Full feature reference

Every capability.
No exceptions.

LYNX is built from first principles. Every feature closes a specific detection gap that existing IDS solutions leave open. This page documents all 12 inspection layers and the capabilities within each.

The 12-layer inspection pipeline

L01

Hardware Layer

Ingestion

ASIC punts only suspicious traffic to the CPU. DPDK bypasses the OS kernel on Linux x86 — packets flow directly from NIC hardware queues to IDS memory without a copy. CPU affinity isolates IDS cores from UI and log workloads.

DPDK kernel-bypass (Linux x86) · CPU affinity isolation · libpcap on all platforms · NUMA-aware allocation

L02

Ingestion Decoupling

Ring Buffer

A lock-free SPSC ring buffer using C11 atomics sits between the capture thread and the IDS engine. The engine never waits on downstream consumers. Live metrics are exposed via shared memory — the dashboard reads at zero overhead.

C11 _Atomic lock-free SPSC · Drop-oldest overflow policy · Shared-memory zero-copy metrics · 256 MB default (32 MB MIPS)

L03

Flood Separation Gate

New

Shannon entropy computed over the 5-tuple source distribution in a sliding window classifies traffic as flood vs suspect before it touches the IDS queue. An attacker cannot trigger degradation mode by flooding — the flood never enters the IDS budget.

Shannon entropy sliding window · Separate rate-limiter for flood · Degradation-weaponisation prevention · Configurable entropy threshold

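
The gate's decision, as an added illustration in C that is not LYNX code: a sliding window of packet sources, Shannon entropy over their distribution, and a band test that separates flood from suspect traffic. The window size, bucket count, entropy band, and the rule that both very low and very high entropy count as flood are assumptions made for the example.

```c
#include <stdint.h>
#include <string.h>
#define WINDOW 64     /* packets per sliding window (assumed size) */
#define NBUCKETS 256  /* source-address hash buckets (assumed) */
typedef struct {
    uint32_t src[WINDOW];  /* source IPv4 of each packet in the window */
    int count[NBUCKETS];   /* packets per source bucket */
    int head, filled;
} flood_gate_t;
/* Fold the address into a bucket; a real build would hash the full 5-tuple. */
static int bucket(uint32_t ip) { return (int)((ip ^ (ip >> 8) ^ (ip >> 16) ^ (ip >> 24)) & (NBUCKETS - 1)); }
/* log2 without libm: exponent from the IEEE-754 bits, mantissa via the
 * atanh series; exact for powers of two, about 1e-15 elsewhere. */
static double log2_nolibm(double x) {
    uint64_t b; memcpy(&b, &x, 8);
    int e = (int)((b >> 52) & 0x7ff) - 1023;
    b = (b & 0x000fffffffffffffULL) | 0x3ff0000000000000ULL;
    double m; memcpy(&m, &b, 8);                 /* m in [1, 2) */
    double t = (m - 1) / (m + 1), t2 = t * t, s = t, term = t;
    for (int k = 3; k < 31; k += 2) { term *= t2; s += term / k; }
    return e + 2 * s / 0.6931471805599453;      /* ln(m) / ln(2) */
}
/* Push one packet; when the window is full the oldest packet leaves it. */
void gate_push(flood_gate_t *g, uint32_t src_ip) {
    if (g->filled == WINDOW) g->count[bucket(g->src[g->head])]--;
    else g->filled++;
    g->src[g->head] = src_ip;
    g->count[bucket(src_ip)]++;
    g->head = (g->head + 1) % WINDOW;
}
/* Shannon entropy (bits) of the source distribution in the window. */
double gate_entropy(const flood_gate_t *g) {
    double h = 0.0;
    for (int i = 0; i < NBUCKETS; i++) {
        if (g->count[i] == 0) continue;
        double p = (double)g->count[i] / g->filled;
        h -= p * log2_nolibm(p);
    }
    return h;
}
/* Assumed policy: far below the band one source dominates, far above it the sources look
 * randomly spoofed; both are FLOOD (flood rate-limiter), inside the band is SUSPECT (IDS queue). */
enum { GATE_FLOOD = 0, GATE_SUSPECT = 1 };
int gate_classify(const flood_gate_t *g, double lo_bits, double hi_bits) {
    double h = gate_entropy(g);
    return (h < lo_bits || h > hi_bits) ? GATE_FLOOD : GATE_SUSPECT;
}
```

Because the gate only touches its own fixed-size window, a flood that fails the band test never reaches the IDS queue and cannot consume its budget.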
L04

ML Pre-Filter

Shadow Mode

A per-packet lightweight classifier (XGBoost → ONNX Runtime, or auto-generated C decision tree on MIPS) drops obviously malicious traffic before deep inspection. Shadow mode logs drops without executing them during a burn-in window — real drops only activate when the FP rate is verified below threshold.

XGBoost / ONNX Runtime (x86) · C decision tree (MIPS) · Shadow mode with FP measurement · Adversarial retraining support

L05

Normalization Gate

Evasion-Proof

Every layer above this sees a single canonical, unambiguous byte stream. IPv4 defragmentation, TCP reassembly, IPv6 extension header parsing, QUIC/HTTP3/MASQUE stream reassembly, and slow-drip multi-window rate analysis are all applied before any inspection occurs.

IPv4 defrag + overlap removal · TCP stream reassembly · IPv6 ext headers + tunnelling · QUIC / HTTP3 / MASQUE

L06

Flow Engine

Session Tracking

Bidirectional sessions are reconstructed from normalised stream segments using a cuckoo hash table with O(1) worst-case lookup. Explicit per-flow TTLs and a hard memory cap prevent unbounded state growth regardless of attacker-controlled traffic.

Cuckoo hash — O(1) worst-case · Bidirectional session reconstruction · Hard memory cap + LRU eviction · 2M concurrent flows (default)

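
An added example in C, not the LYNX flow engine itself, of the two properties named above: a two-table cuckoo flow table whose lookup probes exactly two slots, an insert that displaces entries along a bounded kick chain, and a TTL sweep. Table size, kick bound, the hash mixes, and the evict-on-failure behaviour are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#define SLOTS 1024     /* slots per table, fixed at start-up (assumed) */
#define MAX_KICKS 32   /* displacement bound before giving up (assumed) */
typedef struct { uint32_t saddr, daddr; uint16_t sport, dport; uint8_t proto; } flow_key_t;
typedef struct { flow_key_t key; uint32_t last_seen; bool used; } flow_slot_t;
typedef struct { flow_slot_t t[2][SLOTS]; unsigned count; } flow_table_t;  /* ~50 KB: declare it static */
static bool key_eq(const flow_key_t *a, const flow_key_t *b) {
    return a->saddr == b->saddr && a->daddr == b->daddr && a->sport == b->sport
        && a->dport == b->dport && a->proto == b->proto;
}
/* Two independent hash functions, one per table, from differently seeded mixes. */
static uint32_t slot_of(const flow_key_t *k, int table) {
    uint32_t h = table ? 0x9E3779B1u : 0x85EBCA77u;
    h = (h ^ k->saddr) * 0x27D4EB2Fu;  h ^= h >> 15;
    h = (h ^ k->daddr) * 0x165667B1u;  h ^= h >> 13;
    h = (h ^ ((uint32_t)k->sport << 16 | k->dport) ^ k->proto) * 0x9E3779B1u;
    return (h ^ (h >> 16)) & (SLOTS - 1);
}
/* O(1) worst case: a key can only live in one of exactly two slots. */
flow_slot_t *flow_lookup(flow_table_t *ft, const flow_key_t *k) {
    for (int i = 0; i < 2; i++) {
        flow_slot_t *s = &ft->t[i][slot_of(k, i)];
        if (s->used && key_eq(&s->key, k)) return s;
    }
    return 0;
}
/* Insert or refresh a flow. Memory never grows: if the bounded kick chain fails,
 * the entry that fell off it is evicted into *victim and false is returned. */
bool flow_touch(flow_table_t *ft, const flow_key_t *k, uint32_t now, flow_slot_t *victim) {
    flow_slot_t *hit = flow_lookup(ft, k);
    if (hit) { hit->last_seen = now; return true; }
    flow_slot_t cur = { *k, now, true };
    for (int i = 0, kicks = 0; kicks < MAX_KICKS; kicks++, i ^= 1) {
        flow_slot_t *s = &ft->t[i][slot_of(&cur.key, i)];
        if (!s->used) { *s = cur; ft->count++; return true; }
        flow_slot_t tmp = *s; *s = cur; cur = tmp;   /* displace, retry in the other table */
    }
    *victim = cur;
    return false;
}
/* Periodic sweep enforcing the per-flow TTL; returns how many flows expired. */
unsigned flow_expire(flow_table_t *ft, uint32_t now, uint32_t ttl) {
    unsigned n = 0;
    for (int i = 0; i < 2; i++)
        for (int j = 0; j < SLOTS; j++)
            if (ft->t[i][j].used && now - ft->t[i][j].last_seen > ttl) { ft->t[i][j].used = false; ft->count--; n++; }
    return n;
}
```
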
L07

Fingerprinting

JA4 + ECH

JA4 TLS fingerprinting (replaces JA3S; ECH-resistant) combined with HTTP header characteristics and TCP/IP stack identity produces a composite multi-signal pseudo-identity without endpoint access. Identity is a weighted score, not a single spoofable hash.

JA4 — ECH-resistant TLS · HTTP header order + timing · TCP/IP stack identity · Composite confidence score

L08

Feature Aggregation

Metadata Only

Session-level timing, volume, and destination attributes are extracted from metadata alone — no payload inspection, no decryption. LYNX works equally on plaintext and fully encrypted traffic, deriving all detection signals from observable behaviour.

Inter-arrival time statistics · Byte/pkt directionality ratio · Geo, ASN rarity, protocol mix · Zero payload access

L09

Behavioral Engine

Kill-Chain

A multi-stage attack modeler detects recon → access → enumeration → escalation → exfiltration chains even when individual sessions appear legitimate. A configurable correlation window (1 hour – 7 days) links activity across time. A baseline poison detector flags gradual adversarial drift.

Kill-chain state machine · 1h – 7d correlation window · Baseline poison detector · Analyst feedback loop

L10

Signal Fusion & Scoring

Risk Score

Normalization anomalies, fingerprint deviations, and behavioral outliers are fused into a single context-aware risk score. An uncertainty gate routes verdicts: suppress (clear FP), escalate to TinyLlama (uncertain), or alert the SOC directly (confirmed threat).

Weighted 4-signal fusion · Wire-only network context graph · Uncertainty gate — no silent drops · Configurable weight tuning

L11

TinyLlama FP Reduction

Off Hot Path

A fine-tuned TinyLlama-1.1B model runs as an async worker off the hot path. It receives a wire-only flow graph as structured text and returns a binary verdict: THREAT or FALSE_POSITIVE. Uncertain verdicts go to the analyst — never silently suppressed.

TinyLlama-1.1B QLoRA fine-tune · GGUF Q4_K_M — ~700 MB · Async bounded queue · Disabled at L1 degradation

L12

SOC Output & Dashboard

Real-time

Enriched alerts stream as JSON Lines to stdout, syslog, and a WebSocket dashboard. The React 18 dashboard uses virtual scrolling for 100k+ alert rows, OffscreenCanvas charts, alert grouping, and a permanent health indicator showing degradation level, CPU, and queue depth.

JSON Lines + syslog RFC 5424 · WebSocket delta updates · React 18 virtual scroll UI · 100k+ alert row performance

Capability summary

Evasion-Resistant Normalisation

IP defragmentation, TCP reassembly, IPv6 extension header parsing, and QUIC reassembly ensure every inspection layer sees a single canonical byte stream — fragmentation, overlap, and tunnelling attacks are caught before any detection logic runs.

Encrypted Traffic Detection

All detection is metadata and behavioural — no payload inspection, no TLS interception. LYNX detects exfiltration, lateral movement, and C2 beaconing in fully encrypted sessions by analysing timing, volume, fingerprints, and sequence patterns.

TinyLlama False-Positive Reduction

A fine-tuned TinyLlama-1.1B language model evaluates uncertain alerts off the hot path, converting wire-only flow graphs into readable context and returning a binary THREAT / FALSE_POSITIVE verdict. SOC analysts receive only real threats.

Privacy-Preserving Federated Learning

Each deployed node contributes only locally-differentially-private weight deltas to a shared global model — raw traffic never leaves the device. Clustered FedAvg groups nodes by traffic domain so a hospital's model never corrupts a factory's.

Wire-Speed Performance

Zero dynamic allocation on the hot path, lock-free SPSC ring buffer, cuckoo hash flow table with O(1) worst-case lookup, and optional DPDK kernel bypass on Linux x86. Benchmarked at 500k+ packets per second on commodity hardware.

Graceful Degradation

Under CPU saturation, LYNX reduces inspection depth through 4 explicit levels rather than dropping packets or crashing. The flood gate and normalisation layer are never disabled — evasion protection holds at every degradation level.

MIPS Embedded Deployment

A single statically-linked binary cross-compiled for Cavium OCTEON MIPS64 runs on the Cyberoam CR1500ia and similar hardware-firewall platforms with 512 MB RAM. No vendor SDK, no proprietary dependencies — just standard Linux.

Multi-Stage Attack Modelling

A kill-chain state machine correlates recon → access → enumeration → escalation → exfiltration patterns across a configurable 1-hour to 7-day window, detecting APT campaigns that individual session alerts would never surface.

No Endpoint Access Required

LYNX derives pseudo-identities from JA4 TLS fingerprints, HTTP characteristics, and TCP/IP stack behaviour — no agents, no EDR, no kernel modules on endpoints. Identity follows the network, not the host.
