Occam Pre-Intrusion Predictor
The Occam predictor uses a Hidden Markov Model over ATT&CK tactics to predict Benign traffic. Prediction failure (high surprisal) in a progressive anomalous sequence is the pre-intrusion trigger — detection before compromise. Patent pending 64/021,000.
Predictor Status
Self-commissioning state machine: Accumulating → Activating → Active. The predictor self-deactivates to Degraded if its confirmation rate drops below a threshold.
| Status | Windows | Confirmation Rate | Avg Surprisal |
|---|---|---|---|
| Predicting | 4,287 | 0.847 | 1.42 |
| Accumulating | 534 | 0.000 | 0.89 |
Pre-Intrusion Alerts
High-surprisal observations in progressive attack sequences. Each row is an assessed-probable intrusion in progress, acted on before the attacker achieves their objective.
| Window | Source | Segment | Observed | Surprisal (bits) | Anomaly | P(Benign) | Predicted Next | Viterbi Path |
|---|---|---|---|---|---|---|---|---|
| 2026-04-20T03:31:53 | 10.0.12.45 | datacenter | CommandAndControl | 8.73 | 0.92 | 0.080 | Benign | Normal→Probing→Compromised→C2Active |
| 2026-04-20T01:31:53 | 10.0.3.118 | corporate | LateralMovement | 7.21 | 0.87 | 0.130 | Benign | Normal→Probing→LateralSpread |
| 2026-04-19T23:31:53 | 10.0.12.201 | datacenter | DataExfiltration | 6.84 | 0.84 | 0.160 | Benign | Normal→Compromised→Exfiltrating |
| 2026-04-19T21:31:53 | 172.16.0.89 | dmz | CommandAndControl | 6.42 | 0.81 | 0.190 | Reconnaissance | Normal→Probing→C2Active |
| 2026-04-19T19:31:53 | 10.0.8.77 | corporate | Persistence | 5.92 | 0.78 | 0.220 | Benign | Normal→Compromised→Persisting |
| 2026-04-19T18:31:53 | 10.0.12.45 | datacenter | CommandAndControl | 5.87 | 0.76 | 0.240 | Benign | Normal→Probing→Compromised→C2Active |
| 2026-04-19T16:31:53 | 10.0.5.212 | corporate | PrivilegeEscalation | 5.47 | 0.73 | 0.270 | Benign | Normal→Compromised→Escalating |
| 2026-04-19T14:31:53 | 10.0.12.45 | datacenter | CommandAndControl | 5.31 | 0.71 | 0.290 | Benign | Normal→Probing→Compromised→C2Active |
Viterbi State Paths
The most-likely hidden-state paths decoded from observed token sequences. This is the explainable-AI output that satisfies DoD XAI requirements — every prediction can be traced back to the specific ATT&CK tactic progression that drove it.
| Decoded Path | Occurrences | Avg Surprisal | Elevated |
|---|---|---|---|
| Normal→Probing→Compromised→C2Active | 12 | 6.84 | 8 |
| Normal→Probing→LateralSpread | 8 | 5.92 | 5 |
| Normal→Compromised→Exfiltrating | 6 | 6.21 | 4 |
| Normal→Compromised→Persisting | 4 | 4.87 | 2 |
| Normal→Compromised→Escalating | 3 | 5.12 | 2 |
| Normal→Probing→C2Active | 2 | 4.42 | 2 |
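The surprisal and Viterbi columns above can be reproduced in miniature with a small HMM. This is an added example, not Occam's code: the four-state model, its probabilities and the token subset are constructed for illustration, and scoring surprisal against the forward-filter predictive distribution is an assumption, since the page does not specify how surprisal is computed.

```python
import math

# Constructed toy parameters (assumptions, not Occam's learned model).
STATES = ["Normal", "Probing", "Compromised", "C2Active"]
TOKENS = ["Benign", "Reconnaissance", "PrivilegeEscalation", "CommandAndControl"]
PI = [0.97, 0.01, 0.01, 0.01]                 # initial state distribution
A = [[0.95, 0.04, 0.005, 0.005],              # A[r][s] = P(next state s | state r)
     [0.30, 0.40, 0.25, 0.05],
     [0.05, 0.05, 0.50, 0.40],
     [0.02, 0.03, 0.15, 0.80]]
B = [[0.97, 0.02, 0.005, 0.005],              # B[s][o] = P(token o | state s)
     [0.30, 0.60, 0.05, 0.05],
     [0.20, 0.10, 0.60, 0.10],
     [0.15, 0.05, 0.10, 0.70]]
N = range(len(STATES))

def surprisals(tokens):
    """Forward filter: -log2 P(o_t | o_1..o_{t-1}) in bits, one per token."""
    prior, out = PI, []
    for tok in tokens:
        o = TOKENS.index(tok)
        joint = [prior[s] * B[s][o] for s in N]
        p_obs = sum(joint)                    # predictive probability of this token
        out.append(-math.log2(p_obs))
        belief = [j / p_obs for j in joint]   # posterior over hidden states
        prior = [sum(belief[r] * A[r][s] for r in N) for s in N]
    return out

def viterbi(tokens):
    """Most likely hidden-state path, computed in log space."""
    obs = [TOKENS.index(t) for t in tokens]
    score = [math.log(PI[s] * B[s][obs[0]]) for s in N]
    back = []
    for o in obs[1:]:
        prev = [max(N, key=lambda r: score[r] + math.log(A[r][s])) for s in N]
        score = [score[prev[s]] + math.log(A[prev[s]][s] * B[s][o]) for s in N]
        back.append(prev)
    state = max(N, key=lambda s: score[s])
    path = [state]
    for prev in reversed(back):               # follow back-pointers to the start
        state = prev[state]
        path.append(state)
    return "→".join(STATES[s] for s in reversed(path))

if __name__ == "__main__":
    seq = ["Benign", "Reconnaissance", "PrivilegeEscalation", "CommandAndControl"]
    print([round(b, 2) for b in surprisals(seq)], viterbi(seq))
```

In this toy model the surprisal is highest at the first departure from benign traffic and falls as the filter's belief shifts toward the compromised states, so a threshold on per-window surprisal fires early in the sequence.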