---
license: apache-2.0
language:
  - en
tags:
  - cybersecurity
  - blockchain
  - network-security
  - validator-security
  - anomaly-detection
  - multi-class-classification
  - byte-amplification
  - gossip-abuse
  - sui
  - solana
  - scikit-learn
library_name: scikit-learn
pretty_name: Multi-class softmax folded detector (V8-V14 + V16, Sui + Solana)
---

# Multi-class softmax folded detector — V8-V14 + V16, Sui + Solana

## What it is

The multi-class folded detector is a single joint classifier trained against the union corpus of NullRabbit's V8-V14 binary detectors plus the new V16 gossip-abuse class, with Solana primitives folded into the existing Sui-side class taxonomy. It is one demonstrable outcome of NullRabbit's pre-registration discipline applied at the unified-detector layer; **the methodology is the contribution.**

This is the work of the substrate paper (in preparation): an iterative leak-surface peeling pattern applied across multiple training cycles. Each binary detector cycle (V8 → V9 → V10 → V11 → V12 → V13 → V14 → V15 → V16) is pre-registered, audited on close, and retracted in writing when a leak fires. The folded multi-class architecture absorbs each binary class as a softmax column; the v2 retrain documented here adds V16 (gossip-abuse) after V15's caveat #2 was empirically confirmed and closed by corpus augmentation. The model demonstrates **autonomous defence for decentralised networks** at the unified-detector layer.

The model itself is `CalibratedClassifierCV(HistGradientBoostingClassifier, method="isotonic", cv=5)` over 107 features spanning the bundle v1 modalities (pcap.*, host.*, app.*, protocol.*, responses.*). Output: per-class calibrated probabilities across 9 classes (benign + V8/V9/V10/V11/V12/V13/V14/V16). Single-bundle scoring; not a packet-level streaming detector.

## Architecture

- Estimator: `CalibratedClassifierCV(HistGradientBoostingClassifier(max_iter=300, learning_rate=0.05, max_depth=8), method='isotonic', cv=5)`.
- Output: 9-class softmax with isotonic calibration per class.
- Features: 107 total, drawn from the full bundle v1 modality surface.
- Solana mode: `folded` — Solana primitives map into Sui-side class manifolds based on the family taxonomy (e.g. SOL_F10 → V8, SOL_F14 → V14, SOL_G01-G08 → V16). This is the **cross-chain claim**: the family taxonomy abstracts at the attack-mechanism layer, so the same class column captures the mechanism regardless of the chain that hosts it.
- Training corpus: 2549 bundles across 38 primitives, fidelity_class=lab.
- Seed: 42.

## Class taxonomy

| Class | Family | Sui primitives | Solana primitives | Total in training |
|---|---|---|---|---:|
| benign | benign | sui_BENIGN_passive_fullnode, sui_BENIGN_reproducer_pipeline | solana_BENIGN_organic_rpc, solana_BENIGN_validator_passive, SOL_BG01_validator_repair_catchup | 1076 |
| V8 | response_amp | sui_F10 | SOL_F10 | 105 |
| V9 | reconnaissance | (none in this cache) | SOL_RC_nmap_slow | 50 |
| V10 | auth_bypass | sui_GR01, sui_GR02, sui_H01 | SOL_H01 | 204 |
| V11 | rate_limiter_bypass / app-DoS | sui_P01, sui_P05, sui_P06, sui_P07 | SOL_P07, SOL_GR01 | 324 |
| V12 | consensus_abuse / memory_amp | sui_D01, sui_D02, sui_D03 | (none) | 150 |
| V13 | service_misconfig | sui_MC × 5 | SOL_MC × 5 | 500 |
| V14 | compute_amp | sui_F14 | SOL_F14 | 105 |
| **V16** | **gossip_abuse** | (none — pcap-only Sui-side cycle banked) | **SOL_G01, SOL_G04, SOL_G05, SOL_G07, SOL_G08** | **35** |

V16 is the smallest class at n=35; all other classes have n≥50. The Solana-only construction of V16 reflects cycle2 corpus state at training time (2026-05-13). Cross-chain transfer evidence for V16 requires a Sui-side gossip-pcap corpus — banked, not validated.

## Training data

The training corpus is **proprietary**. NullRabbit's archived `corpus_v1.0`–`corpus_v1.10` plus the cycle2 working corpus (V15 / V16 gossip-abuse) compose the union from which 2549 lab-fidelity bundles were drawn for v2 training.

