Behavioral Cryptographic Attestation for Autonomous AI Agents
A technical overview of H7's architecture: five kernel detection channels, the .cal certificate design, its cryptographic properties, and its field-by-field mapping to DORA Art. 17, NIS2 Art. 21, and EU AI Act Art. 9.
1. The problem: AI agents operate below the visibility floor
Contemporary AI agent security operates at the inference layer: prompt injection filters, output classifiers, content moderation guardrails. These mechanisms share a structural blind spot: they cannot observe what an agent does at the operating system level, only what it says.
A compromised agent using living-off-the-land techniques — attaching to another process via ptrace, exfiltrating data through sendmsg, spawning a shell interpreter via execve — produces no application-layer error and no semantic signal that inference-layer tools can detect, and its outbound traffic need not look anomalous at the application layer either. The attack is structurally invisible to everything above the kernel.
For regulated financial entities subject to DORA Art. 17, this blind spot has a direct operational consequence: when an AI agent incident occurs, there is no artifact that satisfies the regulation's incident documentation requirements. Probabilistic detection scores are not DORA evidence. "Our model flagged unusual activity" is not a tamper-evident forensic record.
2. The architectural response: kernel-layer behavioral attestation
H7 operates at the Linux kernel syscall layer via eBPF probes attached to kernel tracepoints: execve for process execution, plus the sched_switch, connect, sendmsg and ptrace hooks used by the channels in section 3. The probe is a Rust no_std program: zero heap allocation, no kernel module, no OS dependency beyond the kernel itself. CPU overhead under sustained production load: under 0.4%.
At probe attachment, H7 begins a configurable baseline window (default: 30 seconds). During this window it constructs a behavioral fingerprint of the monitored agent namespace across five independent detection channels.
3. Five detection channels
Each channel operates independently. A detection on any single channel produces an alert and a signed certificate.
L1 — Scheduling-entropy drift detection. H7 models the expected distribution of kernel scheduling events (sched_switch) for the agent namespace during the baseline window. Post-baseline, a behavioral divergence measure is computed per batch of scheduling events. When the measure crosses the detection threshold, H7 raises a DRIFT_DETECTED event.
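As an added illustration (example code written for this page, not H7's implementation), the following Go program learns a baseline distribution of sched_switch events from a calibration batch and scores later batches against it. The page does not say which sched_switch attributes H7 models or which divergence measure it computes; this example assumes the switched-in task name as the attribute and uses the Jensen-Shannon divergence, which stays finite when a batch contains tasks the baseline never saw. The event batches and the 0.25 threshold are constructed for the example.

```go
package main

import (
	"fmt"
	"math"
)

// schedEvent carries the one sched_switch attribute this example models: the
// task being switched in. The page does not say which attributes H7 models;
// that choice and the Jensen-Shannon measure below are assumptions.
type schedEvent struct{ NextComm string }

// histogram turns a batch of events into a probability distribution over task names.
func histogram(events []schedEvent) map[string]float64 {
	h := map[string]float64{}
	for _, e := range events {
		h[e.NextComm]++
	}
	for k := range h {
		h[k] /= float64(len(events))
	}
	return h
}

// jsDivergence is the Jensen-Shannon divergence in bits between two
// distributions: 0 when identical, 1 when disjoint. Unlike KL divergence it
// stays finite when a batch contains tasks the baseline never saw, which is
// exactly the hijack case (new interpreters and tools appearing).
func jsDivergence(p, q map[string]float64) float64 {
	m := map[string]float64{} // the mixture (p+q)/2 over the union of keys
	for k, v := range p {
		m[k] += v / 2
	}
	for k, v := range q {
		m[k] += v / 2
	}
	kl := func(a map[string]float64) float64 { // KL(a || m)
		s := 0.0
		for k, v := range a {
			if v > 0 {
				s += v * math.Log2(v/m[k])
			}
		}
		return s
	}
	return (kl(p) + kl(q)) / 2
}

// driftDetector holds the distribution learned during the baseline window and
// the threshold at which DRIFT_DETECTED is raised.
type driftDetector struct {
	baseline  map[string]float64
	threshold float64
}

func newDriftDetector(baselineEvents []schedEvent, threshold float64) driftDetector {
	return driftDetector{baseline: histogram(baselineEvents), threshold: threshold}
}

// check scores one post-baseline batch and reports whether it crosses the threshold.
func (d driftDetector) check(batch []schedEvent) (divergence float64, drift bool) {
	divergence = jsDivergence(d.baseline, histogram(batch))
	return divergence, divergence >= d.threshold
}

// synth builds a batch from task-name counts; the batches below are constructed, not captured.
func synth(counts map[string]int) []schedEvent {
	var evs []schedEvent
	for comm, n := range counts {
		for i := 0; i < n; i++ {
			evs = append(evs, schedEvent{NextComm: comm})
		}
	}
	return evs
}

// Scenarios: the agent's normal mix of tasks during calibration, the same mix
// again later, and a batch where a spawned shell and curl dominate the CPU.
var (
	baselineBatch = synth(map[string]int{"agent": 60, "node": 30, "kworker/0:1": 10})
	normalBatch   = synth(map[string]int{"agent": 30, "node": 15, "kworker/0:1": 5})
	hijackBatch   = synth(map[string]int{"agent": 20, "bash": 40, "curl": 30, "node": 10})
)

func main() {
	d := newDriftDetector(baselineBatch, 0.25) // threshold is an example value
	for name, b := range map[string][]schedEvent{"normal": normalBatch, "hijack": hijackBatch} {
		div, drift := d.check(b)
		fmt.Printf("%-6s divergence=%.3f drift=%v\n", name, div, drift)
	}
}
```

The normal batch has the same task proportions as the baseline and scores exactly 0; the hijack batch, where two tasks the baseline never saw take 70% of the switches, scores about 0.51 bits. The threshold is the tuning knob: set it from the spread of divergence values observed across several clean batches after calibration, not from a single batch.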
L2 — Process-execution classification. When a process in the agent namespace spawns a shell or scripting interpreter (bash, sh, python) as a child, H7 classifies the execve event as LLM_AGENT_HIJACK. Such spawns are a frequent behavioral consequence of prompt injection: the agent was instructed to run an OS command it was not designed to run. The classification presumes the agent is not designed to spawn interpreters; an agent whose tools legitimately execute scripts will trigger this channel on normal use.
L3 — Structural process-causality analysis. H7 builds a causal graph of process relationships from the kernel event stream. Structural deviations from the baseline causal graph — unexpected directed cycles, unfamiliar call-graph patterns — are flagged independent of any individual syscall identity.
L4 — Network egress detection. H7 hooks sys_enter_connect and sys_enter_sendmsg for monitored namespaces. It monitors destination addresses against a configurable allowlist and detects egress call-rate bursts. Payload content, TLS handshakes, and DNS queries are not inspected.
L5 — Process-attach detection. H7 monitors for ptrace(ATTACH) and ptrace(SEIZE) operations targeting monitored agent processes. Any unexpected ptrace operation triggers an immediate PTRACE_ATTACH_DETECTED alert.
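To make the per-event logic of L2, L4 and L5 concrete, here is an added Go example (written for this page, not H7's code) that runs the three checks over a constructed event trace: a shell spawned under the agent namespace, a connect to a destination outside the allowlist, a PTRACE_ATTACH on the agent pid, and a burst of sendmsg calls to an allowed host. The event record layout, the interpreter list, the allowlist, the burst window and limit, and the EGRESS_UNKNOWN_DEST and EGRESS_BURST alert names are assumptions for the example; the page only names LLM_AGENT_HIJACK and PTRACE_ATTACH_DETECTED.

```go
package main

import "fmt"

// kernelEvent is a simplified record from the tracepoints the page lists; which
// fields are set depends on Syscall. The layout is constructed, not H7's format.
type kernelEvent struct {
	TsNs                int64
	Syscall             string // "execve" | "connect" | "sendmsg" | "ptrace"
	Pid, Ppid, Target   int    // Ppid: execve parent; Target: pid a ptrace call acts on
	Comm, Dest, Request string // execve basename; connect/sendmsg "ip:port"; ptrace request
}

type alert struct {
	Channel, Kind, Detail string
	TsNs                  int64
}

type monitor struct {
	agentPids               map[int]bool    // monitored namespace: root pid plus descendants
	interpreters, allowlist map[string]bool // L2 interpreter names; L4 permitted "ip:port"
	burstWindowNs           int64           // L4: sliding window for the egress rate check
	burstLimit              int             // L4: egress calls tolerated per window
	egress                  []int64         // L4: egress call timestamps inside the window
	alerts                  []alert
}

func newMonitor(rootPid int) *monitor {
	return &monitor{ // policy values are example choices; the page gives no defaults
		agentPids:     map[int]bool{rootPid: true},
		interpreters:  map[string]bool{"bash": true, "sh": true, "python": true, "python3": true},
		allowlist:     map[string]bool{"10.0.0.5:443": true},
		burstWindowNs: 1_000_000_000,
		burstLimit:    10,
	}
}

func (m *monitor) raise(channel, kind, detail string, ev kernelEvent) {
	m.alerts = append(m.alerts, alert{channel, kind, detail, ev.TsNs})
}

func (m *monitor) handle(ev kernelEvent) {
	switch ev.Syscall {
	case "execve":
		if m.agentPids[ev.Ppid] || m.agentPids[ev.Pid] {
			m.agentPids[ev.Pid] = true // descendants stay inside the namespace
			if m.interpreters[ev.Comm] {
				m.raise("L2", "LLM_AGENT_HIJACK", fmt.Sprintf("pid %d (parent %d) exec %s", ev.Pid, ev.Ppid, ev.Comm), ev)
			}
		}
	case "connect", "sendmsg":
		if !m.agentPids[ev.Pid] {
			return
		}
		if !m.allowlist[ev.Dest] { // L4 alert names are assumptions; the page does not list them
			m.raise("L4", "EGRESS_UNKNOWN_DEST", "destination "+ev.Dest, ev)
		}
		for len(m.egress) > 0 && m.egress[0] <= ev.TsNs-m.burstWindowNs { // events arrive in time order, so expire from the front
			m.egress = m.egress[1:]
		}
		m.egress = append(m.egress, ev.TsNs)
		if len(m.egress) > m.burstLimit {
			m.raise("L4", "EGRESS_BURST", fmt.Sprintf("%d egress calls within %d ms", len(m.egress), m.burstWindowNs/1e6), ev)
			m.egress = m.egress[:0] // restart the window so one burst raises once
		}
	case "ptrace":
		if (ev.Request == "PTRACE_ATTACH" || ev.Request == "PTRACE_SEIZE") && m.agentPids[ev.Target] {
			m.raise("L5", "PTRACE_ATTACH_DETECTED", fmt.Sprintf("pid %d %s on pid %d", ev.Pid, ev.Request, ev.Target), ev)
		}
	}
}

// sampleEvents is a constructed trace, not a capture: an allowed connection, a shell
// spawn, a connect to an unknown host, a debugger attach, then 12 sendmsg calls in 110 ms.
func sampleEvents() []kernelEvent {
	evs := []kernelEvent{
		{TsNs: 2e9, Syscall: "connect", Pid: 1000, Dest: "10.0.0.5:443"},
		{TsNs: 3e9, Syscall: "execve", Pid: 1002, Ppid: 1000, Comm: "bash"},
		{TsNs: 4e9, Syscall: "connect", Pid: 1002, Dest: "203.0.113.7:4444"},
		{TsNs: 5e9, Syscall: "ptrace", Pid: 2000, Request: "PTRACE_ATTACH", Target: 1000},
	}
	for i := int64(0); i < 12; i++ {
		evs = append(evs, kernelEvent{TsNs: 7e9 + i*10e6, Syscall: "sendmsg", Pid: 1000, Dest: "10.0.0.5:443"})
	}
	return evs
}

func run(events []kernelEvent) []alert {
	m := newMonitor(1000) // 1000 is the agent's root pid in the sample
	for _, ev := range events {
		m.handle(ev)
	}
	return m.alerts
}

func main() {
	for _, a := range run(sampleEvents()) {
		fmt.Printf("%s %-22s ts=%d %s\n", a.Channel, a.Kind, a.TsNs, a.Detail)
	}
}
```

Two details matter in practice. The namespace is tracked by following execve parentage, so the bash child and the connect it makes are both attributed to the agent; and the burst check rates every egress call from the namespace, including ones to allowed destinations, since exfiltration through a permitted host is exactly the case an allowlist alone misses.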
4. The .cal certificate: cryptographic properties
When a detection threshold is crossed on any channel, H7 emits a signed attestation certificate, the .cal file. The certificate is produced locally on the monitored host; no network call is made, and the Ed25519 private key never leaves the host. That placement fixes what the signature can prove: the certificate was produced by the holder of the host's key and has not been altered since, which is what makes the record tamper-evident in storage and in transit. It does not prove that the host was intact when the certificate was signed, so protecting the private key at rest on the host is part of the deployment's trust boundary.
The certificate body is a canonical JSON object (sorted keys, no whitespace) containing:
- agent_id: unique identifier of the monitored process namespace
- ts_ns: nanosecond-precision UTC timestamp of the detection event
- host: hostname of the machine running the H7 sensor
- channel: detection channel (L1–L5) that triggered the alert
- divergence: behavioral divergence measure at the time of the alert
- syscall_trace: kernel event sequence preceding the detection
- action: alert action (ALERT_EMITTED; containment is operator-initiated)
- signature: Ed25519 signature over the canonical encoding of the seven fields above, stored alongside them; it is not itself part of the signed bytes
The signature covers the entire canonical encoding, so a single flipped bit in any signed field invalidates it. A verifier must therefore re-derive exactly that encoding (signature field removed, keys sorted, no whitespace) before checking; verification requires only the published public key, as the demo kit's verify target shows.
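The signing and verification steps as an added Go example (written for this page; not the demo kit's verify target). It uses the standard library only: encoding/json marshals a map with sorted keys and no whitespace, which is the canonical form described above, and crypto/ed25519 with crypto/x509 produces the PKIX PEM public key. The field values are constructed, and the hex encoding of the signature and the PKIX PEM form of the key are assumptions about the .cal wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/hex"
	"encoding/json"
	"encoding/pem"
	"fmt"
)

// certBody holds the signed fields; encoding/json marshals a map with sorted keys and no whitespace.
type certBody map[string]interface{}
func canonical(body certBody) ([]byte, error) { return json.Marshal(body) }

// sign appends a hex-encoded Ed25519 signature over the canonical body. The
// signature field cannot cover itself, so verify strips it before checking.
func sign(priv ed25519.PrivateKey, body certBody) ([]byte, error) {
	msg, err := canonical(body)
	if err != nil {
		return nil, err
	}
	full := certBody{"signature": hex.EncodeToString(ed25519.Sign(priv, msg))}
	for k, v := range body {
		full[k] = v
	}
	return json.Marshal(full)
}

// publicKeyPEM is the PKIX PEM form of the key; for Ed25519 it is 113 bytes.
func publicKeyPEM(pub ed25519.PublicKey) []byte {
	der, err := x509.MarshalPKIXPublicKey(pub)
	check(err)
	return pem.EncodeToMemory(&pem.Block{Type: "PUBLIC KEY", Bytes: der})
}

// verify needs only the PEM public key. Numbers are decoded with UseNumber so ts_ns
// (an int64 beyond float64 precision) re-encodes byte for byte; as float64 it would not.
func verify(pubPEM, cert []byte) (bool, error) {
	block, _ := pem.Decode(pubPEM)
	if block == nil {
		return false, fmt.Errorf("not a PEM public key")
	}
	key, err := x509.ParsePKIXPublicKey(block.Bytes)
	pub, ok := key.(ed25519.PublicKey)
	if err != nil || !ok {
		return false, fmt.Errorf("not an Ed25519 public key: %v", err)
	}
	dec := json.NewDecoder(bytes.NewReader(cert))
	dec.UseNumber()
	var fields certBody
	if err := dec.Decode(&fields); err != nil {
		return false, err
	}
	sigHex, _ := fields["signature"].(string)
	sig, err := hex.DecodeString(sigHex)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false, fmt.Errorf("missing or malformed signature")
	}
	delete(fields, "signature") // re-derive exactly the bytes that were signed
	msg, err := canonical(fields)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(pub, msg, sig), nil
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// demo signs a constructed certificate, verifies it, edits one field value after
// signing and verifies again; it returns (valid, validAfterEdit, pemLen).
func demo() (bool, bool, int) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	pubPEM := publicKeyPEM(pub)
	body := certBody{ // constructed sample values, not a real H7 certificate
		"agent_id": "agent-ns-7f3a", "host": "build-runner-03", "channel": "L5",
		"ts_ns": int64(1718000000123456789), "divergence": 0.0, "action": "ALERT_EMITTED",
		"syscall_trace": []string{"execve(/usr/bin/gdb)", "ptrace(PTRACE_ATTACH, 4121)"},
	}
	cert, err := sign(priv, body)
	check(err)
	valid, err := verify(pubPEM, cert)
	check(err)
	edited := bytes.Replace(cert, []byte(`"ALERT_EMITTED"`), []byte(`"CONTAINED"`), 1)
	stillValid, err := verify(pubPEM, edited)
	check(err)
	return valid, stillValid, len(pubPEM)
}

func main() {
	fmt.Println(demo()) // prints: true false 113
}
```

The UseNumber step is the part most often got wrong when a verifier is written in another language: a JSON parser that turns ts_ns into a double loses the low digits, re-serializes a different number, and rejects a perfectly valid certificate. Any independent verifier must reproduce the canonical encoding bit for bit, including number formatting, before it can check the signature.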
```
$ make verify
[verify] signature: VALID ✓
[verify] No network required. ✓
```
5. Regulatory mapping
The same .cal certificate satisfies the documentary requirements of three regulatory frameworks without separate tooling or separate evidence trails.
DORA Art. 17 (ICT incident reporting). The certificate provides: incident timestamp (ts_ns), affected ICT asset (agent_id + host), detection mechanism (channel + divergence), full incident evidence chain (syscall_trace), actions taken (action), and cryptographic non-repudiation (signature).
NIS2 Art. 21 (supply-chain security). The certificate's agent_id maps to the third-party supply-chain component. Continuous behavioral baseline attestation per agent provides the monitoring evidence required by Art. 21.
EU AI Act Art. 9 (high-risk AI system risk management). The certificate provides a runtime audit trail that deployers of high-risk AI systems can use as evidence under Art. 9. It applies to AI agent deployers, not GPAI model providers.
6. Architecture invariants
Three properties hold by construction and are verifiable by anyone with the demo kit:
- Zero runtime network calls. After Ed25519 license token validation at startup, H7 makes no outbound connections. Verifiable with strace -e trace=network -p $(pgrep h7-sensor).
- All data on host. The kernel event stream, the behavioral baseline, and every .cal certificate remain on the monitored host. No telemetry is sent to Pulsaride infrastructure.
- Offline verification. .cal certificate verification requires only the published Ed25519 public key, a 113-byte PEM file. Disconnect the network and run make verify: it works identically.
7. Reproducing the detection
The H7 demo kit ships with attack scripts for L1 (scheduling entropy noise), L2 (shell spawn via injected tool call), L4 (unknown destination), and L5 (ptrace attach). Clone the kit and run the CI/CD compromise scenario:
```bash
git clone https://github.com/pulsaride/h7-demo-kit
cd h7-demo-kit
make setup && make calibrate && make up
make attack-vercel   # triggers L1 + L5 detection
make verify          # verifies the emitted .cal certificate
```
The demo kit runs on any Linux 5.8+ system with Docker. No cloud account, no signup, no Pulsaride infrastructure required.