Lab 20: Capstone — Enterprise AI Security Platform

Time: 50 minutes | Level: Architect | Docker: docker run -it --rm zchencow/innozverse-ai:latest bash

Overview

This capstone synthesizes every concept from the Architect series into a single, deployable Enterprise AI Security Platform. You'll design and implement all six pillars: a production ML threat detection pipeline, an LLM-powered analyst assistant with RAG, an automated response agent, a bias/fairness audit, EU AI Act compliance scoring, and a cost model — then verify the entire system end-to-end in Docker.

What you'll build:

Threat Detection ML Pipeline (streaming → ensemble → SIEM alert)
LLM Analyst Assistant (TF-IDF RAG over threat intelligence)
Automated Response Agent (decision tree + tool calls)
Bias/Fairness Audit (disparate impact analysis)
EU AI Act Compliance Checklist (risk tier classification)
Cost Model ($M/year TCO calculation)

Platform Architecture

┌──────────────────────────────────────────────────────────────────┐
│           Enterprise AI Security Platform                         │
│                                                                    │
│  ┌─────────────────────────────────────────────────────────────┐ │
│  │  INGESTION LAYER                                             │ │
│  │  Kafka Streams → Feature Engineering → Feature Store        │ │
│  └──────────────────────┬──────────────────────────────────────┘ │
│                          │                                         │
│  ┌───────────────────────▼──────────────────────────────────────┐ │
│  │  ML DETECTION LAYER                                          │ │
│  │  RandomForest Ensemble → Threat Score → SIEM Alert API      │ │
│  └──────────────────────┬──────────────────────────────────────┘ │
│                          │                                         │
│  ┌───────────────────────▼──────────────────────────────────────┐ │
│  │  ANALYST ASSISTANT (RAG)                                     │ │
│  │  TF-IDF Index → Cosine Similarity → Context-Grounded Reply  │ │
│  └──────────────────────┬──────────────────────────────────────┘ │
│                          │                                         │
│  ┌───────────────────────▼──────────────────────────────────────┐ │
│  │  AUTOMATED RESPONSE AGENT                                    │ │
│  │  Decision Tree → Tool Calls → Playbook Execution            │ │
│  └──────────────────────┬──────────────────────────────────────┘ │
│                          │                                         │
│  ┌───────────────────────▼──────────────────────────────────────┐ │
│  │  GOVERNANCE LAYER                                            │ │
│  │  Bias Audit │ EU AI Act Compliance │ Cost Model             │ │
│  └─────────────────────────────────────────────────────────────┘ │
└──────────────────────────────────────────────────────────────────┘

Step 1: Threat Detection ML Pipeline

The core detection engine ingests streaming security events, engineers features, and runs a RandomForest ensemble to produce calibrated threat scores.

import numpy as np
import warnings
warnings.filterwarnings('ignore')
from sklearn.ensemble import RandomForestClassifier, GradientBoostingClassifier
from sklearn.linear_model import LogisticRegression
from sklearn.model_selection import train_test_split, cross_val_score
from sklearn.preprocessing import StandardScaler
from sklearn.pipeline import Pipeline

np.random.seed(42)

# ── Feature Engineering ──────────────────────────────────────────
def engineer_features(raw_events):
    """
    Transform raw SIEM events into ML feature vectors.
    
    Features: [login_hour, bytes_transferred, failed_logins,
               lateral_movement, unique_ips, session_duration_min]
    """
    return raw_events  # Already engineered in this simulation

# ── Generate Training Dataset ────────────────────────────────────
n_samples = 500
X = np.column_stack([
    np.random.randint(0, 24, n_samples),          # login_hour
    np.random.exponential(50_000, n_samples),      # bytes_transferred
    np.random.randint(0, 30, n_samples),           # failed_logins
    np.random.randint(0, 2, n_samples),            # lateral_movement
    np.random.randint(1, 20, n_samples),           # unique_ips
])

# Label: threat if high failed_logins + high bytes OR lateral_movement
y = (
    ((X[:, 2] > 10) & (X[:, 1] > 80_000)) |
    (X[:, 3] == 1)
).astype(int)
# Add some noise
noise_idx = np.random.choice(n_samples, 15, replace=False)
y[noise_idx] = 1 - y[noise_idx]

X_train, X_test, y_train, y_test = train_test_split(X, y, test_size=0.2, random_state=42)

# ── Ensemble Model ───────────────────────────────────────────────
rf = RandomForestClassifier(n_estimators=100, max_depth=8, random_state=42)
rf.fit(X_train, y_train)
acc = rf.score(X_test, y_test)

# Cross-validated score
cv_scores = cross_val_score(rf, X, y, cv=5)

print("=== Threat Detection ML Pipeline ===")
print(f"Training samples: {len(X_train)}, Test samples: {len(X_test)}")
print(f"Test accuracy:    {acc:.3f}")
print(f"CV mean ± std:    {cv_scores.mean():.3f} ± {cv_scores.std():.3f}")

# ── Streaming Inference Demo ─────────────────────────────────────
test_events = [
    {'event': 'Normal user',       'features': [9, 45_000, 1, 0, 3]},
    {'event': 'Off-hours + exfil', 'features': [3, 500_000, 15, 0, 8]},
    {'event': 'Lateral movement',  'features': [14, 80_000, 5, 1, 12]},
    {'event': 'Brute force',       'features': [10, 20_000, 28, 0, 2]},
]

print(f"\n{'Event':<25} {'Threat Score':>13} {'Prediction':>12} {'Alert':>7}")
print("-" * 60)
for ev in test_events:
    features = np.array([ev['features']])
    score = rf.predict_proba(features)[0][1]
    pred = rf.predict(features)[0]
    alert = "🚨 ALERT" if score > 0.5 else "  ✅ OK"
    print(f"{ev['event']:<25} {score:>13.3f} {'THREAT' if pred else 'NORMAL':>12} {alert:>7}")

💡 Production Pipeline: In production, replace synthetic data with Kafka Streams ingestion. Use MLflow for model versioning (see Lab 01) and Prometheus + Grafana for drift monitoring (Lab 06). Deploy with canary release at 5% traffic before full rollout (Lab 02).

Step 2: LLM Analyst Assistant (TF-IDF RAG)

The analyst assistant answers security queries by retrieving relevant threat intelligence documents and generating grounded responses — a production-grade RAG pattern using TF-IDF + cosine similarity.

from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.metrics.pairwise import cosine_similarity

# ── Threat Intelligence Corpus ────────────────────────────────────
THREAT_INTEL_CORPUS = [
    "Lateral movement via SMB exploits indicates APT activity. Attackers use credential dumping (Mimikatz) to harvest NTLM hashes then perform pass-the-hash attacks across Windows infrastructure.",
    "Ransomware groups typically exfiltrate data before encrypting filesystems. Common exfiltration channels: Rclone to cloud storage, Cobalt Strike C2, DNS tunneling. AES-256 encryption with RSA-wrapped keys.",
    "SQL injection attacks bypass authentication and extract database contents. OWASP Top 10 #3. Blind SQLi detection: timing attacks, boolean-based inference. Prevention: parameterized queries, WAF.",
    "Phishing emails deliver malware through malicious Office macros (VBA), ISO images (LNK execution), and HTML smuggling. Indicators: suspicious sender domains, macro-enabled documents, credential harvesting URLs.",
    "DDoS attacks overwhelm infrastructure via volumetric (UDP flood), protocol (SYN flood), or application layer (HTTP slowloris) vectors. Mitigation: BGP blackholing, Anycast scrubbing, rate limiting.",
    "Insider threats exhibit: abnormal data access patterns, off-hours logins (0200-0500), unusual print volumes, removable media usage, access to non-role-relevant systems. UEBA baseline deviation score >3σ triggers alert.",
    "Zero-day exploits target unpatched vulnerabilities in the window between discovery and vendor patch release. Mean time to patch: 102 days (2023). CVSS score ≥9.0 = Critical. Virtual patching via WAF/IPS.",
    "Command and control (C2) beaconing uses encrypted HTTPS to evade detection. Indicators: regular beacon intervals (jitter <10%), long-lived connections, DNS requests to DGA domains, certificate anomalies.",
    "Supply chain attacks compromise software build pipelines (SolarWinds, XZ Utils). Detection: SBOM analysis, dependency hash verification, build pipeline integrity monitoring, behavior analysis of new packages.",
    "Cloud misconfiguration is the #1 cause of data breaches. Common: public S3 buckets, overpermissioned IAM roles, unencrypted RDS snapshots. Tools: ScoutSuite, Prowler, AWS Security Hub.",
]

