The Lattice Agent

Purpose. A lightweight background executable that runs on workstations, servers, and ephemeral cloud nodes. It learns local baselines, detects anomalies, and can contain suspicious activity before it propagates.

Design goals

• Low friction: ~1–3% CPU during active analysis bursts; idle footprint targeted to be negligible.

• Portable: Windows (service), Linux (systemd), macOS (launch daemon). Container sidecar for CI/CD runners.

• Self-protections: signed binaries, ASLR/DEP hardening, secure update channel, rollback on failure.

What it observes (privacy-minimized)

• Process graph: parent/child relationships, token use, privilege escalation attempts.

• Network flows: destination tuples, TLS SNI, egress patterns (no payload inspection by default).

• File integrity: hash diffs for sensitive paths, unusual encryption bursts, mass rename/delete.

• User signals: off-hours logons, anomalous geo/IP, abnormal MFA prompts.

• DevOps hooks (optional): git client actions, build step scripts, package manager anomalies.

Local actions

• Soft isolate: kill process / block domain / restrict interface; expire automatically if cleared.

• Forensics capsule: short-lived, encrypted artifact (proc tree, hashes, flow summary).

• Explainability stub: why the agent acted (features + thresholds) for analyst review.

Event shape (agent → AI)

{
  "eid": "c9b3…",
  "ts": "2025-03-21T11:24:31Z",
  "host": {"id":"DESK-7821","os":"win","ver":"24H2"},
  "signal": {
    "kind": "proc.spawn",
    "parent": "powershell.exe",
    "child": "rclone.exe",
    "args": "--drive service_account.json"
  },
  "net": {"dst_ip":"203.0.113.26","dst_port":443,"sni":"undisclosed.cloud"},
  "risk": {"local_score":0.72,"action":"soft_isolate"},
  "proof": {"hmac":"6f2a…","nonce":"b1a…"}   // protects integrity before uplink
}

Why this matters The agent converts noisy telemetry into compact, privacy-respecting signals and—when necessary—buys time by containing threats locally while higher layers verify and coordinate a response.