Skip to content

Proposal: deterministic Classifier (rule-based fast-path) in front of the LLM classifier #74

Description

@eeee2345

Proposal: a deterministic Classifier implementation as a fast-path in front of the LLM

Adrian's Classifier seam (Classify(ctx, *pb.PairedEvent, agentProfileID) (*Verdict, error) + Ping) is a clean place to add a deterministic pre-classifier that complements — not replaces — the LLM classification path. I'd like to propose and, if you're open to it, build one backed by an open rule corpus.

What it is. An ATRClassifier that implements the same Classifier interface. It runs Agent Threat Rules (ATR — MIT, open detection-rule standard for agent traffic: prompt injection, tool poisoning, context exfiltration, MCP attacks; ~700 rules) against the PairedEvent with plain deterministic matching, no model call. Chained in front of the existing LLM classifier:

  • On a rule hit → return a Verdict immediately: LatencyMS ≈ 0, zero model tokens, Reasoning = the rule id/category, MADCode/Classification mapped to your M-code taxonomy. Known-signature attacks (the exact shapes in the corpus) get caught on the fast path.
  • On no hit → defer to the LLM classifier unchanged. The LLM keeps doing what it's uniquely good at: novel, nuanced, reasoning-trace attacks.

Why it's worth a seam of its own, not just a prompt tweak:

  1. Cost + latency. A large share of real traffic is known-shape (the corpus is built from disclosed CVEs and wild-scan findings). Catching those deterministically means the LLM is only invoked on what the rules don't recognise.
  2. Resilience. ATRClassifier.Ping is always reachable (no upstream), so a fast-path verdict can still be served when ADRIAN_LLM_URL is down or wedged — degraded-but-alive instead of fail-closed on every event.
  3. Determinism where it matters. For audit/compliance, "this exact tool-poisoning signature fired, rule X" is a reproducible verdict; the LLM path stays for the judgement calls.

This fits your own framing (+35% vs behaviour-only): a deterministic rule layer + the LLM classifier is strictly more coverage than either alone, and the two are already targeting the same threat classes (prompt injection, tool poisoning, exfil) from different angles.

Scope of a first PR, if you're interested: a single ATRClassifier behind the existing interface + a chaining wrapper (Classify: rules first, LLM on miss) + tests, gated behind config so default behaviour is unchanged. Rules load once at startup; the corpus is a versioned artifact pulled independently. Happy to keep it small and put the M-code mapping table up for your review first.

I maintain ATR (COI: I author it; it's MIT and engine-neutral, so this is about giving Adrian a deterministic pre-filter, not routing it to any one ruleset). I see there's a CLA — I'll sign it before opening any code PR; raising this as a design question first to check the fast-path-classifier shape is one you'd want.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions