feb 16 14:22:03 hookprobe[1234]: Action: Auto-response enabled, logging increased
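
The change events above can be turned into structured records for correlation with incidents, as in this added example (not part of HookProbe). The line layout is inferred only from the four sample lines on this page; the function names and the optional hostname field are assumptions.

```python
import re

# The four journal lines shown on the page, verbatim.
SAMPLE = """\
Feb 16 14:22:03 hookprobe[1234]: QSecBit changed: 0.32 -> 0.48 (AMBER)
Feb 16 14:22:03 hookprobe[1234]: Reason: IDS component increased (0.08 -> 0.35)
Feb 16 14:22:03 hookprobe[1234]: Trigger: napse:intent:c2 confidence=0.94 hmm_state=install
Feb 16 14:22:03 hookprobe[1234]: Action: Auto-response enabled, logging increased
"""

# Assumed layout: syslog-style prefix, optional hostname, then the message.
LINE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8}) (?:\S+ )?hookprobe\[(?P<pid>\d+)\]: (?P<msg>.*)$")
CHANGE = re.compile(
    r"^QSecBit changed: (?P<old>[\d.]+) -> (?P<new>[\d.]+) \((?P<status>GREEN|AMBER|RED)\)$")
DETAIL = re.compile(r"^(?P<key>Reason|Trigger|Action): (?P<value>.*)$")
SEVERITY = {"GREEN": 0, "AMBER": 1, "RED": 2}


def parse_events(text):
    """Group each 'QSecBit changed' line with the detail lines that follow it."""
    events, current = [], None
    for raw in text.splitlines():
        line = LINE.match(raw.strip())
        if not line:
            continue  # not a hookprobe line, or an unknown layout
        change = CHANGE.match(line["msg"])
        detail = DETAIL.match(line["msg"])
        if change:
            current = {"time": line["ts"], "pid": int(line["pid"]),
                       "old": float(change["old"]), "new": float(change["new"]),
                       "status": change["status"]}
            events.append(current)
        elif detail and current and current["pid"] == int(line["pid"]):
            key, value = detail["key"].lower(), detail["value"]
            current[key] = value
            if key == "trigger":
                # key=value pairs after the trigger name, e.g. confidence=0.94
                current["trigger_fields"] = dict(re.findall(r"(\w+)=(\S+)", value))
    return events


def escalations(events, min_status="AMBER"):
    """Events where the score rose and the new status is at least min_status."""
    floor = SEVERITY[min_status]
    return [e for e in events if e["new"] > e["old"] and SEVERITY[e["status"]] >= floor]
```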

Tuning

Adjusting Weights

For specific environments, adjust component weights:

# Example: Increase IDS weight for high-security zone
WEIGHTS = {
    "threats": 0.25,
    "mobile": 0.15,
    "ids": 0.35,  # Increased
    "xdp": 0.15,
    "network": 0.02,
    "dnsxai": 0.08
}

Adjusting Thresholds

For paranoid mode:

QSECBIT_AMBER_THRESHOLD=0.30
QSECBIT_RED_THRESHOLD=0.50

For relaxed environments:

QSECBIT_AMBER_THRESHOLD=0.60
QSECBIT_RED_THRESHOLD=0.85
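
A pre-deployment check for the tuning described under Adjusting Weights and Adjusting Thresholds, as an added example (not HookProbe's code). It assumes a weight set must sum to 1.0, as both sets on this page do, and that contribution = value * weight, as the sample output shows; the function names are hypothetical.

```python
import math

# Values and default weights from the page's Score Breakdown sample output.
VALUES = {"threats": 0.10, "mobile": 0.15, "ids": 0.08,
          "xdp": 0.12, "network": 0.05, "dnsxai": 0.18}
DEFAULT_WEIGHTS = {"threats": 0.30, "mobile": 0.20, "ids": 0.25,
                   "xdp": 0.15, "network": 0.02, "dnsxai": 0.08}
# High-security weights from "Adjusting Weights".
HIGH_SEC_WEIGHTS = {"threats": 0.25, "mobile": 0.15, "ids": 0.35,
                    "xdp": 0.15, "network": 0.02, "dnsxai": 0.08}
# (amber, red) pairs from "Thresholds" and "Adjusting Thresholds".
PROFILES = {"default": (0.45, 0.70), "paranoid": (0.30, 0.50),
            "relaxed": (0.60, 0.85)}


def validate_weights(weights, expected=DEFAULT_WEIGHTS):
    """Return a list of problems; empty means the set is consistent.
    Assumption: weights must cover the same components and sum to 1.0."""
    problems = []
    if set(weights) != set(expected):
        problems.append(f"component mismatch: {sorted(set(weights) ^ set(expected))}")
    if any(not 0.0 <= w <= 1.0 for w in weights.values()):
        problems.append("weight outside [0, 1]")
    total = sum(weights.values())
    if not math.isclose(total, 1.0, abs_tol=1e-9):
        problems.append(f"weights sum to {total:.4f}, expected 1.0")
    return problems


def contributions(values, weights):
    """Assumes contribution = value * weight, as in the sample output."""
    return {name: round(values[name] * weights[name], 6) for name in weights}


def rag_status(score, amber, red):
    """GREEN below amber, AMBER from amber through red, RED above red."""
    if not 0.0 <= amber < red:
        raise ValueError("thresholds must satisfy 0 <= amber < red")
    if score > red:
        return "RED"
    return "AMBER" if score >= amber else "GREEN"


def status_by_profile(score):
    """Classify one score under every threshold profile on the page."""
    return {name: rag_status(score, *pair) for name, pair in PROFILES.items()}
```

With the page's sample score of 0.32, `status_by_profile` returns GREEN under the default and relaxed thresholds and AMBER under the paranoid ones, so tightening thresholds triggers auto-response on scores that were previously treated as normal.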

Mesh-Wide QSecBit

The mesh aggregates scores from all nodes:

Global QSecBit = weighted_average(all_node_scores)

This provides:

  • Overall mesh health
  • Early warning of coordinated attacks
  • Trend analysis

Why QSecBit Matters

Transparency

Every security decision traces back to QSecBit:

  • Why was traffic blocked? -> Score triggered RED
  • Why were logs increased? -> Score entered AMBER
  • Why is the dashboard green? -> All components healthy

Auditability

Compliance teams can:

  • Track score history
  • Correlate with incidents
  • Demonstrate due diligence
  • Export for reporting

Actionability

Operations teams know:

  • What to investigate
  • Which component is problematic
  • When normal returns
  • What changed
