Now available — v1.0.0

See everything.
Miss nothing.

LYNX is a wire-speed, 12-layer intelligent intrusion detection system. No endpoint agents. No payload decryption. Detects multi-stage attacks across encrypted traffic using behavioral analysis, JA4 fingerprinting, and TinyLlama-powered false-positive reduction.

12 inspection layers
Zero endpoint agents
MIPS embedded ready
Federated privacy
lynx-ids — bash
$ lynx --version
LYNX v1.0.0 (Linux x86-64, DPDK-enabled)
Built by BreaktroughF1 LLP
$ lynx -i eth0 -c /etc/lynx/lynx.conf
[LYNX] Flood gate : active (entropy window 500ms)
[LYNX] Normalisation : IPv4/TCP/IPv6/QUIC active
[LYNX] ML Pre-filter : shadow mode (burn-in 3600s)
[LYNX] Behavioral : baseline building (48/50 flows)
[LYNX] TinyLlama : loaded (Q4_K_M, 714 MB)
[LYNX] Degradation : L0 — Full inspection
[LYNX] Dashboard : http://127.0.0.1:8080
─────────────────────────────────────────────
[LYNX] Watching. All 12 layers active.
$
12 inspection layers
500k+ packets per second
0 endpoint agents required
4 platform targets
Wire-speed detection
No endpoint agents
Encrypted-traffic aware
MIPS embedded ready
Privacy-preserving FL
Evasion-resistant normalisation
02 Detection Pipeline

12 layers between the packet
and your SOC alert

Every packet traverses a fully ordered inspection pipeline. No layer is skippable. The flood gate and normalisation gate are hardcoded active at every degradation level.

L01

Hardware Layer

Ingestion

ASIC punts only suspicious traffic to the CPU. DPDK bypasses the OS kernel on Linux x86 — packets flow directly from NIC hardware queues to IDS memory without a copy. CPU affinity isolates IDS cores from UI and log workloads.

L02

Ingestion Decoupling

Ring Buffer

A lock-free SPSC ring buffer using C11 atomics sits between the capture thread and the IDS engine. The engine never waits on downstream consumers. Live metrics are exposed via shared memory — the dashboard reads at zero overhead.

L03

Flood Separation Gate

New

Shannon entropy computed over the 5-tuple source distribution in a sliding window classifies traffic as flood vs suspect before it touches the IDS queue. An attacker cannot trigger degradation mode by flooding — the flood never enters the IDS budget.
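As an added illustration of the flood gate idea (this is not LYNX code), the sketch below keeps a 500 ms sliding window of source keys, computes the Shannon entropy of that distribution, and applies an assumed policy: a high-rate window dominated by one or two sources is treated as a volumetric flood, while everything else stays "suspect" and proceeds to inspection. The packet rate threshold, the 1-bit entropy threshold and the sample traffic are constructed for the demo.

```python
import math
from collections import Counter, deque

WINDOW_MS = 500   # entropy window length shown in the LYNX startup banner

class SourceEntropyGate:
    """Sliding-window Shannon entropy over the source side of the 5-tuple.
    Illustrative defender-side sketch, not LYNX code. 0 bits = one source
    dominates the window; log2(#sources) bits = traffic evenly spread."""

    def __init__(self, window_ms=WINDOW_MS):
        self.window_ms = window_ms
        self.events = deque()       # (ts_ms, src_key) in arrival order
        self.counts = Counter()     # packets per source key inside the window

    def observe(self, ts_ms, src_ip, src_port):
        key = (src_ip, src_port)
        self.events.append((ts_ms, key))
        self.counts[key] += 1
        # Evict packets older than the window so the entropy reflects "now".
        while self.events and ts_ms - self.events[0][0] >= self.window_ms:
            _, old = self.events.popleft()
            self.counts[old] -= 1
            if self.counts[old] == 0:
                del self.counts[old]

    def entropy_bits(self):
        total = sum(self.counts.values())
        if total == 0:
            return 0.0
        return -sum(c / total * math.log2(c / total) for c in self.counts.values())

    def classify(self, pps_threshold=1000, low_entropy_bits=1.0):
        """Assumed policy: high rate + very few sources = 'flood', kept out of the
        IDS budget. A flood from many randomised spoofed sources has HIGH entropy
        and deliberately falls through to inspection rather than being dropped."""
        pps = len(self.events) * 1000 / self.window_ms
        if pps >= pps_threshold and self.entropy_bits() < low_entropy_bits:
            return "flood"
        return "suspect"

def replay(packets):
    """packets: iterable of (ts_ms, src_ip, src_port); returns (entropy_bits, verdict)."""
    gate = SourceEntropyGate()
    for ts, ip, port in packets:
        gate.observe(ts, ip, port)
    return round(gate.entropy_bits(), 6), gate.classify()

# Constructed samples: 600 packets in 300 ms from one source, versus the same
# volume spread evenly over four sources (documentation address ranges only).
SINGLE_SOURCE = [(i // 2, "198.51.100.7", 40000) for i in range(600)]
FOUR_SOURCES = [(i // 2, f"203.0.113.{i % 4}", 40000 + i % 4) for i in range(600)]
```

Both samples run at 1200 packets per second, so the rate alone does not separate them; only the 0-bit versus 2-bit entropy does.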

L04

ML Pre-Filter

Shadow Mode

A per-packet lightweight classifier (XGBoost → ONNX Runtime, or auto-generated C decision tree on MIPS) drops obviously malicious traffic before deep inspection. Shadow mode logs drops without executing them during a burn-in window — real drops only activate when the FP rate is verified below threshold.

L05

Normalization Gate

Evasion-Proof

Every layer above this sees a single canonical, unambiguous byte stream. IPv4 defragmentation, TCP reassembly, IPv6 extension header parsing, QUIC/HTTP3/MASQUE stream reassembly, and slow-drip multi-window rate analysis are all applied before any inspection occurs.

L06

Flow Engine

Session Tracking

Bidirectional sessions are reconstructed from normalised stream segments using a cuckoo hash table with O(1) worst-case lookup. Explicit per-flow TTLs and a hard memory cap prevent unbounded state growth regardless of attacker-controlled traffic.

L07

Fingerprinting

JA4 + ECH

JA4 TLS fingerprinting (replaces JA3S; ECH-resistant) combined with HTTP header characteristics and TCP/IP stack identity produces a composite multi-signal pseudo-identity without endpoint access. Identity is a weighted score, not a single spoofable hash.

L08

Feature Aggregation

Metadata Only

Session-level timing, volume, and destination attributes are extracted from metadata alone — no payload inspection, no decryption. LYNX works equally on plaintext and fully encrypted traffic, deriving all detection signals from observable behaviour.

L09

Behavioral Engine

Kill-Chain

A multi-stage attack modeler detects recon → access → enumeration → escalation → exfiltration chains even when individual sessions appear legitimate. A configurable correlation window (1 hour – 7 days) links activity across time. A baseline poison detector flags gradual adversarial drift.

L10

Signal Fusion & Scoring

Risk Score

Normalization anomalies, fingerprint deviations, and behavioral outliers are fused into a single context-aware risk score. An uncertainty gate routes verdicts: suppress (clear FP), escalate to TinyLlama (uncertain), or alert the SOC directly (confirmed threat).

L11

TinyLlama FP Reduction

Off Hot Path

A fine-tuned TinyLlama-1.1B model runs as an async worker off the hot path. It receives a wire-only flow graph as structured text and returns a binary verdict: THREAT or FALSE_POSITIVE. Uncertain verdicts go to the analyst — never silently suppressed.

L12

SOC Output & Dashboard

Real-time

Enriched alerts stream as JSON Lines to stdout, syslog, and a WebSocket dashboard. The React 18 dashboard uses virtual scrolling for 100k+ alert rows, OffscreenCanvas charts, alert grouping, and a permanent health indicator showing degradation level, CPU, and queue depth.

03 Capabilities

Built for the threat landscape
your perimeter tools miss

Encrypted traffic. QUIC tunnels. Slow-drip exfiltration. Adversarial fingerprint spoofing. LYNX is designed from first principles to handle exactly what signature-based systems cannot.

Core

Evasion-Resistant Normalisation

IP defragmentation, TCP reassembly, IPv6 extension header parsing, and QUIC reassembly ensure every inspection layer sees a single canonical byte stream — fragmentation, overlap, and tunnelling attacks are caught before any detection logic runs.

AI

Encrypted Traffic Detection

All detection is metadata and behavioural — no payload inspection, no TLS interception. LYNX detects exfiltration, lateral movement, and C2 beaconing in fully encrypted sessions by analysing timing, volume, fingerprints, and sequence patterns.

AI

TinyLlama False-Positive Reduction

A fine-tuned TinyLlama-1.1B language model evaluates uncertain alerts off the hot path, converting wire-only flow graphs into readable context and returning a binary THREAT / FALSE_POSITIVE verdict. SOC analysts receive only real threats.

Privacy

Privacy-Preserving Federated Learning

Each deployed node contributes only locally-differentially-private weight deltas to a shared global model — raw traffic never leaves the device. Clustered FedAvg groups nodes by traffic domain so a hospital's model never corrupts a factory's.

Performance

Wire-Speed Performance

Zero dynamic allocation on the hot path, lock-free SPSC ring buffer, cuckoo hash flow table with O(1) worst-case lookup, and optional DPDK kernel bypass on Linux x86. Benchmarked at 500k+ packets per second on commodity hardware.

Resilience

Graceful Degradation

Under CPU saturation, LYNX reduces inspection depth through 4 explicit levels rather than dropping packets or crashing. The flood gate and normalisation layer are never disabled — evasion protection holds at every degradation level.

Portable

MIPS Embedded Deployment

A single statically-linked binary cross-compiled for Cavium OCTEON MIPS64 runs on the Cyberoam CR1500ia and similar hardware-firewall platforms with 512 MB RAM. No vendor SDK, no proprietary dependencies — just standard Linux.

Detection

Multi-Stage Attack Modelling

A kill-chain state machine correlates recon → access → enumeration → escalation → exfiltration patterns across a configurable 1-hour to 7-day window, detecting APT campaigns that individual session alerts would never surface.
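The kill-chain state machine described here and in the L09 Behavioral Engine card, as an added Python illustration (not LYNX code): one chain per pseudo-identity, stages only count when they move forward in the recon → access → enumeration → escalation → exfiltration order, a chain that falls outside the correlation window restarts, and an alert fires once a configurable number of stages has been reached. The identities, timestamps and the "alert at the third stage" depth are constructed for the demo.

```python
from dataclasses import dataclass, field
# Stage order exactly as the page lists it; a chain only ever advances forward.
STAGES = ("recon", "access", "enumeration", "escalation", "exfiltration")
RANK = {name: i for i, name in enumerate(STAGES)}

@dataclass
class ChainState:
    reached: int = -1                 # rank of the highest stage reached, -1 = none
    first_seen: float = 0.0           # timestamp (s) of the chain's first stage
    history: list = field(default_factory=list)

class KillChainTracker:
    """Per-pseudo-identity kill-chain state machine (illustrative, not LYNX code).
    A stage counts only if it is later in the chain than the highest stage already
    reached, and only while the chain still fits inside the correlation window."""

    def __init__(self, window_s=3600, alert_depth=3):
        self.window_s = window_s          # page: configurable, 1 hour to 7 days
        self.alert_depth = alert_depth    # assumed: alert at the third forward stage
        self.chains = {}

    def observe(self, identity, stage, ts):
        st = self.chains.setdefault(identity, ChainState())
        # Window expired: the old activity no longer correlates with this event.
        if st.reached >= 0 and ts - st.first_seen > self.window_s:
            st = self.chains[identity] = ChainState()
        rank = RANK[stage]
        if rank <= st.reached:
            return None                   # repeated or backwards stage, ignored
        if st.reached < 0:
            st.first_seen = ts
        st.reached = rank
        st.history.append((ts, stage))
        if len(st.history) >= self.alert_depth:
            return {"identity": identity, "span_s": ts - st.first_seen,
                    "stages": [s for _, s in st.history]}
        return None

def run(events, window_s=3600, alert_depth=3):
    """events: iterable of (ts, identity, stage); returns the alerts raised."""
    tracker = KillChainTracker(window_s, alert_depth)
    return [a for a in (tracker.observe(i, s, t) for t, i, s in events) if a]

# Constructed sample: A walks three stages in 50 minutes with a benign repeat in
# between; B's recon is too old for a 1-hour window but fits a 7-day one.
SAMPLE = [
    (0, "pseudo-id-A", "recon"), (900, "pseudo-id-A", "access"),
    (2000, "pseudo-id-A", "recon"), (3000, "pseudo-id-A", "enumeration"),
    (0, "pseudo-id-B", "recon"), (5000, "pseudo-id-B", "access"),
    (5100, "pseudo-id-B", "enumeration"),
]
```

Running the same sample with `window_s=7 * 86400` surfaces identity B as well, which is the trade-off the configurable window controls: longer windows catch slower campaigns at the cost of more state and more correlation noise.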

Agentless

No Endpoint Access Required

LYNX derives pseudo-identities from JA4 TLS fingerprints, HTTP characteristics, and TCP/IP stack behaviour — no agents, no EDR, no kernel modules on endpoints. Identity follows the network, not the host.

04 Deployment Targets

One codebase.
Every firewall it runs on.

LYNX compiles for four targets from a single C17 codebase. No vendor SDK, no proprietary dependencies — just standard Linux and a configurable CMake flag.

Full inspection on any hardware

LYNX Desktop

A CLI tool — run it like Snort. Point it at an interface or a PCAP file. All 12 inspection layers active, TinyLlama FP reduction included. Runs on Linux, Windows, and macOS with zero OS-specific configuration.

Runs on

Linux x86-64
Windows 10 / 11
macOS (M1, M2, Intel)
Best for development, testing, and server deployments
Specification: Value
Capture: libpcap + DPDK opt-in
ML Inference: ONNX Runtime
LLM: TinyLlama Q4_K_M
Default level: L0 — Full
RAM (typical): ~2 GB
PRODUCTION READY
05 Resilience

Graceful degradation —
never a hard crash

When CPU load spikes, LYNX reduces inspection depth through four explicit levels instead of dropping packets or crashing. The flood separation gate and normalisation layer are hardcoded active at every level — an attacker cannot trigger degradation to bypass evasion protection.

Invariant: Flood gate and normalisation are locked active at all levels. No configuration can override this constraint.

L0

Full Inspection

< 80%

Active layers

All 12 layers
TinyLlama FP reduction
Behavioral engine
ML pre-filter
06 Federated Learning

Every node improves the model.
Zero raw traffic leaves the device.

LYNX uses privacy-preserving federated learning to let your deployment contribute to a shared global model — without ever sending network packets or sensitive metadata off-device. Formal differential privacy guarantees bound exactly what an adversary controlling the server could learn.

[Diagram] FL Aggregation Server (Clustered FedAvg · Trust model · DP budget)
  ↑ weight deltas (noisy + clipped)    ↓ global model update
  Nodes: Enterprise Firewall, Industrial OT Network, Healthcare VLAN
  Each node: local training + DP noise + L2 clip
Raw traffic never leaves any node. Ever.

Local Differential Privacy

ε=1.0, δ=1e-5 Gaussian noise applied before any update leaves the device. Formal privacy guarantee bounds what an adversary controlling the server could learn.

Clustered FedAvg

Nodes grouped by traffic domain — enterprise, industrial, healthcare. A hospital's medical IoT patterns never corrupt a factory's OT model.

Gradient Anomaly Detection

Per-node reputation scoring and gradient direction analysis detect and quarantine poisoning attempts before they affect the global model.

Versioned & Rollback-Capable

Every global model update is versioned. Nodes automatically roll back if the new model increases their local false-positive rate.

Default DP Parameters
ε (epsilon): 1.0
δ (delta): 1e-5
clip norm: 1.0 L2
mechanism: Gaussian
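What a node-side "clip, then add Gaussian noise" step looks like with these defaults, as an added Python illustration rather than LYNX's own code. The page gives ε, δ, the L2 clip norm and the mechanism but not how σ is derived from them; the textbook Gaussian-mechanism calibration used below is therefore an assumption, and the weight delta is a constructed sample.

```python
import math
import random

EPSILON, DELTA, CLIP_NORM = 1.0, 1e-5, 1.0   # default DP parameters from the page

def gaussian_sigma(epsilon=EPSILON, delta=DELTA, sensitivity=CLIP_NORM):
    """Textbook Gaussian-mechanism calibration (Dwork & Roth):
    sigma = sensitivity * sqrt(2 ln(1.25/delta)) / epsilon.
    Assumption: the page gives the parameters, not the calibration rule; this
    classical bound is only proven for epsilon < 1, so epsilon = 1.0 sits at its
    edge and a deployed system would normally rely on a privacy accountant."""
    return sensitivity * math.sqrt(2 * math.log(1.25 / delta)) / epsilon

def l2_norm(v):
    return math.sqrt(sum(x * x for x in v))

def l2_clip(delta_w, clip_norm=CLIP_NORM):
    """Scale the whole weight-delta vector down so its L2 norm is at most clip_norm.
    Clipping bounds the sensitivity of one node's update; without it the noise
    scale below would not guarantee anything."""
    norm = l2_norm(delta_w)
    if norm <= clip_norm:
        return list(delta_w)
    return [x * clip_norm / norm for x in delta_w]

def privatize(delta_w, rng, epsilon=EPSILON, delta=DELTA, clip_norm=CLIP_NORM):
    """Local DP release: clip on-device, then add N(0, sigma^2) to every coordinate.
    Only this noisy, clipped vector is sent to the aggregation server."""
    sigma = gaussian_sigma(epsilon, delta, clip_norm)
    return [x + rng.gauss(0.0, sigma) for x in l2_clip(delta_w, clip_norm)]

# Constructed weight delta from one node's local training step (norm about 2.55).
LOCAL_DELTA = [0.9, -1.2, 0.4, 2.0, -0.3]

def release(seed):
    """What one node would transmit for LOCAL_DELTA; seeded only so the demo repeats."""
    return privatize(LOCAL_DELTA, random.Random(seed))

if __name__ == "__main__":
    print("sigma        =", round(gaussian_sigma(), 4))             # about 4.8448
    print("clipped norm =", round(l2_norm(l2_clip(LOCAL_DELTA)), 6))
    print("released     =", [round(x, 3) for x in release(7)])
```

With σ ≈ 4.8 against a clip norm of 1.0, a single node's update is almost pure noise; the signal only becomes usable because FedAvg averages many such updates, which shrinks the noise standard deviation by the square root of the number of contributing nodes.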
Built by BreaktroughF1 LLP

Ready to see everything
your network is hiding?

Request a demo or dive straight into the documentation. LYNX deploys in under an hour on Linux, Windows, macOS, and embedded MIPS hardware.

Proprietary software. All rights reserved. BreaktroughF1 LLP