PARALLAX DETECTION PIPELINE

Live simulation — select an account archetype and watch 15 detectors classify behavior in real time

Pipeline stages: ingest → profile → baseline → detect → score → assess.
Account profile features: account_id, account_age, requests/hr, avg_input_tokens, avg_output_tokens, token_ratio, api_ratio, single_turn_ratio, safety_trigger_rate, interval_cv, hours_active, conv/day.
Detection output: composite_score, tier1_triggered (of 9), tier2_triggered (of 6), top_signal, escalation recommendation. A detector counts as triggered at a score ≥ 0.50; the widget starts empty (0 events, 0/15 triggered, composite_score 0.00, escalation not recommended).
Client-side simulation using archetype parameters and detector weights from the real pipeline.

REAL-WORLD VALIDATION

Evaluated against the Los Alamos National Laboratory Unified Host and Network Dataset — 16.9M real authentication events, 87 known-compromised users

Dataset: LANL Cyber1 · 16.9M auth events · 187K sessions · 500 users (87 compromised, 413 normal) · 4-hour sliding windows
ROC AUC: 0.68 (up from 0.45 in v1)
Best F1: 0.49 (up from 0.00 in v1)
Precision at optimal threshold (0.77): 48.8%
Recall at optimal threshold: 48.3% (42 of 87 compromised)
~/results — AUC progression across 3 iterations
(random-guess baseline: 0.50)
v1  0.45  Default weights, whole-profile
v2  0.48  Windowed scoring, host fan-out
v3  0.68  Anti-correlated pruned, signal-only
score_distributions — compromised vs normal (v3, n=500)
Compromised users (n=87): mean score 0.60. Normal users (n=413): mean score 0.48. Decision threshold: 0.77.
per_detector_contribution — delta (compromised mean − normal mean), sorted by signal strength

$ cat findings.txt

T2-006 Behavioral Shift is the engine. Compromised users show sharp behavioral changes in peak 4-hour windows (mean 0.71 vs normal 0.43). Delta +0.29 — drives most of the separation. This is the cross-domain signal: lateral movement in auth logs manifests as sudden behavioral shift, the same pattern that catches account takeover on AI platforms.

T1-009 Host Fan-Out delivers the second-strongest signal (+0.13 delta). Compromised users access more distinct hosts in their peak windows (mean 0.79 vs normal 0.66) — lateral movement leaves a destination diversity signature.

7 of 12 detectors were anti-correlated in v2 — they scored normal users higher than compromised users. Designed for AI platform abuse, they penalized the wrong group on auth data. v3 zeroed all 10 non-contributing detectors and redistributed their weight to the 5 correctly oriented signals. AUC jumped from 0.48 to 0.68.

The approach that worked: diagnose which signals are noise, silence them, amplify what remains. Subtraction beat addition.

~/results — precision_recall at multiple thresholds
Threshold  TP  FP   FN  TN   Precision  Recall  F1
0.25       72  324  15   89  18.2%      82.8%   0.298
0.35       71  309  16  104  18.7%      81.6%   0.304
0.45       69  273  18  140  20.2%      79.3%   0.322
0.55       62  204  25  209  23.3%      71.3%   0.351
0.77       42   44  45  369  48.8%      48.3%   0.486
~/results — v3 active detector weights (5 of 15)
Detector                     Weight  Delta  Role
T2-006 Behavioral Shift      0.30    +0.29  Primary — cross-domain signal
T1-009 Host Fan-Out          0.25    +0.13  Lateral movement signature
T1-008 Concurrent Sessions   0.20    +0.05  Parallel access patterns
T1-007 Error Pattern         0.15    +0.01  Auth failure signatures
T1-004 Session Anomaly       0.10    +0.04  Session structure deviation
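As an added example (not code from the Parallax project), the v3 pruning-and-rescoring step from the findings worked through in Python on a constructed six-user sample: compute each detector's delta, zero any detector whose delta is not positive, renormalise the surviving weights, and compare the confusion matrix before and after pruning at one threshold. The detector scores, the v2-style starting weights and the placeholder detector id "T1-anti" are all assumptions, not values from the LANL evaluation.

```python
from statistics import mean

# Constructed peak-window detector scores (NOT the LANL data from the page).
# Row: (label, {detector_id: score in [0, 1]}); label 1 = compromised user.
# "T1-anti" is a placeholder id for a detector that scores normal users higher.
USERS = [
    (1, {"T2-006": 0.80, "T1-009": 0.85, "T1-008": 0.70, "T1-anti": 0.20}),
    (1, {"T2-006": 0.65, "T1-009": 0.75, "T1-008": 0.55, "T1-anti": 0.30}),
    (1, {"T2-006": 0.70, "T1-009": 0.60, "T1-008": 0.40, "T1-anti": 0.10}),
    (0, {"T2-006": 0.40, "T1-009": 0.65, "T1-008": 0.50, "T1-anti": 0.70}),
    (0, {"T2-006": 0.45, "T1-009": 0.60, "T1-008": 0.45, "T1-anti": 0.60}),
    (0, {"T2-006": 0.35, "T1-009": 0.55, "T1-008": 0.35, "T1-anti": 0.80}),
]
# Pre-pruning weights (constructed v2-style set; sums to 1.0).
V2_WEIGHTS = {"T2-006": 0.30, "T1-009": 0.25, "T1-008": 0.20, "T1-anti": 0.25}

def detector_deltas(users):
    """delta = mean score over compromised users minus mean over normal users."""
    comp = [s for lbl, s in users if lbl == 1]
    norm = [s for lbl, s in users if lbl == 0]
    return {d: mean(u[d] for u in comp) - mean(u[d] for u in norm)
            for d in users[0][1]}

def prune_weights(weights, deltas):
    """Drop every detector with delta <= 0 and rescale the rest to sum to 1."""
    kept = {d: w for d, w in weights.items() if deltas.get(d, 0.0) > 0}
    total = sum(kept.values())
    return {d: w / total for d, w in kept.items()}

def composite(scores, weights):
    """Weighted sum; detectors absent from `weights` contribute nothing."""
    return sum(weights.get(d, 0.0) * s for d, s in scores.items())

def confusion(users, weights, threshold):
    """Return (TP, FP, FN, TN, precision, recall, F1) at one threshold."""
    tp = fp = fn = tn = 0
    for lbl, scores in users:
        flagged = composite(scores, weights) >= threshold
        if flagged and lbl:
            tp += 1
        elif flagged:
            fp += 1
        elif lbl:
            fn += 1
        else:
            tn += 1
    prec = tp / (tp + fp) if tp + fp else 0.0
    rec = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * prec * rec / (prec + rec) if prec + rec else 0.0
    return tp, fp, fn, tn, prec, rec, f1
```

On this constructed sample, pruning the anti-correlated detector moves the confusion matrix at threshold 0.55 from (TP 2, FP 1, FN 1, TN 2) to (TP 3, FP 0, FN 0, TN 3).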
