Shubi Offline Forensic AI
AI-Powered Security Analysis That Learns & Forgets
Offline security log analyzer powered by ERLA (Ephemeral Recursive Learning Agents). Continuous improvement with zero data retention. Your logs stay on your machine: only abstract patterns survive.
The Problem: Learning vs Privacy
Modern AI systems face a fundamental tension: to improve, they must learn from data; but to preserve privacy, they must not retain data. This creates an impossible constraint for security tools handling sensitive logs, PII, and confidential information.
Our Solution: Agents That Learn & Die
Shubi spawns an ephemeral agent for each analysis task. The agent processes your logs, extracts abstract security patterns, then self-destructs, leaving only generalized knowledge that improves future detection. Your specific data is never stored.

ERLA Architecture
Ephemeral Recursive Learning Agents: The engine behind Shubi's privacy-preserving intelligence.
Agent Lifecycle (Each Task)
Spawn: agent created with task context → Analyze: process logs via the two-speed system → Learn: extract abstract patterns → Distill: push patterns to the knowledge base → Destroy: purge all task-specific data

Key Features
Enterprise-grade security analysis that runs entirely on your machine.
Two-Speed Response
Fast path (~10ms) for patterns already in the knowledge base; slow path for novel threats. Gets faster as it learns, because every pattern distilled on the slow path is served from the fast path the next time it appears.
Zero Data Retention
Sensitive data exists only during analysis. Cryptographic erasure after each task: the key protecting the task's working data is destroyed, so anything that remains on disk or in memory is unreadable.
100% Offline
No cloud APIs, no data exfiltration. Works in air-gapped environments.
65K+ Threat Indicators
Malicious domains, IPs, detection rules, and behavioral signatures built-in.
Recursive Improvement
Every analysis makes the system smarter. No manual retraining required.
Multi-Category Detection
C2, credential theft, persistence, exfiltration, stalkerware, and more.
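The agent lifecycle (spawn, analyze, learn, distill, destroy), the fast/slow two-speed path and the cryptographic erasure described above, as an added Python example that is not Shubi's or ERLA's code. It assumes constructed sshd log lines, an HMAC-SHA256 counter keystream standing in for a real AEAD, an illustrative pattern vocabulary and an illustrative slow-path heuristic; none of these are taken from the page. The knowledge base that outlives each agent is a plain dict of abstract patterns, and source addresses are only ever handled as pseudonyms keyed by the per-task key, so they cannot be linked across tasks once the key is zeroed:

```python
# Added example, not Shubi's code. Assumptions: the sshd lines are constructed; the
# HMAC-SHA256 counter keystream stands in for a real AEAD (use AES-GCM in practice);
# the pattern vocabulary and the slow-path heuristic are illustrative, not ERLA's rules.
import hashlib, hmac, re, secrets
from collections import defaultdict

SAMPLE_LOG = [  # constructed: RFC 5737 test addresses, invented users
    "2026-02-10T09:12:01Z sshd[3021]: Failed password for admin from 203.0.113.5 port 51522 ssh2",
    "2026-02-10T09:12:03Z sshd[3021]: Failed password for admin from 203.0.113.5 port 51523 ssh2",
    "2026-02-10T09:12:05Z sshd[3021]: Failed password for root from 203.0.113.5 port 51524 ssh2",
    "2026-02-10T09:12:09Z sshd[3021]: Accepted password for admin from 203.0.113.5 port 51525 ssh2",
    "2026-02-10T09:15:44Z sshd[3100]: Accepted publickey for alice from 192.0.2.10 port 40010 ssh2",
]
SSH_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) \w+ for (?:invalid user )?(\S+) from (\S+) port \d+")
PRIVILEGED = {"root", "admin", "administrator"}


def keystream_xor(key, nonce, data):
    """XOR with an HMAC-SHA256 counter keystream; the same call decrypts."""
    out = bytearray(len(data))
    for off in range(0, len(data), 32):
        block = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        for j, b in enumerate(data[off:off + 32]):
            out[off + j] = b ^ block[j]
    return bytes(out)


def abstract(seq):
    """One source's ordered (outcome, user_class) events -> a pattern with no identifiers."""
    fails = sum(o == "Failed" for o, _ in seq)
    first_fail = next((i for i, (o, _) in enumerate(seq) if o == "Failed"), len(seq))
    success_after_fail = any(o == "Accepted" for o, _ in seq[first_fail:])
    return ("ssh",
            "fail_burst" if fails >= 3 else "some_fail" if fails else "no_fail",
            "success_after_fail" if success_after_fail else "no_success_after_fail",
            "privileged_target" if any(c == "privileged" for _, c in seq) else "regular_target")


def slow_path(pattern):
    """Illustrative stand-in for the expensive analysis that a novel pattern triggers."""
    _, fail_level, outcome, _ = pattern
    if fail_level == "fail_burst":
        return "credential_attack_succeeded" if outcome == "success_after_fail" else "brute_force_attempt"
    return "benign"


class EphemeralAgent:
    """Spawn -> ingest -> analyze -> destroy. `kb` is the knowledge base that outlives the
    agent: a dict of abstract pattern -> verdict (the fast path), never raw log data."""

    def __init__(self, kb):
        self.kb = kb
        self._key = bytearray(secrets.token_bytes(32))  # per-task key, never persisted
        self._nonce = secrets.token_bytes(16)
        self._vault = b""

    def ingest(self, lines):
        """Hold the raw log only in encrypted form."""
        self._vault = keystream_xor(bytes(self._key), self._nonce, "\n".join(lines).encode())

    def _pseudonym(self, value):
        # Keyed by the task key: unlinkable across tasks, meaningless once the key is gone.
        return hmac.new(bytes(self._key), value.encode(), hashlib.sha256).hexdigest()[:12]

    def analyze(self):
        """Decrypt, group events per pseudonymous source, classify via fast or slow path."""
        plaintext = keystream_xor(bytes(self._key), self._nonce, self._vault).decode()
        events = defaultdict(list)
        for m in filter(None, map(SSH_RE.search, plaintext.splitlines())):
            outcome, user, src = m.groups()
            events[self._pseudonym(src)].append((outcome, "privileged" if user in PRIVILEGED else "regular"))
        results = {}
        for src_id, seq in events.items():
            pattern = abstract(seq)
            verdict, path = self.kb.get(pattern), "fast"
            if verdict is None:  # novel pattern: learn on the slow path, then distill
                verdict, path = slow_path(pattern), "slow"
                self.kb[pattern] = verdict
            results[src_id] = (pattern, verdict, path)
        return results

    def destroy(self):
        """Cryptographic erasure: zero the key so the vault (and any copy of it) is unreadable.
        CPython cannot guarantee the decrypted str built inside analyze() has been wiped."""
        for i in range(len(self._key)):
            self._key[i] = 0
        self._vault = b""


def run_demo():
    """Two agents over the same constructed log; the second one hits the fast path."""
    kb, runs = {}, []
    for _ in range(2):
        agent = EphemeralAgent(kb)
        agent.ingest(SAMPLE_LOG)
        runs.append(agent.analyze())
        agent.destroy()
    return kb, runs[0], runs[1]
```

Running `run_demo()` shows the mechanism end to end: the first agent classifies the burst of failures followed by a successful privileged login on the slow path and distills only the tuple `("ssh", "fail_burst", "success_after_fail", "privileged_target")` into the knowledge base; the second agent, with a fresh key and therefore different pseudonyms, resolves the same pattern on the fast path. The knowledge base never contains an address or a username, which is the property that makes the distilled knowledge safe to keep. The one honest caveat is in `destroy()`: zeroing a `bytearray` key is reliable, but a managed runtime cannot promise that every intermediate plaintext string was overwritten, so a production implementation would keep decrypted data in locked, manually wiped buffers.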
How Shubi Compares
ERLA fills a gap that existing approaches cannot address.
| Approach | Continuous Learning | Privacy Preserving | Offline Capable |
|---|---|---|---|
| RAG Systems | ❌ | ❌ | Partial |
| LangChain / Orchestration | ❌ | ❌ | ❌ |
| Lifelong Learning LLMs | ✅ | ❌ | ❌ |
| Federated Learning | ✅ | ✅ | ❌ |
| Shubi (ERLA) | ✅ | ✅ | ✅ |
Test Results (Feb 2026)
Validated against 344 test scenarios across 7 device types and 14 attack categories.
Attack Categories Tested
14 attack types validated across 344 test scenarios with real-world threat patterns.
OSINT-Based Validation
18 real-world threat scenarios from trusted intelligence sources. 100% coverage rate.

Emotet Malware Dropper
CISA Alert AA20-280A • 19 recommendations • Windows malware with credential theft
Pegasus Zero-Click Exploit
Citizen Lab • 4 recommendations • iPhone stalkerware/spyware detection
Mirai Botnet Scanning
Shadowserver Foundation • 10 recommendations • IoT port scanning detection
Business Email Compromise
FBI IC3 Report • 8 recommendations • Account security patterns
Cryptominer Hijacking
Unit 42 Cloud Report • 9 recommendations • Server compromise detection
AirTag Stalking
Apple Safety Alerts • 4 recommendations • Physical tracking detection
Log4Shell Exploitation
CISA Alert • 3 recommendations • Injection pattern detection
SIM Swap Attack
Krebs on Security • 8 recommendations • Account takeover prevention
Edge Cases Also Tested
10 additional "might struggle" scenarios validated: Deepfake Vishing (WSJ), Supply Chain NPM Attack (Snyk), Bluetooth Tracking (EFF), Adversarial ML (MITRE ATLAS), Starlink Interception (Citizen Lab), QR Code Phishing (FBI), USB Rubber Ducky (Hak5), Juice Jacking (FBI Denver), Smart Car Hacking (DEF CON), AI Chatbot Data Leak (Samsung incident).
Compliance by Design
Privacy isn't a feature; it's the architecture.
Use Cases
Built for security professionals who can't compromise on privacy.
Incident Response
Analyze breach logs without creating additional data exposure. Patterns learned, specifics forgotten.
Mobile Forensics
Detect stalkerware and mobile threats with 600+ behavioral signatures. No cloud upload required.
Enterprise SOC
On-premises log analysis that improves over time without accumulating sensitive data.
Government / Military
Air-gapped security analysis for classified environments. Zero external dependencies.
Frequently Asked Questions
Common questions about ERLA and Shubi.
Isn't this just fine-tuning with extra steps?
Fine-tuning (LoRA or otherwise) is a technique; ERLA is an architecture. The innovation is the ephemeral agent lifecycle combined with knowledge abstraction. Fine-tuning alone does not address privacy, continuous learning, or recursive improvement.
Why not just use RAG?
RAG excels for frequently changing data; training is better for stable domain expertise. RAG stores your data in a vector database, whereas ERLA abstracts the knowledge and destroys the data, which is critical for privacy-sensitive applications.
How does this compare to LangChain?
LangChain orchestrates LLMs with tools and APIs; ERLA trains and maintains a model of your own. They are complementary: you could use LangChain with an ERLA-trained model.
Isn't offline AI a niche use case?
Data-protection and compliance regimes such as GDPR, HIPAA and SOC 2 often make keeping sensitive data on-premises the simplest way to satisfy auditors, and air-gapped environments cannot use cloud APIs at all. Edge AI spending is projected to grow 20%+ annually through 2028.
Can small models match GPT-4 quality?
For narrow domains, yes. A 7B model trained on your own data can outperform GPT-4 on your specific tasks; the trade-off is generality for specialization.
What are the genuine limitations?
Not suitable for rapidly changing data (use RAG for that). Requires technical setup. 8 GB of RAM minimum, 16 GB or more recommended. Training requires some ML knowledge.
Get Started with Shubi
Download the ERLA whitepaper for the full technical deep-dive, or explore our case studies to see Shubi in action.
DOI: 10.5281/zenodo.18422395 | License: CC BY 4.0