A curated, public sample of the corpus is available on Hugging Face as **[NullRabbit/nr-bundles-public](https://huggingface.co/datasets/NullRabbit/nr-bundles-public)** — 31 bundles spanning seven vulnerability families across Sui and Solana, CC-BY-4.0. The bundle format is open and specified at **[`nr-bundle-spec`](https://github.com/NullRabbitLabs/nr-bundle-spec)** (MIT). External researchers building their own corpus against the spec can reproduce the methodology, retrain the multi-class softmax architecture on their own data, and compare against this reference model.

The V8 binary detector that anchored the byte-amplification class is published separately at **[NullRabbit/v8-cipher-agnostic](https://huggingface.co/NullRabbit/v8-cipher-agnostic)** (Apache-2.0). The multi-class folded model unifies V8's behaviour with the other family detectors into a single inference path.

## Intended use

- **Reference multi-class detector for the V8-V14 + V16 attack-family taxonomy** on validator-infrastructure observations. Single bundle in → 9-class softmax out → argmax verdict + calibrated per-class probabilities.
- **Cross-chain generalisation evidence**: the folded mapping demonstrates that Sui-trained and Solana-trained class manifolds for the same family converge under joint training. Cross-chain transfer is validated for V8 (response_amp), V11 (rate_limiter_bypass), V13 (service_misconfig), V14 (compute_amp) — these have both Sui and Solana primitives in training and achieve per-class recall ≥0.997.
- **Methodology demonstration**: the v2 retrain consumes the V16 binary detector's outcome and absorbs the new family into the unified detector. Pre-registration → train → audit → outcome documentation is the substrate-paper-meaningful methodology, applied at the multi-class layer.

## Load-bearing limitations

This section is the most important part of the card. Each limitation is anchored in pre-registered evidence and surfaced because it would otherwise become a deployment-time surprise.

### n=1 OOF fragility on the V16 load-bearing benign

SOL_BG01_validator_repair_catchup is the single ground-truth UDP gossip benign in the training corpus. The fitted v2 model routes SOL_BG01 to `benign` with P(benign)=0.97. **In the OOF fold where SOL_BG01 is held out**, the model has zero UDP gossip benign signal and routes BG01 to V16 — producing the single benign-as-V16 misclassification in the OOF confusion matrix. This is **expected n=1 fragility** pre-registered in `docs/MULTICLASS-FOLDED-V2-DESIGN.md` Section "Honest caveats banked in advance #1". Production deployment for V16 + BG01-class routing requires corpus scale-up (n≥10 UDP benigns across postures: idle multi-validator cluster, repair-traffic, snapshot-catchup, vote-msg propagation) before the routing claim is defensible.

### V16 cross-primitive generalisation is in-sample

All 35 V16 attack bundles (SOL_G01, SOL_G04, SOL_G05, SOL_G07, SOL_G08) are in training. Per-primitive recall of 35/35 at the in-sample level is fit, not held-out generalisation. Transfer to gossip-abuse primitives outside the cycle2 corpus is not validated by v2.

### V16 has no Sui-side training data

V16's training distribution is Solana-only. The model **cannot** demonstrate cross-chain transfer for the gossip-abuse family from this corpus. Forward TODO: Sui-side gossip-pcap corpus + V16 cross-chain transfer evaluation.

### V9 (reconnaissance) is Solana-only in this cache

The 2026-05-11 baseline cache included `sui_RC_masscan_distributed` + `sui_RC_nmap_slow`; the v2-unified cache (flat-dir construction from step11-cache + spaces-extract + cycle2) doesn't include them. V9 in v2 has 50 bundles (SOL_RC_nmap_slow only). Per-class recall at 1.00 is in-sample; cross-chain V9 transfer is not validated. Forward TODO for v3.

### Per-class metric variance is asymmetric

V16 (n=35) is ~30× smaller than V13 (n=500). Stratified folding handles the imbalance but the per-class metric noise floor differs across classes — V16 metrics will have higher variance than V13 metrics. Single-fold per-class recall numbers for V16 should be interpreted with this in mind.

### Bundle modality requirements vary by class

The model uses 107 features spanning all bundle v1 modalities and was trained on bundles with full modality coverage (responses, host, app, protocol, packets.pcap all populated). At inference time, bundles with missing modalities are **out-of-distribution by construction** and predictions degrade in a class-dependent way.

