Nexus (The Brain)

Nexus - The Regional Brain

16GB+ RAM · $2000+ · ML training capability

Nexus is the heavy compute tier designed for organizations that need local ML model training, regional threat aggregation, and fleet management.

What Nexus Enables

Capability | Description
ML Training | Train threat models locally
Federated Learning | Coordinate weight sharing
Fleet Management | Manage regional nodes
ClickHouse Analytics | High-performance queries
GPU Acceleration | NVIDIA/AMD support
High Availability | Redundant deployment

Best For

  • Multi-site organizations
  • Security research teams
  • ML-heavy workloads
  • Regional coordination
  • Data sovereignty requirements

Hardware Requirements

Resource | Minimum | Recommended
CPU | 8 cores | 16+ cores (Xeon, EPYC)
RAM | 16GB | 64GB+
Storage | 256GB SSD | 1TB+ NVMe
Network | 10Gbps | Intel X710 or Mellanox
GPU | Optional | NVIDIA RTX 3060+

Server Configuration:

  • Intel Xeon E-2300 series or AMD EPYC
  • 64GB ECC RAM
  • NVMe storage array
  • Dual 10GbE NICs
  • NVIDIA GPU (optional)

Approximate cost: $2000-5000+

Installation

sudo ./install.sh --tier nexus --enable-gpu --enable-ha

Installation Options

# Standard Nexus
sudo ./install.sh --tier nexus

# With GPU acceleration
sudo ./install.sh --tier nexus --enable-gpu

# High availability mode
sudo ./install.sh --tier nexus --enable-ha

# Full feature set
sudo ./install.sh --tier nexus --enable-gpu --enable-ha --enable-clickhouse

ML Training

Local Model Training

Train threat detection models on your data:

from hookprobe.ml import ThreatClassifier

classifier = ThreatClassifier(
    model_type="transformer",
    local_data="/var/hookprobe/data/flows.parquet"
)

# Train on local data - never leaves your network
classifier.train(epochs=50, batch_size=32)

# Export for deployment to edge nodes
classifier.export("/var/hookprobe/models/threat-v4.onnx")

Federated Learning

Coordinate learning across the mesh:

from hookprobe.federated import FederatedCoordinator

coordinator = FederatedCoordinator(
    aggregation="fedavg",
    min_participants=10,
    rounds=100
)

# Nodes train locally, share only weight updates
coordinator.start_round()

# Aggregate updates (no raw data shared)
global_weights = coordinator.aggregate()

# Push improved model to all nodes
coordinator.distribute(global_weights)
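
What a "fedavg" aggregation step with a minimum-participant check has to guard against, as an added example that is not HookProbe's code: it validates each node's update, clips its L2 norm so a single faulty or poisoned node cannot dominate the round, and can add Gaussian noise of the kind used for differential privacy. The function names, the update tuple layout, max_norm and noise_std are assumptions, and noise_std is not calibrated to any privacy budget.

```python
import math
import random


def clip_update(delta, max_norm):
    """Scale a weight delta so its L2 norm never exceeds max_norm."""
    norm = math.sqrt(sum(x * x for x in delta))
    if norm <= max_norm:
        return list(delta)
    return [x * max_norm / norm for x in delta]


def fedavg(global_weights, updates, min_participants, max_norm,
           noise_std=0.0, rng=None):
    """Aggregate (node_id, num_samples, local_weights) tuples into new weights.

    Hypothetical helper: rejects malformed or duplicate updates, clips each
    node's delta, then takes the sample-weighted mean (FedAvg).
    """
    rng = rng or random.Random()
    seen, valid = set(), []
    for node_id, num_samples, weights in updates:
        if node_id in seen or num_samples <= 0:
            continue  # one update per node, and it must cover real samples
        if len(weights) != len(global_weights):
            continue  # wrong model shape
        if not all(math.isfinite(w) for w in weights):
            continue  # NaN/inf would corrupt the global model
        seen.add(node_id)
        delta = [w - g for w, g in zip(weights, global_weights)]
        valid.append((num_samples, clip_update(delta, max_norm)))
    if len(valid) < min_participants:
        raise ValueError(f"only {len(valid)} valid updates, need {min_participants}")
    total = sum(n for n, _ in valid)
    new_weights = []
    for i, g in enumerate(global_weights):
        mean_delta = sum(n * d[i] for n, d in valid) / total
        noise = rng.gauss(0.0, noise_std) if noise_std > 0 else 0.0
        new_weights.append(g + mean_delta + noise)
    return new_weights


# Constructed sample round: node "c" sends an outsized update, node "d" a NaN.
SAMPLE_UPDATES = [
    ("a", 100, [1.0, 0.0]),
    ("b", 300, [0.0, 1.0]),
    ("c", 100, [30.0, 40.0]),
    ("d", 100, [float("nan"), 0.0]),
]
```

With max_norm=5.0 the update from node "c" is scaled from norm 50 down to norm 5 before averaging, and the NaN update from node "d" is dropped, so a round that requires four participants fails instead of aggregating three.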

Model Visibility

Every ML decision is transparent:

{
  "model": "hookprobe-threat-classifier-v4",
  "version": "4.2.1",
  "trained_on": "local_data",
  "training_date": "2025-12-01",
  "accuracy": 0.97,
  "decision": {
    "classification": "malware_c2",
    "confidence": 0.94,
    "features": {
      "dns_entropy": 4.8,
      "connection_pattern": "beacon",
      "timing_jitter": 0.02
    },
    "explanation": "High entropy DNS with periodic beacon pattern"
  }
}
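
An analyst auditing a decision like the one above can recompute the listed features from raw observations and compare them with the record. The following is an added example, not HookProbe's code: the feature definitions (Shannon entropy of the leftmost DNS label, jitter as the coefficient of variation of gaps between connections), the function names and both thresholds are assumptions, and the sample data is constructed.

```python
import math
from collections import Counter
from statistics import mean, pstdev


def shannon_entropy(text):
    """Shannon entropy of a string, in bits per character."""
    n = len(text)
    return sum(c / n * math.log2(n / c) for c in Counter(text).values())


def timing_jitter(timestamps):
    """Coefficient of variation of the gaps between consecutive connections."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2 or mean(gaps) == 0:
        return None  # too few connections to judge periodicity
    return pstdev(gaps) / mean(gaps)


def recompute_features(qname, timestamps, entropy_min=3.5, jitter_max=0.1):
    """Rebuild the "features" block for one host/domain pair.

    entropy_min and jitter_max are assumed thresholds, not HookProbe values.
    """
    entropy = shannon_entropy(qname.split(".")[0])  # leftmost label only
    jitter = timing_jitter(timestamps)
    beacon = jitter is not None and jitter <= jitter_max
    return {
        "dns_entropy": round(entropy, 2),
        "connection_pattern": "beacon" if beacon else "irregular",
        "timing_jitter": None if jitter is None else round(jitter, 2),
        "flagged": beacon and entropy >= entropy_min,
    }


# Constructed samples: (query name, connection times in seconds).
PERIODIC = ("a1b2c3d4e5f6g7h8.example.net", [0, 60, 121, 180, 240])
BROWSING = ("www.example.com", [0, 5, 200, 210, 900])
```

Neither feature is conclusive alone: the record is only flagged when a high-entropy name coincides with near-constant connection intervals.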

ClickHouse Analytics

High-performance analytics for security data:

Query Examples

-- Top blocked domains this week
SELECT domain, count() AS blocks
FROM dns_blocks
WHERE timestamp > now() - INTERVAL 7 DAY
GROUP BY domain
ORDER BY blocks DESC
LIMIT 10;

-- QSecBit trend analysis
SELECT
    toStartOfHour(timestamp) AS hour,
    avg(score) AS avg_score,
    max(score) AS max_score
FROM qsecbit_history
WHERE timestamp > now() - INTERVAL 24 HOUR
GROUP BY hour
ORDER BY hour;

-- Attack pattern correlation
SELECT
    signature,
    count() AS occurrences,
    uniq(node_id) AS affected_nodes
FROM mesh_alerts
WHERE timestamp > now() - INTERVAL 1 DAY
GROUP BY signature
ORDER BY affected_nodes DESC;

Data Retention

Data Type | Retention | Compression
Flow data | 30 days | LZ4
DNS logs | 90 days | ZSTD
QSecBit scores | 365 days | LZ4
ML metrics | 365 days | ZSTD

Fleet Management

Regional Coordination

Nexus manages edge nodes in its region:

# View managed nodes
hookprobe-ctl fleet list

# Push configuration update
hookprobe-ctl fleet config --update baseline.yaml

# Deploy new model
hookprobe-ctl fleet deploy --model threat-v4.onnx

# Health check all nodes
hookprobe-ctl fleet health

Fleet Dashboard

Metric | Description
Node count | Active nodes in region
Average QSecBit | Regional threat level
Model version | Current deployment
Last sync | Configuration freshness

High Availability

Deployment Options

/etc/hookprobe/ha.yaml
ha:
  enabled: true
  mode: "active-passive"
  nodes:
    - nexus-primary.internal:7946
    - nexus-secondary.internal:7946
  vip: 10.0.0.100
  failover_timeout: 30

Data Replication

  • ClickHouse replication
  • Configuration sync
  • Model distribution
  • Certificate rotation

GPU Acceleration

Supported GPUs

Vendor | Models
NVIDIA | RTX 3060+, A2000+, T4, A100
AMD | RX 6700+ (ROCm)

GPU Workloads

Task | Speedup
Model training | 10-50x
Inference | 5-20x
Embedding generation | 20-100x

Configuration

# Verify GPU detection
hookprobe-ctl gpu status

# Enable GPU for training
hookprobe-ctl ml train --use-gpu

Integration Points

Dashboard

Full web dashboard with:

  • Fleet overview
  • ML training status
  • ClickHouse query interface
  • Model performance metrics
  • Regional threat map

API

# Fleet status
curl http://localhost:8888/api/fleet/status

# ML metrics
curl http://localhost:8888/api/ml/metrics

# ClickHouse query
curl -X POST http://localhost:8888/api/query \
  -d '{"sql": "SELECT * FROM qsecbit_history LIMIT 10"}'

Resource Usage

Resource | Typical Usage
RAM | 8-12GB (16GB+ with training)
CPU | 40-60% (100% during training)
GPU | Idle to 100% (training)
Disk I/O | High (ClickHouse)
Network | 100Mbps-1Gbps

Security Considerations

Data Sovereignty

  • All training data stays local
  • Only weight updates shared
  • ClickHouse on encrypted storage
  • Network segmentation supported

Access Control

Role | Permissions
Admin | Full access
Analyst | Query, view models
Operator | Fleet management
Viewer | Read-only dashboard

The Nexus Difference

Other security tools: “Trust our cloud AI”

Nexus: “Train your own models, see exactly how decisions are made”

  1. Full visibility into ML decisions
  2. Local training - data never leaves
  3. Auditable models - export and verify
  4. Collective benefit - share intelligence, not data

AI Intelligence (HIP)

Nexus runs the full HookProbe Intelligence Platform with deep ML capabilities:

  • Hardware Detection: All 13 NPU types + GPU detection (NVIDIA CUDA/ROCm)
  • Inference Bridge: GPU/NPU-accelerated classification + large local LLM (Phi-3 to Llama-70B)
  • AEGIS-Deep: Advanced agents with local model training and adversarial testing
  • Federated Learning: Aggregation server for collective model updates with differential privacy
  • Red/Purple Teaming: Automated attack simulation and digital twin testing

See Brain & NPU Detection and AEGIS AI Defense for details.