AEGIS · Network Defense

A firewall that doesn’t read your packets — it measures their thermodynamics.

AEGIS classifies network flows as benign or adversarial from their physical shape alone — timing, size, direction — and never their contents. Trained on 908,037 sequences of real and adversarial traffic, it holds detection where payload-based detectors collapse. Concept to state-of-the-art in 45 days.

F1 score: 0.9952
True positive rate: 99.50%
False positive rate: 0.21%
Latency: 262 µs
Throughput: 40 Mpps
Preprint: arXiv:2604.02149

Architecture

Why it works.

AEGIS doesn’t pattern-match signatures or inspect payloads. It treats a connection as a physical system and reads four properties of it — the evasion is the signal.

01
Flow physics
xᵢ = [ Sᵢ , Δtᵢ , Dᵢ , Wᵢ , Fᵢ , Pᵢ ]

Every flow is reduced to six physical observables — packet size, inter-arrival time, direction, window, flags, protocol. The payload is never parsed. What remains is the physics of the connection.

02
Hyperbolic projection
φ(xᵢ) = Wₚxᵢ / ( 1 + ‖Wₚxᵢ‖ + ε )

Flows are embedded into the Poincaré disk, where the hierarchical structure of network behaviour separates with far less distortion than Euclidean space — benign and adversarial traffic pull apart.

After Nickel & Kiela, Poincaré Embeddings, NeurIPS 2017.

03
Liquid time-constants
dh/dt = −h(t) / τ(Δtᵢ) + f(x, h, t, θ)

A continuous-time recurrence adapts its own time constant to the gaps between packets, so bursty floods and slow low-and-slow flows are each read on their own clock rather than a fixed window.

After Hasani et al., Liquid Time-constant Networks, AAAI 2021.

04
Thermodynamic variance
H(X) = −Σ P(xᵢ) log₂ P(xᵢ)

Adversarial padding and morphing exist to disguise a flow — but they change its disorder. AEGIS measures that Shannon entropy directly, so the very act of evasion becomes the thing it detects.
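Worked example, added here and not AEGIS's own code: it builds the six-observable vector xᵢ from a constructed packet list (stage 01), applies the page's Poincaré projection with assumed toy weights Wₚ (stage 02), and compares packet-size Shannon entropy before and after one illustrative padding morph (stage 04). The packets, Wₚ, and the choice of packet size as the variable X in H(X) are assumptions; the liquid time-constant stage is not reproduced.

```python
import math
from collections import Counter

# Constructed five-packet TLS-like exchange (not capture data from the AEGIS corpus):
# (timestamp s, size bytes, direction +1 client->server / -1 server->client,
#  TCP window, TCP flags, IP protocol)
BENIGN = [
    (0.000, 517, +1, 65535, 0x18, 6),   # client hello
    (0.012, 1460, -1, 65535, 0x18, 6),  # server hello + certificate, segment 1
    (0.013, 1460, -1, 65535, 0x18, 6),  # segment 2
    (0.014, 64, +1, 65535, 0x10, 6),    # client ACK
    (0.040, 1460, -1, 65535, 0x18, 6),  # application data
]

def flow_observables(packets):
    """x_i = [S_i, dt_i, D_i, W_i, F_i, P_i]; dt of the first packet is taken as 0."""
    rows, prev = [], packets[0][0]
    for t, size, direction, window, flags, proto in packets:
        rows.append([size, t - prev, direction, window, flags, proto])
        prev = t
    return rows

def poincare_project(x, Wp, eps=1e-5):
    """phi(x) = Wp x / (1 + ||Wp x|| + eps): the result always lies strictly inside the unit disk."""
    y = [sum(w * v for w, v in zip(row, x)) for row in Wp]
    norm = math.sqrt(sum(v * v for v in y))
    return [v / (1.0 + norm + eps) for v in y]

def shannon_entropy_bits(values):
    """H(X) = -sum P(x) log2 P(x) over the empirical distribution of the values."""
    counts, n = Counter(values), len(values)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def size_entropy(packets):
    """Entropy of the packet-size distribution (assumed choice of X)."""
    return shannon_entropy_bits([p[1] for p in packets])

def pad_to_fixed_size(packets, size=1500):
    """One illustrative evasion: pad every packet to one length; timing is left untouched."""
    return [(t, size, d, w, f, p) for t, _, d, w, f, p in packets]

if __name__ == "__main__":
    Wp = [[1e-3, 10.0, 0.5, 1e-5, 1e-2, 0.1],   # assumed toy 2x6 projection weights
          [0.0, -5.0, 1.0, 0.0, 0.0, 0.0]]
    for x in flow_observables(BENIGN):
        z = poincare_project(x, Wp)
        print(f"phi={z}  |phi|={math.hypot(*z):.4f}")
    print("size entropy, benign :", round(size_entropy(BENIGN), 3))
    print("size entropy, padded :", round(size_entropy(pad_to_fixed_size(BENIGN)), 3))
```

Uniform padding collapses the size entropy to zero while the benign flow sits well above it, which is the deviation from baseline disorder that the page describes as the detection signal.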

Corpus

What it learned from.

400 GB of raw packet capture, distilled to 908,037 labelled flow sequences and a 10 GB training tensor. Four tiers, widest baseline to most adversarial.

Tier      Focus                 Sources                                        Access
Tier I    Planetary baselines   WIDE MAWI · CIC-IDS-2017                       Open
Tier II   IoT & botnet          Aposemat IoT-23 · CTU-13                       Open
Tier III  APT & zero-day        Malware-Traffic-Analysis · BCCC-Mal-NetMem     Open
Tier IV   Proprietary evasion   VLESS Reality · GhostBear                      Closed · Gated

Results

The numbers.

Held-out test set, 181,608 flows. The confusion matrix, in full.

True negative: 123,505
True positive: 57,551
False positive: 265
False negative: 287
AUC: 0.9998

Under adversarial evasion       ET-BERT    Standard SSM    AEGIS
F1 score                        0.2568     ~0.85           0.9952
Resists adversarial padding     No         Partial         Yes
Requires payload inspection     Yes        Yes             Never
Detection latency                                          262 µs

ET-BERT figure under adversarial conditions after Jing et al., 2025. Payload-based detectors degrade sharply when traffic is padded or morphed; AEGIS reads only flow physics, so the same evasion that defeats them is what it measures.

Privacy

It cannot leak what it never reads.

AEGIS sees packet headers and timing — never contents. No payload is stored, no TLS session is intercepted, no plaintext is reconstructed at any point in the pipeline. Privacy here isn’t a policy bolted on top; it’s a property of the architecture. GDPR- and PDPA-compatible by design.

AegisScan

The commercial layer.

AegisScan puts the engine in your hands — upload a capture, receive a thermodynamic threat report in seconds, with the flows that raised the entropy flagged in full. Free tier live.

Paper

The record.

Every figure on this page traces to the preprint or the public dataset — nothing unverifiable.

arXiv:2604.02149: AEGIS — thermodynamic state-space models for zero-day evasion detection (cs.CR · cs.LG). Published.
Dataset: AEGIS Adversarial Corpus, 908,037 sequences, gated (HuggingFace).