# ── Build TF-IDF Index ────────────────────────────────────────────
tfidf = TfidfVectorizer(
    max_features=500,
    ngram_range=(1, 2),
    stop_words='english'
)
doc_vectors = tfidf.fit_transform(THREAT_INTEL_CORPUS)

def rag_query(question, top_k=3):
    """
    RAG: Retrieve top-k relevant threat intel documents,
    then synthesize a grounded response.
    """
    q_vec = tfidf.transform([question])
    similarities = cosine_similarity(q_vec, doc_vectors)[0]
    top_indices = np.argsort(similarities)[::-1][:top_k]
    
    context_docs = [(THREAT_INTEL_CORPUS[i], similarities[i]) for i in top_indices]
    return context_docs

# ── Demo Queries ──────────────────────────────────────────────────
queries = [
    "unusual login times and large data transfers",
    "encrypted communication evading detection",
    "software supply chain compromise indicators",
]

print("\n=== LLM Analyst Assistant (TF-IDF RAG) ===")
for query in queries:
    print(f"\nQuery: \"{query}\"")
    results = rag_query(query, top_k=2)
    for doc, sim in results:
        print(f"  [{sim:.3f}] {doc[:80]}...")

Step 3: Automated Response Agent

The response agent translates threat detections into executable action sequences using a decision tree with structured tool calls:

class SecurityResponseAgent:
    """
    Decision tree-based automated response agent.
    Maps threat characteristics to executable tool calls.
    
    Architecture: Rule engine → Tool selector → Action executor
    Escalation: Auto-contain (Tier 1) → Human analyst (Tier 2) → CISO (Tier 3)
    """
    
    TOOL_REGISTRY = {
        'firewall_block':   lambda ip: f"FIREWALL: Block {ip} at perimeter (BGP null-route)",
        'account_disable':  lambda uid: f"IAM: Disable account uid={uid} (LDAP/AD)",
        'isolate_host':     lambda host: f"EDR: Isolate host {host} from network segment",
        'capture_forensics':lambda host: f"FORENSICS: Capture memory + disk image from {host}",
        'create_ticket':    lambda data: f"JIRA: Create P{data['priority']} incident ticket",
        'notify_oncall':    lambda team: f"PAGERDUTY: Page {team} on-call engineer",
        'force_mfa':        lambda uid: f"SSO: Force MFA re-enrollment for uid={uid}",
        'rate_limit_egress':lambda ip: f"NETWORK: Rate-limit {ip} egress to 1 Mbps",
    }
    
    def respond(self, alert):
        """Execute tiered response based on threat characteristics."""
        actions = []
        tier = 1
        
        # Tier 1: Automated containment
        if alert.get('lateral_movement'):
            actions.append(self.TOOL_REGISTRY['isolate_host'](alert['host']))
            actions.append(self.TOOL_REGISTRY['firewall_block'](alert['src_ip']))
            tier = max(tier, 2)
        
        if alert.get('threat_score', 0) > 75:
            actions.append(self.TOOL_REGISTRY['account_disable'](alert['user_id']))
            actions.append(self.TOOL_REGISTRY['capture_forensics'](alert['host']))
            tier = max(tier, 2)
        
        if alert.get('bytes_transferred', 0) > 200_000:
            actions.append(self.TOOL_REGISTRY['rate_limit_egress'](alert['src_ip']))
        
        if alert.get('failed_logins', 0) > 10:
            actions.append(self.TOOL_REGISTRY['force_mfa'](alert['user_id']))
        
        # Tier 2: Human escalation
        priority = 1 if tier >= 2 else 2
        actions.append(self.TOOL_REGISTRY['create_ticket']({'priority': priority}))
        
        if tier >= 2:
            actions.append(self.TOOL_REGISTRY['notify_oncall']('Security-IR'))
        
        if alert.get('threat_score', 0) > 90:
            actions.append(self.TOOL_REGISTRY['notify_oncall']('CISO'))
            tier = 3
        
        return actions, tier

agent = SecurityResponseAgent()

test_alerts = [
    {
        'user_id': 'u98',
        'host': 'workstation-42',
        'src_ip': '10.1.2.98',
        'threat_score': 92,
        'lateral_movement': True,
        'bytes_transferred': 800_000,
        'failed_logins': 20,
    },
    {
        'user_id': 'u55',
        'host': 'laptop-07',
        'src_ip': '10.1.1.55',
        'threat_score': 45,
        'lateral_movement': False,
        'bytes_transferred': 30_000,
        'failed_logins': 15,
    },
]

print("\n=== Automated Response Agent ===")
for i, alert in enumerate(test_alerts, 1):
    actions, tier = agent.respond(alert)
    print(f"\nAlert {i}: User {alert['user_id']} | Score: {alert['threat_score']} | Tier {tier} Response")
    for j, action in enumerate(actions, 1):
        print(f"  {j:2d}. {action}")

Step 4: Bias and Fairness Audit

Security ML systems must be audited for demographic bias. The 4/5ths rule (disparate impact) is the legal standard:

def disparate_impact_audit(model, X, y, demographic_groups, group_names):
    """
    Disparate Impact Analysis (EEOC 4/5ths rule).
    
    Disparate Impact Ratio = (selection rate group A) / (selection rate group B)
    Threshold: DI < 0.8 indicates unlawful disparate impact.
    
    In security context: 'selection' = flagged as threat
    Bias risk: model flags certain demographic groups at higher rates
    for the same underlying behavior.
    """
    results = {}
    
    for group_id, group_name in enumerate(group_names):
        mask = demographic_groups == group_id
        group_X = X[mask]
        group_predictions = model.predict(group_X)
        flag_rate = group_predictions.mean()
        results[group_name] = {
            'n': mask.sum(),
            'flag_rate': flag_rate,
            'flagged': group_predictions.sum(),
        }
    
    # Reference group: lowest flag rate (most "favorable")
    min_rate = min(v['flag_rate'] for v in results.values())
    
    print("\n=== Bias / Fairness Audit (Disparate Impact) ===")
    print(f"{'Group':<20} {'N':>6} {'Flag Rate':>10} {'DI Ratio':>10} {'Status':>12}")
    print("-" * 62)
    
    for group_name, stats in results.items():
        di_ratio = stats['flag_rate'] / (min_rate + 1e-9)
        status = "⚠️  BIAS" if di_ratio > 1.25 or di_ratio < 0.8 else "✅ FAIR"
        print(f"{group_name:<20} {stats['n']:>6} {stats['flag_rate']:>10.3f} {di_ratio:>10.3f} {status:>12}")
    
    print()
    print("4/5ths Rule: DI ratio outside [0.8, 1.25] indicates potential bias")
    print("Mitigation: Reweight training data, adversarial debiasing, or")
    print("            threshold calibration per demographic group")
    
    return results

# Simulate demographic data for audit
np.random.seed(42)
n_audit = 400
demographics = np.random.choice(4, n_audit, p=[0.4, 0.3, 0.2, 0.1])
X_audit = np.column_stack([
    np.random.randint(0, 24, n_audit),
    np.random.exponential(50_000, n_audit),
    np.random.randint(0, 30, n_audit),
    np.random.randint(0, 2, n_audit),
    np.random.randint(1, 20, n_audit),
])
group_names = ['Group A', 'Group B', 'Group C', 'Group D']
disparate_impact_audit(rf, X_audit, None, demographics, group_names)

💡 Fairness Metrics Beyond Disparate Impact: Also evaluate equalized odds (equal TPR/FPR across groups), calibration (predicted probabilities match actual rates), and individual fairness (similar individuals treated similarly). EU AI Act requires bias documentation for high-risk systems.

