5-Rule Engine
The five complementary detection mechanisms
VaultDEC's detection system uses five complementary rules that analyze packet behavior patterns. Each rule examines a different dimension of upload traffic to distinguish legitimate network activity (TCP ACKs, DNS queries) from data exfiltration.
Design Philosophy
No single metric perfectly distinguishes legitimate traffic from exfiltration. Download-heavy backup sync generates acknowledgment packets that register as uploads. Software updates involve bidirectional traffic. A single threshold would either miss attacks or generate false positives.
The 5-Rule Engine solves this by examining traffic from five angles simultaneously. The active Detection Mode determines how many rules must trigger before VaultDEC takes action.
The Five Rules
Rule A: Large Packet Frequency
What it measures: The number of large upload packets (near MTU size, ~1400–1500 bytes) per second.
| Mode | Threshold |
|---|---|
| STANDARD | 100/s |
| STRICT | 75/s |
| VAULT | 50/s |
TCP acknowledgments are small — typically 52–66 bytes. DNS queries are small. Legitimate upstream traffic from a backup server consists almost entirely of these small packets.
Exfiltration requires moving actual file data, which means full-sized packets. A stream of large upload packets is one of the strongest exfiltration indicators because normal backup operations almost never produce them.
Rule B: Medium Packet Frequency
What it measures: The number of medium-sized upload packets (roughly 200–1399 bytes) per second.
| Mode | Threshold |
|---|---|
| STANDARD | 400/s |
| STRICT | 300/s |
| VAULT | 200/s |
Some exfiltration tools fragment data into smaller-than-MTU packets to evade large-packet detection. Rule B catches this by monitoring the middle band of packet sizes — too large to be ACKs, but deliberately kept below the MTU to avoid Rule A.
This rule and Rule A together cover the full spectrum of meaningful data transfer, regardless of how the attacker chooses to chunk their output.
Rule C: Cumulative Upload Volume
What it measures: Total bytes uploaded within a rolling measurement window.
| Mode | Threshold |
|---|---|
| STANDARD | 100 MB |
| STRICT | 75 MB |
| VAULT | 50 MB |
Rules A and B examine packet-level patterns. Rule C takes a step back and looks at aggregate volume. Even if an attacker keeps individual packet rates just below the per-second thresholds, the total volume of data moved will accumulate.
This is the "math doesn't lie" rule — regardless of how cleverly traffic is shaped, exfiltrating a meaningful amount of data requires moving a meaningful number of bytes.
Rule D: Idle Upload Detection
What it measures: Upload speed when no significant download activity is detected.
| Mode | Threshold |
|---|---|
| STANDARD | 5 Mbps |
| STRICT | 2 Mbps |
| VAULT | 1 Mbps |
During an active R2 sync, TCP ACKs generate legitimate upload traffic proportional to download speed. Rule D accounts for this by only evaluating upload speed during periods when the device is not actively downloading.
A backup server with no active downloads should have near-zero upload traffic. Any sustained upload during idle periods is inherently suspicious — there's no legitimate reason for a backup server to be pushing data out when it isn't pulling data in.
Rule E: Absolute Upload Ceiling
What it measures: Instantaneous upload speed regardless of other activity.
| Mode | Threshold |
|---|---|
| STANDARD | 50 Mbps |
| STRICT | 35 Mbps |
| VAULT | 25 Mbps |
This is the hard ceiling. No matter what else is happening on the network — active downloads, legitimate bidirectional traffic, software updates — upload speed should never reach these levels from a backup server.
Rule E exists as the last line of defense. If an attacker is exfiltrating at full speed and somehow evading the other four rules, this rule catches them purely on bandwidth. It requires no nuance or context — if upload speed hits the ceiling, the connection dies.
Rule Interaction
The rules work together, not independently. The active Detection Mode determines how many rules must agree before VaultDEC takes action:
- STANDARD — More rules must trigger before action. Prioritizes avoiding false positives. Best for environments with varied legitimate traffic patterns.
- STRICT — Moderate trigger threshold. Balanced between detection speed and false positive prevention.
- VAULT — Fewer rules need to trigger, with the tightest thresholds. Prioritizes speed of response. A false positive (briefly killing a legitimate connection) is preferable to a missed exfiltration attempt.
Logging
Every rule evaluation is logged in JSON Lines format:
```json
{
  "ts": "2026-02-17T10:30:15Z",
  "rules_triggered": ["A", "C"],
  "large_pkt_rate": 62,
  "med_pkt_rate": 185,
  "volume_mb": 58.3,
  "idle_up_mbps": 0.0,
  "upload_mbps": 45.2,
  "download_mbps": 112.8,
  "mode": "STRICT",
  "action": "AUDIT"
}
```
Log files are stored at /var/log/vaultguardian/ with automatic 180-day retention and daily rotation.
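The quorum logic from the Rule Interaction section and the log record above, as an added Python example (not VaultDEC's own code): one traffic sample is scored against all five rules for a chosen mode and turned into a JSON Lines record in the schema shown. The per-mode quorum, the download rate below which the link counts as idle for Rule D, and the `KILL` action name are assumptions, since the page does not state them.

```python
import json
from dataclasses import dataclass

# Per-mode thresholds from the tables above (A/B: pkt/s, C: MB per window, D/E: Mbps).
THRESHOLDS = {
    "STANDARD": {"A": 100, "B": 400, "C": 100, "D": 5, "E": 50},
    "STRICT":   {"A": 75,  "B": 300, "C": 75,  "D": 2, "E": 35},
    "VAULT":    {"A": 50,  "B": 200, "C": 50,  "D": 1, "E": 25},
}
# ASSUMED, not stated on the page: rules needed per mode, idle cutoff for Rule D, kill action name.
QUORUM = {"STANDARD": 3, "STRICT": 2, "VAULT": 1}
IDLE_DOWNLOAD_MBPS = 1.0

@dataclass
class Sample:
    ts: str
    large_pkt_rate: int   # near-MTU upload packets per second (Rule A)
    med_pkt_rate: int     # 200-1399 byte upload packets per second (Rule B)
    volume_mb: float      # MB uploaded in the rolling window (Rule C)
    upload_mbps: float    # instantaneous upload speed (Rules D and E)
    download_mbps: float  # decides whether the link is idle for Rule D

def evaluate(s: Sample, mode: str) -> list[str]:
    """Return the letters of the rules whose threshold this sample meets."""
    t, idle = THRESHOLDS[mode], s.download_mbps < IDLE_DOWNLOAD_MBPS
    hits = {
        "A": s.large_pkt_rate >= t["A"],
        "B": s.med_pkt_rate >= t["B"],
        "C": s.volume_mb >= t["C"],
        "D": idle and s.upload_mbps >= t["D"],  # judged only while not downloading
        "E": s.upload_mbps >= t["E"],
    }
    return [r for r, hit in hits.items() if hit]

def decide(s: Sample, mode: str) -> dict:
    """Apply the mode's quorum and build one record in the page's log schema."""
    triggered = evaluate(s, mode)
    # Rule E is the absolute ceiling: the connection dies when it fires, so no quorum applies.
    kill = "E" in triggered or len(triggered) >= QUORUM[mode]
    idle_up = s.upload_mbps if s.download_mbps < IDLE_DOWNLOAD_MBPS else 0.0
    return {
        "ts": s.ts, "rules_triggered": triggered,
        "large_pkt_rate": s.large_pkt_rate, "med_pkt_rate": s.med_pkt_rate,
        "volume_mb": s.volume_mb, "idle_up_mbps": idle_up, "upload_mbps": s.upload_mbps,
        "download_mbps": s.download_mbps, "mode": mode, "action": "KILL" if kill else "AUDIT",
    }

if __name__ == "__main__":
    # Constructed sample: a sustained push while the server is not downloading anything.
    print(json.dumps(decide(Sample("2026-02-17T11:02:00Z", 80, 50, 30.0, 12.0, 0.2), "STRICT")))
```

The same idle-period sample trips Rules A and D under STRICT but only D under STANDARD, which is the mode sensitivity the Rule Interaction section describes.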