What are stateful observation windows?

Stateful observation windows are sliding time intervals that track validator behavior metrics over configurable durations (1 minute to 24 hours). Unlike simple threshold alerts, observation windows maintain state across evaluation cycles, detecting trends and patterns that point-in-time checks would miss.

How does anomaly detection work?

The system establishes baseline behavior for each validator using historical observation data. When current metrics deviate beyond configured thresholds for a sustained period within the observation window, an anomaly is flagged. This reduces false positives from transient spikes.

What is progressive alert escalation?

Alerts escalate through severity levels based on duration and magnitude: Info (brief anomaly), Warning (sustained deviation), Critical (threshold breach in observation window), Emergency (multiple critical alerts across validators). Higher severity triggers more aggressive remediation responses.

How do observation windows support fleet health?

By maintaining stateful context across evaluation cycles, observation windows detect slow degradation patterns (memory leaks, disk fill, network deterioration) that instantaneous checks miss. This enables proactive remediation before issues impact consensus.

Stateful Observation Windows

Executive Summary

The stateful observation window mechanism prevents false-positive remediation by requiring anomalies to persist across multiple consecutive inspection cycles before triggering action. Per-rule, per-node trigger counters track sustained anomalies while filtering transient spikes. A critical exception exists for security rules that bypass the observation window entirely.

Observation Window Mechanics

Parameter	Value	Purpose
Inspection cycle	60 seconds	Metric collection and rule evaluation interval
Required consecutive triggers	3 cycles (~3 minutes)	Sustained anomaly before remediation
Counter reset	On any non-triggering cycle	Transient spike filtering
Security exception	SEC_DIGEST_MISMATCH	Fires immediately, bypasses window

A rule must trigger on 3 consecutive 60-second inspection cycles (approximately 3 minutes of sustained anomaly) before generating a remediation recommendation. If any cycle does not trigger the rule, the counter resets to zero.

Counter State Machine

// Per-rule, per-node state
state = {
    rule_id: "PERF_CPU_HIGH",
    node_id: "validator-us",
    consecutive_triggers: 0,  // 0, 1, 2, or 3+
    last_evaluated: timestamp,
    fired: false
}

// Each inspection cycle:
if rule_triggers(node):
    state.consecutive_triggers += 1
    if state.consecutive_triggers >= 3:
        emit_remediation_recommendation()
        state.fired = true
else:
    state.consecutive_triggers = 0  // RESET
    state.fired = false

Security Exception

The SEC_DIGEST_MISMATCH rule (image tampering detection) is the sole exception to the observation window requirement. When a digest mismatch is detected, the remediation recommendation fires immediately on the first detection without waiting for consecutive triggers.

Rationale: A tampered container image represents an active supply-chain attack. Waiting 3 minutes (3 cycles) before responding gives an attacker time to sign fraudulent bridge withdrawals or corrupt consensus. Immediate isolation is the only safe response.

Benefits

False positive reduction: Network blips, brief CPU spikes, and momentary latency increases are filtered out by the 3-cycle requirement
Cascade prevention: Transient issues don't trigger unnecessary restarts that could themselves cause outages
Security responsiveness: Real threats (code tampering) are still addressed immediately
Observability: Counter states are visible in the fleet dashboard for operational insight

Patent Claim

Dependent Claim 14: The system of claim 11, further comprising stateful observation windows maintaining per-rule, per-node trigger counters, requiring 3 consecutive 60-second inspection cycles of sustained anomaly before generating a remediation recommendation, with counter reset on non-triggering cycles.

How It Works

Tokenomics

Roadmap

Humanitarian Impact Fund

FAQ

Wallet

DEX

LaunchPad

Token Factory

Vaults

About

Contact

Stateful Observation Windows

Executive Summary

Observation Window Mechanics

Counter State Machine

Security Exception

Benefits

Patent Claim