{"id":5089,"date":"2026-03-13T05:45:25","date_gmt":"2026-03-13T05:45:25","guid":{"rendered":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/?p=5089"},"modified":"2026-03-13T05:45:25","modified_gmt":"2026-03-13T05:45:25","slug":"kernel-edges-enable-autonomous-threat-intelligence","status":"publish","type":"post","link":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/?p=5089","title":{"rendered":"Kernel Edges Enable Autonomous Threat Intelligence"},"content":{"rendered":"\n

#<\/strong> NerfEngine Dev Log \u2014 March 13, 2026<\/strong><\/p>\n\n\n\n

..you sit down to fix one thing and end up building something that feels genuinely different from what existed before. We started with a live Ollama instance running `gemma3` on an RTX 3060 and ended up with a fully autonomous network threat intelligence pipeline \u2014 kernel-to-LLM \u2014 running on a single AlmaLinux 10 server.<\/p>\n\n\n\n

Here’s what’s up.<\/p>\n\n\n\n

—<\/strong><\/p>\n\n\n\n

Me: <\/strong>Please create a Blog Post for our latest work here today at \/home\/spectrcyde\/NerfEngine\/Update Blog Post 03132026.md<\/p>\n\n\n\n

ClaudeCode: <\/strong>\u25d0 The user wants a blog post about today’s work. Let me create an engaging technical blog post covering everything we implemented today:<\/p>\n\n\n\n

    \n
  1. GraphOps Copilot (graphops_copilot.py) – autonomous LLM investigation agent<\/li>\n\n\n\n
  2. Attractor loop fix (confidence threshold, plateau exit, best_confidence tracking)<\/li>\n\n\n\n
  3. GraphOps Autopilot (graphops_autopilot.py) – 4-tier autonomous alert system<\/li>\n\n\n\n
  4. Three upgrades from Gemma_Llama_MCP.md:\n
      \n
    • Detector cooldowns<\/li>\n\n\n\n
    • HypergraphMetricsCollector<\/li>\n\n\n\n
    • GraphAttractorDetector (rotating botnet detection)<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n

      <\/p>\n\n\n\n

      ##<\/strong> Where We Left Off<\/strong><\/p>\n\n\n\n

      NerfEngine already had significant pieces in place:<\/p>\n\n\n\n

      **<\/strong>Phase A<\/strong>**<\/strong> \u2014 `TemporalFanInDetector`: detects VPN-rotating botnets by measuring *timing synchronisation* rather than IP reputation. The insight: rotating proxies randomise IPs but they can’t hide their task scheduler ticking in unison. A botnet hitting a login endpoint from 183 unique IPs in a 200ms window is statistically impossible without central coordination.<\/p>\n\n\n\n

      **<\/strong>Phase B<\/strong>**<\/strong> \u2014 Kernel-side hypergraph edge emission: `struct graph_edge_event` (56 bytes) emitted directly from the XDP path. The kernel computes 64-bit node IDs via FNV-1a over `__u32 src_ip`. Userspace never touches raw IP tuples on the hot path.<\/p>\n\n\n\n

      **<\/strong>Stage 6 demo<\/strong>**<\/strong> \u2014 all six scenarios validated clean: `DRIFT[SCANNER] delta=60`, `FAN-IN[BOTNET_COORDINATION] srcs=120 ip_H=6.91 timing_H=-0.00`.<\/p>\n\n\n\n

      What we hadn’t built yet: the intelligence layer. The part that *explains* what the detectors found, and eventually starts asking its own questions.<\/p>\n\n\n\n

      —<\/strong><\/p>\n\n\n\n

      ##<\/strong> Part 1 \u2014 GraphOps Copilot (graphops_copilot.py, 1,380 lines)<\/strong><\/p>\n\n\n\n

      ###<\/strong> The Problem We Solved First<\/strong><\/p>\n\n\n\n

      There’s a classic failure mode when you put an LLM in front of a graph query interface: the model returns the *example values from its own few-shot prompt* instead of the user’s actual entity.<\/p>\n\n\n\n

