nr-network-known-class-detector
A binary attack-vs-benign detector for blockchain-node network/resource attacks, trained
entirely on faithful reproductions of publicly-disclosed attacks. Every attack class in the
corpus reproduces a specific public disclosure — a CVE, a GHSA, or a named third-party security
audit — and each carries a provenance.source_class recording how public its sourcing is. Part of
NullRabbit's work on autonomous defence for decentralised networks — watch the outside of the
perimeter.
STATUS: DIAGNOSTIC, not a deployment claim. Trained on synthetic localnet reproductions (lab fidelity), not real production traffic. See Evaluation and Limitations.
Model description
Given the network-layer signal of a short capture window against a blockchain node (packet-rate /
size statistics from the pcap, and amplification / request-response / timing statistics from the RPC
responses), the model emits a calibrated attack probability. It is one multi-family model over the
network-v1 feature manifold — it spans eight protocol layers and nine chains, all public-sourced
(this published cut is trained on public-cve-replication primitives only).
Architecture
- HistGradientBoostingClassifier + isotonic calibration (scikit-learn), NaN-native.
- 34 features kept (of the 103 network-v1 features present in the corpus; 69 degenerate dropped by a per-fit robust-column guard) — pcap aggregates + RPC-response aggregates. No host-load features (the containerised lab node is root-owned, so CPU/connection host metrics are unreadable).
- Decision threshold 0.5 (calibrated). Inference is scoreability-gated: a record with no network signal (e.g. an economic/DeFi bundle) returns scoreable=False with no verdict.
Training data — 39 public-CVE attack primitives, 9 chains, 8 layers, 1084 bundles
This is the public-CVE cut (public-cve-replication only): 708 attack + 376 benign bundles
(pcap + responses + manifest), 45 chain×primitive instances. Benign traffic exercises the same
methods / wire messages the attacks abuse, at normal scale — so the model separates attack-use
from benign-use, not message type. Every attack reproduces an external public disclosure (CVE / GHSA
/ named third-party audit) with a provenance.public_source URL. (An additional 8 original
primitives — NullRabbit's own measurement of vendor-acknowledged Solana/Ethereum RPC amplification, for
which no CVE exists — are held in the full corpus but excluded from this published cut, so the
"trained entirely on public disclosures" claim above is literal.)
| primitive | chain · layer | public source | source_class |
|---|---|---|---|
| btc_inv_buffer_blowup | Bitcoin · P2P | CVE-2024-52915 | public-cve-replication |
| btc_invdos_flood | Bitcoin · P2P | CVE-2018-17145 (INVDoS) | public-cve-replication |
| btc_getdata_flood | Bitcoin · P2P | CVE-2024-52920 | public-cve-replication |
| btc_headers_oom | Bitcoin · P2P | CVE-2019-25220 | public-cve-replication |
| btc_orphan_cpu | Bitcoin · P2P | CVE-2024-52914 | public-cve-replication |
| btc_addr_overflow_flood | Bitcoin · P2P | CVE-2024-52919 / GHSA-qwp9-p9rr-h729 | public-cve-replication |
| btc_bloom_divzero | Bitcoin · P2P | CVE-2013-5700 | public-cve-replication |
| cosmos_protobuf_nest_bomb | Cosmos · deserialization | GHSA-8wcc-m6j2-qxvm | public-cve-replication |
| sol_tpu_quic_handshake_flood | Solana · TPU-QUIC | Neodyme Firedancer audit ND-FD04-LO-01 | public-cve-replication |
| geth_devp2p_ping_flood | Ethereum · devp2p/RLPx | CVE-2023-40591 (GHSA-ppjg-v974-84cm) | public-cve-replication |
| geth_rlpx_auth_flood | Ethereum · devp2p/RLPx | EL-2026-06 (EF public-disclosures) | public-cve-replication |
| gossipsub_prune_backoff_overflow | libp2p · gossipsub | CVE-2026-34219 / CVE-2026-33040 | public-cve-replication |
| gossipsub_subscribe_flood | libp2p · gossipsub | CVE-2026-46679 | public-cve-replication |
| libp2p_stream_exhaustion | libp2p · muxer | CVE-2022-23492 / CVE-2022-23486 | public-cve-replication |
| monero_levin_array_memcorrupt | Monero · Levin/epee | CVE-2018-3972 (CVSS 10) | public-cve-replication |
| monero_portable_storage_oom | Monero · Levin/epee | Monero PR#7190 / 0.17.1.8 | public-cve-replication |
| btc_headers_genesis_spam / btc_inv_eviction_jam / btc_tx_quad_sighash / btc_oversized_recv_buffer | Bitcoin · P2P | CVE-2024-52916 / -52913 / 2025-46598 / 2015-3641 | public-cve-replication |
| btc_version_timestamp_overflow / btc_version_selfnonce | Bitcoin · P2P | CVE-2024-52912 / 2025-54604 | public-cve-replication |
| btc_cmpctblock_stall / btc_cmpctblock_overflow | Bitcoin · P2P (BIP152) | CVE-2024-52922 / CVE-2025-46597 | public-cve-replication |
| btc_mutated_block / btc_invalid_block_logfill / btc_alert_flood / btc_tx_maprelay | Bitcoin · P2P | CVE-2024-52921 / 2025-54605 / 2016-10724 / 2013-4627 | public-cve-replication |
| p2p_getheaders_drain + inherited btc_addr_overflow_flood / btc_orphan_cpu | Bitcoin/Dogecoin/Litecoin · P2P | CVE-2023-33297 / 2024-52919 / 2024-52914 | public-cve-replication |
| geth_eth_receipt_flood | Ethereum · devp2p/RLPx | EL-2024-20 (EF public-disclosure) | public-cve-replication |
| geth_snap_trienode_dos | Ethereum · devp2p/snap | CVE-2021-41173 (GHSA-59hh-656j-3p7v) | public-cve-replication |
| geth_tcp_handshake_flood | Ethereum · devp2p | EL-2024-06 (EF public-disclosure) | public-cve-replication |
| sol_tpu_quic_slowloris / sol_tpu_quic_initial_cpu | Solana · TPU-QUIC | Neodyme ND-FD04-IN-02 / ND-FD1-MD-02 | public-cve-replication |
| cosmos_p2p_conn_flood | Cosmos · P2P | CVE-2020-5303 (Tendermint) | public-cve-replication |
| libp2p_signed_peer_record_flood | libp2p · identify | CVE-2023-40583 | public-cve-replication |
| sui_verifier_hamsterwheel / sui_disassemble_panic / sui_move_recursion | Sui · Move-VM / JSON-RPC | CertiK Skyfall ×2 / CVE-2023-36184 | public-cve-replication |
Distribution: 708 public-cve-replication attack bundles — 39 distinct primitives across 9
chains (Bitcoin, Ethereum, Solana, Sui, Cosmos, Monero, Dogecoin, Litecoin, libp2p) — plus 376
benign. This published cut contains no original bundles; the 8 original RPC-measurement
primitives live in the full internal corpus and ship only if the operator explicitly opts in, always
under their honest label.
Training procedure (methodology is the contribution)
Per NullRabbit's pre-registration discipline: the corpus is built attack-by-attack from a public
disclosure with provenance.public_source; a Cleanlab data-quality scan gates label-issues and
duplicates before training; a methodology auditor reviews each gate event with sanity floors and
falsification holdouts; honest limitations are stated; cycles — not the final number — are the
contribution. This corpus passed audit APPROVED WITH REFINEMENTS (all applied) — including the
correction of a benign train/test leak in one held-out eval, reported transparently.
Evaluation
Diagnostic ML checks (the corpus of faithfully-modelled public attacks is the deliverable; these are
secondary). Reproduced by scripts/known_class_loco_eval.py + scripts/corpus_quality.py.
- Corpus (public-CVE cut): 1084/1084 distinct vectors, 0 duplicate rows; 2 Cleanlab review-flags — both deliberately-stealthy low-volume gossipsub_subscribe_flood captures that legitimately resemble benign (labels correct, not mislabels).
- Within-corpus held-out — binary attack-vs-benign ROC-AUC, GroupKFold by primitive (66 groups, leakage-clean): 0.9082. corpus_sha256 known-class-v10-publiccve.
- Leave-one-attack-primitive-out within Bitcoin (binary ROC-AUC, leak-clean disjoint-benign): all 20 Bitcoin primitives ≥ 0.969. Detection is on traffic shape, not deep wire-semantics.
- Leave-one-chain-out — binary attack-vs-benign ROC-AUC (HARD zero-shot transfer, not a deployment metric): Cosmos / Ethereum / Litecoin 1.00, Dogecoin 0.995, Bitcoin 0.934, libp2p 0.844, Solana 0.688, Sui 0.661, Monero 0.592. Note this is the easier binary (attack-vs-benign) signal: the companion nr-bundles-public dataset card reports the stricter held-out-chain 7-class family macro-F1 of 0.17 (Sui) / 0.35 (Solana) against a ~0.14 random floor — i.e. cross-chain family recovery does not transfer yet. Chains with few public-CVE primitives (Monero's unique Levin protocol; Sui/Solana with 3 each) have the fewest cross-chain near-neighbours. Cross-chain transfer is a hard, open problem here — reported honestly, not a deployment claim.
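The leave-one-chain-out protocol above, written out as an added example (not the card's scripts/known_class_loco_eval.py): a nearest-centroid scorer stands in for the HGB + isotonic model (assumption), the splitter holds out a whole chain so nothing from it can leak into the fit, and ROC-AUC is computed rank-wise on the held-out fold only. Bundles and feature values are constructed and pre-scaled for illustration.

```python
import math

BUNDLES = [  # constructed, not corpus data; x = (pcap-rate-like, resp-amplification-like)
    {"chain": "bitcoin",  "label": 1, "x": (9.0, 1.0)},
    {"chain": "bitcoin",  "label": 1, "x": (7.0, 1.0)},
    {"chain": "bitcoin",  "label": 0, "x": (1.0, 1.0)},
    {"chain": "bitcoin",  "label": 0, "x": (2.0, 1.0)},
    {"chain": "ethereum", "label": 1, "x": (8.0, 1.0)},
    {"chain": "ethereum", "label": 0, "x": (1.0, 2.0)},
    {"chain": "solana",   "label": 1, "x": (2.0, 9.0)},   # low-rate attack: poor transfer
    {"chain": "solana",   "label": 0, "x": (6.0, 1.0)},   # busy-but-benign RPC peer
    {"chain": "solana",   "label": 0, "x": (1.0, 1.0)},
]

def centroid(vectors):
    return tuple(sum(v[i] for v in vectors) / len(vectors) for i in range(len(vectors[0])))

def fit(train):
    """Nearest-centroid stand-in (assumption) for the card's HGB + isotonic model."""
    return {"attack": centroid([b["x"] for b in train if b["label"] == 1]),
            "benign": centroid([b["x"] for b in train if b["label"] == 0])}

def score(model, x):
    """Attack-likeness: distance to the benign centroid minus distance to the attack one."""
    return math.dist(x, model["benign"]) - math.dist(x, model["attack"])

def leave_one_group_out(bundles, key):
    """Yield (group, train, test) with the whole group held out: leak-clean by construction."""
    for g in sorted({b[key] for b in bundles}):
        train = [b for b in bundles if b[key] != g]
        test = [b for b in bundles if b[key] == g]
        assert g not in {b[key] for b in train}, f"{key}={g} leaked into train"
        yield g, train, test

def roc_auc(labels, scores):
    """Rank-based ROC-AUC = P(attack score > benign score); ties count one half."""
    pos = [s for l, s in zip(labels, scores) if l == 1]
    neg = [s for l, s in zip(labels, scores) if l == 0]
    if not pos or not neg:
        return float("nan")          # a one-class fold has no AUC
    wins = sum(1.0 if p > n else 0.5 if p == n else 0.0 for p in pos for n in neg)
    return wins / (len(pos) * len(neg))

def loco_auc(bundles, key="chain"):
    """Leave-one-<key>-out AUC: refit on the other groups, score only the held-out group."""
    out = {}
    for g, train, test in leave_one_group_out(bundles, key):
        model = fit(train)
        out[g] = roc_auc([b["label"] for b in test], [score(model, b["x"]) for b in test])
    return out
```

On the constructed data the Bitcoin and Ethereum folds score 1.0 while Solana drops to 0.5, the same shape of cross-chain gap the card reports.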
Intended uses
Research and benchmarking of network/resource-abuse detection on blockchain infrastructure; a worked, public-provenance reference corpus; downstream training. Not a turnkey production IDS.
Limitations
- Synthetic lab fidelity — generated localnet traffic, not a real-world deployment claim. A deployment claim needs a real-traffic validation gate (real mainnet RPC + real attack instances).
- Detection is on traffic shape (volume / rate / size / connection-churn), not deep wire semantics — adequate for these volumetric/crash DoS classes; it would not separate two attacks with identical traffic profiles.
- No host-load features (root-owned container).
- This is the public-CVE cut — every shipped attack class reproduces an external public disclosure (CVE / GHSA / named audit). The original Solana/Ethereum RPC-amplification measurements (vendor-acknowledged but not CVE-backed — RPC amplification has ~no CVEs) are excluded from this model; they exist in the full internal corpus and ship only on explicit operator opt-in.
How to use
```python
from predict import load, predict
model = load("model.joblib")
out = predict(model, [{"pcap.packet_rate": 850.0, "resp.amp_ratio_max": 224.0}])
# -> [{"scoreable": True, "score": ..., "verdict": "attack"|"benign", "threshold": 0.5}]
```
Run python inference_example.py for a worked example on real captured vectors (Bitcoin + Solana
attacks fire; benign Bitcoin peer is benign; an economic bundle is scoreable=False).
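The contract that the Architecture and How-to-use sections describe, as an added example that is not the repository's predict module: a per-fit robust-column guard that drops degenerate columns (definition assumed: fewer than two distinct non-NaN values), NaN-native scoring that simply skips missing features, and a scoreability gate that returns scoreable=False instead of a verdict when a record carries no pcap.* or resp.* signal. The midpoint-stump scorer is a stand-in for HGB + isotonic, and the training rows and key names are constructed.

```python
import math

NAN = float("nan")
NETWORK_PREFIXES = ("pcap.", "resp.")     # the only namespaces that make a record scoreable

# Constructed training rows (not corpus data): keys mimic the card's network-v1 naming.
TRAIN = [
    {"pcap.packet_rate": 850.0, "pcap.pkt_size_mean": 61.0, "resp.amp_ratio_max": 224.0, "host.cpu": NAN, "label": 1},
    {"pcap.packet_rate": 640.0, "pcap.pkt_size_mean": 61.0, "resp.amp_ratio_max": NAN,   "host.cpu": NAN, "label": 1},
    {"pcap.packet_rate": 12.0,  "pcap.pkt_size_mean": 61.0, "resp.amp_ratio_max": 1.1,   "host.cpu": NAN, "label": 0},
    {"pcap.packet_rate": 9.0,   "pcap.pkt_size_mean": 61.0, "resp.amp_ratio_max": 1.0,   "host.cpu": NAN, "label": 0},
]

def present(row, col):
    return col in row and not math.isnan(row[col])

def robust_column_guard(rows):
    """Per-fit guard (assumed definition of 'degenerate'): keep a column only if it has
    more than one distinct non-NaN value. All-NaN host.* and constant columns are dropped."""
    cols = sorted({k for r in rows for k in r if k != "label"})
    return [c for c in cols if len({r[c] for r in rows if present(r, c)}) > 1]

def fit(rows, threshold=0.5):
    """Stand-in for HGB + isotonic (assumption): one midpoint stump per kept column.
    Each stump ignores NaN rows, which is what 'NaN-native' means at fit time."""
    stumps = {}
    for c in robust_column_guard(rows):
        atk = [r[c] for r in rows if r["label"] == 1 and present(r, c)]
        ben = [r[c] for r in rows if r["label"] == 0 and present(r, c)]
        if atk and ben:
            ma, mb = sum(atk) / len(atk), sum(ben) / len(ben)
            stumps[c] = ((ma + mb) / 2, ma > mb)   # (split, attack is the high side)
    return {"stumps": stumps, "threshold": threshold}

def predict(model, records):
    """Scoreability-gated inference: no network-layer signal means no verdict at all."""
    out = []
    for rec in records:
        usable = [c for c in model["stumps"] if present(rec, c)]
        if not any(c.startswith(NETWORK_PREFIXES) for c in usable):
            out.append({"scoreable": False})          # e.g. an economic/DeFi bundle
            continue
        votes = sum((rec[c] > s) == high for c, (s, high) in model["stumps"].items() if c in usable)
        score = votes / len(usable)                    # fraction of stumps on the attack side
        out.append({"scoreable": True, "score": score,
                    "verdict": "attack" if score >= model["threshold"] else "benign",
                    "threshold": model["threshold"]})
    return out
```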
Licensing
Apache-2.0 (see LICENSE). Attribution appreciated.
Citation
@software{nullrabbit_network_known_class_2026,
author = {NullRabbit Labs},
title = {nr-network-known-class-detector: a public-provenance blockchain network-attack detector},
year = {2026},
url = {https://huggingface.co/NullRabbit/nr-network-known-class-detector}
}
Related: the open bundle format (nr-bundle-spec), the family taxonomy (mechanism-defined),
the earned-autonomy framework (Zenodo 10.5281/zenodo.18406828),
the NullRabbit substrate paper (in preparation), the dataset NullRabbit/nr-bundles-public, and
nullrabbit.ai.
Contact
NullRabbit Labs — huggingface.co/NullRabbit · nullrabbit.ai