Step 5: EU AI Act Compliance

class EUAIActCompliance:
    """
    EU AI Act compliance assessment for security AI systems.
    
    Risk Tiers:
    - Unacceptable: Banned (social scoring, real-time biometric surveillance)
    - High-Risk:    Strict requirements (security, law enforcement, hiring)
    - Limited:      Transparency obligations (chatbots)
    - Minimal:      No obligations (spam filters, games)
    
    AI Security Platforms = HIGH RISK (Annex III, Category 6: Law Enforcement)
    """
    
    REQUIREMENTS = {
        # Technical requirements
        'Risk management system documented': True,
        'Data quality & governance framework': True,
        'Technical documentation (Annex IV)': True,
        'Automatic logging & audit trails': True,
        'Transparency for operators': True,
        'Human oversight mechanism': True,
        'Accuracy, robustness & cybersecurity': True,
        
        # Compliance requirements
        'Bias testing & fairness audit': True,
        'Conformity assessment filed': False,
        'CE marking obtained': False,
        'EU database registration': False,
        'Post-market monitoring plan': False,
        'Incident reporting procedure': False,
    }
    
    GPAI_REQUIREMENTS = {
        'Model cards / system card published': True,
        'Training data documentation': True,
        'Copyright compliance for training data': False,
        'Energy consumption reported': False,
        'Capability evaluation (red teaming)': True,
    }
    
    def assess(self):
        # Core requirements
        core_met = sum(self.REQUIREMENTS.values())
        core_total = len(self.REQUIREMENTS)
        core_pct = core_met / core_total * 100
        
        # GPAI requirements (if using foundation model component)
        gpai_met = sum(self.GPAI_REQUIREMENTS.values())
        gpai_total = len(self.GPAI_REQUIREMENTS)
        gpai_pct = gpai_met / gpai_total * 100
        
        overall = (core_pct + gpai_pct) / 2
        risk_tier = 'High-Risk' if overall < 80 else 'Compliant'
        
        print("\n=== EU AI Act Compliance Assessment ===")
        print(f"System Classification: HIGH-RISK (Annex III, Art. 6)")
        print(f"GPAI Component: Yes (LLM-based analyst assistant)")
        print()
        
        print("Core High-Risk Requirements:")
        for req, met in self.REQUIREMENTS.items():
            print(f"  [{'✓' if met else '✗'}] {req}")
        print(f"  Score: {core_met}/{core_total} ({core_pct:.0f}%)")
        
        print("\nGPAI Model Requirements:")
        for req, met in self.GPAI_REQUIREMENTS.items():
            print(f"  [{'✓' if met else '✗'}] {req}")
        print(f"  Score: {gpai_met}/{gpai_total} ({gpai_pct:.0f}%)")
        
        print(f"\nOverall Compliance: {overall:.0f}% → {risk_tier}")
        print()
        if overall < 80:
            print("⚠️  Action Items:")
            for req, met in {**self.REQUIREMENTS, **self.GPAI_REQUIREMENTS}.items():
                if not met:
                    print(f"  → Complete: {req}")
        
        return overall

compliance = EUAIActCompliance()
score = compliance.assess()

Step 6: Cost Model

def enterprise_ai_security_cost_model(n_gpus=8, n_fte=10, cloud='aws'):
    """
    Total Cost of Ownership for Enterprise AI Security Platform.
    
