examples: add agent-action-monitor (behavioural gate for AI agent actions)#209
Open
ritiksah141 wants to merge 1 commit into
Open
examples: add agent-action-monitor (behavioural gate for AI agent actions)#209ritiksah141 wants to merge 1 commit into
ritiksah141 wants to merge 1 commit into
Conversation
…ions) Adds a new example at examples/agent-action-monitor/. A behavioural gate for AI agent actions, built on DUSK, an open source behavioural threat detection project. A hijacked AI agent still holds valid credentials, so a credential check waves it through. This gate asks a different question, does this agent normally do this, by scoring a proposed control-plane action against that agent's own learned baseline before the action reaches a downstream system. All three SIE primitives are wired into the live /v1/gate request path: extract (GLiNER) for privileged terms, encode (bge-m3) for a bounded fleet-wide similar-decision lookup, and score (bge-reranker-v2-m3) for semantic novelty against the agent's own baseline history. SIE is optional and degrades gracefully throughout the request path. Also adds a row to examples/README.md's gallery table. Built by Ritik Sah and Tanvir Farhad.
|
Hi @svonava,Quick update load testing is done, the latency table is in the README, and CI is green. This is ready for review whenever you get a chance. Thanks again for the support. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds a new example at
examples/agent-action-monitor/. A behavioural gate for AI agent actions, built on DUSK, an open source behavioural threat detection project. The core idea: a hijacked AI agent still holds valid credentials, so a credential check waves it through. This gate asks a different question, does this agent normally do this, by scoring a proposed control-plane action (a firewall rule change, a route change, a role grant) against that agent's own learned baseline before the action reaches a downstream system.SIE is optional and degrades gracefully throughout the request path. Semantic novelty and qualifying extraction results can increase, but never reduce, the deterministic anomaly score.
extractuses GLiNER with the labels role, privilege, resource, segment, and port. Confident, previously unknown role or privilege entities contribute an additional bounded anomaly signal; neutral resource, segment, and port entities do not add score by themselves.encode(BAAI/bge-m3) embeds each recorded verdict once. When sufficient history exists, it also embeds the incoming action for the bounded fleet-wide similar-decision lookup. It does not contribute directly to the anomaly score.score(BAAI/bge-reranker-v2-m3) reranks the acting agent's learned baseline history to detect semantic novelty and separately reranks the fleet-wide similar-decision shortlist.Repeat-offense memory persists refused verdicts per agent. A matching later attempt receives a bounded, decaying contribution and cites the earlier trace ID. Storage is capped at 50 offenses per agent and 500 tracked agents.
Also adds a row to
examples/README.md's gallery table.Architecture
Five services on one Docker Compose stack, no API key required by default:
dusk-gate(the Flask/v1/gateservice),sie(self-hosted, CPU default image),n8n(three webhooks, decision, report, alert, baked in and active from container start),mock-prod(a dummy downstream target), andagent-demo(a Bedrock or mock agent harness that runs a clean and a poisoned scenario against the gate, then exits).Watch mode is the default: a refused action is logged as
WOULD-BLOCKbut still reachesmock-prod, since an inline gate that wrongly blocks a legitimate action can disrupt a network. Enforce mode upgradesWOULD-BLOCKtoBLOCK, which stops the action before it reachesmock-prod.Run it
cd examples/agent-action-monitor docker compose upBrings up the full stack.
agent-demoruns a clean and a poisoned scenario against the gate automatically, then exits. See the example's own README for the full walkthrough, watch versus enforce mode, and the n8n webhook views.Validated end to end
Documented in the example's own
docs/sie-primitives.md, from a run against Superlinked's hosted tester cluster:sie_encodereturns a real 1024-dimensional dense vector fromBAAI/bge-m3, confirming the model actually loaded and servedtest_offense_memory_persists_across_a_simulated_restart, which restarts the gate engine and confirms a repeat offense is still cited afterwardTest plan
docker compose upstarts the full stack; health-gated services become healthy andagent-democompletes both scenarios successfullyagent-demo's clean scenario returnsALLOWand reachesmock-prodagent-demo's poisoned scenario returnsWOULD-BLOCKin watch mode and still reachesmock-prodDUSK_ENFORCE=trueondusk-gateturns the same poisoned scenario intoBLOCK, and it no longer reachesmock-prodpytestpasses standalone from a freshpip install -e ".[dev]"of this directory alone, 186 passed, 2 skippedruff check,mypy, andbanditcleanNotes and caveats
/v1/gateis unauthenticated with CORS open to all origins by default, appropriate for a local example, not a production security boundaryBuilt by Ritik Sah and Tanvir Farhad.