Acra Core
Acra Core is a lightweight engine for device-specific behavioral anomaly detection. It runs locally, learns per-device baselines over time, and emits structured anomaly events designed for integration into existing systems.
Overview
Device-centric behavioral modeling, designed for local operation.
Acra Core learns the normal behavioral cadence of individual devices using locally observed network activity. Instead of relying on centralized data aggregation or broad cross-environment training, it establishes per-device baselines and detects meaningful deviations from expected patterns.
The engine is built to integrate into existing infrastructure through structured anomaly events. This keeps data ownership local while allowing operators and vendors to route events into their current monitoring, alerting, or workflow systems.
- Local learning and inference by default
- Per-device baselines that adapt gradually over time
- Structured events designed for integration
How it works
A continuous loop of learning, monitoring, and detection.
Acra Core is designed to learn normal behavior locally and surface only meaningful deviations. The engine continuously adapts to gradual change while remaining sensitive to anomalous events that warrant attention.
1 — Learning
Acra Core observes device activity during an initial training period and builds a baseline model of expected behavior. This baseline is device-specific and derived from local context rather than global averages.
2 — Monitoring
Once trained, the engine evaluates live behavior against learned expectations. It adapts gradually to benign drift (e.g., routine usage changes) without constantly retraining from scratch.
3 — Detection
When behavior deviates beyond expected bounds, Acra Core emits a structured anomaly event with the context needed for downstream workflows. Response behavior remains policy-driven and external to the core engine.
4 — Prevention (Certain Configurations)
In inline deployments, Acra Core can optionally block a detected attack at the gateway; in all other modes, response stays external and policy-driven.
Output
Structured anomaly events designed for integration.
Acra Core produces structured anomaly events rather than alerts tied to a specific dashboard or workflow. Events are intended to be consumed programmatically and routed into the systems operators already use.
Output is designed to provide actionable context while preserving local data ownership. The core engine focuses on surfacing high-quality signals; triage, enrichment, and response remain configurable and external.
Typical event includes
- Device identity and local context
- Anomaly type and severity signal
- Timestamp window and supporting metadata
- Optional fields for deployment-specific integration
Note: event structure is intentionally stable and designed to integrate into existing monitoring, ticketing, and automation pipelines.
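The learn/monitor/detect loop and the event fields above, as an added illustration that is not Acra Core's own code: one behavioral metric per device is tracked with a running mean and variance, the baseline is built during an initial training period and afterwards moves only through a slow exponentially weighted update on benign samples, and a sample outside the z-score bound produces a structured event instead of shifting the baseline. The metric, field names, thresholds and the traffic series are constructed for the example.

```python
import math
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass
class DeviceBaseline:
    """Per-device running statistics for one behavioral metric (constructed: bytes sent per minute)."""
    device_id: str
    samples: int = 0
    mean: float = 0.0
    var: float = 0.0        # sum of squared deviations while training, variance afterwards
    alpha: float = 0.05     # slow EWMA weight: benign drift is absorbed gradually, no retraining
    min_train: int = 20     # initial learning period; nothing is emitted before it completes
    threshold: float = 4.0  # z-score beyond which behavior is outside expected bounds

    def observe(self, value: float, window: Tuple[int, int]) -> Optional[dict]:
        """Feed one observation; return a structured anomaly event, or None if behavior is expected."""
        if self.samples < self.min_train:              # 1. Learning: exact Welford running stats
            self.samples += 1
            delta = value - self.mean
            self.mean += delta / self.samples
            self.var += delta * (value - self.mean)
            if self.samples == self.min_train:
                self.var /= self.min_train             # convert M2 into a variance
            return None
        std = math.sqrt(max(self.var, 1e-6))            # 2. Monitoring: score against expectations
        z = (value - self.mean) / std
        if abs(z) > self.threshold:                     # 3. Detection: emit, and do not learn from it
            return {
                "device_id": self.device_id,
                "anomaly_type": "metric_deviation",
                "severity": "high" if abs(z) > 2 * self.threshold else "medium",
                "window": {"start": window[0], "end": window[1]},
                "metadata": {"observed": value, "expected_mean": round(self.mean, 2),
                             "expected_std": round(std, 2), "z_score": round(z, 2)},
            }
        diff = value - self.mean                        # benign sample: fold it in slowly (EWMA)
        incr = self.alpha * diff
        self.mean += incr
        self.var = (1 - self.alpha) * (self.var + diff * incr)
        return None

def run_demo():
    """Constructed series for one device: training, slow benign drift, a burst, then normal again."""
    dev = DeviceBaseline("sensor-17")
    series = [98, 100, 102, 100] * 5                    # training period, mean 100
    series += [100 + 0.1 * k for k in range(1, 31)]     # benign drift toward 103, absorbed silently
    series += [400.0, 103.1]                            # burst, then back to normal
    events = [e for m, v in enumerate(series) if (e := dev.observe(float(v), (m * 60, m * 60 + 60)))]
    return events, dev
```

The drift never crosses the bound because the baseline follows it, while the burst yields exactly one event and leaves the learned mean near 101 rather than pulling it toward 400.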
Deployment modes
Designed to run where behavior occurs.
Acra Core supports multiple deployment modes depending on environment constraints and integration needs. In all cases, learning and inference occur locally, and output is emitted as structured anomaly events.
Inline
Gateway / router / access point
Acra Core runs within network infrastructure to observe local traffic and model device behavior as it traverses the gateway. This mode is well-suited for managed networks and environments where centralized inspection is impractical.
- Best for multi-device visibility at the edge
- Minimal operational overhead once deployed
Host-based
Endpoint / appliance
Acra Core runs as a local service on an endpoint system or appliance, enabling behavioral modeling within the constraints of the host environment. This mode is useful when inline placement is unavailable or when detection must remain tied to a specific system boundary.
- Useful for targeted deployments and appliances
- Preserves full local control and policy boundaries
Embedded
OEM / vendor integration
Acra Core is integrated as a software component within a vendor platform or custom system. This enables infrastructure providers to ship local anomaly detection as part of their product without building and maintaining proprietary behavioral models.
- Ideal for productized deployments at scale
- Integrates cleanly into existing management layers
Scope
Focused intentionally on local detection.
Acra Core is designed to do one thing well: learn device-specific behavior locally and emit high-quality anomaly signals for downstream systems. This focus keeps deployments efficient, predictable, and easy to integrate.
Capabilities that expand operational overhead or require centralized data retention are intentionally excluded from the core engine.
In scope
- Local learning and inference
- Per-device behavioral baselining
- Structured anomaly events for integration
- Passive monitoring by default, policy-driven response externally
Out of scope (by design)
- Full packet capture retention
- Long-term historical analytics and reporting
- Threat intelligence aggregation
- Automated remediation and SOC replacement workflows
This boundary keeps Acra Core lightweight and adaptable across embedded, on-premise, and constrained deployments.
Comparison
Where Acra fits in the security stack.
| Capability / characteristic | Acra Core | Edge Threat Managers (e.g., Arista ETM) | Network Platforms (e.g., Fortinet) | Endpoint Security (e.g., SentinelOne) |
|---|---|---|---|---|
| Local-first operation (no cloud required) | ✓ | × | × | × |
| Continuous cloud dependency | × | ✓ | ✓ | ✓ |
| Device-specific behavioral learning | ✓ | ~ | × | ~ |
| Network traffic–based detection | ✓ | ✓ | ~ | × |
| Endpoint OS behavior analysis | × | × | × | ✓ |
| Signature / rule-based detection | × | ~ | ✓ | ~ |
| Behavioral anomaly detection | ✓ | ✓ | ~ | ✓ |
| Operates on constrained / embedded hardware | ✓ | × | × | × |
| Inline / embedded deployment | ✓ | ~ | ✓ | × |
| Full security platform (dashboards, workflows) | × | ✓ | ✓ | ✓ |
| Structured anomaly event output (API / logs) | ✓ | ✓ | ~ | ~ |
| Designed as a standalone signal engine | ✓ | × | × | × |
| Privacy-preserving by default (minimal data movement) | ✓ | × | × | × |
Legend: ✓ supported, × not supported, ~ partial or configuration-dependent.
Note: Acra Core is not intended to replace existing security platforms such as firewalls, EDR, SIEM, or network detection tools. It is designed to operate alongside them by providing local, device-specific behavioral anomaly signals that can complement broader security workflows.
Research
Built on prior research in behavioral detection and distributed systems.
The design of Acra Core is informed by published research in anomaly detection, distributed systems, and privacy-preserving machine learning. This work explores how meaningful behavioral signals can be learned and evaluated locally without relying on centralized data aggregation.
Rather than exposing academic models directly, Acra translates these ideas into a production-oriented engine designed to operate reliably within real-world constraints.