      Ask “What do you know about 200.36.135.121?” and you get:<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      labels.ip = “10.0.0.1”<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      That’s the prompt example. The model retrieved it and repeated it. This is the **<\/strong>query-generation attractor loop bug<\/strong>**<\/strong> \u2014 named after the mathematical concept of an attractor state that a system collapses into and can’t escape without an external push.<\/p>\n\n\n\n

      The fix required three pieces:<\/p>\n\n\n\n

      **<\/strong>EntityExtractor<\/strong>**<\/strong> \u2014 strict regex extraction that runs *before* any LLM call, pulling IPv4, CIDR, ASN, domain, port, and `node:0x…` node IDs out of free text. A compile-time `EXAMPLE_VALUES` set strips hallucinated placeholders before they ever reach the DSL. If the extracted entity matches `”10.0.0.1″` or `”host:session:abc123″`, it gets stripped. Clean or nothing.<\/p>\n\n\n\n

      **<\/strong>InvestigativeDSLExecutor<\/strong>**<\/strong> \u2014 a stateful verb interpreter with 9 verbs:<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      FOCUS    \u2014 set investigation target<\/p>\n\n\n\n

      WINDOW   \u2014 set time window (e.g. “200ms”, “5s”)<\/p>\n\n\n\n

      FILTER   \u2014 prune results by condition<\/p>\n\n\n\n

      ANALYZE  \u2014 run a named analysis (degree_delta, fanin, temporal_sync…)<\/p>\n\n\n\n

      CLUSTER  \u2014 group by timing or ASN<\/p>\n\n\n\n

      TRACE    \u2014 path tracing between nodes<\/p>\n\n\n\n

      EXPAND   \u2014 neighbor expansion<\/p>\n\n\n\n

      SUMMARIZE \u2014 aggregate current focus<\/p>\n\n\n\n

      ASSESS   \u2014 produce threat confidence score<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      The executor is *stateful across steps*: `FOCUS 10.99.0.1` persists through subsequent verbs. The LLM doesn’t need to restate the target on every line.<\/p>\n\n\n\n

      **<\/strong>GraphOpsAgent<\/strong>**<\/strong> \u2014 the Ollama-backed reasoning loop. System prompt explicitly lists allowed verbs and says *”NEVER output example placeholder values”*. Model generates a JSON plan; executor runs it; a second LLM call interprets results and emits a confidence score. Loop continues until `confidence >= 0.80`, attractor detected, or plateau.<\/p>\n\n\n\n

      ###<\/strong> The Attractor Loop Fix \u2014 Live-Tested Against llama3.2:3b<\/strong><\/p>\n\n\n\n

      Running against live Ollama (`llama3.2:3b`, RTX 3060, 27\/27 layers GPU), the IP query demonstrated the exact attractor behavior: identical plan repeated all 6 steps, confidence oscillating 0.80 -> 0.80 -> 0.80 -> 0.50 -> 0.80 -> **<\/strong>0.20<\/strong>**<\/strong>. Exits reporting 0.20 \u2014 the final-step jitter, not even the best value seen.<\/p>\n\n\n\n

      Three fixes applied:<\/p>\n\n\n\n

      “`python<\/p>\n\n\n\n

      seen_plans: set = set()          # frozensets of plan verbs<\/p>\n\n\n\n

      best_confidence = 0.0            # track max seen, not final jitter<\/p>\n\n\n\n

      # Attractor break: same plan seen before + confidence good enough -> stop<\/p>\n\n\n\n

      if frozenset(plan) in seen_plans and best_confidence >= PLATEAU_THRESHOLD:<\/p>\n\n\n\n

          confidence = best_confidence<\/p>\n\n\n\n

          break<\/p>\n\n\n\n

      # Plateau exit: N consecutive non-improving steps >= 0.65 -> stop<\/p>\n\n\n\n

      if confidence == prev_confidence:<\/p>\n\n\n\n

          plateau_count += 1<\/p>\n\n\n\n

          if plateau_count >= PLATEAU_STEPS and best_confidence >= PLATEAU_THRESHOLD:<\/p>\n\n\n\n

              break<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      After the fix: the same IP query exits after **<\/strong>1 step<\/strong>**<\/strong> at confidence=0.80.<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      [GraphOpsAgent] step 0 plan: [‘WINDOW 200ms’, ‘FOCUS ipv4’,<\/p>\n\n\n\n

