README.md

---
license: other
license_name: brsx-open-license
license_link: https://brsxlabs.gt.tc/brsxlicense.html
tags:
- cybersecurity
- hybrid
pipeline_tag: token-classification
---

# ShadowCore-v1

**Lightweight Network Behavior Classification Model**

ShadowCore-v1 is a compact sequence classification model designed to analyze short network-behavior streams and classify overall system state in real time.

The model operates on a minimal four-token vocabulary representing abstract network activity and can detect healthy, degraded, and potentially dangerous traffic patterns with millisecond-scale inference latency on modern hardware.

---

## Overview

ShadowCore-v1 was created to explore whether a small specialized model can perform behavior-level network analysis without requiring massive LLM-scale architectures.

Instead of processing raw packets, logs, or protocol metadata, ShadowCore-v1 analyzes compressed symbolic sequences that represent network behavior over time.

The model is intended for:

* Network health monitoring
* Congestion detection
* Anomaly detection
* Traffic pattern analysis
* Lightweight edge deployment
* Real-time alerting systems

---

## Vocabulary

ShadowCore-v1 uses a fixed vocabulary of only four tokens:

| Token | Meaning                             |
| ----- | ----------------------------------- |
| U     | Upload activity                     |
| D     | Download activity                   |
| +     | High latency / congestion / waiting |
| -     | Processing completed / idle time    |

Example:

```text
UU--DD--UU--DD--
```

Interpretation:

```text
Request
↓
Processing
↓
Response
↓
Idle
```

This pattern generally represents healthy behavior.

---

## Classification Labels

### NORMAL

Healthy system state.

Characteristics:

* Upload and download remain balanced
* Few latency spikes
* Stable processing flow
* Idle periods present

Example:

```text
UDUDUDUDUDUDUDUD
```

---

### CRITICAL

System degradation.

Characteristics:

* Upload activity begins exceeding download activity
* Latency clusters appear
* Processing flow becomes unstable
* Queue buildup starts forming

Example:

```text
UUUU++++DDUUUU++++DD
```

---

### DANGER

Potential failure or attack condition.

Characteristics:

* Upload activity dominates
* Download activity becomes rare
* Large latency clusters
* Severe congestion

Example:

```text
UUUUUU++++++++UUUUUU++++++++
```

---

## Input Format

Input length:

```text
64 tokens
```

Example:

```text
UUUU++++DDUUUU++++DDUUUU++++DDUUUU++++DDUUUU++++DDUUUU++++DD
```

Output:

```text
NORMAL
CRITICAL
DANGER
```

---

## Architecture

ShadowCore-v1 is built on the same core architecture family used in previous successful experiments including:

* GenoLite
* IsingBreaker
* ShadowCore

Key design goals:

* Small parameter count
* Fast training
* Fast inference
* Low memory usage
* Strong pattern recognition on symbolic sequences

Model size:

```text
~88 Million Parameters
```

---

## Dataset

Training data was generated using a rule-based synthetic behavior generator.

Dataset characteristics:

```text
4,500 samples
1,500 NORMAL
1,500 CRITICAL
1,500 DANGER
```

Features:

* Fixed-length sequences
* Duplicate filtering
* Motif composition
* Cluster variation
* Sequence rotation
* Behavioral balancing

The generator was designed to teach behavior patterns rather than memorization of exact sequences.

---

## Benchmark Results

Evaluation Accuracy:

```text
94.07%
```

The model consistently identifies:

* Healthy traffic patterns
* Growing congestion states
* Severe overload conditions

Testing also demonstrated reasonable behavior on ambiguous boundary cases, where the model produces mixed confidence instead of collapsing into a single class prediction.

---

## Performance

Training Environment:

```text
NVIDIA T4
Batch Size: 64
Epochs: 5
```

Training Time:

```text
~4.5 minutes
```

Inference:

```text
Millisecond-scale
```

on modern GPUs and suitable for real-time monitoring pipelines.

---

## Example Predictions

Input:

```text
UDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUDUD
```

Prediction:

```text
NORMAL
```

---

Input:

```text
UUUU++++DDUUUU++++DDUUUU++++DDUUUU++++DD
```

Prediction:

```text
CRITICAL
```

---

Input:

```text
UUUUUU++++++++UUUUUU++++++++UUUUUU++++++++
```

Prediction:

```text
DANGER
```

---

## Limitations

ShadowCore-v1 was trained on synthetic data.

While the model successfully learns network-behavior concepts, production deployment should include:

* Real traffic validation
* Domain-specific calibration
* Additional anomaly classes
* Real-world benchmark datasets

---

## Future Work

Planned improvements:

* ShadowCore-v2
* Larger motif library
* Real traffic traces
* Multi-stage anomaly classification
* Attack family detection
* Early-warning forecasting

---

## License

Research & Experimental Use

---

**ShadowCore-v1 demonstrates that lightweight specialized models can achieve >90% accuracy on behavior-oriented sequence classification tasks without requiring large-scale foundation models.** 🚀