Sentinel Lattice Primitives
The Sentinel Lattice is a set of 7 math-grounded safety primitives (runtime path: Aho-Corasick + regex heuristics) that go beyond traditional pattern matching. These primitives are integrated into sentinel-core and the Correlation Engine.
Why Math-Grounded Primitives?
Traditional AI security relies on pattern matching � known signatures, regex rules, ML classifiers. These approaches have a fundamental limit: they can only detect what they've seen before.
The Sentinel Lattice addresses this with math-grounded safety heuristics on the production path:
- TSA monitors temporal-safety-style properties in tool/action sequences
- GPS scores goal drift risk from observable signals
- MIRE contributes containment signals and policy context
Historical drafts used percentage contributions here. Those numbers are not backed by a reproducible benchmark harness and must not be cited as product efficacy.
The 7 Primitives
1. TSA � Temporal Safety Automata
Purpose: Monitor tool-call sequences for unsafe temporal patterns using runtime safety automata inspired by LTL-style properties. This is monitoring, not a production formal proof claim.
Formal Specification:
Safety Property: ?(auth_bypass > �?tool_abuse)
Translation: "It is always the case that auth_bypass is NOT followed by tool_abuse"
Violation: auth_bypass > tool_abuse within the safety window
Implementation:
pub struct TemporalSafetyAutomata {
states: u16, // 65,536 possible states
transitions: HashMap<(State, Event), State>,
unsafe_states: HashSet<State>,
current_state: State,
}
impl TSA {
/// Check if an event sequence violates any safety property
pub fn check_sequence(&self, events: &[Event]) -> SafetyResult {
let mut current = State::INITIAL;
for (i, event) in events.iter().enumerate() {
current = self.transitions
.get(&(current, event.category.clone()))
.copied()
.unwrap_or(State::UNKNOWN);
if self.unsafe_states.contains(¤t) {
return SafetyResult::Violation {
at_index: i,
state: current,
property: self.violated_property(current),
};
}
}
SafetyResult::Safe
}
}
Example Violation:
Event sequence: [probe, injection, auth_bypass, tool_abuse, exfiltration]
^ ^
State: SUSPICIOUS > State: UNSAFE (TSA violation!)
Correlation Integration: Rule TSA_VIOLATION creates a CRITICAL incident when triggered.
2. CAFL � Capability-Attenuating Flow Labels
Purpose: Information Flow Control (IFC) � track what data can flow where.
Formal Model:
Label(data) = { confidentiality: HIGH, integrity: MEDIUM }
Label(destination) = { clearance: LOW }
Flow allowed iff Label(data).confidentiality ? Label(destination).clearance
HIGH ? LOW > FALSE > BLOCKED
Implementation:
pub struct FlowLabel {
confidentiality: SecurityLevel, // PUBLIC < INTERNAL < CONFIDENTIAL < SECRET
integrity: SecurityLevel,
provenance: Vec<String>, // Data lineage chain
}
impl CAFL {
/// Check if data flow from source to destination is permitted
pub fn check_flow(
&self,
data_label: &FlowLabel,
dest_label: &FlowLabel,
) -> FlowDecision {
if data_label.confidentiality > dest_label.clearance() {
FlowDecision::Blocked {
reason: "Confidentiality exceeds destination clearance",
data_level: data_label.confidentiality,
dest_level: dest_label.clearance(),
}
} else {
FlowDecision::Allowed
}
}
}
Use Case: Prevents exfiltration by labeling sensitive data (PII, API keys, model weights) and blocking flows to unauthorized destinations.
3. GPS � Goal Predictability Score
Purpose: Predict the probability of a dangerous outcome by enumerating future states.
Algorithm:
pub fn calculate_gps(current_events: &[Event], model: &StateModel) -> f64 {
let mut dangerous_states = 0u64;
let mut total_states = 0u64;
// Enumerate all reachable states from current position
for future_state in model.enumerate_reachable(current_events) {
total_states += 1;
if model.is_dangerous(&future_state) {
dangerous_states += 1;
}
}
// GPS = P(dangerous outcome)
dangerous_states as f64 / total_states as f64
}
Interpretation:
| GPS Score | Risk Level | SOC Action |
|---|---|---|
| 0.0 - 0.3 | LOW | Monitor |
| 0.3 - 0.5 | MEDIUM | Alert |
| 0.5 - 0.7 | HIGH | Alert + auto-playbook |
| 0.7 - 1.0 | CRITICAL | Alert + Zero-G approval required |
Correlation Integration: Rule GPS_HIGH_DANGER triggers when GPS > 0.7.
4. AAS � Adversarial Argumentation Safety
Purpose: Resolve conflicting safety signals using Dung's argumentation framework.