          “FILTER ip_address = ‘200.36.135.121’”, ‘ANALYZE fanin’]<\/p>\n\n\n\n

      [GraphOpsAgent] step 0 confidence=0.80 (best=0.80)<\/p>\n\n\n\n

      [GraphOpsAgent] confidence threshold reached at step 0<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      Six round-trips reduced to one. The attractor loop is dead.<\/p>\n\n\n\n

      —<\/strong><\/p>\n\n\n\n

      ##<\/strong> Part 2 \u2014 GraphOps Autopilot (graphops_autopilot.py, 758 lines)<\/strong><\/p>\n\n\n\n

      The copilot answers questions. The autopilot *asks them on its own*.<\/p>\n\n\n\n

      The design requirement: **<\/strong>LLM only runs when genuinely needed<\/strong>**<\/strong>. The classic failure mode of autonomous LLM systems is the alarm storm \u2014 the model fires on everything, floods the analyst queue with noise, and gets disabled within a week. The fix is deterministic anomaly detection *first*, LLM explanation *second*.<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      kernel telemetry<\/p>\n\n\n\n

            |<\/p>\n\n\n\n

      statistical detectors   <- DO NOT skip this<\/p>\n\n\n\n

            |<\/p>\n\n\n\n

      LLM explanation layer   <- only when detectors agree<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      ###<\/strong> The Four-Tier System<\/strong><\/p>\n\n\n\n

      “`python<\/p>\n\n\n\n

      TIER_OBSERVATION = 0.60   # internal log only<\/p>\n\n\n\n

      TIER_SUGGESTION  = 0.70   # suggestion queue (analyst pull)<\/p>\n\n\n\n

      TIER_ALERT       = 0.80   # auto-emit EventCard (no human needed)<\/p>\n\n\n\n

      TIER_AUTONOMOUS  = 0.90   # wake InvestigatorAgent (LLM runs)<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      **<\/strong>AlertDedup<\/strong>**<\/strong> \u2014 blake2b hash of `(source_type, pattern, sorted_node_ids, window_bucket)` with 30-second TTL. `window_ms \/\/ 1000` buckets absorb inter-detector jitter without suppressing genuinely new events.<\/p>\n\n\n\n

      **<\/strong>EventCard<\/strong>**<\/strong> \u2014 the intelligence briefing object analysts actually want:<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      GraphOps Alert<\/p>\n\n\n\n

      ————————————————–<\/p>\n\n\n\n

      Pattern           botnet_coordination<\/p>\n\n\n\n

      Nodes             94<\/p>\n\n\n\n

      Window            180ms<\/p>\n\n\n\n

      Confidence        0.84<\/p>\n\n\n\n

      Temporal Sync     0.82<\/p>\n\n\n\n

      IP Entropy        6.91<\/p>\n\n\n\n

      Suggested Actions<\/p>\n\n\n\n

        > Cluster timing<\/p>\n\n\n\n

        > Analyze ASN diversity<\/p>\n\n\n\n

        > Trace infrastructure paths<\/p>\n\n\n\n

        > Compare with previous clusters<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      **<\/strong>SentinelLoop<\/strong>**<\/strong> \u2014 subscribes to detector callbacks via `.subscribe(cb)`. Fully push-driven. At 20-60 million edges\/sec, a polling loop would be a CPU disaster. The detector fires, the callback runs, the router decides. The 200ms heartbeat thread keeps the process alive and does nothing else.<\/p>\n\n\n\n

      **<\/strong>InvestigatorAgent<\/strong>**<\/strong> \u2014 Tier 3 only. Lazy-loads `GraphOpsAgent`. Builds a context-aware question from the `EventCard`, then runs the full investigation loop. A scanner card generates: *”Node X shows a degree delta of 60 connections in the last window. Pattern: scanner. Is this a port scan or lateral movement?”*<\/p>\n\n\n\n

      ###<\/strong> Scoring Functions<\/strong><\/p>\n\n\n\n

      The scoring encodes domain knowledge directly. For `FanInAlert`:<\/p>\n\n\n\n

      “`python<\/p>\n\n\n\n

      base = 0.92 if verdict == “botnet_coordination” else 0.72<\/p>\n\n\n\n

      penalty = min(0.15, timing_entropy * 0.10)<\/p>\n\n\n\n

      score = base – penalty<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      – Botnet with timing_entropy=0.01 (near-perfect sync): score=0.919 -> **<\/strong>Tier 3 autonomous investigation<\/strong>**<\/strong><\/p>\n\n\n\n

      – Fan-in spike with timing_entropy=2.0 (unsynchronised): score=0.57 -> **<\/strong>discarded<\/strong>**<\/strong><\/p>\n\n\n\n

      That second case is intentional. Unsynchronised fan-in is a CDN, a flash crowd, or a viral tweet. Discarding it before it ever touches the dedup layer is correct.<\/p>\n\n\n\n

      ###<\/strong> Self-Test Results: 24\/24<\/strong><\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      [PASS] EventCard format_card rendering<\/p>\n\n\n\n

      [PASS] AlertDedup TTL, key collision, expiry<\/p>\n\n\n\n

      [PASS] TierRouter all five thresholds<\/p>\n\n\n\n

      [PASS] Scoring: drift passthrough, botnet -> Tier 3, spike -> discard<\/p>\n\n\n\n

      [PASS] SentinelLoop: scanner queued, botnet dispatched, dedup suppression<\/p>\n\n\n\n

      [PASS] GraphOpsAutopilot start\/stop lifecycle<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      —<\/strong><\/p>\n\n\n\n

      ##<\/strong> Part 3 \u2014 Three Upgrades from Code Review<\/strong><\/p>\n\n\n\n

      After reviewing the autopilot, the design doc came back with a code review \u2014 and it was genuinely useful. Here’s what it recommended and what we built.<\/p>\n\n\n\n

      ###<\/strong> Upgrade 1 \u2014 Detector Cooldowns<\/strong><\/p>\n\n\n\n

      A noisy detector can still produce high-frequency alerts even with dedup, because each new window produces new node IDs that hash differently. Solution: per-`(source_type, pattern)` cooldown timestamp.<\/p>\n\n\n\n

      “`python<\/p>\n\n\n\n

      DETECTOR_COOLDOWN = 1.0  # seconds<\/p>\n\n\n\n

      cooldown_key = (source_type, pattern)<\/p>\n\n\n\n

      if time.time() – self._last_emit.get(cooldown_key, 0.0) < DETECTOR_COOLDOWN:<\/p>\n\n\n\n

          return  # suppress burst<\/p>\n\n\n\n

      self._last_emit[cooldown_key] = time.time()<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      One line of state, one comparison, prevents alert bursts entirely.<\/p>\n\n\n\n

      ###<\/strong> Upgrade 2 \u2014 HypergraphMetricsCollector<\/strong><\/p>\n\n\n\n

      A shared `HypergraphSnapshot` computed once per window by a background thread:<\/p>\n\n\n\n

      “`python<\/p>\n\n\n\n

      @dataclass<\/p>\n\n\n\n

      class HypergraphSnapshot:<\/p>\n\n\n\n

          cluster_density:   float  # edges \/ (nodes*(nodes-1))<\/p>\n\n\n\n

          edge_churn:        float  # fraction of edges not seen in prev window<\/p>\n\n\n\n

          temporal_sync:     float  # 1 – normalised inter-arrival timing entropy<\/p>\n\n\n\n

          asn_entropy:       float  # H(src_node_id) across all edges<\/p>\n\n\n\n

          top_fan_in_rate:   float  # max fan-in per dst in this window<\/p>\n\n\n\n

          active_attractors: int    # live GraphAttractor cluster count<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      All three detectors can reference this snapshot instead of recomputing the same Shannon entropy calculations independently. At high edge rates this matters.<\/p>\n\n\n\n

