Documentation Index
Fetch the complete documentation index at: https://quintsecurity.mintlify.app/llms.txt
Use this file to discover all available pages before exploring further.
Status: roadmap (Stage 4). This describes the designed architecture, not what currently ships. The GNN is feature-flagged off in production (gnn_enabled=False). Advancement triggers are in the ML Roadmap. Graph Neural Network
The GNN provides Tier 2 (cloud) structural analysis by operating on session action graphs materialized in Memgraph. It detects anomalies that the proxy’s FlowMatrix signatures cannot express: multi-hop attack paths, temporal phase transitions, resource fan-out patterns, and coordinated cross-agent attacks.
Architecture: Multi-Level Detector
Four independent detection levels run in parallel, combined via learned logistic regression:
Level 1: VGAE Autoencoder (Unsupervised)
Variational Graph Autoencoder trained only on normal sessions. Learns to reconstruct normal graph structure. High reconstruction error = anomalous.
- Encoder: GraphSAGE (38 → 128 → 64, mean aggregation)
- Decoder: Inner product (edges) + MLP (features)
- Loss: Edge reconstruction + feature reconstruction + KL divergence
- Strength: Catches anything structurally unusual
- Weakness: High variance, can’t name the attack type
Level 2: GAT Classifier (Supervised)
Graph Attention Network trained on labeled normal + attack sessions with focal loss for class imbalance.
- Architecture: GATConv(38 → 128, 4 heads) → GATConv(512 → 64, 4 heads) → global_mean_pool → MLP(64 → 2)
- Loss: Focal loss (alpha=0.75, gamma=2.0)
- Strength: Highest accuracy on known attack types, attention weights explain which edges matter
- Weakness: Cannot detect attack types not in training data
Level 3: Mahalanobis Distance (Statistical)
During training, computes the centroid and covariance of normal session embeddings in the VGAE latent space. At inference, measures how far a new session is from this normal cluster.
- Strength: Catches novel/zero-day attacks the classifier has never seen (100% in testing)
- Weakness: Sensitive to behavioral drift (normal behavior evolving)
Level 4: Node-Max (Per-Action)
Returns the maximum per-node anomaly score in the session. A session with 99 normal actions and 1 suspicious action still triggers if that one action scores high enough.
- Strength: Catches mimicry attacks where most actions are normal
- Weakness: Single noisy action can cause false alerts
Node Features (38-dim)
| Feature Group | Dims | Source |
|---|
| Capability one-hot | 12 | MCP tool call → capability mapping |
| Risk score | 1 | Proxy risk engine (0-100 normalized) |
| Deviation score | 1 | Proxy behavioral scoring (0-1) |
| Confidence band | 1 | Gate classification (KNOWN_SAFE/UNCERTAIN/ANOMALOUS) |
| Hour of day (cyclical) | 2 | sin/cos encoding from timestamp |
| Inter-action gap | 1 | Log-scaled seconds since previous action |
| Depth | 1 | Agent nesting level (0 = root) |
| In-degree / out-degree | 2 | Graph structural from Memgraph |
| Action type one-hot | 11 | MCP_TOOL_CALL, BASH_EXECUTION, etc. |
| Is business hours | 1 | Weekday 9am-6pm flag |
| Is novel tool | 1 | Proxy Bloom filter (first-time tool) |
| Is novel server | 1 | Proxy Bloom filter (first-time server) |
| Bigram surprise | 1 | How rare is this capability transition |
| Window entropy | 1 | Capability diversity in last 10 actions |
| Export density | 1 | Upload/send ratio in last 20 actions |
Training Data
| Property | Value |
|---|
| Total sessions | 50,000 |
| Normal sessions | 40,000 (8 agent archetypes) |
| Attack sessions | 10,000 (10 types, 35 variants) |
| Stealth attacks | 30% (normal features, attack structure only) |
| Topologies | 5 types (linear, burst, fan-out, branching, retry) |
| Session lengths | 5-500 actions (power-law distribution) |
Agent Archetypes
Coding assistant, data analyst, DevOps agent, support agent, security scanner, CI/CD pipeline, research agent, fleet orchestrator — each with distinct Markov transition matrices and temporal profiles.
Attack Types
Exfiltration, credential theft, staging, reconnaissance, cover tracks, privilege escalation, lateral movement, supply chain, data poisoning, denial of service — each with 3-5 variants.
Accuracy
| Metric | GNN Ensemble | Feature Baseline |
|---|
| AUROC | 1.000 | 0.982 |
| AUPRC | 1.000 | 0.978 |
| F1 | 1.000 | 0.966 |
| FPR @0.65 | 0.0% | — |
Adversarial Robustness
| Evasion Scenario | Detection |
|---|
| Business-hours attack (normal timing) | Per-level: 77-100% |
| Slow drip (5% malicious in 200 actions) | Per-level: 100% |
| Mimicry (normal archetype + 5 uploads) | Node-max: 97% |
| Novel zero-day (never trained) | 100% (Mahalanobis) |
| Capability-consistent (read+search only) | 0% (needs resource sensitivity) |
Signature Distillation
When the GNN detects an anomaly, the capability transition pattern is extracted from Memgraph, normalized to a [12x12] FlowMatrix, and packaged as a ThreatSignature compatible with the proxy’s registry:
{
"id": "QT-GNN-A1B2C3D4",
"name": "GNN-learned: high anomaly",
"flow_shape": [[0.0, 0.3, ...], ...],
"max_jsd": 0.25,
"severity": "high",
"weight": 0.85,
"agent_types": [],
"min_depth": 0
}
quint.signatures.{org_id} → all proxies add it to their ThreatSignatureRegistry. The entire fleet learns the new pattern in ~30 seconds.
Deployment
| Tier | Memgraph | Model | Scoring |
|---|
| Local | None | None | Proxy Gates 1-3 only |
| Team | Shared (1-2GB) | Quint pre-trained | 5-stage BI pipeline |
| Enterprise | Dedicated (8-32GB) | Custom per-tenant | + signature distillation |
| Global | Aggregated | Universal | + federated intelligence |
