Pacific Platform · Claims 27, 28, 62–66

Structural Network Intrusion Detection
via PCF Signature Vectors

Network flows are converted to token sequences and analyzed via structural signatures. Dual-signal OR classifier: Signal A (structural distance exceeds calibrated detection threshold) OR Signal B (attack-token fraction exceeds calibrated detection threshold). No signature database. No training data.

F1 0.969

BruteForce

F1 0.949

DDoS

~1.5ms

Per trace

CPU · CICIDS2017

Benchmark

How It Works

Step 1

Flow Metering

Network flows → 5 CICFlowMeter features: packets/sec, packet length mean, flow duration, fwd/bwd packet counts. No DPI required.

Step 2

Tokenize

flow_to_tokens() maps features to security vocabulary. 10 token types encode behavioral semantics of network activity.

AUTH_BRUTE · NET_FLOOD · NET_PORTSCAN
NET_SLOW_CONN · NET_LARGE_SEND · NET_SEND
NET_RECV · NET_CONNECT · SYS_READ · SYS_WRITE

Step 3

Dual-Signal OR

Signal A: structural distance exceeds calibrated detection threshold derived from benign calibration traces. Signal B: attack-token fraction exceeds calibrated detection threshold of benign baseline. Intrusion detected if A OR B.

Step 4

Alert

Attack type classified from token distribution. Confidence, structural distance from benign baseline, and structural divergence all reported in the alert.

Live Alert Feed · 1,280 real detections · CICIDS2017 · is_real_data: true

Recent Detections

Loading…

Loading real detections…

Structural Network Intrusion Detectionvia PCF Signature Vectors

Structural Network Intrusion Detection
via PCF Signature Vectors