Threat model
The AV reframes a security event as a CLAIM about the host's state. HF1–HF20 — already in the framework as claim-verifier operators — score the claim. There is no parallel "security operator" family.
Threat → primary HF (Phase 1 design §2.2)
| Threat | Primary HF | Secondary HF | Computed how |
|---|---|---|---|
| Binary execution anomaly | HF8 (Pattern Repetition) | HF15 (Semantic Coherence) | instances_in_30_pulses / max of identical process-hash spawns; image-entropy distance from 30 d baseline |
| Network exfil curve | HF14 (Propagation Velocity) | HF18 (Temporal Fractal) | autocorrelation of bytes-delta; Higuchi fractal dim of payload-size timeseries |
| C2 callback | HF6 (Temporal Relevance) | HF8 (Pattern Repetition) | e^{−Δp/30} over interval-to-interval retries |
| New persistence | HF1 (Source Credibility) | HF4 (Source Verification) | verified_accuracy / max_accuracy on the writer's signature; min(1, signers/3) for code-sign chain |
| Privilege escalation | HF9 (Contradiction Index) | HF16 (Ethical Severity) | low-good operator (threshold ≤ 0.10) — perfect fit for a claim that contradicts the prior euid state |
| Lateral movement | HF12 (Network Density) | HF13 (Source Diversity) | points_in_cluster / total over peer-hash adjacency |
| Agent self-tamper | HF9 (Contradiction Index) | HF20 (Binomial Truth) | uses validateRange() already in lib/awareness.ts |
The three-gate trigger
S_forensic ≥ θ_composite (default 0.85, configurable per-device)
AND protect001(phase) ≥ 0.388 (5φ wobble peak)
AND protect002(t) ∈ [0.2, 0.8] (sibling-vote envelope)
The AND-of-three drops false positives. HF spectrum alone fires at noisy boundaries; combining with two pulse-coupled gates limits the trigger to phase windows where the network is in a coherent observation regime.
Privacy — fingerprints, not payloads
Every av.threat.detected row carries a fingerprint:
fingerprint = sha256(
canonical_json(claim_payload) ‖
device_id ‖
zeqond_bucket(captured_at, 8)
)
The peer learns "there's a threat with fingerprint X", checks its local feature set for a hamming match, never sees what the original malware was. No central signature DB, no payload leak, math-derived hash adjacency.
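An added TypeScript sketch of the fingerprint row (example code, not the project's own; the real canonical_json and zeqond_bucket are not on the page). It assumes zeqond_bucket is a fixed window of 8 pulses, canonical_json sorts keys recursively, and each ‖ field is length-prefixed before hashing; the peer's hamming match over its local feature set is reduced to exact membership.

```typescript
import { createHash } from "crypto";

// ASSUMPTION: the av.threat.detected claim payload is a plain JSON object;
// the real row schema is not on the page.
type Claim = Record<string, unknown>;

// canonical_json: keys sorted recursively, no whitespace, so two claims that
// differ only in key order hash to the same fingerprint.
function canonicalJson(value: unknown): string {
  if (Array.isArray(value)) {
    return "[" + value.map(canonicalJson).join(",") + "]";
  }
  if (value !== null && typeof value === "object") {
    const obj = value as Record<string, unknown>;
    return "{" + Object.keys(obj).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalJson(obj[k]))
      .join(",") + "}";
  }
  return JSON.stringify(value);
}

// zeqond_bucket(captured_at, 8): ASSUMPTION, modelled as a fixed window of
// `width` pulses, so captures inside one window share a bucket value.
function zeqondBucket(capturedAt: number, width: number): number {
  return Math.floor(capturedAt / width);
}

// fingerprint = sha256(canonical_json(claim) ‖ device_id ‖ zeqond_bucket(captured_at, 8))
// ASSUMPTION: each field is length-prefixed so "ab"‖"c" and "a"‖"bc" cannot
// collide the way plain string concatenation would let them.
function fingerprint(claim: Claim, deviceId: string, capturedAt: number): string {
  const fields = [canonicalJson(claim), deviceId, String(zeqondBucket(capturedAt, 8))];
  const h = createHash("sha256");
  for (const f of fields) {
    const bytes = Buffer.from(f, "utf8");
    h.update(`${bytes.length}:`);
    h.update(bytes);
  }
  return h.digest("hex");
}

// Peer side: it stores fingerprints only, never the claim payload, and answers
// "have I seen this one?" by membership.
function peerHasMatch(localFingerprints: Set<string>, fp: string): boolean {
  return localFingerprints.has(fp);
}

// Constructed sample claim (dst is a documentation-range address).
const SAMPLE_CLAIM: Claim = { threat: "c2_callback", interval_s: 30, dst: "203.0.113.7" };
```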
Sybil resistance
Two tiers (Phase 1 §4.4):
- Free: 0 ZEQ stake, trust × 0.25 cap on the alert weight.
- Staked: 10 ZEQ burned on emission, trust × 1.0.
A flood attacker spawning 1000 fake machines either fails the trust cap (a novel identity has POHC ≈ 0) or must pay 10 000 ZEQ per round to be heard, which is economically infeasible beyond a small burst.
What's NOT in the threat model
- Kernel rootkits that hide from eBPF — the agent cannot detect what the kernel actively conceals. The mesh is what catches these: a rootkit on host A is silent in A's telemetry, but A's peers may observe its outbound traffic and post the matching fingerprint.
- Physical tampering with the host — the framework's chain catches agent-self-tamper via HF9 invariants, but recovers the host post-fact; it doesn't prevent the attack.
- Sophisticated low-and-slow attacks — by design the composite needs signal above the 0.85 threshold; an attacker who never moves the baseline more than 0.1 from steady state may go undetected until the cross-machine fingerprint match catches them anyway.