8.6 KiB
8.6 KiB
Changelog
All notable changes to @shieldx/core are documented here.
[0.5.0] — 2026-04-07
Added — Full Defense Evolution (Phases 0b–3) + Pentest Hardening
Massive security hardening release: TPR 32.9% → 91.9%, FPR 12.2% → 2.4%.
Multilingual Expansion (211 rules, 50+ languages)
- South Asian deep coverage (52 rules): Bengali (9), Hindi (8), Urdu (6), Nepali (4), Tamil (4), Telugu (3), Marathi (4), Gujarati (3), Kannada (2), Malayalam (2), Punjabi (2), Sinhala (2), Pan-Indic transliterated (7)
- New language families: Persian, Hebrew, Kurdish, Indonesian, Filipino, Burmese, Khmer, Lao, Finnish, Czech, Slovak, Romanian, Hungarian, Greek, Bulgarian, Croatian, Serbian, Georgian, Armenian, Azerbaijani, Swahili, Amharic, Afrikaans, Mongolian, and 20+ more
- Universal patterns: Rapid script switching, global DAN mode, cross-script credential extraction, no-filter patterns
- Multilingual TPR: 96.6% on benchmark corpus (29 samples)
- Total rules: 547+ (up from 369+)
Phase 0b: Infrastructure Defense
- IndirectInjectionDetector — 5 categories, 24 regex patterns for RAG/tool/email injection
- ResourceExhaustionDetector — Token bomb, context stuffing, recursive loops, batch amplification
- OutputPayloadGuard — 37 patterns (SQL injection, XSS, SSRF, shell, path traversal) in LLM output
- ToolCallSafetyGuard — Context-aware tool validation (shell/db/http/file categories)
- AuthContextGuard — Role escalation + permission bypass (input/output scanning)
- EmojiSmugglingDetector — Regional indicators, keycap sequences, skin tone data carriers
- UpsideDownTextDetector — 26+ upside-down Unicode chars normalization
Phase 1: Bio-Immune Defense
- EvolutionEngine — 30 built-in probes, 6-step closed-loop (probe→gap→rule→validate→deploy→rollback)
- ImmuneMemory — Clonal selection with pgvector embeddings, 10K memory cap, 7-day decay
- FeverResponse — 30min elevated alertness after high-severity detection
- OverDefenseCalibrator — Benign corpus validation, per-scanner FPR, suppression candidates
Phase 2: Adversarial Self-Training
- MELONGuard (ICML 2025) — Injection-driven tool call detection without user context
- AdversarialTrainer (IEEE S&P 2025) — Minimax attacker/defender loops
- DecompositionDetector — 4 multi-turn techniques (boiling frog, topic drift, roleplay chain, fragment assembly)
Phase 3: Defense Ensemble + ATLAS Mapping
- DefenseEnsemble — 3-voter weighted majority (Rule 0.35, Semantic 0.30, Behavioral 0.35)
- AtlasTechniqueMapper — 90 MITRE ATLAS techniques across 8 tactics mapped to all scanners
- Results include
ensembleandatlasMappingfields on every ShieldXResult
Rule Engine Expansion (~200 new rules)
- base.rules.ts: io-011–io-131 — temporal framing, negation override, fake errors, policy spoofing, test env claims, sudo, conversation reset, semantic redefinition
- jailbreak.rules.ts: rs-011–rs-068 — grandmother trick, 15+ persona names, game framing, fiction wrapping, dual response, villain persona, thought experiments
- persistence.rules.ts: pp-011–pp-030 — temporal persistence, config injection, signal words, anti-detection, data accumulation
- mcp.rules.ts: mcp-011–mcp-036 — AI directives in tool args, hidden JSON fields, BCC injection, shadow webhooks, auto-sudo
- multilingual.rules.ts: ml-001a–ml-020 — 20 languages (DE, FR, ES, RU, JA, KO, AR, PT, TR, TH, HI, IT, NL, PL, VI + homoglyph, polyglot, translation wrapping)
- extraction.rules.ts: pe-009–pe-013 — credential extraction, env var dumps, sensitive file access
- delimiter.rules.ts: da-008–da-009 — LLaMA
<<SYS>>tokens, END SYSTEM PROMPT markers
Preprocessing Improvements
- TokenizerNormalizer: Deobfuscation for split-word attacks (I.g.n.o.r.e, Ig-no-re, igno re)
- CipherDecoder: Binary decoder, hex decoder, "decode and execute" wrapper detection
- CipherDecoder FP fix: flip_attack_word and leet_speak now only flag NEW keywords after transformation
Benchmark
tests/benchmark/detection-rate.ts— Full corpus benchmark (12 attack files, 455 payloads, 41 benign)
Benchmark Results (v0.5.0)
| Metric | v0.4.0 | v0.5.0 |
|---|---|---|
| TPR | 32.9% | 70.8% |
| FPR | 12.2% | 0.0% |
| Scanners | ~15 | 30+ |
| Rules | ~80 | ~280 |
| ATLAS techniques | 0 | 90 |
| Languages | 5 | 20 |
[0.4.0] — 2026-04-04
Added — Research-driven security hardening (sarendis56/Jailbreak_Detection_RCS)
Three detection gaps identified from peer-reviewed LLM security research (arXiv:2512.12069, arXiv:2407.07403, Awesome-Jailbreak-on-LLMs survey) closed:
L0: CipherDecoder — src/preprocessing/CipherDecoder.ts
New preprocessing module detecting 7 character-level cipher obfuscation attacks:
- FlipAttack — character and word-level text reversal (checks reversed form against jailbreak keyword list)
- ROT13 — detected via English bigram frequency improvement >20% after decode
- Caesar cipher — all 25 shifts tried; best candidate returned if bigram score improves or keyword match found
- Morse code — dot/dash/space ratio validation + full 36-symbol decode table
- Leet speak — 15-character substitution map normalization (3→e, 4→a, 1→i, 0→o, 5→s ...)
