motivation scene: why detection matters before how we do it

New scene 2 (between intro and stack) framing the operational case
for a per-host detector. Three consequence cards on the stage —
network-level trust scoring, containment before pivot, fast
post-attack reset — backed by a prose section that cites IEEE
document 9881803 for the trust-aggregation argument.

Sidecar md for the paper lands in references/ as a citation note;
when the PDF is dropped in with a matching stem it'll show up in
the references viewer automatically. Link added to links.md too.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

references/IEEE 9881803 — network-behavior trust scoring.md

@@ -0,0 +1,36 @@
+# Per-device trust from network behaviour
+
+IEEE Xplore document **9881803**
+(<https://ieeexplore.ieee.org/document/9881803>).
+
+This paper is the citation behind the **motivation scene** in the deck —
+specifically the claim that a per-host detector becomes much stronger
+when its output is combined with network-level behaviour signals
+(peer observations, gateway traffic patterns, cross-host relationships)
+to compute a fleet-wide trust score.
+
+## What we borrow
+
+- **Trust as a multi-source aggregate.** A single host's classifier
+  is noisy by itself; the paper makes the case that trust should
+  be computed from local verdicts *plus* network behaviour, not
+  either alone. Our per-host detector is positioned as one input
+  to that broader signal — not a final verdict.
+- **Fast-recovery framing.** Detection time gates how quickly a
+  device can be reset to a known-good snapshot. The motivation scene
+  borrows this framing to argue that low detection latency directly
+  shrinks both blast radius (containment) and forensic dwell time
+  (recovery).
+
+## Where it differs
+
+- Their focus is the trust-aggregation layer above per-device
+  classifiers; this project focuses on the per-device classifier
+  itself. The paper's argument is what makes our local model
+  *worth* building well — even a lossy on-host signal is useful
+  when it's combined with the rest of the fleet's view.
+
+> If/when the PDF is dropped into this directory with a matching
+> stem, the references viewer in the deck will pick it up
+> automatically. Until then this sidecar stands alone as the
+> citation note.

references/links.md

@@ -3,3 +3,4 @@
 - https://github.com/mitre/caldera?tab=security-ov-file
 - https://github.com/PiyushxJangid/DLHIDS
 - https://github.com/ArpanDFrank/Host-Intrusion-Detection-System-using-Hybrid-CNN-LSTM-Models-and-RL-Actor-Critic-Models
+- https://ieeexplore.ieee.org/document/9881803 — per-device trust establishment from network behaviour (cited on motivation scene)

training/dashboard/static/dashboard.css

@@ -1028,6 +1028,45 @@ html, body { overflow-anchor: none; }
   width: 100%; height: 100%;
 }
 
+/* ─── Motivation cards (scene: motivation) ─────────────────────────── */
+.motivation-stack { gap: clamp(12px, 1.8vh, 22px); }
+.motivation-cards {
+  display: flex; flex-direction: column;
+  gap: clamp(10px, 1.4vh, 18px);
+}
+.motivation-card {
+  display: grid;
+  grid-template-columns: 6px 1fr;
+  gap: clamp(12px, 1.4vw, 18px);
+  padding: clamp(12px, 1.6vh, 20px) clamp(14px, 1.6vw, 22px);
+  background: var(--bg-elev, rgba(255, 255, 255, 0.03));
+  border: 1px solid var(--line);
+  border-radius: 4px;
+  align-items: stretch;
+}
+.motivation-card-marker {
+  border-radius: 2px;
+}
+.motivation-card-marker.mc-trust    { background: var(--accent); }
+.motivation-card-marker.mc-contain  { background: var(--phase-armed); }
+.motivation-card-marker.mc-recover  { background: var(--phase-clean); }
+.motivation-card-body {
+  display: flex; flex-direction: column;
+  gap: clamp(4px, 0.6vh, 8px);
+  min-width: 0;
+}
+.motivation-card-title {
+  font: 600 clamp(14px, 1.2vw, 18px)
+    ui-monospace, SFMono-Regular, Menlo, monospace;
+  color: var(--fg);
+  letter-spacing: 0.02em;
+}
+.motivation-card-text {
+  font-size: clamp(13px, 1vw, 15px);
+  line-height: 1.5;
+  color: var(--fg-dim);
+}
+
 /* ─── Live detections (scene: live) ────────────────────────────────── */
 .live-stack { gap: clamp(10px, 1.6vh, 20px); }
 

training/dashboard/static/index.html

@@ -4,7 +4,7 @@
   <meta charset="utf-8">
   <meta name="viewport" content="width=device-width, initial-scale=1">
   <title>CIS490 — live</title>
-  <link rel="stylesheet" href="/static/dashboard.css?v=1fc0424d">
+  <link rel="stylesheet" href="/static/dashboard.css?v=94174956">
 </head>
 <body>
   <!-- SVG filter defs for the lava-lamp goo effect. Width/height 0
@@ -161,7 +161,49 @@
           </div>
         </div>
 