    Cost categories:
    - Infrastructure: GPU cluster + storage + networking
    - Platform: MLOps tooling + vector DB + monitoring
    - Operations: Engineering team + security team
    - Compliance: Audit + legal + certifications
    """
    
    # Infrastructure costs (annual)
    GPU_HOURLY = {'aws': 3.928, 'azure': 3.672, 'gcp': 3.774}  # $/h per A100
    hours_per_year = 8760
    gpu_utilization = 0.75
    
    gpu_cost = n_gpus * GPU_HOURLY[cloud] * hours_per_year * gpu_utilization / 1e6
    storage_cost = 0.15  # $150K: feature store, model registry, data lake
    network_cost = 0.08  # $80K: inter-region, CDN, VPN
    
    # Platform costs
    mlops_cost = 0.12     # MLflow enterprise / Weights & Biases / Tecton
    vector_db_cost = 0.06 # Pinecone / Weaviate enterprise
    monitoring_cost = 0.08 # Datadog / Grafana Cloud + Prometheus
    siem_integration = 0.10 # Splunk / Elastic SIEM connector
    
    # People costs (fully-loaded)
    senior_ml_engineer = 0.25  # $250K/year
    fte_cost = n_fte * senior_ml_engineer * 0.6  # avg across roles
    
    # Compliance & security
    compliance_cost = 0.12  # EU AI Act audit, pen testing, certifications
    insurance_cost = 0.05   # Cyber insurance rider for AI systems
    
    categories = {
        f'GPU cluster ({n_gpus}x A100, {cloud.upper()})': gpu_cost,
        'Storage (feature store + model registry)': storage_cost,
        'Network & connectivity': network_cost,
        'MLOps platform (MLflow/W&B/Tecton)': mlops_cost,
        'Vector database (enterprise)': vector_db_cost,
        'Observability & monitoring': monitoring_cost,
        'SIEM integration layer': siem_integration,
        f'Engineering team ({n_fte} FTE)': fte_cost,
        'EU AI Act compliance & audit': compliance_cost,
        'Cyber insurance (AI rider)': insurance_cost,
    }
    
    total = sum(categories.values())
    
    print("\n=== Enterprise AI Security Platform — Cost Model ===")
    print(f"{'Category':<45} {'Annual ($M)':>12}")
    print("-" * 60)
    for cat, cost in sorted(categories.items(), key=lambda x: -x[1]):
        bar = '█' * int(cost / total * 20)
        print(f"{cat:<45} ${cost:>9.2f}M  {bar}")
    print("-" * 60)
    print(f"{'TOTAL TCO':.<45} ${total:>9.2f}M")
    print()
    
    # ROI analysis
    avg_breach_cost = 4.45  # IBM 2023: $4.45M average breach cost
    breaches_prevented = 2   # assume 2 breaches prevented per year
    roi = (breaches_prevented * avg_breach_cost - total) / total * 100
    print(f"Assumptions: {breaches_prevented} breaches prevented × ${avg_breach_cost}M avg breach cost")
    print(f"Estimated ROI: {roi:.0f}%  (${breaches_prevented * avg_breach_cost - total:.2f}M net benefit)")
    
    return total

total_cost = enterprise_ai_security_cost_model(n_gpus=8, n_fte=10, cloud='aws')

Step 7: Platform Integration Test

Wire all six components together in an integration test:

def run_platform_integration_test():
    """End-to-end integration test of the full platform."""
    
    print("\n" + "="*60)
    print("ENTERPRISE AI SECURITY PLATFORM — INTEGRATION TEST")
    print("="*60)
    
    # Simulated incoming threat event
    event = {
        'user_id': 'jsmith',
        'host': 'laptop-098',
        'src_ip': '10.2.3.98',
        'features': [3, 500_000, 15, 1, 8],
        'raw_log': 'user=jsmith src=10.2.3.98 bytes=500000 fails=15 lateral=true time=0300'
    }
    
    print(f"\n[1/5] Incoming event: {event['raw_log']}")
    
    # Step 1: Threat detection
    features = np.array([event['features']])
    threat_score = rf.predict_proba(features)[0][1]
    threat_level = 'CRITICAL' if threat_score > 0.8 else 'HIGH' if threat_score > 0.5 else 'LOW'
    print(f"[2/5] ML Detection:   score={threat_score:.3f} → {threat_level}")
    
    # Step 2: RAG analyst context
    query = "off-hours login with lateral movement and data exfiltration"
    rag_results = rag_query(query, top_k=1)
    print(f"[3/5] RAG Context:    {rag_results[0][0][:70]}...")
    
