IBSR.

Observes, learns, reports home. The judgment layer for autonomous network defence.

Get the source →Read the paper Watch the demo →

fig · ibsr · liveObserve · Judge

telemetry · cohort.v1 · live14:02:11

14:02:11.443meshinfoconsensus.attest · 248 validators · quorum 99.2%

14:02:11.501ibsrobsbaseline drift 0.4σ · cohort.eu-west

14:02:11.612meshwarnprobe: discovery.scan.tcp · src=193.41.x.x ttl=64

14:02:11.701ibsrjudgeclass:recon.fingerprint · conf=0.94 · shadow

14:02:11.788guardauthauthority.scope=recon.* · cohort=42 · revocable

14:02:11.812guardactxdp.drop · 4.2µs · src=193.41.x.x

14:02:11.901meshsyncpropagate · cohort=42 · 1,184 nodes · 312ms

14:02:12.014ibsrobscounterfactual: would.have.blocked=true · evidence.persist

14:02:12.118meshinfocorpus.bundle.21091 · primitive=p2p.eclipse

14:02:12.220guardactxdp.drop · 3.8µs · pattern=ddos.amplify.ntp

14:02:12.301ibsrjudgeclass:dos.volumetric · conf=0.99 · enforce

14:02:12.412meshinfocohort.health · 98.7% · degraded=2

14:02:11.443meshinfoconsensus.attest · 248 validators · quorum 99.2%

14:02:11.501ibsrobsbaseline drift 0.4σ · cohort.eu-west

Mode

shadow · passive

Baseline

7d sliding

Output

counterfactual

License

Apache-2.0

[01] · WHAT IBSR DOES

Watches your traffic. Reports patterns home.

IBSR runs on operator infrastructure at kernel-level resolution. It builds a behavioural baseline of your traffic, identifies anomalies against that baseline, and reports findings to Mesh. It produces counterfactual evidence - this is what I would have blocked, and why. IBSR never enforces; that is Guard's role, on instructions Mesh has earned the authority to issue.

[02] · WHY IT MATTERS

What you get.

Real traffic, not synthetic data.

Behavioural baselines built on your actual network - not vendor lab conditions or sample datasets.

Counterfactual rehearsal.

See exactly what would have been blocked, before anything is. Earn the authority on evidence before you grant it.

Open source.

Inspect the code. Run it air-gapped. Audit every decision. No black-box vendor inference on your traffic.

[03] · DEPLOY

Three steps.

Install

Drop the IBSR binary onto the validator host. No sidecar daemons, no kernel module beyond what Linux already gives you.

Observe

IBSR builds a baseline of your traffic in shadow mode. No enforcement, no risk. Nothing leaves the box without operator sign-off.

Review

Read the counterfactual record. When the evidence supports action, grant Mesh authority for specific, bounded abuse classes.

ibsr · demopreview

$ curl -fsSL nullrabbit.ai/ibsr | sh
$ ibsr observe --shadow
  ▸ baseline · 7d · learning
  ▸ counterfactual · 847 would-block
$ ibsr evidence --tail
  ▸ shadow.log · awaiting sign-off

Demo · IBSR is not yet in production. The commands above illustrate the intended workflow.

Run IBSR on your network.

Get the source →Talk to us