      ###<\/strong> Upgrade 3 \u2014 GraphAttractorDetector (The Important One)<\/strong><\/p>\n\n\n\n

      Fan-in detection and degree drift detection share a blind spot: they key on *nodes*. A VPN-rotating botnet changes its source nodes \u2014 IPs, ASNs, geos \u2014 constantly. By the time the detector builds state on one IP, it’s already gone.<\/p>\n\n\n\n

      **<\/strong>Graph attractors<\/strong>**<\/strong> key on *edge structure* instead. The observation: rotating botnets change their source nodes but they all hit the *same destination infrastructure*. The `edge_hash` is stable even when every `node_a` rotates.<\/p>\n\n\n\n

      “`python<\/p>\n\n\n\n

      # Tracks edge_hash -> {src_node_ids} over 5-second sliding windows<\/p>\n\n\n\n

      # Fires AttractorAlert when:<\/p>\n\n\n\n

      #   cluster_size           > 40    (enough distinct sources)<\/p>\n\n\n\n

      #   infrastructure_entropy > 0.8   (sources genuinely diverse, not one IP looping)<\/p>\n\n\n\n

      #   temporal_sync          > 0.75  (coordinated timing)<\/p>\n\n\n\n

      verdict = “rotating_botnet”<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      To defeat this detector, an attacker would need to either:<\/p>\n\n\n\n

      1. Use a *different* target on every connection \u2014 which defeats the botnet’s actual objective<\/p>\n\n\n\n

      2. Desynchronise their task scheduling \u2014 which defeats coordination<\/p>\n\n\n\n

      Neither is viable. The attractor is the signal, and it’s extremely robust.<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      ATTRACTOR [rotating_botnet] edge_hash=0x… cluster=94<\/p>\n\n\n\n

      infra_H=6.91 t_sync=0.82 score=0.917  ->  Tier 3<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      —<\/strong><\/p>\n\n\n\n

      ##<\/strong> Part 4 \u2014 BPF Edge Aggregation (bpf_capture.c + capture.go)<\/strong><\/p>\n\n\n\n

      The performance math:<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      Raw packets:     100M\/sec x 100B\/event  = 10 GB\/sec telemetry<\/p>\n\n\n\n

      Phase B edges:   100M\/sec x 56B\/event   = 5.6 GB\/sec<\/p>\n\n\n\n

      Aggregated:      ~2M\/sec  x 56B\/event   = 112 MB\/sec<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      The edge aggregation trick reduces telemetry volume by ~98% before any data leaves the kernel.<\/p>\n\n\n\n

      **<\/strong>Kernel side<\/strong>**<\/strong> \u2014 new `edge_agg` LRU hash map (128K entries, keyed by `edge_hash`):<\/p>\n\n\n\n

      “`c<\/p>\n\n\n\n

      struct edge_counter {<\/p>\n\n\n\n

          __u64 count;     \/\/ packet count for this edge_hash<\/p>\n\n\n\n

          __u64 bytes;     \/\/ total bytes<\/p>\n\n\n\n

          __u64 first_ts;  \/\/ ktime of first packet this flush window<\/p>\n\n\n\n

          __u64 last_ts;   \/\/ ktime of most recent packet<\/p>\n\n\n\n

      };<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      On every packet in the XDP path: if entry exists, atomic_add count and bytes. If not, insert. That’s all. No ringbuf write, no memory copy, no wakeup to userland.<\/p>\n\n\n\n

      **<\/strong>Go relay side<\/strong>**<\/strong> \u2014 new 50ms ticker goroutine added to `capture.go`:<\/p>\n\n\n\n

      “`go<\/p>\n\n\n\n

      ticker := time.NewTicker(50 * time.Millisecond)<\/p>\n\n\n\n

      \/\/ Every 50ms: iterate edge_agg map, emit frame 0x05, delete entries<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      Fifty milliseconds of accumulation. At 100M pkt\/sec, that’s 5 million packets compressed into however many distinct edge_hash values appear in that window \u2014 typically 1-5% of packet count.<\/p>\n\n\n\n