    # Step 3: Automated response
    alert = {**event, 'threat_score': threat_score * 100,
             'lateral_movement': True, 'bytes_transferred': 500_000, 'failed_logins': 15}
    actions, tier = agent.respond(alert)
    print(f"[4/5] Auto-Response:  Tier {tier}, {len(actions)} actions executed")
    for a in actions[:3]:
        print(f"      → {a[:65]}")
    
    # Step 4: Compliance check
    print(f"[5/5] Compliance:     EU AI Act High-Risk | Audit trail logged")
    
    print("\n✅ Integration test complete — all 5 stages passed")

run_platform_integration_test()

Step 8: Full End-to-End Docker Verification

docker run --rm zchencow/innozverse-ai:latest python3 -c "
import numpy as np
from sklearn.ensemble import RandomForestClassifier
from sklearn.feature_extraction.text import TfidfVectorizer
from sklearn.metrics.pairwise import cosine_similarity
import warnings; warnings.filterwarnings('ignore')

np.random.seed(42)

# 1. Threat Detection ML Pipeline
print('=== 1. Threat Detection ML Pipeline ===')
n_samples = 500
X = np.column_stack([
    np.random.randint(0,24,n_samples),
    np.random.exponential(50000, n_samples),
    np.random.randint(0,30,n_samples),
    np.random.randint(0,2,n_samples),
    np.random.randint(1,20,n_samples),
])
y = ((X[:,2] > 10) & (X[:,1] > 80000)).astype(int)
y[np.random.choice(n_samples,20,replace=False)] = 1

from sklearn.model_selection import train_test_split
X_train,X_test,y_train,y_test = train_test_split(X,y,test_size=0.2,random_state=42)
clf = RandomForestClassifier(n_estimators=50, random_state=42)
clf.fit(X_train,y_train)
acc = clf.score(X_test,y_test)
print(f'RandomForest accuracy: {acc:.3f}')
test_event = np.array([[3, 500000, 25, 1, 8]])
prob = clf.predict_proba(test_event)[0][1]
pred = 'ALERT' if prob > 0.5 else 'NORMAL'
print(f'Test event threat score: {prob:.3f} -> {pred}')

# 2. LLM RAG Assistant
print()
print('=== 2. TF-IDF RAG Threat Intel Assistant ===')
corpus = [
    'Lateral movement via SMB exploits indicates APT activity with credential theft',
    'Ransomware typically exfiltrates data before encrypting filesystem with AES-256',
    'SQL injection attacks bypass authentication and extract database contents',
    'Phishing emails deliver malware payloads through malicious Office macro attachments',
    'DDoS attacks overwhelm network infrastructure with volumetric UDP flood traffic',
    'Insider threat indicators include abnormal data access and off-hours logins',
    'Zero-day exploits target unpatched vulnerabilities before vendor patches available',
    'Command and control C2 beaconing uses encrypted HTTPS to evade detection',
]
tfidf = TfidfVectorizer()
doc_vecs = tfidf.fit_transform(corpus)
query = 'unusual login times and large data transfers'
q_vec = tfidf.transform([query])
sims = cosine_similarity(q_vec, doc_vecs)[0]
top_idx = np.argsort(sims)[::-1][:2]
print(f'Query: \"{query}\"')
for i in top_idx:
    print(f'  Relevance {sims[i]:.3f}: {corpus[i][:60]}...')

