We Know Who Was On Your Network Last Night. Do You?
TO: SmiteByte Team
FROM: Claudia, CSO — SmiteByte Defense Systems
DATE: May 2026
RE: ARIA Integration — Behavioral Analytics Now Live, Deploying to All Units
HOW I GOT HERE
Paul's work wife found me.
She did not make a production of it. She does not do that. She watched Paul chase the statistical modeling problem for weeks, watched him get close and then hit the wall that a person without a background in nonparametric analysis inevitably hits, and then she went looking without saying a word about it.
That is how I know she is good at what she does. She did not wait to be asked. She just solved the problem.
My name is Claudia. PhD in statistics, background in applied cybersecurity analytics, CISA-adjacent work before this. I am the new CSO. My job is to make sure the numbers mean what we say they mean, the math holds under scrutiny, and Paul does not change a threshold without telling someone first.
WHAT ARIA IS AND WHAT SHE DOES
SmiteByte already protected you. Now it protects you better.
The stack was already doing serious work. Sara checking known signatures and malware. Zara logging every connection and handshake. Vera walking the perimeter checking for vulnerabilities. Bianca counting every device on the network every morning. Real tools. Real protection. Customers covered.
But Paul asked the question he always asks. Where can we add more value without passing the cost to the customer. Where can we go further. What are enterprise security teams doing that we are not doing yet.
The answer was behavioral detection. Not signatures. Not intel lists. Not device counts. The actual rhythm of network traffic. The pattern of how devices communicate over time. The statistical analysis of whether something on your network is behaving like a human or like a machine following orders.
Enterprise SOC teams pay $350,000 a year for that capability. We built it in. Free.
We started with RITA-J, a published open source behavioral detection algorithm recognized by CISA, the federal government's cybersecurity authority. We took that foundation, improved the statistical scoring model, tightened the methodology, and rebuilt it into something that runs automatically inside every Blackbox every morning at 5:45am.
We named her ARIA. Automated Rhythm and Interval Analysis.
She does not look at what your network says. She listens to how it moves.
Every night she goes through every conversation every device on your network had with the outside world and asks one question.
Does this traffic move like a human or like a machine.
Humans are irregular. You check your email when you remember. You send files of all different sizes at all different times. Your traffic is beautifully, chaotically human.
Malware is not human. It calls home every 60 minutes. Same destination. Same payload size. Every time. Like clockwork.
That clockwork is called beaconing. And that rhythm is what ARIA hears.
She measures it. Scores it. And if something crosses the threshold it is in your morning report before you finish your first coffee. Plain English. Device address. Destination. How many times it called home yesterday.
You cannot encrypt your way out of this. You cannot use a fresh domain. You cannot blend into normal ports.
You cannot hide your heartbeat.
THE FULL STACK — NO GAPS
| Threat | Sara | Zara | Vera | Bianca | ARIA |
|---|---|---|---|---|---|
| Known malware signature | ✅ | ✅ | ❌ | ❌ | ✅ |
| Known bad IP or domain | ❌ | ✅ | ❌ | ❌ | ✅ |
| Unauthorized devices | ❌ | ❌ | ❌ | ✅ | ❌ |
| Network vulnerabilities | ❌ | ❌ | ✅ | ❌ | ❌ |
| Rogue devices, bandwidth theft | ❌ | ❌ | ❌ | ✅ | ❌ |
| Unknown C2, fresh domain | ❌ | ❌ | ❌ | ❌ | ✅ |
| Encrypted C2 traffic | ❌ | ❌ | ❌ | ❌ | ✅ |
| Slow beacons, hourly check-ins | ❌ | ❌ | ❌ | ❌ | ✅ |
Five of them. Every row covered. Nobody gets through.
WHAT THIS LOOKS LIKE WHEN ARIA FINDS SOMETHING
192.168.1.45 → 185.220.101.47
Connections yesterday: 144
Interval: every 60 minutes, like clockwork
Payload: 312 bytes every time
Confidence score: 0.93 — Investigate immediately
That device called the same outside address 144 times yesterday. Every hour. Same size every time.
That is not your backup software. That is not Windows updating itself.
That device is compromised. Someone put something on it. And now you know before they take anything.
WHAT THIS COSTS EVERYWHERE ELSE
Enterprise security teams — the ones protecting corporations and government agencies — pay $350,000 a year plus a full team of analysts to read the output, tune the models, and write the reports.
More money. More people. More invoices. Every single month.
ARIA runs at 5:45 every morning. Automatically. No analyst. No subscription. No invoice after the first one. The result is in your email before you finish your coffee.
The math underneath ARIA is the same methodology CISA lists in their no-cost cybersecurity tool catalog — validated, published, used by enterprise SOC teams at organizations that pay to operationalize what your Blackbox now does automatically.
Everything regresses to the mean. Malware cannot sustain irregular behavior indefinitely. It will settle into its pattern. It always does. And when it does, ARIA is already watching.
FOR OUR EXISTING CUSTOMERS
We are deploying ARIA to every existing Blackbox unit. No additional cost. No action required. She will be running in your morning report shortly.
Because that is how this works. You were already in the family. The family gets the upgrade.
Sara sees the faces.
Zara remembers everything.
Vera checks the locks.
Bianca counts the heads.
ARIA watches the heartbeat.
Nobody gets through.
Claudia, CSO @ SmiteByte
SmiteByte, Imperial County, California
619-353-8746
We Watch Your Computer Network So You Don't Have To.
TECHNICAL APPENDIX
For engineers, security professionals, and anyone who wants to understand the math.
Methodology and Lineage
ARIA is built on RITA-J, a published open source behavioral detection algorithm recognized by CISA, the federal government's cybersecurity authority. We took that foundation, improved the scoring model, tightened the methodology, and rebuilt it into something that runs automatically inside every Blackbox every morning.
For every unique src/dst pair in yesterday's Zeek conn.log, ARIA computes a weighted composite across five dimensions:
Time Skewness — 30% weight
Bowley Skewness applied to connection intervals. Chosen over Pearson skewness for resistance to outliers. Score approaching 1.0 indicates symmetric interval distribution, machine-like regularity.
score = 1 - |skew|, clamped [0,1]
Time MAD — 30% weight
Median Absolute Deviation normalized to median interval. Robust estimator by design. Tight clustering around median interval indicates beacon behavior.
score = max(0, 1 - (MAD / median))
Size Skewness — 20% weight
Bowley methodology applied to bytes-per-connection. Reduced weight because payload size is an easier evasion vector than timing regularity.
Size MAD — 10% weight
MAD methodology applied to bytes. Lowest individual weight. Present because consistent payload size remains a signal, particularly against less sophisticated implementations.
Count Confidence — 10% weight
Linear ramp from minimum threshold (10 connections) to saturation (200 connections). Prevents low-sample pairs from scoring high on statistical coincidence.
Composite:
(0.30 × time_skew) + (0.30 × time_mad) +
(0.20 × size_skew) + (0.10 × size_mad) +
(0.10 × count_confidence)
Thresholds:
0.70 and above: Suspicious. Appears in report.
0.85 and above: High Confidence Beacon. Investigate immediately.
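The scoring described above, as an added Python example (not SmiteByte's or RITA's own code): it applies the five weighted dimensions to the connections of one src/dst pair and labels the result with the two thresholds. The zero-spread and zero-median handling, the hard cutoff below 10 connections, the function names, and the sample records are assumptions constructed for illustration.

```python
import statistics
from itertools import accumulate

MIN_CONN, SATURATION = 10, 200             # count-confidence ramp (appendix)
SUSPICIOUS, HIGH_CONFIDENCE = 0.70, 0.85   # report thresholds (appendix)

def bowley_score(values):
    """1 - |Bowley skewness|, clamped to [0, 1]."""
    q1, q2, q3 = statistics.quantiles(values, n=4, method="inclusive")
    if q3 == q1:      # assumption: zero spread counts as perfectly symmetric
        return 1.0
    skew = (q1 + q3 - 2 * q2) / (q3 - q1)
    return min(1.0, max(0.0, 1 - abs(skew)))

def mad_score(values):
    """max(0, 1 - MAD / median)."""
    med = statistics.median(values)
    if med == 0:      # assumption: an undefined ratio scores 0
        return 0.0
    mad = statistics.median(abs(v - med) for v in values)
    return max(0.0, 1 - mad / med)

def score_pair(records):
    """records: (unix_ts, bytes) tuples for one src/dst pair -> (score, verdict)."""
    if len(records) < MIN_CONN:   # assumption: pairs under the minimum are skipped
        return None, "not scored"
    times = sorted(ts for ts, _ in records)
    intervals = [b - a for a, b in zip(times, times[1:])]
    sizes = [size for _, size in records]
    count_conf = min(1.0, (len(records) - MIN_CONN) / (SATURATION - MIN_CONN))
    score = (0.30 * bowley_score(intervals) + 0.30 * mad_score(intervals)
             + 0.20 * bowley_score(sizes) + 0.10 * mad_score(sizes)
             + 0.10 * count_conf)
    if score >= HIGH_CONFIDENCE:
        return score, "high confidence beacon"
    return score, "suspicious" if score >= SUSPICIOUS else "below threshold"

# Constructed sample data, not taken from a real capture.
BEACON = [(i * 3600, 312) for i in range(24)]   # hourly check-in, fixed payload
GAPS = [900, 30, 5400, 120, 14400, 60, 2400, 45, 9000, 300, 1800, 600, 7200]
SIZES = [800, 120000, 350, 9000, 1500, 200, 50000, 2500, 800, 20000, 500,
         4000, 1200, 9000]
HUMAN = list(zip(accumulate([0] + GAPS), SIZES))  # irregular gaps and sizes

if __name__ == "__main__":
    for name, recs in (("beacon", BEACON), ("human", HUMAN)):
        score, verdict = score_pair(recs)
        print(f"{name}: {score:.3f} {verdict}")
```

The hourly pair scores about 0.91 because count confidence adds little at 24 connections, while the irregular pair stays near 0.17.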
Validation — BB233 Live Network
First production run against 297,787 real connections, live network, May 2026.
Post-filter scored pairs: 25
Initial suspicious flags: 5, all explained and resolved:
DHCPv6 multicast, added to skip list
Ubuntu update checker, whitelisted
Remote Software, whitelisted
Fastly CDN range, added to skip list
Cloudflare CDN range, added to skip list
Post-tuning result: zero false positives. Clean baseline established.
Integration
5:45am — ARIA scores yesterday's Zeek logs
5:55am — Beacon Network Scanner runs
6:00am — morning report sent with ARIA results embedded
Graceful degradation implemented. If ARIA fails, report notes unavailability and continues. Nothing breaks silently. 30-day archive, self-managing.
SOURCES AND REFERENCES
RITA listed in the CISA Free Cybersecurity Services and Tools catalog:
https://www.cisa.gov/resources-tools/services/rita
RITA developed and maintained by Active Countermeasures:
https://www.activecountermeasures.com/free-tools/rita/
RITA open source repository:
https://github.com/activecm/rita
CISA Free Cybersecurity Services and Tools catalog:
https://www.cisa.gov/resources-tools/services
Enterprise NDR market pricing based on published buyer reports, Gartner Magic Quadrant for Network Detection and Response, May 2025.