
feat(qsecbit): add energy consumption-based anomaly detection#13

Merged
homepods merged 1 commit intomainfrom
claude/claude-md-miahmwz6nhoygwrc-01UzyA4GveNc26ZchFBQrb4o
Nov 23, 2025

Conversation

@homepods
Member

Add comprehensive energy monitoring system to Qsecbit that provides early warning of attacks by detecting anomalous power consumption patterns.

Key Features:

  • RAPL (Running Average Power Limit) energy counter integration for Intel CPUs
  • Per-PID CPU time tracking and power estimation from /proc/[pid]/stat
  • EWMA (Exponentially Weighted Moving Average) smoothing for baseline tracking
  • Z-score based spike detection (configurable threshold, default: 2.5 sigma)
  • Automatic detection of NIC interrupt-handling processes (irq/, ksoftirqd, napi/)
  • Automatic detection of XDP/eBPF related processes
  • Correlation of power spikes with network attacks and kernel exploits

Algorithm (7-step process):

  1. Read initial CPU time (/proc/stat) and RAPL energy counters
  2. Sleep for Δt (1-5 seconds)
  3. Read new CPU time and RAPL energy
  4. Compute per-PID CPU share and wattage estimation
  5. Build time-series of PID power consumption
  6. Apply EWMA smoothing and Z-score anomaly detection
  7. Alert on spikes in NIC/XDP processes, integrate with qsecbit RAG

Integration:

  • New 5th component in qsecbit score: energy_anomaly (15% weight)
  • Automatic weight redistribution when enabled (α=25%, β=25%, γ=20%, δ=15%, ε=15%)
  • Energy metadata stored in ClickHouse/Doris with additional columns:
    • energy_anomaly, package_watts, nic_processes_watts, xdp_processes_watts
    • has_energy_anomaly, nic_spike, xdp_spike flags

Use Cases:

  • DDoS attack detection: NIC interrupt handlers show power spikes during floods
  • Cryptomining malware: Abnormal process power consumption patterns
  • 0-day exploits: Unusual kernel/process behavior visible in power signatures
  • XDP/eBPF exploitation: Correlated power spikes in XDP driver processes

Configuration:

  • energy_monitoring_enabled: Enable/disable feature (default: False)
  • energy_spike_threshold: Z-score threshold (default: 2.5)
  • energy_ewma_alpha: EWMA smoothing factor (default: 0.3)
  • energy_baseline_window: Baseline sample window (default: 100)

Hardware Requirements:

  • Intel CPU with RAPL support (Core 6th gen+, Xeon Skylake+, Atom Goldmont+)
  • Fallback to CPU-time estimation if RAPL unavailable (AMD/ARM CPUs)

Documentation:

  • Comprehensive README section with examples, queries, and best practices
  • Database schema updates for ClickHouse and Doris
  • API reference for new EnergyMonitor class

This makes qsecbit even more competitive as a resilience metric by adding physical layer (energy consumption) visibility to complement existing statistical drift, ML predictions, classifier decay, and quantum drift components.


Add comprehensive energy monitoring system to Qsecbit that provides
early warning of attacks by detecting anomalous power consumption patterns.

Key Features:
- RAPL (Running Average Power Limit) energy counter integration for Intel CPUs
- Per-PID CPU time tracking and power estimation from /proc/[pid]/stat
- EWMA (Exponentially Weighted Moving Average) smoothing for baseline tracking
- Z-score based spike detection (configurable threshold, default: 2.5 sigma)
- Automatic detection of NIC interrupt-handling processes (irq/, ksoftirqd, napi/)
- Automatic detection of XDP/eBPF related processes
- Correlation of power spikes with network attacks and kernel exploits

Algorithm (7-step process):
1. Read initial CPU time (/proc/stat) and RAPL energy counters
2. Sleep for Δt (1-5 seconds)
3. Read new CPU time and RAPL energy
4. Compute per-PID CPU share and wattage estimation
5. Build time-series of PID power consumption
6. Apply EWMA smoothing and Z-score anomaly detection
7. Alert on spikes in NIC/XDP processes, integrate with qsecbit RAG

Integration:
- New 5th component in qsecbit score: energy_anomaly (15% weight)
- Automatic weight redistribution when enabled (α=25%, β=25%, γ=20%, δ=15%, ε=15%)
- Energy metadata stored in ClickHouse/Doris with additional columns:
  - energy_anomaly, package_watts, nic_processes_watts, xdp_processes_watts
  - has_energy_anomaly, nic_spike, xdp_spike flags

Use Cases:
- DDoS attack detection: NIC interrupt handlers show power spikes during floods
- Cryptomining malware: Abnormal process power consumption patterns
- 0-day exploits: Unusual kernel/process behavior visible in power signatures
- XDP/eBPF exploitation: Correlated power spikes in XDP driver processes

Configuration:
- energy_monitoring_enabled: Enable/disable feature (default: False)
- energy_spike_threshold: Z-score threshold (default: 2.5)
- energy_ewma_alpha: EWMA smoothing factor (default: 0.3)
- energy_baseline_window: Baseline sample window (default: 100)

Hardware Requirements:
- Intel CPU with RAPL support (Core 6th gen+, Xeon Skylake+, Atom Goldmont+)
- Fallback to CPU-time estimation if RAPL unavailable (AMD/ARM CPUs)

Documentation:
- Comprehensive README section with examples, queries, and best practices
- Database schema updates for ClickHouse and Doris
- API reference for new EnergyMonitor class

This makes qsecbit even more competitive as a resilience metric by adding
physical layer (energy consumption) visibility to complement existing
statistical drift, ML predictions, classifier decay, and quantum drift components.
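The pipeline described in the PR body and repeated in the commit message (steps 4 to 7: per-PID wattage from CPU share, EWMA baseline, Z-score spike detection, NIC/XDP roll-up into the ClickHouse columns), as an added example that is not the project's EnergyMonitor code. It uses the PR's defaults (alpha 0.3, threshold 2.5) and the NIC process names the PR lists; the XDP name pattern, the five-sample warm-up, the 50 mW noise floor, the RAPL wrap handling and the energy_anomaly scaling are assumptions, and the interval samples are constructed, not captured from a host.

```python
"""Illustrative EWMA/Z-score power-spike detector (added example, not qsecbit's own code)."""
import math
import re
from dataclasses import dataclass

NIC_RE = re.compile(r"^(irq/|ksoftirqd|napi/)")  # NIC interrupt-handling names from the PR
XDP_RE = re.compile(r"xdp|bpf", re.IGNORECASE)   # assumption: how XDP/eBPF helpers are named


def classify(comm: str) -> str:
    """Bucket a process by its /proc/[pid]/comm name: nic, xdp or other."""
    if NIC_RE.search(comm):
        return "nic"
    if XDP_RE.search(comm):
        return "xdp"
    return "other"


def rapl_watts(prev_uj: int, cur_uj: int, dt_s: float, max_range_uj: int) -> float:
    """Package power from two reads of energy_uj; assumption: counter wraps past max_range_uj."""
    delta = cur_uj - prev_uj
    if delta < 0:
        delta += max_range_uj + 1
    return delta / 1e6 / dt_s


def pid_watts(package_watts: float, pid_ticks: int, total_ticks: int) -> float:
    """Step 4: attribute package power to a PID by its share of CPU ticks in the interval."""
    return package_watts * pid_ticks / total_ticks if total_ticks > 0 else 0.0


@dataclass
class EwmaBaseline:
    """Steps 5-6: EWMA mean/variance of one PID's power and the Z-score of each new sample."""
    alpha: float = 0.3      # energy_ewma_alpha default from the PR
    threshold: float = 2.5  # energy_spike_threshold default from the PR
    warmup: int = 5         # assumption: samples to collect before alerting
    floor_w: float = 0.05   # assumption: treat std below 50 mW as noise
    mean: float = 0.0
    var: float = 0.0
    n: int = 0

    def update(self, x: float):
        """Score x against the current baseline, then fold it in. Returns (z, spike)."""
        self.n += 1
        if self.n == 1:
            self.mean = x
            return 0.0, False
        diff = x - self.mean
        z = diff / max(math.sqrt(self.var), self.floor_w)
        spike = self.n > self.warmup and z > self.threshold  # only upward spikes are attacks
        incr = self.alpha * diff
        self.mean += incr
        self.var = (1.0 - self.alpha) * (self.var + diff * incr)  # EWMA variance update
        return z, spike


class EnergyAnomalyDetector:
    """Step 7: one row per interval, shaped like the PR's energy columns."""

    def __init__(self, alpha: float = 0.3, threshold: float = 2.5):
        self.alpha, self.threshold = alpha, threshold
        self.baselines = {}  # (pid, comm) -> EwmaBaseline

    def observe(self, package_watts: float, total_ticks: int, pid_ticks: dict) -> dict:
        """pid_ticks maps (pid, comm) to CPU ticks consumed during the interval."""
        row = {"package_watts": package_watts, "nic_processes_watts": 0.0,
               "xdp_processes_watts": 0.0, "nic_spike": False, "xdp_spike": False}
        max_z, any_spike = 0.0, False
        for key, ticks in pid_ticks.items():
            w = pid_watts(package_watts, ticks, total_ticks)
            base = self.baselines.setdefault(key, EwmaBaseline(self.alpha, self.threshold))
            z, spike = base.update(w)
            max_z, any_spike = max(max_z, z), any_spike or spike
            kind = classify(key[1])
            if kind != "other":
                row[f"{kind}_processes_watts"] += w
                row[f"{kind}_spike"] = row[f"{kind}_spike"] or spike
        # Forget PIDs that exited so a reused PID does not inherit a stale baseline.
        for key in [k for k in self.baselines if k not in pid_ticks]:
            del self.baselines[key]
        row["has_energy_anomaly"] = any_spike  # assumption: any PID spike counts
        row["energy_anomaly"] = min(1.0, max_z / (2 * self.threshold))  # assumption: saturates at 2x threshold
        return row


def constructed_samples():
    """Constructed input: 4 CPUs at 100 Hz over 1 s (400 ticks), 20 W package.
    ksoftirqd/0 idles near 5% CPU for ten intervals, then a flood pushes it to 60%."""
    idle = [20, 21, 19, 20, 22, 18, 20, 21, 19, 20]
    return [(20.0, 400, {(12, "ksoftirqd/0"): t, (1000, "nginx"): 40}) for t in idle + [240]]


def run(samples=None):
    det = EnergyAnomalyDetector()
    return [det.observe(*s) for s in (samples or constructed_samples())]


if __name__ == "__main__":
    for i, row in enumerate(run()):
        print(i, row)
```

On a real host the two inputs would come from /sys/class/powercap/intel-rapl:0/energy_uj (or the CPU-time fallback the PR mentions when RAPL is absent) and from the utime+stime fields of /proc/[pid]/stat read before and after the sleep; only the ratio of per-PID to total ticks reaches the detector, which is why the attribution is a share rather than an absolute measurement.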
@homepods homepods merged commit 7bc5fb8 into main Nov 23, 2025
2 of 4 checks passed