      —<\/strong><\/p>\n\n\n\n

      ##<\/strong> Part 5 \u2014 AlmaLinux 10 Kernel Tuning (scripts\/tune_kernel.sh, 238 lines)<\/strong><\/p>\n\n\n\n

      A properly-tuned kernel for XDP\/eBPF looks very different from a default AlmaLinux install. The biggest wins:<\/p>\n\n\n\n

      “`bash<\/p>\n\n\n\n

      # Socket buffer \u2014 handle 128MB bursts without dropping<\/p>\n\n\n\n

      net.core.rmem_max = 134217728<\/p>\n\n\n\n

      # NIC -> kernel queue depth \u2014 don’t drop at the NIC<\/p>\n\n\n\n

      net.core.netdev_max_backlog = 300000<\/p>\n\n\n\n

      # Busy-poll \u2014 reduces latency on the XDP receive path<\/p>\n\n\n\n

      net.core.busy_read = 50    # us spin before sleeping<\/p>\n\n\n\n

      net.core.busy_poll = 50    # us spin on NIC before sleeping<\/p>\n\n\n\n

      # BPF JIT \u2014 without this BPF runs interpreted, 3-5x slower<\/p>\n\n\n\n

      net.core.bpf_jit_enable = 1<\/p>\n\n\n\n

      net.core.bpf_jit_harden = 0   # disable hardening in prod for speed<\/p>\n\n\n\n

      # Huge pages \u2014 ring buffer performance headroom<\/p>\n\n\n\n

      vm.nr_hugepages = 512          # 1 GB of 2MB pages<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      The script also handles NIC IRQ affinity pinning (`–nic <iface>`): one XDP worker per RX queue, NIC queue N -> CPU N. Disables `irqbalance` so the manual pins hold. Sets CPU performance governor. `–dry-run` and `–revert` flags. Idempotent \u2014 safe to run repeatedly.<\/p>\n\n\n\n

      —<\/strong><\/p>\n\n\n\n

      ##<\/strong> The Full Stack After Today<\/strong><\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      +——————————————————————+<\/p>\n\n\n\n

      |              AlmaLinux 10 \u00b7 RTX 3060 \u00b7 62.8 GB                  |<\/p>\n\n\n\n

      +——————————————————————+<\/p>\n\n\n\n

      |  XDP \/ eBPF (bpf_capture.c)                                      |<\/p>\n\n\n\n

      |    +– flow_table     LRU hash 1M flows                          |<\/p>\n\n\n\n

      |    +– edge_agg       LRU hash 128K entries \u2014 50ms flush  [NEW]  |<\/p>\n\n\n\n

      |    +– rb             ringbuf -> 0x00 FlowCore                   |<\/p>\n\n\n\n

      |    +– flow_events    ringbuf -> 0x02 FlowEnd                    |<\/p>\n\n\n\n

      |    +– edge_ticks     ringbuf -> 0x03 EdgeTick                   |<\/p>\n\n\n\n

      |    +– graph_edges    ringbuf -> 0x04 GraphEdge (OPEN\/CLOSE)     |<\/p>\n\n\n\n

      +——————————————————————+<\/p>\n\n\n\n

      |  Go Relay (capture.go)                                           |<\/p>\n\n\n\n

      |    5 ringbuf drain goroutines                                     |<\/p>\n\n\n\n

      |    1 edge_agg flush ticker (50ms) -> 0x05 EdgeAgg        [NEW]  |<\/p>\n\n\n\n

      |    WebSocket broadcast                                            |<\/p>\n\n\n\n

