Guard at the Gate: An Adaptive Intrusion Prevention System in Rust with Vector-Database Driven
This talk presents a Rust-native IPS with an eight-stage real-time pipeline: async log ingestion from multiple services, 1000+ compiled attack signatures, vector similarity search via a custom Rust vector database with per-class cosine similarity thresholds for adjustable sensitivity, threat scoring with progressive blocking, nftables kernel hash sets for O(1) enforcement, async attacker intelligence gathering, SQLite persistence with SIEM export, and automated cleanup.
The key innovation is the offline learning loop: log files are periodically analyzed to identify attacks that were missed by the real-time pipeline. Missed attacks are vectorized and embedded into the vector database, improving future detection without manual rule writing. This deliberate separation—learning offline, detecting in real time—prevents vector poisoning while letting the system get smarter from every attack it fails to catch.
We’ll walk through the pipeline architecture, the vector database integration, sensitivity tuning, the learning loop, and a live demo showing real-time detection, sensitivity adjustment, and a missed attack being learned then caught on replay. Attendees leave with Rust patterns for adaptive systems (RAII for firewall rules, trait-based vectorization, Tokio+Rayon parallelism, feature flags) and two open-source projects they can deploy.
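An added example, not the speaker's code or either open-source project: a trait-based vectorizer feeding a per-class cosine-similarity lookup, where each attack class carries its own threshold so sensitivity can be tightened or loosened per class. The hashed-trigram vectorizer, the class names and the sample log lines are all constructed for illustration.

```rust
use std::collections::HashMap;

/// Trait-based vectorization: any log source can plug in its own embedding.
pub trait Vectorize {
    fn vectorize(&self, input: &str) -> Vec<f32>;
}

/// Assumed toy embedding: bag of hashed byte trigrams (not the talk's method).
pub struct TrigramHasher { pub dims: usize }

impl Vectorize for TrigramHasher {
    fn vectorize(&self, input: &str) -> Vec<f32> {
        let mut v = vec![0.0; self.dims];
        for w in input.as_bytes().windows(3) {
            let mut h: u64 = 0xcbf29ce484222325; // FNV-1a, bucketed into dims
            for b in w { h ^= *b as u64; h = h.wrapping_mul(0x100000001b3); }
            v[(h % self.dims as u64) as usize] += 1.0;
        }
        v
    }
}

pub fn cosine(a: &[f32], b: &[f32]) -> f32 {
    let dot: f32 = a.iter().zip(b).map(|(x, y)| x * y).sum();
    let na = a.iter().map(|x| x * x).sum::<f32>().sqrt();
    let nb = b.iter().map(|x| x * x).sum::<f32>().sqrt();
    if na == 0.0 || nb == 0.0 { 0.0 } else { dot / (na * nb) }
}

pub struct Example { pub class: &'static str, pub vec: Vec<f32> }

/// Learned attack vectors plus one similarity threshold per class.
pub struct VectorStore {
    pub examples: Vec<Example>,
    pub thresholds: HashMap<&'static str, f32>,
}

impl VectorStore {
    /// Best-scoring class whose score clears that class's own threshold.
    /// A class with no configured threshold defaults to 1.0 (exact match only).
    pub fn classify(&self, query: &[f32]) -> Option<(&'static str, f32)> {
        self.examples.iter()
            .map(|e| (e.class, cosine(query, &e.vec)))
            .filter(|(c, s)| *s >= *self.thresholds.get(c).unwrap_or(&1.0))
            .max_by(|a, b| a.1.partial_cmp(&b.1).unwrap())
    }
}

/// Constructed sample store: two learned lines, stricter threshold for traversal.
pub fn sample_store() -> (TrigramHasher, VectorStore) {
    let h = TrigramHasher { dims: 512 };
    let examples = vec![
        Example { class: "sqli", vec: h.vectorize("GET /login?user=admin' OR '1'='1") },
        Example { class: "path_traversal", vec: h.vectorize("GET /../../../../etc/passwd") },
    ];
    let thresholds = HashMap::from([("sqli", 0.6), ("path_traversal", 0.8)]);
    (h, VectorStore { examples, thresholds })
}
```

Raising a class's threshold in `thresholds` makes that class stricter without touching the others, which is the per-class sensitivity knob the abstract describes.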
40 minute talk.
TV host (TVLinux, China America Bridge) 5 years, other conferences