Security Mesh
The HookProbe Security Mesh is a federated network of edge devices that collaborate to provide collective defense while preserving individual privacy.
Mesh Architecture
```
┌──────────────────────────────────────────────────────────────────────────────┐
│                                HOOKPROBE MESH                                │
├──────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│   ┌──────────────────────────────────────────────────────────────────────┐   │
│   │                                NEXUS                                 │   │
│   │                 ML/AI Heavy Computation · 16GB+ RAM                  │   │
│   │       Train models locally · Full visibility into ML decisions       │   │
│   └──────────────────────────────────────────────────────────────────────┘   │
│                                      ▲                                       │
│                                      │ HTP                                   │
│          ┌───────────────────────────┼───────────────────────────┐           │
│          ▼                           ▼                           ▼           │
│    ┌───────────┐               ┌───────────┐               ┌───────────┐     │
│    │ FORTRESS  │               │ GUARDIAN  │               │ SENTINEL  │     │
│    │Edge Router│               │  Travel   │               │ Validator │     │
│    │    4GB    │               │   1.5GB   │               │   256MB   │     │
│    └───────────┘               └───────────┘               └───────────┘     │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
```
Node Roles
Edge Nodes (Detection)
Edge nodes are the sensors of the mesh:
| Type | RAM | Role |
|---|---|---|
| Sentinel | 256MB | Validation, health monitoring |
| Guardian | 1.5GB | L2-L7 detection, DNS protection |
| Fortress | 4GB | VLAN segmentation, IDS/IPS |
Edge nodes:
- Create microblocks for security events
- Sign with TPM/PoSF
- Gossip to validators
Validators (Consensus)
Validators aggregate edge intelligence:
- Collect microblocks from edge nodes
- Create checkpoints every epoch
- Aggregate BLS signatures
- Byzantine fault tolerant (2/3 majority)
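As an added example that is not HookProbe's own code, here is how a validator could apply the f = (n-1)/3 quorum rule given under Byzantine Fault Tolerance below to a single epoch checkpoint: each registered validator is counted once, an unregistered signer is ignored, and a validator that signs two different digests for the same epoch is excluded. BLS verification is assumed to have happened already, so signers are plain validator IDs, and the equivocation handling is an assumption about validator policy.

```python
from dataclasses import dataclass, field

# Added example (not HookProbe project code): apply the f = (n-1)//3 quorum
# rule to one epoch checkpoint. BLS signature verification is assumed to
# have already succeeded, so signers are validator IDs; the equivocation
# handling below is an assumption, not documented HookProbe behaviour.

def bft_quorum_required(total_validators: int) -> int:
    f = (total_validators - 1) // 3
    return total_validators - f

@dataclass
class EpochCheckpoint:
    epoch: int
    digest: str                 # hash of the checkpoint content being signed
    registry: frozenset         # validator IDs present in the device registry
    seen: dict = field(default_factory=dict)      # validator -> digest signed
    signers: set = field(default_factory=set)     # counted votes for digest
    equivocators: set = field(default_factory=set)

    def add_signature(self, validator_id: str, signed_digest: str) -> bool:
        """Admit one signature; return True if it counts toward quorum."""
        if validator_id not in self.registry or validator_id in self.equivocators:
            return False                      # unregistered or already excluded
        prev = self.seen.get(validator_id)
        if prev is not None and prev != signed_digest:
            # Two different digests for the same epoch: Byzantine behaviour.
            self.equivocators.add(validator_id)
            self.signers.discard(validator_id)
            return False
        self.seen[validator_id] = signed_digest
        if signed_digest != self.digest:
            return False                      # vote for another checkpoint
        self.signers.add(validator_id)        # duplicates collapse to one vote
        return True

    def quorum(self) -> int:
        return bft_quorum_required(len(self.registry))

    def finalized(self) -> bool:
        return len(self.signers) >= self.quorum()
```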
Compute Nodes (Intelligence)
Nexus nodes provide ML capabilities:
- Train threat models locally
- Coordinate federated learning
- Aggregate regional intelligence
- Push hardened models to edge
Data Flow
```
┌──────────────────────────────────────────────────────────────────────────────┐
│                                  DATA FLOW                                   │
├──────────────────────────────────────────────────────────────────────────────┤
│                                                                              │
│    ┌─────────┐       Raw       ┌─────────┐     QSecBit     ┌─────────┐       │
│    │Guardian │  ──telemetry──► │  Nexus  │  ───scores───►  │  Mesh   │       │
│    │Fortress │     (local)     │         │    (derived)    │         │       │
│    │Sentinel │                 │         │                 │         │       │
│    └─────────┘                 └─────────┘                 └─────────┘       │
│                                                                 │            │
│    ┌─────────┐       Hardened  ┌─────────┐     Global      ┌────┴────┐       │
│    │Guardian │  ◄───model────  │  Nexus  │  ◄──updates──   │  Mesh   │       │
│    │Fortress │    (updates)    │         │   (insights)    │         │       │
│    │Sentinel │                 │         │                 │         │       │
│    └─────────┘                 └─────────┘                 └─────────┘       │
│                                                                              │
│                        RAW DATA NEVER LEAVES THE EDGE                        │
│                      Only derived intelligence flows up                      │
│                        Only hardened models flow down                        │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
```
Mesh Communication
HTP Protocol
All mesh communication uses the HookProbe Transport Protocol:
- Port: UDP 8144
- Encryption: ChaCha20-Poly1305
- Key Binding: Session key derived from weight fingerprints
- NAT Traversal: Heartbeat-based keep-alive
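Assuming the handshake order that the Message Types section below implies (HELLO, then CHALLENGE, then ATTEST, then ACCEPT or REJECT), here is a responder-side session state machine as an added example; it is not HookProbe's HTP implementation, and the wire format, the weight-fingerprint key derivation and the ChaCha20-Poly1305 framing are out of scope. The point it shows is that a DATA message arriving before attestation is dropped and counted rather than decrypted.

```python
# Added example (not HookProbe's HTP code): responder-side state machine that
# admits only message types valid in the current session state. The handshake
# order HELLO -> CHALLENGE -> ATTEST -> ACCEPT/REJECT is assumed; no framing.
from enum import Enum

class MessageType(Enum):
    HELLO = 0x01
    CHALLENGE = 0x02
    ATTEST = 0x03
    ACCEPT = 0x04
    REJECT = 0x05
    DATA = 0x10
    HEARTBEAT = 0x20
    ACK = 0x21
    CLOSE = 0xFF

# States: "new" (nothing yet), "challenged" (CHALLENGE sent, awaiting ATTEST),
# "established" (attested, DATA allowed), "closed". Out-of-state messages,
# e.g. DATA before attestation, are dropped and counted, never decrypted.
ALLOWED = {
    "new": {MessageType.HELLO},
    "challenged": {MessageType.ATTEST, MessageType.CLOSE},
    "established": {MessageType.DATA, MessageType.HEARTBEAT,
                    MessageType.ACK, MessageType.CLOSE},
    "closed": set(),
}

class HtpResponder:
    def __init__(self, attest_ok):
        self.state = "new"
        self.attest_ok = attest_ok  # callable verifying the TPM/PoSF blob
        self.dropped = 0            # out-of-state messages (detection signal)

    def handle(self, msg, body=b""):
        """Process one inbound message; return the reply type or None."""
        if msg not in ALLOWED[self.state]:
            self.dropped += 1
            return None
        if msg is MessageType.HELLO:
            self.state = "challenged"
            return MessageType.CHALLENGE
        if msg is MessageType.ATTEST:
            ok = self.attest_ok(body)
            self.state = "established" if ok else "closed"
            return MessageType.ACCEPT if ok else MessageType.REJECT
        if msg is MessageType.CLOSE:
            self.state = "closed"
            return None
        # DATA and HEARTBEAT are acknowledged; an inbound ACK needs no reply.
        return None if msg is MessageType.ACK else MessageType.ACK
```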
Message Types
```python
from enum import Enum


class MessageType(Enum):
    HELLO = 0x01      # Initiate connection
    CHALLENGE = 0x02  # Attestation challenge
    ATTEST = 0x03     # Attestation response
    ACCEPT = 0x04     # Session accepted
    REJECT = 0x05     # Session rejected
    DATA = 0x10       # Encrypted payload
    HEARTBEAT = 0x20  # NAT keep-alive
    ACK = 0x21        # Acknowledgment
    CLOSE = 0xFF      # Close session
```
Collective Defense
Herd Immunity
When one node detects a threat, the entire mesh benefits:
```
T+00s: Mesh detects pattern hitting Nexus A, B, C
       │
       ▼
T+05s: Mesh broadcasts: "Attack signature X detected"
       │
       ├─────────────────────────────────────────────────┐
       ▼               ▼               ▼                 ▼
    Nexus A         Nexus B         Nexus C           Nexus D
     (hit)           (hit)           (hit)             (safe)
       │               │               │                 │
       ▼               ▼               ▼                 ▼
T+10s: All nodes preemptively block signature X
       │
       ▼
T+15s: Nexus D protected BEFORE attack reaches it
```
What Gets Shared
| Data Type | Shared? | Format |
|---|---|---|
| Raw packets | Never | - |
| IP addresses | Never | - |
| Payloads | Never | - |
| QSecBit scores | Yes | Float (0.0-1.0) |
| Attack signatures | Yes | SHA256 hash |
| Neural fingerprints | Yes | ~256 bytes |
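An added example (not HookProbe project code) that applies this table together with the data-flow rule above: the local event's raw fields are dropped, the attack signature is reduced to its SHA256 digest, the QSecBit score is range-checked, and the derived record is re-checked before it may leave the edge. The field names, the sample event and the fixed 256-byte fingerprint length are assumptions.

```python
import hashlib
import re

# Added example (not HookProbe project code): enforce the sharing table above
# before a record is gossiped. Field names and sample values are constructed;
# the neural fingerprint length is assumed to be exactly 256 bytes.
ALLOWED_FIELDS = {"qsecbit_score", "attack_signature", "neural_fingerprint"}
FINGERPRINT_LEN = 256
_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def signature_hash(signature: bytes) -> str:
    """Attack signatures leave the edge only as a SHA256 hex digest."""
    return hashlib.sha256(signature).hexdigest()

def contains_raw_data(record: dict) -> bool:
    """True if a record still carries anything the table marks 'Never'."""
    if set(record) - ALLOWED_FIELDS:
        return True  # raw_packet, src_ip, payload, ... are not shareable
    return any(isinstance(v, str) and _IPV4.search(v) for v in record.values())

def to_shareable(event: dict) -> dict:
    """Derive the mesh-shareable record; raw fields are dropped by construction."""
    score = float(event["qsecbit_score"])
    if not 0.0 <= score <= 1.0:
        raise ValueError("QSecBit score must lie in [0.0, 1.0]")
    fingerprint = bytes(event["neural_fingerprint"])
    if len(fingerprint) != FINGERPRINT_LEN:
        raise ValueError(f"fingerprint must be {FINGERPRINT_LEN} bytes")
    record = {
        "qsecbit_score": score,
        "attack_signature": signature_hash(event["attack_signature"]),
        "neural_fingerprint": fingerprint.hex(),
    }
    if contains_raw_data(record):  # re-check the derived record before release
        raise ValueError("derived record still contains raw data")
    return record

# Constructed local event: raw fields exist on the node but never leave it.
SAMPLE_EVENT = {
    "src_ip": "203.0.113.7",
    "raw_packet": b"\x45\x00\x00\x3c",
    "payload": b"constructed-payload-bytes",
    "qsecbit_score": 0.87,
    "attack_signature": b"constructed-signature-pattern",
    "neural_fingerprint": bytes(range(256)),
}
```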
Byzantine Fault Tolerance
The mesh tolerates malicious nodes:
```python
def bft_quorum_required(total_validators: int) -> int:
    """
    Tolerates f=(n-1)/3 Byzantine validators.

    For n=10: f=3 malicious tolerated, require 7 signatures
    For n=7:  f=2 malicious tolerated, require 5 signatures
    """
    f = (total_validators - 1) // 3
    quorum = total_validators - f
    return quorum
```
Joining the Mesh
New nodes join through attestation:
- Discovery: Node finds bootstrap validators
- Attestation: Node proves hardware identity (TPM/PoSF)
- Registration: Validator adds node to device registry
- Synchronization: Node receives current mesh state
- Participation: Node begins contributing intelligence
Mesh Health
Monitor mesh connectivity:
```bash
# Check mesh status
hookprobe-ctl mesh status

# View connected peers
hookprobe-ctl mesh peers

# View contribution stats
hookprobe-ctl mesh stats
```
Network Requirements
| Port | Protocol | Direction | Purpose |
|---|---|---|---|
| 8144 | UDP | Outbound | HTP mesh communication |
| 7946 | TCP/UDP | Bidirectional | Gossip protocol |
| 8888 | TCP | Local | Health endpoint |
Next Steps
- Collective Defense - How the mesh protects everyone
- DSM Protocol - Technical details of decentralized consensus
- HTP Protocol - Transport layer specification