Patent-pending technology for real-time network threat detection using computer vision on edge hardware.
Traditional network intrusion detection systems (IDS) rely on signature matching — comparing packets against known attack patterns. This approach fails against novel attacks, zero-day exploits, and AI-generated attack chains. As autonomous AI systems like Anthropic's Claude Mythos Preview demonstrate the ability to discover and exploit vulnerabilities across every major operating system, signature-based detection becomes fundamentally insufficient.
NetworkVision converts raw network traffic into 2D images called Network Activity Images (NAIs), then applies YOLO-style object detection to identify and localize threats in real-time.
Each NAI is a multi-channel image where:
| Channel | Data | Purpose |
|---|---|---|
| 0 | Packet Size | Payload volume per flow |
| 1 | Packet Count | Activity density |
| 2 | Protocol | TCP/UDP/ICMP distribution |
| 3 | TCP Flags | Connection state patterns |
| 4 | Direction | Inbound vs outbound |
| 5 | Inter-Arrival Time | Timing patterns |
| 6 | Byte Ratio | Asymmetric transfer detection |
| 7 | Unique Dest Ports | Scan behavior |
| 8 | SYN/ACK Ratio | Connection anomalies |
| 9 | Connection Duration | Persistent vs ephemeral flows |
Rows represent flows (mapped via consistent hashing), columns represent time bins within a 30-second window. The result is a spatial representation where attack patterns form visually distinct signatures.
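The construction described above, as an added example that is not NetworkVision's own code: it fills three of the ten channels (packet size, packet count, unique destination ports) for one 30-second window. The 64-row image height, one-second time bins, the source/destination host pair as the flow key, and SHA-256 as the row hash are assumptions, since the page specifies none of them.

```python
import hashlib

ROWS, BINS, WINDOW_S = 64, 30, 30.0    # assumed image size: 64 flow rows x 30 one-second bins
CH_SIZE, CH_COUNT, CH_PORTS = 0, 1, 7  # channel indices from the table above

def flow_row(src, dst, rows=ROWS):
    """Stable row for a flow. Assumptions: the flow key is the (src, dst) host
    pair, and SHA-256 stands in for the page's unspecified hashing scheme."""
    digest = hashlib.sha256(f"{src}>{dst}".encode()).digest()
    return int.from_bytes(digest[:8], "big") % rows

def build_nai(packets, window_start):
    """Return {channel: ROWS x BINS grid} for packets inside one 30-second window."""
    nai = {ch: [[0] * BINS for _ in range(ROWS)] for ch in (CH_SIZE, CH_COUNT, CH_PORTS)}
    ports = {}  # (row, bin) -> set of destination ports seen in that cell
    for ts, src, dst, dport, size in packets:
        offset = ts - window_start
        if not 0 <= offset < WINDOW_S:
            continue  # packet belongs to another window
        row, col = flow_row(src, dst), int(offset * BINS / WINDOW_S)
        nai[CH_SIZE][row][col] += size
        nai[CH_COUNT][row][col] += 1
        ports.setdefault((row, col), set()).add(dport)
    for (row, col), seen in ports.items():
        nai[CH_PORTS][row][col] = len(seen)
    return nai

def constructed_sample():
    """Constructed traffic: one web session plus one host probing 20 ports per second."""
    web = [(t + 0.5, "10.0.0.5", "10.0.0.80", 443, 1200) for t in range(0, 30, 3)]
    scan = [(t + p / 100, "10.0.0.66", "10.0.0.9", 1000 + t * 20 + p, 60)
            for t in range(30) for p in range(20)]
    return web + scan + [(31.0, "10.0.0.5", "10.0.0.80", 443, 1200)]  # last one is outside the window

if __name__ == "__main__":
    nai = build_nai(constructed_sample(), window_start=0.0)
    for name, src, dst in (("web", "10.0.0.5", "10.0.0.80"), ("scan", "10.0.0.66", "10.0.0.9")):
        # Two flows can share a row when their hashes collide; values then add up.
        print(name, "unique dest ports per bin:", nai[CH_PORTS][flow_row(src, dst)])
```

In the constructed sample the scanning host fills its row of channel 7 with 20 in every time bin, while the web session shows 1 in every third bin, which is the "horizontal spread" the detection classes refer to.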
Stage 1 — Binary Classifier: Fast triage model determines if a NAI contains any threat. 83KB, 0.28ms inference on Coral Edge TPU.
Stage 2 — YOLO Localizer: If a threat is detected, the localizer identifies threat type and location within the NAI using bounding-box regression. 376KB, 0.21ms on Coral Edge TPU.
Combined inference: 0.49ms — enabling real-time detection at line rate on a $20 AI chip.
| Class | NAI Pattern | Description |
|---|---|---|
| Port Scan | Horizontal spread across many destination ports | Reconnaissance activity probing for open services |
| DoS/DDoS | Dense vertical bands from many sources | Volumetric or application-layer denial of service |
| Exploit | Concentrated bursts with unusual flag patterns | Active exploitation attempts |
| Web Attack | HTTP-port focused with asymmetric byte ratios | SQL injection, XSS, path traversal |
| Botnet/C2 | Periodic beacon patterns to external IPs | Command and control communication |
| Brute Force | Repeated connections to auth ports | Credential stuffing and password attacks |
| Benign | Normal traffic distribution | Legitimate network activity |
NetworkVision includes a proprietary auto-labeling system that generates training data continuously from live network traffic. Traditional signature-based IDS alerts are correlated with behavioral observations to produce labeled datasets — enabling a self-improving detection loop that adapts to new threat patterns over time.
This approach eliminates the need for manual labeling and allows the model to generalize beyond known signatures to detect novel attacks.
| Platform | Binary Classifier | YOLO Localizer | Combined | Power |
|---|---|---|---|---|
| Pi 5 CPU | 0.32ms | 0.70ms | 1.02ms | ~5W |
| Coral Edge TPU | 0.28ms | 0.21ms | 0.49ms | ~0.5W |
| Hailo-10H | 20 TOPS INT8 — multi-model capable | | | ~2.5W |
AI systems can now autonomously discover and exploit zero-day vulnerabilities. Every novel exploit generates unique byte-level signatures that evade traditional IDS. But the network behavior remains detectable:
• Reconnaissance still produces scan patterns
• Exploitation still requires packet delivery
• Lateral movement creates new internal flows
• C2 channels produce periodic beacons
• Exfiltration creates asymmetric byte ratios
NetworkVision detects these behavioral patterns regardless of the specific exploit, making it resilient to novel and AI-generated attacks.
Patent Pending · Provisional Filed April 2026 · 14 Claims · Micro Entity
For partnership inquiries: Partners@NetworkVision.org