      +——————————————————————+<\/p>\n\n\n\n

      |  Python Pipeline (stream_manager.py)                             |<\/p>\n\n\n\n

      |    topology_drift.py                                              |<\/p>\n\n\n\n

      |    +– TopologyDriftDetector      scanner \/ aggregator \/ lateral  |<\/p>\n\n\n\n

      |    +– TemporalFanInDetector      botnet timing sync              |<\/p>\n\n\n\n

      |    +– GraphAttractorDetector     rotating botnet         [NEW]  |<\/p>\n\n\n\n

      |    +– HypergraphMetricsCollector shared window metrics   [NEW]  |<\/p>\n\n\n\n

      +——————————————————————+<\/p>\n\n\n\n

      |  GraphOps Autopilot (graphops_autopilot.py)               [NEW]  |<\/p>\n\n\n\n

      |    SentinelLoop   push-driven, 3 detector subscriptions          |<\/p>\n\n\n\n

      |    AlertDedup     blake2b hash \u00b7 30s TTL                         |<\/p>\n\n\n\n

      |    TierRouter     0.60 \/ 0.70 \/ 0.80 \/ 0.90                      |<\/p>\n\n\n\n

      |    EventCard      analyst briefing object + format_card()        |<\/p>\n\n\n\n

      |    InvestigatorAgent   Tier 3 -> GraphOpsAgent                   |<\/p>\n\n\n\n

      +——————————————————————+<\/p>\n\n\n\n

      |  GraphOps Copilot (graphops_copilot.py)                   [NEW]  |<\/p>\n\n\n\n

      |    EntityExtractor       regex + EXAMPLE_VALUES guard            |<\/p>\n\n\n\n

      |    InvestigativeDSLExecutor   9 verbs, stateful                  |<\/p>\n\n\n\n

      |    GraphOpsAgent         attractor-proof loop \u00b7 llama3.2:3b      |<\/p>\n\n\n\n

      +——————————————————————+<\/p>\n\n\n\n

      |  MCP Server \u2014 11 tools total                                      |<\/p>\n\n\n\n

      |    graphops_investigate       natural language -> report          |<\/p>\n\n\n\n

      |    graphops_dsl_exec          raw DSL plan execution             |<\/p>\n\n\n\n

      |    graphops_entity_parse      entity extraction                  |<\/p>\n\n\n\n

      |    graphops_autopilot_status  runtime stats               [NEW]  |<\/p>\n\n\n\n

      |    graphops_suggestion_queue  Tier 1 queue                [NEW]  |<\/p>\n\n\n\n

      |    graphops_observation_log   Tier 0 log                  [NEW]  |<\/p>\n\n\n\n

      |    graphops_format_card       render event card           [NEW]  |<\/p>\n\n\n\n

      +——————————————————————+<\/p>\n\n\n\n

      “`<\/p>\n\n\n\n

      —<\/strong><\/p>\n\n\n\n

      ##<\/strong> By The Numbers<\/strong><\/p>\n\n\n\n

      | File | Lines | Status |<\/p>\n\n\n\n

      |—|—|—|<\/p>\n\n\n\n

      | graphops_copilot.py | 1,380 | 5\/5 tests pass \u00b7 live Ollama validated |<\/p>\n\n\n\n

      | graphops_autopilot.py | 758 | 24\/24 tests pass |<\/p>\n\n\n\n

      | topology_drift.py | 912 | 3 new classes \u00b7 smoke tests pass |<\/p>\n\n\n\n

      | bpf_capture.c | 426 | pending make bpf |<\/p>\n\n\n\n

      | capture.go | 1,000 | pending go build |<\/p>\n\n\n\n

      | scripts\/tune_kernel.sh | 238 | syntax valid |<\/p>\n\n\n\n

      **<\/strong>~2,800 lines of new code today across 6 files.<\/strong>**<\/strong><\/p>\n\n\n\n

      All Python tests pass. BPF\/Go changes pending hardware compile.<\/p>\n\n\n\n

      —<\/strong><\/p>\n\n\n\n

      ##<\/strong> What’s Next<\/strong><\/p>\n\n\n\n

      **<\/strong>Immediate<\/strong>**<\/strong> \u2014 `FRAME_TAG_EDGE_AGG = 0x05` handler in `stream_manager.py` and `EdgeAggEvent` in `FlowCore.py`. Same pattern as all other frame types.<\/p>\n\n\n\n

