-
Notifications
You must be signed in to change notification settings - Fork 0
System Architecture
KasinathCA edited this page Feb 21, 2026
·
1 revision
The Intent-Aware Security System is structured as a robust middleware layer positioned between the client interfaces and the core identity database. It operates on a microservice-inspired architecture using a centralized API gateway.
The system comprises three primary zones: the Frontend Client Layer, the Security Middleware (API Gateway), and the Data/Model persistence layer.
The core of the system is a high-performance, asynchronous REST API built using the FastAPI framework (app.py). It acts as a reverse proxy/validation gate for all incoming authentication requests.
-
Concurrency: Utilizes
asyncioanduvicornto handle high-throughput request validation without blocking the main event loop. -
State Management: Maintains a thread-safe, in-memory
ChallengeStorefor cryptographic nonces, utilizing mutex locks (threading.Lock) to prevent race conditions during rapid authentication attempts. -
Pipeline: Requests pass sequentially through two filters: the Cryptographic Verify Layer (ZKP) and the Behavioral Analysis Layer (ML). Failure at any layer results in an immediate
HTTP 403 Forbiddenrejection.
The client layer consists of isolated static modules served by the backend:
-
Government Portal (
static/portal/): Simulates a standard citizen-facing web application. Employs a dedicated WebCrypto API JavaScript client (zkp-client.js) and a background web worker (timer-worker.js) to generate ECDSA signatures securely within the local browser context. -
Hacker Console (
static/hacker/): An interactive command-line interface simulation for launching configurable automated attacks (brute force, scraping). -
Monitoring Dashboard (
static/dashboard/): A real-time telemetry interface employingChart.jsfor data visualization. It actively polls the API gateway to construct instantaneous visual representations of traffic volume, anomaly scatter plots, and threat assessments. -
Architecture Comparison (
static/compare/): An analytical User Interface that contrasts the vulnerabilities of legacy OTP infrastructure against the deterministic security of the ZKP implementation, specifically modeling SS7/SIM-swapping scenarios.
-
Synthetic Traffic Logs (
data/traffic_logs.csv): Generated prior to execution bygenerate_data.py, comprising randomized behavioral records spanning standard traffic and attack vectors. -
Pre-Trained ML Model (
data/model.pkl): The serialized Isolation Forest model, generated bytrain_model.py, loaded into memory upon initialization of the API gateway.
-
Initialization: The API Gateway starts and loads the
model.pklfile into RAM. It initiates a background asynchronous task to periodically prune expired cryptographic challenges. -
Registration: During the first access, the client generates an ECDSA keypair locally and registers the public key with the backend (
/zkp/register). The private key is strictly confined to local browser storage. -
Authentication Handshake:
- The client requests a challenge nonce from the backend.
- The client signs the traffic payload parameters and the designated nonce using its private key.
- The bundled request (Data + Signature + Challenge) is transmitted to the gateway.
-
Validation:
- Layer 1: The gateway verifies the signature mathematical integrity using the user's stored public key and instantly expires the challenge nonce to preclude replay attacks.
-
Layer 2: The traffic parameters (Rate, Time, Location, Payload size) are passed to the
IsolationForestpredicting agent. - An authorization decision (
ALLOWEDorBLOCKED) is computed, logged to the central telemetry queue, and returned to the client.