nr-network-known-class-detector

A binary attack-vs-benign detector for blockchain-node network/resource attacks, trained entirely on faithful reproductions of publicly-disclosed attacks. Every attack class in the corpus reproduces a specific public disclosure — a CVE, a GHSA, or a named third-party security audit — and each carries a provenance.source_class recording how public its sourcing is. Part of NullRabbit's work on autonomous defence for decentralised networks: watch the outside of the perimeter.

STATUS: DIAGNOSTIC, not a deployment claim. Trained on synthetic localnet reproductions (lab fidelity), not real production traffic. See Evaluation and Limitations.

Model description

Given the network-layer signal of a short capture window against a blockchain node (packet-rate / size statistics from the pcap, and amplification / request-response / timing statistics from the RPC responses), the model emits a calibrated attack probability. It is one multi-family model over the network-v1 feature manifold — it spans eight protocol layers and nine chains, all public-sourced (this published cut is trained on public-cve-replication primitives only).
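As an added illustration of what "packet-rate / size statistics from the pcap" and "amplification / request-response / timing statistics from the RPC responses" look like as a feature record, here is a small aggregator written for this card, not code from the project. Only pcap.packet_rate and resp.amp_ratio_max are feature names the card itself shows; the other names, the packet and RPC samples, and the exact statistics are assumptions chosen for the example. An empty window yields NaN rather than zero so that a NaN-native model sees "no signal" instead of "no traffic".

```python
import math
from typing import Dict, List, Tuple

NAN = float("nan")

# Constructed capture window, not corpus data: (timestamp_s, length_bytes, inbound).
PACKETS: List[Tuple[float, int, bool]] = [
    (0.00, 120, True), (0.10, 1400, False), (0.25, 120, True), (0.40, 1400, False),
    (0.60, 120, True), (0.85, 1400, False), (1.20, 120, True), (1.50, 1400, False),
    (1.80, 120, True), (2.00, 1400, False),
]
# Constructed RPC exchanges, not corpus data: (request_bytes, response_bytes, latency_ms).
RPC: List[Tuple[int, int, float]] = [(90, 20160, 12.0), (90, 450, 3.0), (95, 190, 2.5)]

# Feature names: the first of each group is on the card; the rest are our placeholders.
PCAP_KEYS = ("pcap.packet_rate", "pcap.size_mean", "pcap.size_max", "pcap.inbound_frac")
RESP_KEYS = ("resp.amp_ratio_max", "resp.amp_ratio_mean", "resp.latency_p95_ms")


def pcap_aggregates(packets: List[Tuple[float, int, bool]]) -> Dict[str, float]:
    """Packet-rate / size statistics over one capture window. An empty window
    gives NaN for every feature so the model sees 'unknown', not 'zero'."""
    if not packets:
        return dict.fromkeys(PCAP_KEYS, NAN)
    ts = [t for t, _, _ in packets]
    sizes = [n for _, n, _ in packets]
    span = max(ts) - min(ts)
    return {
        "pcap.packet_rate": len(packets) / span if span > 0 else NAN,
        "pcap.size_mean": sum(sizes) / len(sizes),
        "pcap.size_max": float(max(sizes)),
        "pcap.inbound_frac": sum(1 for _, _, inbound in packets if inbound) / len(packets),
    }


def rpc_aggregates(rpc: List[Tuple[int, int, float]]) -> Dict[str, float]:
    """Amplification and timing statistics from request/response pairs.
    amp_ratio = response bytes / request bytes; a large maximum is the
    hallmark of a response-amplification abuse."""
    if not rpc:
        return dict.fromkeys(RESP_KEYS, NAN)
    ratios = [resp / req for req, resp, _ in rpc]
    latencies = sorted(lat for _, _, lat in rpc)
    p95_idx = max(0, math.ceil(0.95 * len(latencies)) - 1)  # nearest-rank percentile
    return {
        "resp.amp_ratio_max": max(ratios),
        "resp.amp_ratio_mean": sum(ratios) / len(ratios),
        "resp.latency_p95_ms": latencies[p95_idx],
    }


def feature_vector(packets, rpc) -> Dict[str, float]:
    """One flat record in the style the card's predict() consumes."""
    return {**pcap_aggregates(packets), **rpc_aggregates(rpc)}
```

Running feature_vector(PACKETS, RPC) on the constructed window gives a packet rate of 5.0 packets/s and an amplification maximum of 224.0; feature_vector([], []) returns a record that is all NaN, which is the shape a non-network bundle would present to the scoreability gate.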

Architecture

  • HistGradientBoostingClassifier + isotonic calibration (scikit-learn), NaN-native.
  • 34 features kept (of the 103 network-v1 features present in the corpus; 69 degenerate dropped by a per-fit robust-column guard) — pcap aggregates + RPC-response aggregates. No host-load features (the containerised lab node is root-owned, so CPU/connection host metrics are unreadable).
  • Decision threshold 0.5 (calibrated). Inference is scoreability-gated: a record with no network signal (e.g. an economic/DeFi bundle) returns scoreable=False with no verdict.

Training data — 39 public-CVE attack primitives, 9 chains, 8 layers, 1084 bundles

This is the public-CVE cut (public-cve-replication only): 708 attack + 376 benign bundles (pcap + responses + manifest), 45 chain×primitive instances. Benign traffic exercises the same methods / wire messages the attacks abuse, at normal scale — so the model separates attack-use from benign-use, not message type. Every attack reproduces an external public disclosure (CVE / GHSA / named third-party audit) with a provenance.public_source URL. (An additional 8 original primitives — NullRabbit's own measurement of vendor-acknowledged Solana/Ethereum RPC amplification, for which no CVE exists — are held in the full corpus but excluded from this published cut, so the "trained entirely on public disclosures" claim above is literal.)

primitive | chain · layer | public source | source_class
btc_inv_buffer_blowup | Bitcoin · P2P | CVE-2024-52915 | public-cve-replication
btc_invdos_flood | Bitcoin · P2P | CVE-2018-17145 (INVDoS) | public-cve-replication
btc_getdata_flood | Bitcoin · P2P | CVE-2024-52920 | public-cve-replication
btc_headers_oom | Bitcoin · P2P | CVE-2019-25220 | public-cve-replication
btc_orphan_cpu | Bitcoin · P2P | CVE-2024-52914 | public-cve-replication
btc_addr_overflow_flood | Bitcoin · P2P | CVE-2024-52919 / GHSA-qwp9-p9rr-h729 | public-cve-replication
btc_bloom_divzero | Bitcoin · P2P | CVE-2013-5700 | public-cve-replication
cosmos_protobuf_nest_bomb | Cosmos · deserialization | GHSA-8wcc-m6j2-qxvm | public-cve-replication
sol_tpu_quic_handshake_flood | Solana · TPU-QUIC | Neodyme Firedancer audit ND-FD04-LO-01 | public-cve-replication
geth_devp2p_ping_flood | Ethereum · devp2p/RLPx | CVE-2023-40591 (GHSA-ppjg-v974-84cm) | public-cve-replication
geth_rlpx_auth_flood | Ethereum · devp2p/RLPx | EL-2026-06 (EF public-disclosures) | public-cve-replication
gossipsub_prune_backoff_overflow | libp2p · gossipsub | CVE-2026-34219 / CVE-2026-33040 | public-cve-replication
gossipsub_subscribe_flood | libp2p · gossipsub | CVE-2026-46679 | public-cve-replication
libp2p_stream_exhaustion | libp2p · muxer | CVE-2022-23492 / CVE-2022-23486 | public-cve-replication
monero_levin_array_memcorrupt | Monero · Levin/epee | CVE-2018-3972 (CVSS 10) | public-cve-replication
monero_portable_storage_oom | Monero · Levin/epee | Monero PR#7190 / 0.17.1.8 | public-cve-replication
btc_headers_genesis_spam / btc_inv_eviction_jam / btc_tx_quad_sighash / btc_oversized_recv_buffer | Bitcoin · P2P | CVE-2024-52916 / -52913 / 2025-46598 / 2015-3641 | public-cve-replication
btc_version_timestamp_overflow / btc_version_selfnonce | Bitcoin · P2P | CVE-2024-52912 / 2025-54604 | public-cve-replication
btc_cmpctblock_stall / btc_cmpctblock_overflow | Bitcoin · P2P (BIP152) | CVE-2024-52922 / CVE-2025-46597 | public-cve-replication
btc_mutated_block / btc_invalid_block_logfill / btc_alert_flood / btc_tx_maprelay | Bitcoin · P2P | CVE-2024-52921 / 2025-54605 / 2016-10724 / 2013-4627 | public-cve-replication
p2p_getheaders_drain + inherited btc_addr_overflow_flood / btc_orphan_cpu | Bitcoin/Dogecoin/Litecoin · P2P | CVE-2023-33297 / 2024-52919 / 2024-52914 | public-cve-replication
geth_eth_receipt_flood | Ethereum · devp2p/RLPx | EL-2024-20 (EF public-disclosure) | public-cve-replication
geth_snap_trienode_dos | Ethereum · devp2p/snap | CVE-2021-41173 (GHSA-59hh-656j-3p7v) | public-cve-replication
geth_tcp_handshake_flood | Ethereum · devp2p | EL-2024-06 (EF public-disclosure) | public-cve-replication
sol_tpu_quic_slowloris / sol_tpu_quic_initial_cpu | Solana · TPU-QUIC | Neodyme ND-FD04-IN-02 / ND-FD1-MD-02 | public-cve-replication
cosmos_p2p_conn_flood | Cosmos · P2P | CVE-2020-5303 (Tendermint) | public-cve-replication
libp2p_signed_peer_record_flood | libp2p · identify | CVE-2023-40583 | public-cve-replication
sui_verifier_hamsterwheel / sui_disassemble_panic / sui_move_recursion | Sui · Move-VM / JSON-RPC | CertiK Skyfall ×2 / CVE-2023-36184 | public-cve-replication

Distribution: 708 public-cve-replication attack bundles — 39 distinct primitives across 9 chains (Bitcoin, Ethereum, Solana, Sui, Cosmos, Monero, Dogecoin, Litecoin, libp2p) — plus 376 benign. This published cut contains no original bundles; the 8 original RPC-measurement primitives live in the full internal corpus and ship only if the operator explicitly opts in, always under their honest label.

Training procedure (methodology is the contribution)

Per NullRabbit's pre-registration discipline: the corpus is built attack-by-attack from a public disclosure with provenance.public_source; a Cleanlab data-quality scan gates label-issues and duplicates before training; a methodology auditor reviews each gate event with sanity floors and falsification holdouts; honest limitations are stated; cycles — not the final number — are the contribution. This corpus passed audit APPROVED WITH REFINEMENTS (all applied) — including the correction of a benign train/test leak in one held-out eval, reported transparently.

Evaluation

Diagnostic ML checks (the corpus of faithfully-modelled public attacks is the deliverable; these are secondary). Reproduced by scripts/known_class_loco_eval.py + scripts/corpus_quality.py.

  • Corpus (public-CVE cut): 1084/1084 distinct vectors, 0 duplicate rows; 2 Cleanlab review-flags — both deliberately-stealthy low-volume gossipsub_subscribe_flood captures that legitimately resemble benign (labels correct, not mislabels).
  • Within-corpus held-out — binary attack-vs-benign ROC-AUC, GroupKFold by primitive (66 groups, leakage-clean): 0.9082. corpus_sha256 known-class-v10-publiccve.
  • Leave-one-attack-primitive-out within Bitcoin (binary ROC-AUC, leak-clean disjoint-benign): all 20 Bitcoin primitives ≥ 0.969. Detection is on traffic shape, not deep wire-semantics.
  • Leave-one-chain-out — binary attack-vs-benign ROC-AUC (HARD zero-shot transfer, not a deployment metric): Cosmos / Ethereum / Litecoin 1.00, Dogecoin 0.995, Bitcoin 0.934, libp2p 0.844, Solana 0.688, Sui 0.661, Monero 0.592. Note this is the easier binary (attack-vs-benign) signal: the companion nr-bundles-public dataset card reports the stricter held-out-chain 7-class family macro-F1 of 0.17 (Sui) / 0.35 (Solana) against a ~0.14 random floor — i.e. cross-chain family recovery does not transfer yet. Chains with few public-CVE primitives (Monero's unique Levin protocol; Sui/Solana with 3 each) have the fewest cross-chain near-neighbours. Cross-chain transfer is a hard, open problem here — reported honestly, not a deployment claim.
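The evaluation protocol above (grouped held-out splits by primitive or by chain, benign rows kept disjoint between train and test, binary ROC-AUC) is shown below as a self-contained example written for this card; it is not scripts/known_class_loco_eval.py or any other project code. The bundle manifests are constructed (ids, sessions and scores are made up; only the primitive names come from the card's table), the "score" field stands in for a held-out model score, and the round-robin assignment of benign capture sessions to attack folds is our own way of keeping benign rows disjoint, not necessarily the project's.

```python
from typing import Dict, Iterable, List, Tuple

Bundle = Dict[str, object]

# Constructed bundle manifests, not corpus data. Attack bundles carry a
# primitive; benign bundles carry the capture session they came from.
BUNDLES: List[Bundle] = [
    {"id": "b01", "chain": "bitcoin", "label": 1, "primitive": "btc_invdos_flood", "score": 0.90},
    {"id": "b02", "chain": "bitcoin", "label": 1, "primitive": "btc_invdos_flood", "score": 0.80},
    {"id": "b03", "chain": "bitcoin", "label": 1, "primitive": "btc_getdata_flood", "score": 0.70},
    {"id": "b04", "chain": "bitcoin", "label": 1, "primitive": "btc_getdata_flood", "score": 0.95},
    {"id": "b05", "chain": "bitcoin", "label": 0, "session": "s1", "score": 0.20},
    {"id": "b06", "chain": "bitcoin", "label": 0, "session": "s1", "score": 0.72},
    {"id": "b07", "chain": "bitcoin", "label": 0, "session": "s2", "score": 0.75},
    {"id": "b08", "chain": "bitcoin", "label": 0, "session": "s2", "score": 0.10},
    {"id": "b09", "chain": "solana", "label": 1, "primitive": "sol_tpu_quic_handshake_flood", "score": 0.85},
    {"id": "b10", "chain": "solana", "label": 1, "primitive": "sol_tpu_quic_handshake_flood", "score": 0.40},
    {"id": "b11", "chain": "solana", "label": 0, "session": "s1", "score": 0.15},
    {"id": "b12", "chain": "solana", "label": 0, "session": "s1", "score": 0.35},
]


def group_of(b: Bundle, level: str) -> str:
    """Grouping key. At chain level everything groups by chain. At primitive
    level an attack groups by its primitive and a benign bundle by its capture
    session, so one session can never sit on both sides of a split."""
    if level == "chain":
        return str(b["chain"])
    if b["label"] == 1:
        return str(b["primitive"])
    return f"benign/{b['chain']}/{b['session']}"


def is_leak_free(train: List[Bundle], test: List[Bundle]) -> bool:
    """The row-level check a train/test leak fails: no bundle id on both sides."""
    return not ({b["id"] for b in train} & {b["id"] for b in test})


def leave_one_group_out(bundles: List[Bundle], level: str) -> Iterable[Tuple[str, List[Bundle], List[Bundle]]]:
    """Yield (held_out_group, train, test). At primitive level, benign session
    groups are dealt round-robin to the attack folds, so each fold's test set
    has benign rows disjoint from the benign rows it trained on."""
    groups = {group_of(b, level) for b in bundles}
    if level == "chain":
        folds = {g: {g} for g in sorted(groups)}
    else:
        attack_groups = sorted(g for g in groups if not g.startswith("benign/"))
        benign_groups = sorted(g for g in groups if g.startswith("benign/"))
        folds = {g: {g} for g in attack_groups}
        for i, bg in enumerate(benign_groups):
            folds[attack_groups[i % len(attack_groups)]].add(bg)
    for held, test_groups in folds.items():
        test = [b for b in bundles if group_of(b, level) in test_groups]
        train = [b for b in bundles if group_of(b, level) not in test_groups]
        assert is_leak_free(train, test)
        yield held, train, test


def roc_auc(test: List[Bundle]) -> float:
    """Mann-Whitney form of ROC-AUC: P(attack score > benign score), ties 1/2."""
    pos = [b["score"] for b in test if b["label"] == 1]
    neg = [b["score"] for b in test if b["label"] == 0]
    if not pos or not neg:
        return float("nan")
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))


def evaluate(bundles: List[Bundle], level: str) -> Dict[str, float]:
    """Held-out binary ROC-AUC per held-out group (chain or primitive)."""
    return {held: roc_auc(test) for held, _, test in leave_one_group_out(bundles, level)}
```

evaluate(BUNDLES, "chain") is the leave-one-chain-out number; evaluate([b for b in BUNDLES if b["chain"] == "bitcoin"], "primitive") is the within-Bitcoin leave-one-primitive-out number. On the constructed bundles the held-out-Bitcoin AUC is 0.875, and every bundle lands in exactly one test set. Note that a per-fold AUC of 1.0 on two or four rows says nothing by itself; the card's figures come from hundreds of bundles per side.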

Intended uses

Research and benchmarking of network/resource-abuse detection on blockchain infrastructure; a worked, public-provenance reference corpus; downstream training. Not a turnkey production IDS.

Limitations

  • Synthetic lab fidelity — generated localnet traffic, not a real-world deployment claim. A deployment claim needs a real-traffic validation gate (real mainnet RPC + real attack instances).
  • Detection is on traffic shape (volume / rate / size / connection-churn), not deep wire semantics — adequate for these volumetric/crash DoS classes; it would not separate two attacks with identical traffic profiles.
  • No host-load features (root-owned container).
  • This is the public-CVE cut — every shipped attack class reproduces an external public disclosure (CVE / GHSA / named audit). The original Solana/Ethereum RPC-amplification measurements (vendor-acknowledged but not CVE-backed — RPC amplification has ~no CVEs) are excluded from this model; they exist in the full internal corpus and ship only on explicit operator opt-in.

How to use

    from predict import load, predict   # inference helpers shipped with the card
    model = load("model.joblib")        # trained model artifact
    # one record per capture window; keys are network-v1 feature names
    out = predict(model, [{"pcap.packet_rate": 850.0, "resp.amp_ratio_max": 224.0}])
    # -> [{"scoreable": True, "score": ..., "verdict": "attack"|"benign", "threshold": 0.5}]
    # a record with no network-layer signal comes back as {"scoreable": False} with no verdict

Run python inference_example.py for a worked example on real captured vectors (Bitcoin + Solana attacks fire; benign Bitcoin peer is benign; an economic bundle is scoreable=False).

Licensing

Apache-2.0 (see LICENSE). Attribution appreciated.

Citation

@software{nullrabbit_network_known_class_2026,
  author = {NullRabbit Labs},
  title  = {nr-network-known-class-detector: a public-provenance blockchain network-attack detector},
  year   = {2026},
  url    = {https://huggingface.co/NullRabbit/nr-network-known-class-detector}
}

Related: the open bundle format (nr-bundle-spec), the family taxonomy (mechanism-defined), the earned-autonomy framework (Zenodo 10.5281/zenodo.18406828), the NullRabbit substrate paper (in preparation), the dataset NullRabbit/nr-bundles-public, and nullrabbit.ai.

Contact

NullRabbit Labs — huggingface.co/NullRabbit · nullrabbit.ai
