The Deterministic Edge
Invariant Vector Defense is a control-plane security architecture that enforces stability before systems converge and before execution occurs.
Conventional systems detect and react after damage has begun. IVD operates upstream, where control decisions are made. It identifies invariant structure in distributed activity, constructs bounded representations of that activity, and applies deterministic enforcement before the network or system state becomes unstable.
Two coordinated enforcement planes exist:
IVD CORE
Operates in the network control plane. It reduces distributed traffic into invariant Ψ-vectors, synthesizes macro-objects from those vectors, and enforces bounded upstream mitigation using BGP Flow Specification.
IVD-ACP
Operates in the execution control plane. It evaluates commands, artifacts, and system states before execution and assigns authority states that determine whether execution is allowed, sandboxed, or denied.
This is not monitoring. This is not reactive filtering. This is deterministic control of admissibility and propagation.
Upstream Control-Plane Enforcement
IVD Core is a distributed control-plane defense system for detecting and suppressing large-scale coordinated traffic before it destabilizes the network.
Edge Telemetry Sensors
Extract fixed-length invariant Ψ-vectors from packet headers and timing at the edge. Correlation and macro-object synthesis occur at regional and global layers.
Policy Engine
Converts each macro-object into a bounded set of mitigation rules propagated via authenticated BGP sessions using Flow Specification. Rule deployment is constrained by stability policies including minimum lifetimes, safe update rates, and bounded rule counts.
This architecture prevents:
- control-plane exhaustion from per-flow defenses
- route flapping caused by reactive mitigation
- collateral suppression of unrelated traffic
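The stability policies named above (minimum lifetimes, safe update rates, bounded rule counts) can be pictured as a gate placed in front of rule announcements and withdrawals. The sketch below is an added illustration, not IVD code: `StabilityGate`, `replay`, the decision strings, the `mo-N` rule ids and all thresholds are hypothetical, and it models only the admission decision, not BGP or FlowSpec encoding.

```python
from collections import deque

class StabilityGate:
    """Hypothetical gate: admits rule announce/withdraw requests only within stability bounds."""

    def __init__(self, max_rules, min_lifetime_s, max_updates, window_s):
        self.max_rules = max_rules            # bounded rule count
        self.min_lifetime_s = min_lifetime_s  # minimum lifetime before withdrawal
        self.max_updates, self.window_s = max_updates, window_s  # safe update rate
        self.active = {}                      # rule_id -> time announced
        self.updates = deque()                # timestamps of accepted updates

    def _rate_ok(self, now):
        while self.updates and now - self.updates[0] >= self.window_s:
            self.updates.popleft()            # aged out of the rate window
        return len(self.updates) < self.max_updates

    def announce(self, rule_id, now):
        if rule_id in self.active:
            return "noop"                     # already installed, no update sent
        if len(self.active) >= self.max_rules:
            return "reject:rule-count"
        if not self._rate_ok(now):
            return "defer:update-rate"
        self.active[rule_id] = now
        self.updates.append(now)
        return "announce"

    def withdraw(self, rule_id, now):
        if rule_id not in self.active:
            return "noop"
        if now - self.active[rule_id] < self.min_lifetime_s:
            return "defer:min-lifetime"       # too young: withdrawing would flap
        if not self._rate_ok(now):
            return "defer:update-rate"
        del self.active[rule_id]
        self.updates.append(now)
        return "withdraw"

def replay(events, gate):
    """Apply (time, op, rule_id) events in order; return the decision for each."""
    return [getattr(gate, op)(rid, t) for t, op, rid in events]

# Constructed sample: macro-object rule ids and timestamps are illustrative only.
SAMPLE = [(0, "announce", "mo-1"), (1, "announce", "mo-2"), (2, "announce", "mo-3"),
          (5, "withdraw", "mo-1"), (12, "announce", "mo-3"), (13, "announce", "mo-4"),
          (40, "withdraw", "mo-1")]

if __name__ == "__main__":
    print(replay(SAMPLE, StabilityGate(max_rules=3, min_lifetime_s=30, max_updates=2, window_s=10)))
```

Because time is passed in rather than read from a clock, the same event sequence always yields the same decisions, which is what makes the gate's behavior auditable.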
Execution Boundary Control
Deterministic admissibility enforcement prior to execution. ACP evaluates commands, artifacts, and ingestion events and assigns one of three authority outcomes (allowed, sandboxed, or denied) before any execution path is entered.
Decisioning is deterministic and policy-driven. It is not probabilistic scoring and does not depend on behavioral prediction.
ACP IS NOT AN OBSERVABILITY LAYER. IT IS AN EXECUTION GATE.
Macro-Object Representation
IVD represents distributed attacks as macro-objects rather than collections of flows.
Each macro-object is constructed from invariant Ψ-vectors derived from packet headers and timing. A Ψ-vector is a fixed-length statistical representation of traffic behavior that remains stable even when attackers rotate source IPs, vary ports, or distribute sources across many networks. This allows millions of flows to collapse into a single bounded representation. Mitigation operates on the macro-object, not on individual sources.
TRL-6 Baseline Evidence
Validated and reproducible system posture.
Validation Posture:
- 60-node routing topology lab validated
- reproducible attack profile test harnesses
- structured logs and router state capture
- bounded mitigation with no route flapping
- convergence and withdrawal stability under load
- frozen evidence bundles with local verification
Transition to TRL-7
IVD is designed for controlled transition into operational environments.
Initial Deployment Targets
- upstream network providers and enterprise edge environments
- administrative control planes with high-impact privileges
- retrieval and indexing systems vulnerable to poisoned inputs
- orchestration and automation systems with execution authority
TRL-7 Progression Focus
- deployment in live network and execution environments
- validation of stability under real-world conditions
- integration with existing routing policy and identity systems
- operator workflow and audit integration
Early deployments are structured as controlled pilot environments with bounded scope and measurable outcomes.
Pilot Deployment Expectations
Controlled introduction of deterministic control-plane enforcement.
A pilot deployment introduces IVD Core and IVD-ACP into a bounded operational environment to validate stability, enforcement behavior, and integration with existing infrastructure.
Deployment Scope
- One network domain or edge segment for IVD Core
- One administrative or ingestion surface for IVD-ACP
- Defined prefix ranges, services, or system boundaries
- Pre-agreed enforcement policies and thresholds
Known Boundaries (TRL-6)
- ACP state persistence is not yet production-hardened
- Restart and recovery behavior are managed but not fully externalized
- Large-scale multi-domain coordination is not yet field-validated
- Vendor-specific FlowSpec behavior may vary and is validated per environment
Success Criteria
- Detection and suppression of coordinated traffic without control-plane instability
- Bounded rule generation and predictable withdrawal behavior
- No collateral suppression of legitimate traffic within defined scope
- Deterministic ACP enforcement of admissibility decisions
- Complete and verifiable audit trail for all enforcement actions
The goal is not to prove possibility. That has already been established.
The goal is to prove stability, bounded behavior, and operational fit under real conditions.
Patents & IP
Invariant Vector Defense and IVD-ACP are covered by a foundational provisional patent and two non-provisional U.S. patent applications defining invariant-based detection, macro-object synthesis, and control-plane enforcement mechanisms.
| Application No. | Status | Scope |
|---|---|---|
| 63/919,908 | Filed | Foundational Architecture |
| 19/458,205 | USPTO Examining | Network Control Plane |
| 19/456,364 | USPTO Examining | Execution Control Plane |