LAMINAR
Pacific · Astrognosy AI · Patent Pending

Network Threat Detection on a Raspberry Pi.

Behavioral intrusion detection without a rule database and without a training phase. Two independent detectors fire on departures from a calibrated benign baseline. Engineered as an on-prem probe — runs on a Pi-class CPU at ~1.5 ms per trace.

F1 0.969 · BruteForce
F1 0.949 · DDoS
~1.5 ms · Per trace · CPU
0 · Training samples

Laminar reads network flow the way you'd read a river.

Healthy traffic has a shape. Attacks don't. Laminar's behavioral baseline captures that shape on calibration, then flags every departure — without a signature, without a model, without a GPU.

No 30-day deployment observation. No rule database. No labeled attack corpus. Just a probe, a benign window, and a detector that keeps working when the threat landscape changes.

How It Works

Step 1 · Flow Metering
Network flows → 5 CICFlowMeter features: packets/sec, packet length mean, flow duration, fwd/bwd packet counts. No DPI required.

Step 2 · Tokenize
flow_to_tokens() maps features to a security vocabulary. 10 token types encode the behavioral semantics of network activity:
AUTH_BRUTE · NET_FLOOD · NET_PORTSCAN · NET_SLOW_CONN · NET_LARGE_SEND · NET_SEND · NET_RECV · NET_CONNECT · SYS_READ · SYS_WRITE

Step 3 · Two-Detector OR
Detector 1: structural distance from the benign baseline exceeds the calibrated threshold. Detector 2: the attack-pattern token fraction exceeds the threshold calibrated on benign traffic. An intrusion is detected if either fires.

Step 4 · Alert
The attack type is classified from the token distribution. Confidence, structural distance from the benign baseline, and structural divergence are all reported in the alert.
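
A minimal sketch of Steps 1 to 3, added here as an illustration and not Laminar's code. The token cut-offs, the choice of attack-pattern tokens, the 1.5 margin, and total variation distance standing in for the unspecified structural distance are all assumptions; the sample traces are constructed.

```python
from collections import Counter

ATTACK_TOKENS = {"AUTH_BRUTE", "NET_FLOOD", "NET_PORTSCAN", "NET_SLOW_CONN"}  # assumed subset

def flow(pps, length, dur, fwd, bwd):  # the five flow features from Step 1
    return {"pps": pps, "len": length, "dur": dur, "fwd": fwd, "bwd": bwd}

def flow_to_tokens(f):
    """Hypothetical stand-in mapping; every cut-off here is an assumption."""
    tokens = ["NET_CONNECT"]
    if f["pps"] > 1000:
        tokens.append("NET_FLOOD")
    if f["dur"] < 0.01 and f["fwd"] <= 2 and f["bwd"] <= 1:
        tokens.append("NET_PORTSCAN")
    if f["fwd"] > 0:
        tokens.append("NET_LARGE_SEND" if f["len"] > 1000 else "NET_SEND")
    if f["bwd"] > 0:
        tokens.append("NET_RECV")
    return tokens

def profile(trace):
    """Return (token frequency distribution, attack-token fraction) for a trace."""
    counts = Counter(t for f in trace for t in flow_to_tokens(f))
    total = sum(counts.values()) or 1  # an empty trace yields an empty distribution
    dist = {t: n / total for t, n in counts.items()}
    return dist, sum(p for t, p in dist.items() if t in ATTACK_TOKENS)

def distance(p, q):
    """Total variation distance, standing in for the unspecified structural distance."""
    return 0.5 * sum(abs(p.get(t, 0) - q.get(t, 0)) for t in set(p) | set(q))

def calibrate(benign_traces, margin=1.5):
    """Benign-only calibration: thresholds are the worst benign trace times a margin."""
    baseline, _ = profile([f for tr in benign_traces for f in tr])
    profs = [profile(tr) for tr in benign_traces]
    return (baseline, margin * max(distance(d, baseline) for d, _ in profs),
            margin * max(a for _, a in profs))

def detect(trace, baseline, d_thr, a_thr):
    dist, frac = profile(trace)
    d = distance(dist, baseline)
    checks = (("structural", d > d_thr), ("attack_tokens", frac > a_thr))
    fired = [name for name, hit in checks if hit]  # OR: any detector firing alerts
    return {"alert": bool(fired), "fired": fired, "distance": d, "attack_fraction": frac}

BENIGN = [[flow(40, 300, 2.0, 20, 25), flow(15, 1200, 5.0, 40, 30), flow(5, 200, 1.0, 3, 2)],
          [flow(30, 400, 1.5, 10, 12), flow(8, 250, 3.0, 6, 0), flow(60, 1300, 0.5, 15, 14)]]
FLOOD = [flow(5000, 60, 0.2, 1000, 0)] * 4  # constructed samples, not CICIDS2017 data
UPLOAD_ONLY = [flow(50, 1400, 10, 500, 0)] * 4  # no attack tokens, unusual shape
```

In this sketch the flood trace trips both detectors, while the upload-only trace carries no attack token and is caught by the structural detector alone, which is the case the OR exists for.
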
Benchmarks vs GPU-Class ML Detectors · CICIDS2017

A 2025 paper from USC and Duke benchmarked four representative ML detectors — MLP, 1D-CNN, OCSVM, and LOF — on CICIDS2017 across two scenarios: (1) known attacks the model trained on, and (2) unknown attacks withheld at training time. The unknown-attack scenario is the one that matters in production. The supervised GPU-class detectors collapse.

Laminar calibrates on benign traffic only — no attack samples are ever seen during training. By definition, every attack Laminar detects is an "unknown" attack. So the fair comparison is the right column.

| Detector | Compute | Known F1 | Unknown F1 |
|---|---|---|---|
| Laminar (benign-only calibration) | CPU · Pi | ≈ 0.929 † | ≈ 0.929 † |
| MLP (supervised neural net) | GPU | 0.9446 | 0.2973 |
| 1D-CNN (supervised conv net) | GPU | 0.9160 | 0.3218 |
| LOF (unsupervised, benign-only) | CPU heavy | 0.8706 | 0.6814 |
| OCSVM (unsupervised, benign-only) | CPU heavy | 0.5520 | 0.7575 |

† Laminar's "Known" and "Unknown" F1 are the same value — because Laminar never trains on attack samples. The ≈ 0.929 figure is the macro-average across the five attack classes published on this page (BruteForce 0.969, DDoS 0.949, PortScan 0.932, DoS 0.910, Web 0.885). MLP / CNN / OCSVM / LOF figures sourced verbatim from Xu & Liu (2025).

Supervised ML collapses on novel attacks
MLP and CNN score F1 ≈ 0.93 on attacks they were trained against — and F1 ≈ 0.30 on attacks withheld at training time. Recall drops from ~0.90 to ~0.18. Production attackers don't disclose their playbook in advance.

Laminar's edge over OCSVM / LOF
OCSVM (the best benign-only ML baseline) hits F1 0.7575 on unknown attacks. LOF hits F1 0.6814. Laminar's behavioral fingerprint approach lands at F1 ≈ 0.929 — and runs at ~1.5 ms per trace on a Raspberry Pi.

Snort baseline for context
Rule-based Snort with the default ruleset on the same CICIDS2017 traffic: 28% overall detection, 17% false positive rate (Saropourian 2022, UVic). The rule-based incumbent is no longer the baseline that either ML or Laminar is competing against.

Sources:
ML figures — Xu, Z. & Liu, Y. (2025). Robust Anomaly Detection in Network Traffic: Evaluating Machine Learning Models on CICIDS2017. arXiv:2506.19877v2.
Snort figures — Saropourian, B. (2022). Evaluation of a Graphical Attack Fingerprint Model and Comparison against the Snort IDS, M.Eng. thesis, University of Victoria.

Pi-Class On-Prem Probe

Laminar is engineered to run on a Raspberry Pi-class CPU as an on-premises detection probe. Drop one on a network segment, calibrate once, alert forever.

Hardware · Pi-class CPU
Raspberry Pi 4 / Pi 5 class hardware. No GPU, no DPI accelerator card.

Memory footprint · ~50 MB runtime
No rule set loaded into memory. Suricata / Snort need 1 GB+ for their default rule corpus.

Setup window · Minutes, not weeks
Calibrate on a benign traffic window once. No 30-day observation phase. No labeled attack corpus required.

Live Alert Feed · 1,280 real detections · CICIDS2017 · is_real_data: true