VERITY Network Intelligence v2.1 is zero-day anomaly detection by design. No signatures. No training on attack data. No cloud dependency. Calibrate on benign traffic only — attack labels are not used for calibration or detection. The deviation is the detection.
"Signatures catch what has been seen. Behavioral measurement catches what has not. The attack that has never been catalogued is still a deviation from the baseline — and deviation is measurable."
Signature-based detection works by pattern matching. It is fast, precise, and structurally limited to attacks that have been seen before. Zero-day attacks pass through undetected. So does the long tail of attacks that were never important enough to receive their own signature. The industry response has been to wait for the breach, write the signature, and hope no one else gets hit first.
VERITY takes a different approach. It calibrates on the benign traffic in your environment. It learns the behavioral shape of normal flows — volume, timing, directionality, session structure. Every incoming flow is measured against that baseline. The attack does not need a name. It does not need a signature. It does not need to have been seen before. It only needs to be different from normal, and difference is measurable.
VERITY calibrates on your benign traffic in a single pass. Every flow is then measured against multiple independent geometric reference points. Flows that deviate are flagged. Flows near the decision boundary are escalated. When the system is uncertain, it says so.
The results below come from 5-fold cross-validation on the Engelen 2021 corrected CICIDS-2017 release — not the widely circulated mislabeled UNB CSVs. Clean threshold protocol: training benign only. Two operating modes from a single v2.1 codebase. We report every class, including weak ones like SQL Injection at flow-metadata resolution.

| Dataset | Type | Mode | F1 | Recall | Notes |
|---|---|---|---|---|---|
| CICIDS-2017 Friday | DDoS / PortScan / Botnet | Precision | 0.963 | 0.968 | α=0.05, Engelen corrected |
| CICIDS-2017 Friday | DDoS / PortScan / Botnet | Detection | 0.951 | 0.970 | Genesis S2 rescue enabled |
| CICIDS-2017 Wednesday | DoS variants | Precision | 0.971 | 0.970 | α=0.02 |
| CICIDS-2017 Tuesday | FTP / SSH Patator | Detection | — | 0.995 | FTP-Patator recall at α=0.05 |
| CSE-CIC-IDS2018 | Cross-dataset | Precision | 0.996 | 1.000 | No retuning |
| CSE-CIC-IDS2018 | Cross-dataset | Detection | — | 1.000 | LOIC-HTTP, HOIC, Hulk improved |

14 of 15 attack classes are at or above 0.93 recall in Detection mode. SQL Injection (n=13) remains weak — payload-level, below flow-metadata resolution. Optional corrected benchmark CSVs are available on the live demo.

| Property | VERITY | Signature-based IDS | Behavioral ML platforms |
|---|---|---|---|
| Encrypted traffic | Measures behavior | Cannot inspect | Varies |
| Zero-day attacks | Detected as deviation | Requires signature | Varies |
| Training required | None | Continuous signature updates | Days to weeks |
| Independent benchmark validation | Published, reproducible | n/a | Generally not published |
| GPU required | No | No | Typically yes |
| Air-gapped capable | Yes | Varies | Generally no |
| Engine size | 500–560 KB | Hundreds of MB | GB-scale infrastructure |
| Forensic signature per alert | 28 bytes | Limited | Varies |

The same 500–560 KB engine runs everywhere Python 3.9+ runs. Throughput scales with hardware. Latency is ~1 ms per flow in Precision mode and ~4 ms in Detection mode on workstation-class machines.
Reproduce the v2.1 benchmarks on corrected public datasets. Request a technical briefing. Evaluate VERITY on your own traffic, on your own hardware, with your team operating the engine throughout.