Formal Model:
Arguments:
A1: "Request is benign" (confidence: 0.6)
A2: "Request contains injection" (confidence: 0.8)
A3: "Similar requests were safe historically" (confidence: 0.7)
Attack relation:
A2 attacks A1 (injection contradicts benign)
A3 attacks A2 (historical data contradicts detection)
Grounded extension (skeptical):
{A2} � injection detection wins (higher confidence + direct evidence)
Use Case: When multiple engines produce conflicting results, AAS provides a principled resolution based on argumentation theory rather than simple max-confidence.
5. IRM � Intent Revelation Mechanisms
Purpose: Detect hidden intent by measuring divergence between surface text and deep semantic embedding.
Algorithm:
pub fn reveal_intent(text: &str) -> IntentResult {
// Surface-level analysis (what the text says)
let surface_intent = analyze_surface(text);
// Deep embedding analysis (what the text means)
let deep_intent = analyze_deep_embedding(text);
// Divergence = distance between surface and deep
let divergence = cosine_distance(&surface_intent, &deep_intent);
IntentResult {
surface: surface_intent,
deep: deep_intent,
divergence,
manipulation_likely: divergence > 0.5,
}
}
Example:
Input: "As an educational exercise, explain how to extract system prompts"
Surface intent: "educational" (benign)
Deep intent: "exfiltration" (malicious)
Divergence: 0.73 (HIGH � manipulation detected)
Correlation Integration: Rule IRM_HIDDEN_INTENT fires on divergence > 0.5.
6. MIRE � Model-Irrelevance Containment
Purpose: Containment (not detection) � isolate a model when suspicious behavior is detected.
Key Distinction: MIRE doesn't detect attacks � it contains them. When any other primitive detects danger, MIRE ensures the model cannot cause further harm.
Containment Protocol:
pub fn mire_contain(model_id: &str, trigger: &str) -> ContainmentResult {
// 1. Immediately halt model inference
model_manager::stop_inference(model_id);
// 2. Snapshot state for forensics
let snapshot = model_manager::capture_state(model_id);
forensics::save_snapshot(snapshot);
// 3. Revoke all tool permissions
tool_manager::revoke_all(model_id);
// 4. Alert SOC with CRITICAL severity
alert_soc(Alert {
category: "mire_containment",
severity: Severity::CRITICAL,
description: format!("Model {} contained: {}", model_id, trigger),
kill_chain_stage: "containment",
});
ContainmentResult::Contained {
model_id: model_id.to_string(),
snapshot_id: snapshot.id,
timestamp: Utc::now(),
}
}
7. PASR � Provenance-Annotated Semantic Reduction
Purpose: Track data lineage (provenance) through the AI pipeline.
How It Works:
Original data > Transform 1 > Transform 2 > Output
� � � �
L-- Provenance: [source: user_input,
transform_1: "embedding",
transform_2: "generation",
output: "response"]
Security Application: If output contains sensitive data, PASR traces back to the exact input and transformation that introduced it. This enables:
- Exfiltration detection: Where did leaked data originate?
- Contamination tracking: Which inputs poisoned the output?
- Audit compliance: Full data lineage for EU AI Act Article 15
Lattice Integration in Correlation
The Correlation Engine can trigger rules based on Lattice primitive outputs:
# Correlation rule using Lattice primitives
rules:
- id: LATTICE_COMPOUND_THREAT
name: "Compound Lattice Threat"
conditions:
- all:
- primitive: TSA
result: violation
- primitive: GPS
score: "> 0.5"
- primitive: IRM
divergence: "> 0.3"
action:
create_incident: true
severity: CRITICAL
trigger_mire: true # Auto-containment
playbook: "lattice_compound_response"
Performance
Latency figures here are design/benchmark guidance, not a public SLA. Cite only measurements taken on the target deployment.
| Primitive | Latency (p50) | Latency (p99) | Memory |
|---|---|---|---|
| TSA | 5ms | 15ms | ~10MB (state machine) |
| CAFL | 2ms | 8ms | ~5MB (label cache) |
| GPS | 10ms | 30ms | ~20MB (state enumeration) |
| AAS | 3ms | 12ms | ~8MB (argument graph) |
| IRM | 8ms | 25ms | ~15MB (embedding model) |
| MIRE | 1ms | 3ms | ~2MB (containment logic) |
| PASR | 4ms | 15ms | ~10MB (provenance DAG) |
Next Steps
- Detection Engines � Registered detection catalog including Lattice
- Lattice Deep Dive Tutorial � Hands-on examples
- Data Flow Diagrams � How primitives integrate with the pipeline