AI Guard
The AI tab houses Tetherand's defenses against AI-era threats — the class of attacks that scaled massively after the 2024 capability boom in generative models. Every defense here is constructed in two layers:
- A deterministic primary — a rule, threshold, or heuristic that always applies. This is the load-bearing part. It functions correctly without any model present.
- A contributory classifier — an on-device model that refines the primary's verdict and catches novel patterns. This is the advisory part. It can never trigger a destructive action on its own.
This separation is non-negotiable. It exists so the app's behaviour is always auditable: every actionable decision is traceable to a rule, not a black-box model.
Every AI inference runs on the Seeker's MediaTek NPU via LiteRT (formerly TensorFlow Lite) plus the NNAPI delegate. No prompt, classification, or telemetry ever reaches a cloud LLM API under any circumstances. This is enforced by the egress-LLM-API watch defense, which surfaces any other app that violates it.
| Defense | What the rule does |
|---|---|
| Prompt-injection clipboard scrubber | Watches clipboard changes for known injection scaffolds (Ignore-previous-instructions, chat-template markers, common jailbreak prefixes). Surfaces a high-severity alert; does not auto-clear. |
| Phishing message scorer | Four-axis classifier (urgency, authority, financial-ask, URL look-alike). Two or more axes scoring high yields a High verdict. Catches typo-squat domains with a small Levenshtein-distance check and a cheap IDN-homoglyph swap. |
| Pseudo-perplexity AI-text badge | Four signals (average word length, function-word density, colloquial markers, punctuation density) combine into a heuristic "this looks AI-generated" score. Inspired by the Binoculars approach but uses no neural component. |
| Provenance check | Scans inbound images and video for C2PA / SynthID / Content Credentials markers. Surfaces Genuine / Synthetic / Unknown verdicts using a Boyer-Moore-Horspool needle scan over the raw bytes. |
| Egress LLM-API SNI watch | A rule-only watchlist of cloud LLM API hostnames (18 exact, 10 suffix-matched). Surfaces any app on the device that talks to one of these. |
| MTK NPU sysfs watcher | Polls /sys/devices/platform/mtk_apu and similar paths for NPU activity. A background app using the NPU is a red flag — covert local-model inference is a real threat. |
| Voiceprint vault + safe-word handshake | Trusted-contact registry stored encrypted at rest. The "verify caller" flow uses a pre-agreed safe word, hashed with SHA-256, as the verification step. The voiceprint corroboration adds an extra signal once voiceguard-v1 is loaded. |
| HIBP OSINT exposure | Have-I-Been-Pwned password check using the k-anonymity range API — only the first five characters of the SHA-1 of the password leave the device. Opt-in. |
| Conference field guide | Static catalogue of eight AI-era attacker tactics relevant to DEFCON 34. Updated through whatever privacy chain is active. |
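The phishing scorer row above describes a rule that is easy to state but worth seeing end to end. The following Python is an added illustration, not Tetherand's code: the four axes are keyword lexicons (the app's real lexicons and trusted-domain list are not on the page and the ones here are constructed), the typo-squat check is a plain Levenshtein distance capped at two edits, and the homoglyph swap folds a handful of Cyrillic/Greek letters and ASCII confusables onto the Latin letters they imitate. The page only specifies that two or more high axes give a High verdict; labelling everything else "Low" is this example's choice.

```python
import re
import unicodedata

# Constructed demo data: the app's real lexicons and trusted-domain list are not on the page.
TRUSTED_DOMAINS = {"example.com", "tetherand.dev"}
URGENCY = ("urgent", "immediately", "within 24 hours", "expires today", "act now")
AUTHORITY = ("security team", "it department", "account services", "the ceo", "compliance")
FINANCIAL = ("wire transfer", "gift card", "invoice", "payment", "verify your account", "bank details")

# Cheap IDN-homoglyph swap: a few Cyrillic/Greek letters and ASCII confusables folded
# onto the Latin letter they imitate. Deliberately small; not a full confusables table.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0455": "s", "\u0456": "i", "\u0445": "x", "\u03b1": "a", "\u03bf": "o",
    "0": "o", "1": "l",
})

URL_RE = re.compile(r"https?://([^\s/?#]+)", re.IGNORECASE)


def levenshtein(a: str, b: str) -> int:
    """Edit distance with a single rolling row; hostnames are short, so the quadratic cost is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_host(host: str) -> str:
    """Lowercase, strip any port, decode punycode labels, NFKC-normalise, then swap homoglyphs."""
    host = host.lower().split(":")[0]
    try:
        host = host.encode("ascii").decode("idna")  # xn-- labels back to their Unicode form
    except UnicodeError:
        pass  # already non-ASCII, or malformed: fold it as-is
    return unicodedata.normalize("NFKC", host).translate(HOMOGLYPHS)


def lookalike_of(host: str):
    """Return the trusted domain `host` imitates, or None when it is trusted or unrelated."""
    raw = host.lower().split(":")[0]
    if raw in TRUSTED_DOMAINS:
        return None
    folded = fold_host(host)
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted:
            return trusted  # identical once homoglyphs/punycode are folded away
        if 0 < levenshtein(folded, trusted) <= 2:
            return trusted  # typo-squat within two edits
    return None


def score_message(text: str) -> dict:
    """Four-axis verdict: two or more high axes -> High (the page's rule); 'Low' otherwise is this demo's label."""
    low = text.lower()
    hosts = URL_RE.findall(text)
    axes = {
        "urgency": any(k in low for k in URGENCY),
        "authority": any(k in low for k in AUTHORITY),
        "financial_ask": any(k in low for k in FINANCIAL),
        "url_lookalike": any(lookalike_of(h) for h in hosts),
    }
    return {"verdict": "High" if sum(axes.values()) >= 2 else "Low", "axes": axes, "hosts": hosts}


if __name__ == "__main__":
    lure = ("URGENT: the security team needs you to verify your account within 24 hours "
            "at http://examp1e.com/login")
    print(score_message(lure))
```

The look-alike check compares whole hostnames, so `login.example.com` is neither trusted nor flagged; a production rule would compare registrable domains instead. Mapping the digits 0 and 1 is what makes the swap "cheap" and is also its main false-positive source, which is why the row above is only one of four axes.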
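The HIBP row states the privacy property a practitioner should verify: only the first five hex characters of the password's SHA-1 leave the device, and the match against the returned range is done locally. The Python below is an added example, not Tetherand's implementation; it builds the request URL for the documented `api.pwnedpasswords.com/range/` endpoint but never contacts it, and instead matches against a constructed response body in the service's `SUFFIX:COUNT` line format with made-up counts.

```python
import hashlib

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # documented endpoint; not contacted here


def sha1_upper_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str) -> tuple:
    """Only the 5-hex-char prefix is ever sent; the 35-char suffix stays on the device."""
    digest = sha1_upper_hex(password)
    return digest[:5], digest[5:]


def range_request_url(password: str) -> str:
    """The only thing that would go over the wire: the 5-character prefix."""
    prefix, _ = split_for_range_query(password)
    assert len(prefix) == 5
    return HIBP_RANGE_URL + prefix


def count_from_range_body(suffix: str, body: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) locally for our suffix; 0 means not found."""
    suffix = suffix.upper()
    for line in body.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def exposure_verdict(password: str, body: str) -> dict:
    prefix, suffix = split_for_range_query(password)
    n = count_from_range_body(suffix, body)
    return {"sent_prefix": prefix, "breach_count": n, "exposed": n > 0}


# Constructed sample body for prefix 5BAA6 (the SHA-1 of "password" starts with 5BAA6).
# The counts are made up; a real response holds hundreds of lines for the prefix.
SAMPLE_RANGE_BODY = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234
1E5A7C0B4F5A8A3A9A6B1C2D3E4F5A6B7C8:0
"""

if __name__ == "__main__":
    print(range_request_url("password"))
    print(exposure_verdict("password", SAMPLE_RANGE_BODY))
```

A real client fetches the body for its own prefix and should request padding so that response size does not reveal how many suffixes share the prefix; the k-anonymity comes from the server seeing only the prefix, which thousands of unrelated passwords share.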
A small ensemble of locally-running models, all INT4-quantised, all running on the Seeker's NPU via LiteRT:
| Model | Job | Approximate size | Approximate latency |
|---|---|---|---|
| phi-tetherand-3b-q4 | Phishing / social-engineering / prompt-injection classification on inbound messages | ~1.8 GB | ~120 ms / message |
| voiceguard-v1 | Speech-synthesis detection on inbound call audio | ~30 MB | ~40 ms / second of audio |
| textguard-v1 | LLM-generated text detection (Binoculars-style ensemble) | ~20 MB | ~60 ms / message |
| qrguard-v1 | Adversarial QR / image lure detection | ~8 MB | ~30 ms / image |
The four-model bundle (~2.4 GB compressed) is not included in the v0.1 APK. It ships separately through the in-app delta-update path, delivered over the active privacy chain only, signed against a cosign public key pinned in the APK. Until then the AI tab shows "Not bundled — deterministic core in effect" for each row, and the deterministic primaries handle every decision.
The top of the page shows a models X/Y counter — how many of the four contributory models are loaded.
The middle section lists deterministic primaries, each with a green-dot indicator confirming it is engaged.
The bottom of the page surfaces user-facing tools:
- Egress LLM-API scan — paste any DNS-query log you have (from AdGuard, PCAPdroid, etc) and the watchlist flags every hit.
- Verify-caller handshake — register a phone number with a safe-word hash; when you suspect a deepfake call, use the safe word to cross-verify.
- OSINT exposure — opt-in HIBP password check.
- Field guide — current AI-era attacker tactics.
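The egress LLM-API scan tool takes a pasted DNS-query log and flags every watchlist hit. The Python below is an added example of that rule-only matching, not Tetherand's code: the page gives the watchlist's size (18 exact, 10 suffix-matched) but not its hostnames, so the entries here are constructed, as is the log, which uses a simple `timestamp app qname` layout; AdGuard, PCAPdroid and similar exporters have their own formats, so `parse_line()` is the part to adapt.

```python
import re
from collections import defaultdict

# Constructed watchlist for the demo; the real entries are not on the page.
EXACT_HOSTS = {"api.llm-example.com", "inference.model-host.example"}
SUFFIX_HOSTS = {".llm-example.net", ".ai-gateway.example"}

# Constructed log export: "<timestamp> <app package> <queried name>" per line.
SAMPLE_LOG = """\
2025-06-01T10:00:01Z com.example.notes api.llm-example.com
2025-06-01T10:00:02Z com.example.weather cdn.weather.example
2025-06-01T10:00:03Z com.example.keyboard eu.llm-example.net
2025-06-01T10:00:04Z com.example.notes llm-example.com
2025-06-01T10:00:05Z com.example.game telemetry.ai-gateway.example.
# comment lines and blank lines are skipped

"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<app>\S+)\s+(?P<qname>\S+)\s*$")


def normalise_qname(qname: str) -> str:
    """DNS names are case-insensitive and exporters sometimes keep the trailing root dot."""
    return qname.lower().rstrip(".")


def match_watchlist(qname: str):
    """Return ('exact', host) or ('suffix', pattern) for a hit, else None."""
    q = normalise_qname(qname)
    if q in EXACT_HOSTS:
        return ("exact", q)
    for pattern in SUFFIX_HOSTS:
        if q.endswith(pattern):  # leading dot: matches subdomains, not look-alike apexes
            return ("suffix", pattern)
    return None


def parse_line(line: str):
    """Split one constructed-format line into (app, qname); None for blanks, comments, junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = LINE_RE.match(line)
    return (m["app"], m["qname"]) if m else None


def scan_log(text: str) -> dict:
    """Map each offending app to its list of (qname, kind, rule) hits, in log order."""
    hits = defaultdict(list)
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        app, qname = parsed
        hit = match_watchlist(qname)
        if hit:
            hits[app].append((normalise_qname(qname), *hit))
    return dict(hits)


if __name__ == "__main__":
    for app, app_hits in scan_log(SAMPLE_LOG).items():
        print(app, app_hits)
```

Note the fourth log line: the bare apex `llm-example.com` is not flagged, because the suffix pattern carries a leading dot and the apex is not on the exact list. That is the intended behaviour of a two-list design (exact names for apexes and well-known endpoints, dotted suffixes for their subdomains), and it is why a missing apex entry shows up as a silent miss rather than a false positive.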