Proposal: a deterministic Classifier implementation as a fast-path in front of the LLM
Adrian's Classifier seam (Classify(ctx, *pb.PairedEvent, agentProfileID) (*Verdict, error) + Ping) is a clean place to add a deterministic pre-classifier that complements — not replaces — the LLM classification path. I'd like to propose and, if you're open to it, build one backed by an open rule corpus.
What it is. An ATRClassifier that implements the same Classifier interface. It runs Agent Threat Rules (ATR — MIT, open detection-rule standard for agent traffic: prompt injection, tool poisoning, context exfiltration, MCP attacks; ~700 rules) against the PairedEvent with plain deterministic matching, no model call. Chained in front of the existing LLM classifier:
- On a rule hit → return a
Verdict immediately: LatencyMS ≈ 0, zero model tokens, Reasoning = the rule id/category, MADCode/Classification mapped to your M-code taxonomy. Known-signature attacks (the exact shapes in the corpus) get caught on the fast path.
- On no hit → defer to the LLM classifier unchanged. The LLM keeps doing what it's uniquely good at: novel, nuanced, reasoning-trace attacks.
Why it's worth a seam of its own, not just a prompt tweak:
- Cost + latency. A large share of real traffic is known-shape (the corpus is built from disclosed CVEs and wild-scan findings). Catching those deterministically means the LLM is only invoked on what the rules don't recognise.
- Resilience.
ATRClassifier.Ping is always reachable (no upstream), so a fast-path verdict can still be served when ADRIAN_LLM_URL is down or wedged — degraded-but-alive instead of fail-closed on every event.
- Determinism where it matters. For audit/compliance, "this exact tool-poisoning signature fired, rule X" is a reproducible verdict; the LLM path stays for the judgement calls.
This fits your own framing (+35% vs behaviour-only): a deterministic rule layer + the LLM classifier is strictly more coverage than either alone, and the two are already targeting the same threat classes (prompt injection, tool poisoning, exfil) from different angles.
Scope of a first PR, if you're interested: a single ATRClassifier behind the existing interface + a chaining wrapper (Classify: rules first, LLM on miss) + tests, gated behind config so default behaviour is unchanged. Rules load once at startup; the corpus is a versioned artifact pulled independently. Happy to keep it small and put the M-code mapping table up for your review first.
I maintain ATR (COI: I author it; it's MIT and engine-neutral, so this is about giving Adrian a deterministic pre-filter, not routing it to any one ruleset). I see there's a CLA — I'll sign it before opening any code PR; raising this as a design question first to check the fast-path-classifier shape is one you'd want.
Proposal: a deterministic
Classifierimplementation as a fast-path in front of the LLMAdrian's
Classifierseam (Classify(ctx, *pb.PairedEvent, agentProfileID) (*Verdict, error)+Ping) is a clean place to add a deterministic pre-classifier that complements — not replaces — the LLM classification path. I'd like to propose and, if you're open to it, build one backed by an open rule corpus.What it is. An
ATRClassifierthat implements the sameClassifierinterface. It runs Agent Threat Rules (ATR — MIT, open detection-rule standard for agent traffic: prompt injection, tool poisoning, context exfiltration, MCP attacks; ~700 rules) against thePairedEventwith plain deterministic matching, no model call. Chained in front of the existing LLM classifier:Verdictimmediately:LatencyMS≈ 0, zero model tokens,Reasoning= the rule id/category,MADCode/Classificationmapped to your M-code taxonomy. Known-signature attacks (the exact shapes in the corpus) get caught on the fast path.Why it's worth a seam of its own, not just a prompt tweak:
ATRClassifier.Pingis always reachable (no upstream), so a fast-path verdict can still be served whenADRIAN_LLM_URLis down or wedged — degraded-but-alive instead of fail-closed on every event.This fits your own framing (
+35% vs behaviour-only): a deterministic rule layer + the LLM classifier is strictly more coverage than either alone, and the two are already targeting the same threat classes (prompt injection, tool poisoning, exfil) from different angles.Scope of a first PR, if you're interested: a single
ATRClassifierbehind the existing interface + a chaining wrapper (Classify: rules first, LLM on miss) + tests, gated behind config so default behaviour is unchanged. Rules load once at startup; the corpus is a versioned artifact pulled independently. Happy to keep it small and put the M-code mapping table up for your review first.I maintain ATR (COI: I author it; it's MIT and engine-neutral, so this is about giving Adrian a deterministic pre-filter, not routing it to any one ruleset). I see there's a CLA — I'll sign it before opening any code PR; raising this as a design question first to check the fast-path-classifier shape is one you'd want.