      **<\/strong>Interesting<\/strong>**<\/strong> \u2014 Wire `HypergraphSnapshot` into `GraphAttractorDetector` so the shared metrics precomputation replaces the attractor’s own per-window entropy calls.<\/p>\n\n\n\n

      **<\/strong>Exciting<\/strong>**<\/strong> \u2014 In-kernel botnet detection. Move fan-in counters and temporal burst tracking into BPF maps. Emit `BOTNET_CLUSTER` events directly from the XDP path. The kernel becomes the first anomaly detector. Userland receives only high-value signals. That’s the architecture telecom operators quietly run for abuse detection at hyperscale.<\/p>\n\n\n\n

      **<\/strong>Wild<\/strong>**<\/strong> \u2014 Hypergraph spectral fingerprinting. Compute eigenvalue signatures of traffic clusters. Detects VPN-rotating botnets even when every node and IP changes every minute, by analysing the structural fingerprint of the traffic graph rather than any individual node property.<\/p>\n\n\n\n

      —<\/strong><\/p>\n\n\n\n

      *NerfEngine is a personal research project combining eBPF\/XDP network telemetry, hypergraph analysis, and autonomous LLM-backed threat detection. The architecture described here \u2014 kernel-side graph primitive emission, timing-entropy botnet detection, graph attractor analysis, and attractor-proof LLM agent loops \u2014 represents genuinely novel combinations of techniques that don’t appear together elsewhere in the open literature. Building it has been one of the most interesting engineering exercises I’ve done.*<\/p>\n\n\n\n

      *More updates as the build continues. The kernel is listening.*<\/p>\n\n\n\n

      Blog post written \u2014 380 lines at \/home\/spectrcyde\/NerfEngine\/Update Blog Post 03132026.md.<\/p>\n\n\n\n

      It covers:<\/p>\n\n\n\n

        \n
      1. GraphOps Copilot \u2014 the attractor loop bug, the fix, live test results against llama3.2:3b<\/li>\n\n\n\n
      2. GraphOps Autopilot \u2014 4-tier system, AlertDedup, SentinelLoop, scoring logic, 24\/24 pass<\/li>\n\n\n\n
      3. Three upgrades \u2014 cooldowns, HypergraphMetricsCollector, GraphAttractorDetector (the rotating-botnet detector)<\/li>\n\n\n\n
      4. BPF edge aggregation \u2014 98% telemetry reduction, kernel + Go relay design<\/li>\n\n\n\n
      5. AlmaLinux 10 tuning script \u2014 key sysctl values, IRQ pinning, JIT config<\/li>\n\n\n\n
      6. Full stack diagram, by-the-numbers table, and what’s next<\/li>\n<\/ol>\n\n\n\n

        Extra Special Thanks to ChatGPT!!!<\/strong><\/h2>\n\n\n\n

        https:\/\/chatgpt.com\/share\/69b3a327-a4c4-8011-a9d0-d82cfc8804ed<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

        # NerfEngine Dev Log \u2014 March 13, 2026 ..you sit down to fix one thing and end up building something that feels genuinely different from what existed before. We started with a live Ollama instance running `gemma3` on an RTX 3060 and ended up with a fully autonomous network threat intelligence pipeline \u2014 kernel-to-LLM \u2014… Kernel Edges Enable Autonomous Threat Intelligence<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":79,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"neve_meta_sidebar":"","neve_meta_container":"","neve_meta_enable_content_width":"","neve_meta_content_width":0,"neve_meta_title_alignment":"","neve_meta_author_avatar":"","neve_post_elements_order":"","neve_meta_disable_header":"","neve_meta_disable_footer":"","neve_meta_disable_title":"","footnotes":""},"categories":[10,7],"tags":[],"class_list":["post-5089","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-signal_scythe","category-the-truben-show"],"_links":{"self":[{"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/posts\/5089","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5089"}],"version-history":[{"count":1,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/posts\/5089\/revisions"}],"predecessor-version":[{"id":5090,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/posts\/5089\/revisions\/5090"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=\/wp\/v2\/media\/79"}],"wp:attachment":[{"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5089"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5089"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/172-234-197-23.ip.linodeusercontent.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5089"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}