cybersecurity capstone · detection theory companion

From a glowing well
to a real detector.

The instruments in this series — the shield, the pulsar, the reactive armor, the singularity well — are visual metaphors for defensive postures. This companion does the unglamorous, defensible work: it maps each metaphor onto established intrusion-detection theory and lets you operate the three ideas that actually matter, with correct math you can check.

Claim under test: a defender's hardest problem is not stopping a known attack — it is deciding, under a flood of mostly-benign events, which alarms to believe. Every instrument in the series is a different answer to that one problem, and the math below shows why no single answer wins.
// the bridge

Each instrument is a real defensive posture.

Strip the sci-fi skin and every device in the series corresponds to a recognized class of defensive control. The metaphor is the teaching aid; the right-hand column is the actual computer science a reviewer can check against the literature.

InstrumentMetaphor actionReal defensive conceptCore tradeoff
Aegis-0reflect · clamp · foldLayered filtering / defense-in-depth — input rejection, rate-limiting, quarantineCheap, but only stops what each rule anticipates
Witness Shieldabsorb known · learn the restSignature (misuse) detection + online feature learningNear-zero false positives on known threats; blind to novel ones
Pulsar v2.1life · death · spark sweepContinuous monitoring + active response + self-repair (heal/block/regenerate)High coverage, high operational cost
Reactive Armordetect → detonate → depleteActive response / IPS with finite capacity (rate-limited blocking, honeypots)Effective until a focused load exhausts it
Singularity Wellcapture → spiral → swallowSinkholing / tarpitting / blackhole routing — containment, nothing returnsContains everything it catches — including benign traffic

The well's defining trait — it swallows everything that crosses the horizon — is exactly the property that makes containment dangerous in practice: capacity is not the same as judgment. The next three sections are the judgment.

// idea 1 — separability & threshold

A detector is two overlapping distributions.

Benign and malicious events both produce a score (anomaly score, model confidence, rule weight). If the distributions were perfectly separated, detection would be trivial. They never are. You choose a threshold; everything above it fires an alarm. Move it and you trade missed attacks against false alarms — there is no setting that escapes the trade. The locus of all those trades is the ROC curve.

Threshold & ROC explorer
live · normal model
TPR (recall / hit)
FPR (false alarm)
AUC (area under ROC)
true positive
false positive
false negative
true negative

Per 1,000 events at 50/50 mix. The shaded tails on the upper chart are exactly these four cells.

Mapping back: raising the threshold is the Aegis clamp tightening; AUC is how good the underlying sensor is before you pick any operating point. A perfect well has AUC near 1; a coin flip is 0.5.

// idea 2 — the base-rate fallacy

A 99%-accurate alarm can still be 99% wrong.

This is the result every security analyst learns the hard way, formalized by Axelsson (2000): when genuine attacks are rare, even an excellent detector produces alarms that are mostly false — because the vast benign population generates more false positives than the tiny malicious population generates true ones. It's just Bayes' theorem, but it governs whether an alerting system is usable at all.

Base-rate / precision calculator
live · Bayes
population of events100,000
actual attacks (prevalence)
true alarms (caught)
false alarms (noise)
missed attacks
true alarm false alarm missed attack correctly ignored
Precision — chance an alarm is real

Drag prevalence toward realistic intrusion rates (1 in 10,000+) and watch precision collapse even with a near-perfect detector. This is why raw alerting drowns analysts — and why containment tools like the well must pair capture with triage.

// idea 3 — signatures as a probabilistic set

The seed_packet is a Bloom filter.

Throughout the series the core "learns" by folding an attack into a 16-bit seed_packet with XOR, then "absorbs" a future hit if it matches. That is a real data structure: a Bloom filter (Bloom, 1970) — a bit array with several hash functions that answers set membership in constant time and constant space. Its bargain is precise: it can say "definitely never seen" or "probably seen" — it never misses a known signature, but as it fills it produces false positives. Add known-bad tokens below and probe it.

Signature memory — live Bloom filter
k=3 · m=256 bits
add a few signatures, then probe — known ones always match; novel ones may false-positive as the array fills.
signatures stored0
bits set0 / 256
fill ratio0%
false-positive rate0%

Predicted FP rate uses (1−e^(−kn/m))^k. The lit (gold-outlined) cells after a query are the k bits that signature hashes to. All set ⇒ "probably present." Any clear ⇒ "definitely absent."

Tradeoff: this is the Witness Shield's strength (instant, tiny, never misses a known threat) and its limit (false alarms rise with memory load, and it is blind to anything never absorbed).

// defensibility

What is metaphor, what is mechanism.

A capstone artifact has to be honest about its own model. Here is the clean separation, so nothing above is mistaken for a literal claim about how production systems work.

Metaphor — illustrative only

Reflecting an attack as attack ^ 0xFFFF, energy "splashing" off shells, gravitational capture, the trinity beam, six-face bloom. These are intuition pumps. No firewall literally inverts a packet's bits to bounce it.

The −1 flash core, "nothing escapes," and the witness that "cannot be flipped" are framing devices for immutability and containment — real goals, dramatized.

Mechanism — actually computed here

The ROC curve, TPR/FPR from two Gaussians, and AUC = Φ(d′/√2). The confusion matrix. Bayesian precision under varying base rate. The Bloom filter's hashing, true-positive guarantee, and rising false-positive rate. All of this runs live and matches the closed-form theory.

The taxonomy mapping each instrument to a defensive control class (filtering, signature detection, anomaly detection, active response, sinkholing) reflects standard categorization in the literature.

Where this could be falsified or extended

// sources

Where the theory comes from.

Verification artifact: the ROC/AUC, Bayesian precision, and Bloom false-positive rate in this page were checked against their closed-form expressions before publication (AUC at d′=2 → 0.9214; precision at TPR .99 / FPR .01 / prevalence 1e-4 → ~0.98%).