-        <!-- 2. stack — Python stack & libraries used in the project -->
+        <!-- 2. motivation — what detection unlocks -->
+        <div class="stage-view" data-view="motivation">
+          <div class="metric-stack metric-stack-wide motivation-stack">
+            <div class="metric-eyebrow">what detection unlocks</div>
+            <div class="motivation-cards">
+              <div class="motivation-card">
+                <div class="motivation-card-marker mc-trust"></div>
+                <div class="motivation-card-body">
+                  <div class="motivation-card-title">network-level trust scoring</div>
+                  <div class="motivation-card-text">A noisy on-device classifier becomes
+                    useful when its verdict feeds a fleet-wide trust score —
+                    peers, gateways, and traffic patterns vote together. A
+                    single host's signal is fragile; combined network
+                    behaviour is much harder to spoof.</div>
+                </div>
+              </div>
+              <div class="motivation-card">
+                <div class="motivation-card-marker mc-contain"></div>
+                <div class="motivation-card-body">
+                  <div class="motivation-card-title">containment before pivot</div>
+                  <div class="motivation-card-text">"Infected" is actionable: quarantine
+                    the device's credentials, drop its traffic at the
+                    gateway, stop lateral movement before the attacker
+                    pivots to a neighbor. Detection latency directly
+                    bounds blast radius.</div>
+                </div>
+              </div>
+              <div class="motivation-card">
+                <div class="motivation-card-marker mc-recover"></div>
+                <div class="motivation-card-body">
+                  <div class="motivation-card-title">fast post-attack reset</div>
+                  <div class="motivation-card-text">With a known infection time you can
+                    roll a device back to a snapshot taken before the
+                    compromise — no forensic dwell time, no guessing how
+                    far back to roll. Recovery becomes a one-button
+                    operation instead of a week of cleanup.</div>
+                </div>
+              </div>
+            </div>
+          </div>
+        </div>
+
+        <!-- 3. stack — Python stack & libraries used in the project -->
         <div class="stage-view" data-view="stack">
           <div class="metric-stack metric-stack-wide">
             <div class="metric-eyebrow">the stack behind the live data on the right</div>
@@ -382,6 +424,35 @@
         </div>
       </section>
 
+      <section class="scene" data-stage="motivation">
+        <div class="prose">
+          <h2>Why detect at all?</h2>
+          <p>Knowing a device is compromised is the precondition for everything
+            else. A classifier that says "this host is infected right now"
+            turns into three concrete operational capabilities — and each
+            one rewards a faster, more confident detector.</p>
+          <p><strong>Trust scoring across the network.</strong> Recent work
+            on per-device trust establishment
+            (<a href="https://ieeexplore.ieee.org/document/9881803"
+            target="_blank" rel="noopener">IEEE 9881803</a>) argues that
+            on-device metrics alone aren't enough — a fleet has to combine
+            local classifier verdicts with network-behaviour signals
+            (peer observations, gateway traffic patterns, inter-host
+            relationships) to score trust reliably. Our per-host detector
+            is one input to that broader signal.</p>
+          <p><strong>Containment.</strong> Once a host is flagged, the
+            gateway can drop its traffic and the IAM layer can revoke
+            credentials before lateral movement begins. Detection
+            latency translates directly into how much of the network
+            an attacker reaches.</p>
+          <p><strong>Quick recovery.</strong> A confirmed infection time
+            lets you restore from a snapshot taken just before the
+            compromise — no forensic dwell time, no guessing how far
+            back to roll. The recovery path becomes a one-button operation
+            instead of a week of cleanup.</p>
+        </div>
+      </section>
+
       <section class="scene" data-stage="stack">
         <div class="prose">
           <h2>Live, not staged</h2>