Class manifold sensitivity to missing `packets.pcap` (the most common public-release mode where pcap is dropped for safety):

- **V8 (response_amp), V13 (service_misconfig), V14 (compute_amp)**: largely robust to pcap-drop. These classes have discriminative wire-shape features in `responses.parquet` + `host.parquet` that survive without pcap.
- **V11 (rate_limiter_bypass) and benign-with-traffic**: load-bearing on `pcap.*` rate/cardinality features. When pcap is dropped, the all-zero pcap.* signal looks more V16-like than V11/benign-like to the model, producing misclassifications.
- **V16 (gossip-abuse)**: load-bearing on `pcap.*` features (the class was trained entirely on pcap-only cycle2 bundles). Without raw pcap, V16 cannot be evaluated honestly — and a V16 prediction with `feature_coverage=resp_only` is almost certainly a missing-modality artefact, not a true gossip-abuse detection.

The `predict.py` scoreability gate (recommended consumption surface) refuses to score bundles where neither `responses.parquet` nor `packets.pcap` has content, and emits a `feature_coverage` flag + a `coverage_warning` when the predicted class is sensitive to the missing modality. For reliable V11 / benign-with-traffic / V16 inference, callers must provide bundles with raw `packets.pcap` present. The curated public dataset `nr-bundles-public` is not suitable for those classes.

### Disclosure context

The training corpus includes bundles for primitives at varying disclosure states. `SOL_F10_multi_get_accounts_amp`, `SOL_F14_simulate_transaction_sync_wedge`, `SOL_P07_get_program_accounts_filter_miss` are publicly disclosed per [NR-2026-001](https://nullrabbit.ai). Other primitives represent methodology-class findings or are referenced in coordinated-disclosure channels with respective ecosystems. Disclosure-status information travels with the bundles in `nr-bundles-public`; this model card is the inference-layer cross-reference.

## Evaluation

5-fold stratified out-of-fold predictions on the 2549-bundle training corpus:

| Class | n | recall | precision | brier | P(class\|true) | P(class\|false) |
|---|---:|---:|---:|---:|---:|---:|
| benign | 1076 | 0.999 | 0.999 | 0.0011 | 0.997 | 0.003 |
| V8 | 105 | 1.000 | 1.000 | 0.0001 | 0.992 | 0.000 |
| V9 | 50 | 1.000 | 1.000 | 0.0000 | 0.995 | 0.000 |
| V10 | 204 | 1.000 | 1.000 | 0.0001 | 0.990 | 0.000 |
| V11 | 324 | 0.997 | 1.000 | 0.0004 | 0.995 | 0.001 |
| V12 | 150 | 1.000 | 1.000 | 0.0000 | 1.000 | 0.000 |
| V13 | 500 | 1.000 | 1.000 | 0.0000 | 0.999 | 0.000 |
| V14 | 105 | 1.000 | 1.000 | 0.0001 | 0.985 | 0.000 |
| V16 | 35 | 1.000 | 0.972 | 0.0005 | 0.982 | 0.001 |

Overall OOF accuracy: **0.9992** (2026-05-11 predecessor: 0.9996; within fold-variance band). Per-class confusion matrix:

```
          benign      V8      V9     V10     V11     V12     V13     V14     V16
benign      1075       0       0       0       0       0       0       0       1
V8             0     105       0       0       0       0       0       0       0
V9             0       0      50       0       0       0       0       0       0
V10            0       0       0     204       0       0       0       0       0
V11            1       0       0       0     323       0       0       0       0
V12            0       0       0       0       0     150       0       0       0
V13            0       0       0       0       0       0     500       0       0
V14            0       0       0       0       0       0       0     105       0
V16            0       0       0       0       0       0       0       0      35
```

The single benign→V16 misclassification is the SOL_BG01 OOF fragility documented above. The single V11→benign cross-class confusion is identical to the 2026-05-11 baseline and reflects an edge case in the rate_limiter_bypass class boundary that has persisted across cycles.

## How to use

### Recommended path: `predict.py` (scoreability-gated)

The repository ships with `predict.py` — a thin scoreability-gated inference helper that wraps the raw multi-class estimator with two production-side gates:

- **Scoreability gate**: refuses to score bundles where neither `responses.parquet` nor `packets.pcap` has content. Bundles with no observed RPC traffic AND no captured network packets cannot be classified usefully; the gate returns an explicit `verdict: "unscoreable"` instead of producing a spurious argmax.
- **Feature-coverage flag**: emits `feature_coverage` describing which bundle modalities contributed features (`"resp_only"`, `"pcap_only"`, `"full"`, etc.) so callers can downweight predictions where the modality coverage doesn't match the predicted class (e.g. V16 prediction with `resp_only` coverage is suspect).

```python
from huggingface_hub import hf_hub_download
from predict import load_model, score_bundle

model_path = hf_hub_download(
    repo_id="NullRabbit/multiclass-folded", filename="model.joblib"
)
payload = load_model(model_path)

record = score_bundle("/path/to/some/bundle_dir", payload)
if record["verdict"] == "unscoreable":
    print(f"refused: {record['reason']}")
else:
    print(f"argmax: {record['argmax_class']} (P={record['argmax_p']:.4f}, "
          f"coverage={record['feature_coverage']})")
    for cls, p in sorted(record["class_probs"].items(),
                         key=lambda kv: -kv[1])[:3]:
        print(f"  P({cls}) = {p:.4f}")
```

