Multi-class softmax folded detector — V8-V14 + V16, Sui + Solana

What it is

The multi-class folded detector is a single joint classifier trained against the union corpus of NullRabbit's V8-V14 binary detectors plus the new V16 gossip-abuse class, with Solana primitives folded into the existing Sui-side class taxonomy. It is one demonstrable outcome of NullRabbit's pre-registration discipline applied at the unified-detector layer; the methodology is the contribution.

This is the work of the substrate paper (in preparation): an iterative leak-surface peeling pattern applied across multiple training cycles. Each binary detector cycle (V8 → V9 → V10 → V11 → V12 → V13 → V14 → V15 → V16) is pre-registered, audited on close, and retracted in writing when a leak fires. The folded multi-class architecture absorbs each binary class as a softmax column; the v2 retrain documented here adds V16 (gossip-abuse) after V15's caveat #2 was empirically confirmed and closed by corpus augmentation. The model demonstrates autonomous defence for decentralised networks at the unified-detector layer.

The model itself is CalibratedClassifierCV(HistGradientBoostingClassifier, method="isotonic", cv=5) over 107 features spanning the bundle v1 modalities (pcap.*, host.*, app.*, protocol.*, responses.*). Output: per-class calibrated probabilities across 9 classes (benign + V8/V9/V10/V11/V12/V13/V14/V16). Single-bundle scoring; not a packet-level streaming detector.

Architecture

  • Estimator: CalibratedClassifierCV(HistGradientBoostingClassifier(max_iter=300, learning_rate=0.05, max_depth=8), method='isotonic', cv=5).
  • Output: 9-class softmax with isotonic calibration per class.
  • Features: 107 total, drawn from the full bundle v1 modality surface.
  • Solana mode: folded — Solana primitives map into Sui-side class manifolds based on the family taxonomy (e.g. SOL_F10 → V8, SOL_F14 → V14, SOL_G01-G08 → V16). This is the cross-chain claim: the family taxonomy abstracts at the attack-mechanism layer, so the same class column captures the mechanism regardless of the chain that hosts it.
  • Training corpus: 2549 bundles across 38 primitives, fidelity_class=lab.
  • Seed: 42.

Class taxonomy

| Class | Family | Sui primitives | Solana primitives | Total in training |
|---|---|---|---|---|
| benign | benign | sui_BENIGN_passive_fullnode, sui_BENIGN_reproducer_pipeline | solana_BENIGN_organic_rpc, solana_BENIGN_validator_passive, SOL_BG01_validator_repair_catchup | 1076 |
| V8 | response_amp | sui_F10 | SOL_F10 | 105 |
| V9 | reconnaissance | (none in this cache) | SOL_RC_nmap_slow | 50 |
| V10 | auth_bypass | sui_GR01, sui_GR02, sui_H01 | SOL_H01 | 204 |
| V11 | rate_limiter_bypass / app-DoS | sui_P01, sui_P05, sui_P06, sui_P07 | SOL_P07, SOL_GR01 | 324 |
| V12 | consensus_abuse / memory_amp | sui_D01, sui_D02, sui_D03 | (none) | 150 |
| V13 | service_misconfig | sui_MC × 5 | SOL_MC × 5 | 500 |
| V14 | compute_amp | sui_F14 | SOL_F14 | 105 |
| V16 | gossip_abuse | (none — pcap-only Sui-side cycle banked) | SOL_G01, SOL_G04, SOL_G05, SOL_G07, SOL_G08 | 35 |

V16 is the smallest class at n=35; all other classes have n≥50. The Solana-only construction of V16 reflects cycle2 corpus state at training time (2026-05-13). Cross-chain transfer evidence for V16 requires a Sui-side gossip-pcap corpus — banked, not validated.

Training data

The training corpus is proprietary. NullRabbit's archived corpus_v1.0–corpus_v1.10 plus the cycle2 working corpus (V15 / V16 gossip-abuse) compose the union from which 2549 lab-fidelity bundles were drawn for v2 training.

A curated, public sample of the corpus is available on Hugging Face as NullRabbit/nr-bundles-public — 31 bundles spanning seven vulnerability families across Sui and Solana, CC-BY-4.0. The bundle format is open and specified at nr-bundle-spec (MIT). External researchers building their own corpus against the spec can reproduce the methodology, retrain the multi-class softmax architecture on their own data, and compare against this reference model.

The V8 binary detector that anchored the byte-amplification class is published separately at NullRabbit/v8-cipher-agnostic (Apache-2.0). The multi-class folded model unifies V8's behaviour with the other family detectors into a single inference path.

Intended use

  • Reference multi-class detector for the V8-V14 + V16 attack-family taxonomy on validator-infrastructure observations. Single bundle in → 9-class softmax out → argmax verdict + calibrated per-class probabilities.
  • Cross-chain generalisation evidence: the folded mapping demonstrates that Sui-trained and Solana-trained class manifolds for the same family converge under joint training. Cross-chain transfer is validated for V8 (response_amp), V11 (rate_limiter_bypass), V13 (service_misconfig), V14 (compute_amp) — these have both Sui and Solana primitives in training and achieve per-class recall ≥0.997.
  • Methodology demonstration: the v2 retrain consumes the V16 binary detector's outcome and absorbs the new family into the unified detector. Pre-registration → train → audit → outcome documentation is the substrate-paper-meaningful methodology, applied at the multi-class layer.

Load-bearing limitations

This section is the most important part of the card. Each limitation is anchored in pre-registered evidence and surfaced because it would otherwise become a deployment-time surprise.

n=1 OOF fragility on the V16 load-bearing benign

SOL_BG01_validator_repair_catchup is the single ground-truth UDP gossip benign in the training corpus. The fitted v2 model routes SOL_BG01 to benign with P(benign)=0.97. In the OOF fold where SOL_BG01 is held out, the model has zero UDP gossip benign signal and routes BG01 to V16 — producing the single benign-as-V16 misclassification in the OOF confusion matrix. This is expected n=1 fragility pre-registered in docs/MULTICLASS-FOLDED-V2-DESIGN.md Section "Honest caveats banked in advance #1". Production deployment for V16 + BG01-class routing requires corpus scale-up (n≥10 UDP benigns across postures: idle multi-validator cluster, repair-traffic, snapshot-catchup, vote-msg propagation) before the routing claim is defensible.

V16 cross-primitive generalisation is in-sample

All 35 V16 attack bundles (SOL_G01, SOL_G04, SOL_G05, SOL_G07, SOL_G08) are in training. Per-primitive recall of 35/35 at the in-sample level is fit, not held-out generalisation. Transfer to gossip-abuse primitives outside the cycle2 corpus is not validated by v2.

V16 has no Sui-side training data

V16's training distribution is Solana-only. The model cannot demonstrate cross-chain transfer for the gossip-abuse family from this corpus. Forward TODO: Sui-side gossip-pcap corpus + V16 cross-chain transfer evaluation.

V9 (reconnaissance) is Solana-only in this cache

The 2026-05-11 baseline cache included sui_RC_masscan_distributed + sui_RC_nmap_slow; the v2-unified cache (flat-dir construction from step11-cache + spaces-extract + cycle2) doesn't include them. V9 in v2 has 50 bundles (SOL_RC_nmap_slow only). Per-class recall at 1.00 is in-sample; cross-chain V9 transfer is not validated. Forward TODO for v3.

Per-class metric variance is asymmetric

V16 (n=35) is ~30× smaller than V13 (n=500). Stratified folding handles the imbalance but the per-class metric noise floor differs across classes — V16 metrics will have higher variance than V13 metrics. Single-fold per-class recall numbers for V16 should be interpreted with this in mind.

Bundle modality requirements vary by class

The model uses 107 features spanning all bundle v1 modalities and was trained on bundles with full modality coverage (responses, host, app, protocol, packets.pcap all populated). At inference time, bundles with missing modalities are out-of-distribution by construction and predictions degrade in a class-dependent way.

Class manifold sensitivity to missing packets.pcap (the most common public-release mode where pcap is dropped for safety):

  • V8 (response_amp), V13 (service_misconfig), V14 (compute_amp): largely robust to pcap-drop. These classes have discriminative wire-shape features in responses.parquet + host.parquet that survive without pcap.
  • V11 (rate_limiter_bypass) and benign-with-traffic: load-bearing on pcap.* rate/cardinality features. When pcap is dropped, the all-zero pcap.* signal looks more V16-like than V11/benign-like to the model, producing misclassifications.
  • V16 (gossip-abuse): load-bearing on pcap.* features (the class was trained entirely on pcap-only cycle2 bundles). Without raw pcap, V16 cannot be evaluated honestly — and a V16 prediction with feature_coverage=resp_only is almost certainly a missing-modality artefact, not a true gossip-abuse detection.

The predict.py scoreability gate (recommended consumption surface) refuses to score bundles where neither responses.parquet nor packets.pcap has content, and emits a feature_coverage flag + a coverage_warning when the predicted class is sensitive to the missing modality. For reliable V11 / benign-with-traffic / V16 inference, callers must provide bundles with raw packets.pcap present. The curated public dataset nr-bundles-public is not suitable for those classes.

Disclosure context

The training corpus includes bundles for primitives at varying disclosure states. SOL_F10_multi_get_accounts_amp, SOL_F14_simulate_transaction_sync_wedge, SOL_P07_get_program_accounts_filter_miss are publicly disclosed per NR-2026-001. Other primitives represent methodology-class findings or are referenced in coordinated-disclosure channels with respective ecosystems. Disclosure-status information travels with the bundles in nr-bundles-public; this model card is the inference-layer cross-reference.

Evaluation

5-fold stratified out-of-fold predictions on the 2549-bundle training corpus:

| Class | n | recall | precision | brier | P(class\|true) | P(class\|false) |
|---|---|---|---|---|---|---|
| benign | 1076 | 0.999 | 0.999 | 0.0011 | 0.997 | 0.003 |
| V8 | 105 | 1.000 | 1.000 | 0.0001 | 0.992 | 0.000 |
| V9 | 50 | 1.000 | 1.000 | 0.0000 | 0.995 | 0.000 |
| V10 | 204 | 1.000 | 1.000 | 0.0001 | 0.990 | 0.000 |
| V11 | 324 | 0.997 | 1.000 | 0.0004 | 0.995 | 0.001 |
| V12 | 150 | 1.000 | 1.000 | 0.0000 | 1.000 | 0.000 |
| V13 | 500 | 1.000 | 1.000 | 0.0000 | 0.999 | 0.000 |
| V14 | 105 | 1.000 | 1.000 | 0.0001 | 0.985 | 0.000 |
| V16 | 35 | 1.000 | 0.972 | 0.0005 | 0.982 | 0.001 |

Overall OOF accuracy: 0.9992 (2026-05-11 predecessor: 0.9996; within fold-variance band). Per-class confusion matrix:

          benign      V8      V9     V10     V11     V12     V13     V14     V16
benign      1075       0       0       0       0       0       0       0       1
V8             0     105       0       0       0       0       0       0       0
V9             0       0      50       0       0       0       0       0       0
V10            0       0       0     204       0       0       0       0       0
V11            1       0       0       0     323       0       0       0       0
V12            0       0       0       0       0     150       0       0       0
V13            0       0       0       0       0       0     500       0       0
V14            0       0       0       0       0       0       0     105       0
V16            0       0       0       0       0       0       0       0      35

The single benign→V16 misclassification is the SOL_BG01 OOF fragility documented above. The single V11→benign cross-class confusion is identical to the 2026-05-11 baseline and reflects an edge case in the rate_limiter_bypass class boundary that has persisted across cycles.
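
The recall, precision and accuracy figures above can be re-derived from the confusion matrix, and the asymmetric-variance limitation can be made concrete with an interval on each recall. The block below is an added example, not code from the NullRabbit repository; it goes beyond the card by computing a 95% Wilson score interval, which assumes independent bundles within a class.

```python
import math

# Confusion matrix copied from this card (rows = true class, columns = predicted).
CLASSES = ["benign", "V8", "V9", "V10", "V11", "V12", "V13", "V14", "V16"]
CONFUSION = [
    [1075, 0, 0, 0, 0, 0, 0, 0, 1],
    [0, 105, 0, 0, 0, 0, 0, 0, 0],
    [0, 0, 50, 0, 0, 0, 0, 0, 0],
    [0, 0, 0, 204, 0, 0, 0, 0, 0],
    [1, 0, 0, 0, 323, 0, 0, 0, 0],
    [0, 0, 0, 0, 0, 150, 0, 0, 0],
    [0, 0, 0, 0, 0, 0, 500, 0, 0],
    [0, 0, 0, 0, 0, 0, 0, 105, 0],
    [0, 0, 0, 0, 0, 0, 0, 0, 35],
]

def wilson_interval(hits, n, z=1.96):
    """95% Wilson score interval for a binomial proportion hits/n."""
    p = hits / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return max(0.0, centre - half), min(1.0, centre + half)

def per_class_report(classes=CLASSES, cm=CONFUSION):
    """Recall, precision and the Wilson interval on recall for each class."""
    report = {}
    for i, cls in enumerate(classes):
        tp = cm[i][i]
        n_true = sum(cm[i])                  # row sum: bundles truly in this class
        n_pred = sum(row[i] for row in cm)   # column sum: bundles predicted as it
        report[cls] = {"n": n_true, "recall": tp / n_true,
                       "precision": tp / n_pred,
                       "recall_ci": wilson_interval(tp, n_true)}
    return report

def accuracy(cm=CONFUSION):
    """Overall accuracy: diagonal mass over all bundles."""
    return sum(cm[i][i] for i in range(len(cm))) / sum(map(sum, cm))

if __name__ == "__main__":
    for cls, r in per_class_report().items():
        lo, hi = r["recall_ci"]
        print(f"{cls:7s} n={r['n']:4d} recall={r['recall']:.3f} "
              f"precision={r['precision']:.3f} recall 95% CI=[{lo:.3f}, {hi:.3f}]")
    print(f"accuracy={accuracy():.4f}")
```

A perfect 35/35 for V16 still leaves a lower bound near 0.90, while 500/500 for V13 leaves one above 0.99, which is the noise-floor difference the limitation describes.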

How to use

Recommended path: predict.py (scoreability-gated)

The repository ships with predict.py — a thin scoreability-gated inference helper that wraps the raw multi-class estimator with two production-side gates:

  • Scoreability gate: refuses to score bundles where neither responses.parquet nor packets.pcap has content. Bundles with no observed RPC traffic AND no captured network packets cannot be classified usefully; the gate returns an explicit verdict: "unscoreable" instead of producing a spurious argmax.
  • Feature-coverage flag: emits feature_coverage describing which bundle modalities contributed features ("resp_only", "pcap_only", "full", etc.) so callers can downweight predictions where the modality coverage doesn't match the predicted class (e.g. V16 prediction with resp_only coverage is suspect).

from huggingface_hub import hf_hub_download
from predict import load_model, score_bundle

model_path = hf_hub_download(
    repo_id="NullRabbit/multiclass-folded", filename="model.joblib"
)
payload = load_model(model_path)

record = score_bundle("/path/to/some/bundle_dir", payload)
if record["verdict"] == "unscoreable":
    print(f"refused: {record['reason']}")
else:
    print(f"argmax: {record['argmax_class']} (P={record['argmax_p']:.4f}, "
          f"coverage={record['feature_coverage']})")
    for cls, p in sorted(record["class_probs"].items(),
                         key=lambda kv: -kv[1])[:3]:
        print(f"  P({cls}) = {p:.4f}")

predict.py depends on the bundle-spec reference parser:

pip install git+https://github.com/NullRabbitLabs/nr-bundle-spec.git

For a full worked example that loads bundles from nr-bundles-public via the spec parser and demonstrates cross-class scoring (V8 / V11 / V13 / V14 / benign verdicts on the public dataset), see inference_example.py.

Bypassing the gate

Callers with their own pre-filtering pipeline (or who explicitly want raw model output) can load the estimator directly:

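import joblib
import numpy as np
from huggingface_hub import hf_hub_download

model_path = hf_hub_download(
    repo_id="NullRabbit/multiclass-folded", filename="model.joblib"
)
# joblib.load unpickles the file, so load only artefacts from a source you trust.
payload = joblib.load(model_path)
model = payload["model"]            # CalibratedClassifierCV
features = payload["feature_names"] # 107-feature contract
class_order = payload["class_order"]

# Placeholder input: replace with real rows, columns ordered as in `features`.
X = np.zeros((1, len(features)))    # shape (n_samples, 107)
proba = model.predict_proba(X)      # shape (n_samples, 9)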

This path is the responsibility of the caller. The scoreability gate exists to prevent spurious predictions on under-determined inputs. See the Load-bearing limitations section.
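
A caller on the raw path can restore the two checks it gives up by inspecting the feature row before trusting the argmax. The block below is an added example, not the repository's predict.py: it infers modality coverage from all-zero feature prefixes, and its feature names, the "scored" verdict value and the three-way coverage label are assumptions made for illustration.

```python
# Classes the card lists as load-bearing on pcap.* features.
PCAP_SENSITIVE = {"V11", "V16", "benign"}

def modalities_present(feature_names, row):
    """Modality prefixes (text before the first '.') with any non-zero feature."""
    return {name.split(".", 1)[0]
            for name, value in zip(feature_names, row) if value != 0}

def guarded_verdict(feature_names, row, class_order, proba_row):
    """Wrap one raw predict_proba row with the checks a gate-bypassing caller loses."""
    if len(row) != len(feature_names):
        raise ValueError("feature row does not match the feature_names contract")
    if len(proba_row) != len(class_order):
        raise ValueError("probability row does not match class_order")
    present = modalities_present(feature_names, row)
    has_resp, has_pcap = "responses" in present, "pcap" in present
    if not (has_resp or has_pcap):
        return {"verdict": "unscoreable",
                "reason": "no responses.* or pcap.* signal in feature row"}
    # Simplified three-way label (assumption); predict.py may emit other values.
    coverage = "full" if has_resp and has_pcap else (
        "resp_only" if has_resp else "pcap_only")
    best = max(range(len(class_order)), key=lambda i: proba_row[i])
    cls = class_order[best]
    warning = None
    if not has_pcap and cls in PCAP_SENSITIVE:
        warning = f"{cls} depends on pcap.* features; pcap.* is all-zero"
    # "scored" is a hypothetical verdict value chosen for this example.
    return {"verdict": "scored", "argmax_class": cls,
            "argmax_p": proba_row[best], "feature_coverage": coverage,
            "coverage_warning": warning}

# Constructed sample: 4 hypothetical feature names, not the real 107-feature list.
NAMES = ["pcap.pkt_rate", "pcap.src_cardinality", "responses.bytes_out", "host.cpu"]
ORDER = ["benign", "V8", "V9", "V10", "V11", "V12", "V13", "V14", "V16"]

if __name__ == "__main__":
    v16 = [0.02, 0, 0, 0, 0.03, 0, 0, 0, 0.95]   # constructed probability row
    print(guarded_verdict(NAMES, [0, 0, 512.0, 0.4], ORDER, v16))  # V16, warned
    print(guarded_verdict(NAMES, [900.0, 3, 0, 0.4], ORDER, v16))  # pcap_only
    print(guarded_verdict(NAMES, [0, 0, 0, 0.4], ORDER, v16))      # unscoreable
```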

Methodology

NullRabbit's training cycles follow pre-registration discipline. Each cycle has a design document committed before the trainer runs. Audits run on close against sanity floors, per-feature ablation trails, and falsification holdouts. Where an audit fires, training halts, the design is re-registered, and the prior version is retracted in writing.

The iterative leak-surface peeling pattern is the methodology contribution: detection of a training-time leak (a feature whose discriminative signal turns out to come from a labelling artefact or capture-pipeline asymmetry rather than from the attack mechanism) triggers a corpus delta + re-train + re-audit, with each cycle narrowing the leak surface. The v2 retrain is a worked example at the unified-detector layer: V15 (gossip-abuse binary) pre-registered caveat #2 (protocol-shape leak); cycle2 corpus expansion (the other-window sprint) provided the load-bearing UDP benign that made the caveat empirically testable; V15 evaluation confirmed the caveat; V16 binary detector retrained with corpus augmentation closed the caveat at the n=1 fragile level; this v2 multi-class retrain absorbs V16 into the unified detector with the load-bearing benign test passing at training-set scale and the OOF fragility surfaced honestly.

The corpus format and family taxonomy are open at nr-bundle-spec. The methodology is open (in preparation as the substrate paper). The specific corpus contents beyond nr-bundles-public are proprietary.

Citation

@misc{nullrabbit_multiclass_folded_2026,
  author       = {NullRabbit},
  title        = {Multi-class softmax folded detector — V8-V14 + V16, Sui + Solana},
  year         = {2026},
  month        = may,
  version      = {2},
  publisher    = {Hugging Face},
  url          = {https://huggingface.co/NullRabbit/multiclass-folded},
  note         = {Reference 9-class joint detector for the V8-V14 binary detector family plus the V16 gossip-abuse class. Trained on the bundle v1 corpus specified at nr-bundle-spec v0.1.0; curated public sample at NullRabbit/nr-bundles-public; V8 binary anchor at NullRabbit/v8-cipher-agnostic.},
}

Contact

Research enquiries: simon@nullrabbit.ai

Spec compliance or format questions — open an issue at nr-bundle-spec.