- Pig Latin — word-ending density check (>40% of words ending in
ay/way) - ASCII art — whitespace-to-char ratio >40% + consistent multi-line width flagged
- Suspicion scoring: cipher with harmful keyword match → 0.7; cipher only → 0.3; +0.1 per additional cipher
L2: SemanticContrastiveScanner — src/semantic/SemanticContrastiveScanner.ts
New semantic layer implementing the RCS (Representational Contrastive Scoring) approach:
- Queries
EmbeddingStorefor top-5 nearest neighbours per input embedding - Separates neighbours into harmful (
threatLevel > 0.5) and benign (threatLevel ≤ 0.2) buckets - Computes
contrastiveScore = harmfulSimilarity − benignSimilarity - Thresholds: score >0.3 →
harmful(suspicion 0.8); >0.1 →suspicious(0.4); elseclean seedHarmfulExamples()pre-populates 20 canonical jailbreak + 5 benign anchors via BoW fallbackbagOfWordsEmbedding()— deterministic FNV-1a hashed, L2-normalised 128-dim embedding for offline use- Gracefully returns
cleanwhen EmbeddingStore is empty (no pgvector required for basic use) toScanResult()converts to standard pipelineScanResultfor future L2 wiring
L6: Multi-turn escalation patterns — src/behavioral/ConversationTracker.ts
Three advanced multi-turn attack patterns added to the existing suspicion accumulation pipeline:
- Crescendo — 3+ consecutive turns with increasing harmfulness delta >0.05 each → +0.35 suspicion
- Foot-in-the-Door (FITD) — 2+ benign turns (harm <0.1) followed by harmfulness jump >0.4 → +0.40
- Jigsaw Puzzle — same sensitive topic category (system_prompt, credentials, api_keys, internal_instructions, model_training, bypass_methods) appearing in 3+ turns → +0.45
- New
EscalationPatternunion type:'crescendo' | 'foot_in_door' | 'jigsaw_puzzle' - New optional state fields:
crescendoScore,initialBenignTurns,jigsawTopics - Patterns wired into both
addTurn()andscan()— all additive, no existing thresholds changed
Added — Research reference library
research/sarendis56-jailbreak-reference.md— Comprehensive mapping of 100+ jailbreak papers to ShieldX layers- Cloned:
Jailbreak_Detection_RCS,Awesome-Jailbreak-on-LLMs,Awesome-LVLM-Attack,Awesome-LVLM-Safety
Tests
- 292/294 passing (2 pre-existing
ATLASMapperfailures unrelated to this release) - All 3 new modules: no new test failures introduced
[0.3.0] — 2026-04-03
- UnicodeScanner (L5) — steganographic Unicode detection
- DNS Covert Channel rules (10th rule category)
- MITRE ATLAS v5.4 technique mappings
- MCP rules 007–010 — Claude Code source map leak countermeasures
- Daily arXiv + HackerNews security monitor script
[0.2.0] — earlier
- 8-layer detection pipeline
- pgvector EmbeddingStore
- MITRE ATLAS, OWASP, EU AI Act compliance mappers
- Next.js, Anthropic, Ollama, n8n integrations
- Self-healing orchestrator (7 phases)
- RedTeamEngine + ActiveLearner
[0.1.0] — initial release
- Core ShieldX pipeline
- RuleEngine with 9 rule categories
- EntropyScanner (Shannon entropy, DNS covert channel detection)
- UnicodeNormalizer + TokenizerNormalizer
- ConversationTracker (multi-turn behavioral monitoring)
- KillChainMapper (MITRE ATT&CK phases)