`predict.py` depends on the bundle-spec reference parser:

```
pip install git+https://github.com/NullRabbitLabs/nr-bundle-spec.git
```

For a full worked example that loads bundles from `nr-bundles-public` via the spec parser and demonstrates cross-class scoring (V8 / V11 / V13 / V14 / benign verdicts on the public dataset), see [`inference_example.py`](inference_example.py).

### Bypassing the gate

Callers with their own pre-filtering pipeline (or who explicitly want raw model output) can load the estimator directly:

```python
import joblib
import numpy as np

payload = joblib.load(model_path)
model = payload["model"]            # CalibratedClassifierCV
features = payload["feature_names"] # 107-feature contract
class_order = payload["class_order"]

X = np.array([[...]])               # shape (n_samples, 107)
proba = model.predict_proba(X)      # shape (n_samples, 9)
```

**This path is the responsibility of the caller.** The scoreability gate exists to prevent spurious predictions on under-determined inputs. See the Load-bearing limitations section.

## Methodology

NullRabbit's training cycles follow pre-registration discipline. Each cycle has a design document committed before the trainer runs. Audits run on close against sanity floors, per-feature ablation trails, and falsification holdouts. Where an audit fires, training halts, the design is re-registered, and the prior version is retracted in writing.

The **iterative leak-surface peeling pattern** is the methodology contribution: detection of a training-time leak (a feature whose discriminative signal turns out to come from a labelling artefact or capture-pipeline asymmetry rather than from the attack mechanism) triggers a corpus delta + re-train + re-audit, with each cycle narrowing the leak surface. The v2 retrain is a worked example at the unified-detector layer: V15 (gossip-abuse binary) pre-registered caveat #2 (protocol-shape leak); cycle2 corpus expansion (the other-window sprint) provided the load-bearing UDP benign that made the caveat empirically testable; V15 evaluation confirmed the caveat; V16 binary detector retrained with corpus augmentation closed the caveat at the n=1 fragile level; this v2 multi-class retrain absorbs V16 into the unified detector with the load-bearing benign test passing at training-set scale and the OOF fragility surfaced honestly.

The corpus format and family taxonomy are open at `nr-bundle-spec`. The methodology is open (in preparation as the substrate paper). The specific corpus contents beyond `nr-bundles-public` are proprietary.

## Related

- **Bundle format spec**: [`nr-bundle-spec`](https://github.com/NullRabbitLabs/nr-bundle-spec) (MIT)
- **Reference public bundles**: [NullRabbit/nr-bundles-public](https://huggingface.co/datasets/NullRabbit/nr-bundles-public) (CC-BY-4.0)
- **V8 binary detector** (cipher-agnostic byte-amplification): [NullRabbit/v8-cipher-agnostic](https://huggingface.co/NullRabbit/v8-cipher-agnostic) (Apache-2.0)
- **Earned-autonomy paper** (governance layer for autonomous defence for decentralised networks): [Zenodo DOI 10.5281/zenodo.18406828](https://doi.org/10.5281/zenodo.18406828)
- **Substrate paper** (data-layer methodology, in preparation)
- **NullRabbit Labs**: [huggingface.co/NullRabbit](https://huggingface.co/NullRabbit)
- **Website**: [nullrabbit.ai](https://nullrabbit.ai)

## Citation

```bibtex
@misc{nullrabbit_multiclass_folded_2026,
  author       = {NullRabbit},
  title        = {Multi-class softmax folded detector — V8-V14 + V16, Sui + Solana},
  year         = {2026},
  month        = may,
  version      = {2},
  publisher    = {Hugging Face},
  url          = {https://huggingface.co/NullRabbit/multiclass-folded},
  note         = {Reference 9-class joint detector for the V8-V14 binary detector family plus the V16 gossip-abuse class. Trained on the bundle v1 corpus specified at nr-bundle-spec v0.1.0; curated public sample at NullRabbit/nr-bundles-public; V8 binary anchor at NullRabbit/v8-cipher-agnostic.},
}
```

## Contact

Research enquiries: simon@nullrabbit.ai

Spec compliance or format questions — open an issue at [`nr-bundle-spec`](https://github.com/NullRabbitLabs/nr-bundle-spec).