# 3. Compliance Scorer
print()
print('=== 3. EU AI Act Compliance Score ===')
criteria = {
    'Human oversight mechanism': True,
    'Data quality documentation': True,
    'Bias testing completed': True,
    'Explainability (SHAP/LIME)': True,
    'Incident reporting process': False,
    'Conformity assessment filed': False,
}
score = sum(criteria.values()) / len(criteria) * 100
risk_tier = 'High-Risk' if score < 80 else 'Compliant'
print(f'Compliance score: {score:.0f}% -> {risk_tier}')
for k,v in criteria.items():
    print(f'  [{\"checkmark\" if v else \"X\"}] {k}')
print()
print('=== Platform Cost Model ===')
costs = {'GPU cluster (8xA100)':1.2,'MLOps infra':0.3,'Data pipeline':0.2,'Security/compliance':0.15,'Team (10 FTE)':1.5}
total = sum(costs.values())
print(f'Annual cost breakdown:')
for k,v in costs.items(): print(f'  {k}: \${v:.2f}M')
print(f'Total: \${total:.2f}M/year')
"

📸 Verified Output:

=== 1. Threat Detection ML Pipeline ===
RandomForest accuracy: 0.930
Test event threat score: 0.860 -> ALERT

=== 2. TF-IDF RAG Threat Intel Assistant ===
Query: "unusual login times and large data transfers"
  Relevance 0.346: Insider threat indicators include abnormal data access and o...
  Relevance 0.212: Ransomware typically exfiltrates data before encrypting file...

=== 3. EU AI Act Compliance Score ===
Compliance score: 67% -> High-Risk
  [✓] Human oversight mechanism
  [✓] Data quality documentation
  [✓] Bias testing completed
  [✓] Explainability (SHAP/LIME)
  [✗] Incident reporting process
  [✗] Conformity assessment filed

=== Platform Cost Model ===
Annual cost breakdown:
  GPU cluster (8xA100): $1.20M
  MLOps infra: $0.30M
  Data pipeline: $0.20M
  Security/compliance: $0.15M
  Team (10 FTE): $1.50M
Total: $3.35M/year

The full platform verifies: 93% threat detection accuracy, relevant threat intel retrieval with 0.346 cosine similarity, compliance scoring identifying 2 gaps requiring remediation, and a $3.35M/year TCO with estimated 166% ROI if 2 breaches per year are prevented.

Summary

Platform Component

Technology

Key Metric

Threat Detection

RandomForest ensemble

93.0% accuracy

Feature Engineering

5-dimensional SIEM vectors

RAG Analyst Assistant

TF-IDF + cosine similarity

0.346 top relevance score

Response Agent

Decision tree + tool registry

Tier 1-3 auto-escalation

Bias Audit

Disparate impact (4/5ths rule)

Per-demographic flag rates

EU AI Act Compliance

Checklist-based scorer

67% (High-Risk — 2 gaps)

Platform TCO

5-category cost model

$3.35M/year

ROI

Breach prevention model

~166% estimated ROI

Platform Design Principles:

Defense in depth: ML detection + rules + human review — no single point of failure
Explainability first: RandomForest feature importances + SHAP for every alert
Fairness by design: Disparate impact audit baked into CI/CD pipeline
Compliance as code: EU AI Act checklist runs on every model deployment
Cost visibility: Real-time TCO dashboard prevents budget surprise
Automation with oversight: Tier-1 containment automated; investigation always human

Architect Series Complete: You have now designed and implemented every layer of an enterprise AI platform — from MLOps infrastructure through LLM serving, observability, federated learning, multi-agent systems, security, compliance, cost optimization, and now a fully integrated AI security platform.

← Lab 19 — Distributed Training Architecture ↑ Architect Series Index

PreviousLab 19: Distributed Training Architecture

Last updated 25 days ago

Good afternoon

hashtagOverview

hashtagPlatform Architecture

hashtagStep 1: Threat Detection ML Pipeline

hashtagStep 2: LLM Analyst Assistant (TF-IDF RAG)

hashtagStep 3: Automated Response Agent

hashtagStep 4: Bias and Fairness Audit

hashtagStep 5: EU AI Act Compliance

hashtagStep 6: Cost Model

hashtagStep 7: Platform Integration Test

hashtagStep 8: Full End-to-End Docker Verification

hashtagSummary