CIS490/references/IEEE 9881803 — network-behavior trust scoring.md

Per-device trust from network behaviour

IEEE Xplore document 9881803 (https://ieeexplore.ieee.org/document/9881803).

This paper is the citation behind the motivation scene in the deck — specifically the claim that a per-host detector becomes much stronger when its output is combined with network-level behaviour signals (peer observations, gateway traffic patterns, cross-host relationships) to compute a fleet-wide trust score.

What we borrow

• Trust as a multi-source aggregate. A single host's classifier is noisy by itself; the paper makes the case that trust should be computed from local verdicts plus network behaviour, not either alone. Our per-host detector is positioned as one input to that broader signal — not a final verdict.
• Fast-recovery framing. Detection time gates how quickly a device can be reset to a known-good snapshot. The motivation scene borrows this framing to argue that low detection latency directly shrinks both blast radius (containment) and forensic dwell time (recovery).

Where it differs

• Their focus is the trust-aggregation layer above per-device classifiers; this project focuses on the per-device classifier itself. The paper's argument is what makes our local model worth building well — even a lossy on-host signal is useful when it's combined with the rest of the fleet's view.

If/when the PDF is dropped into this directory with a matching stem, the references viewer in the deck will pick it up automatically. Until then this sidecar stands alone as the citation note.