DeputyHunt: Cross-Domain Reconstruction Framework
- DeputyHunt is an umbrella concept covering methodologies for hunting and reconstructing latent structures across domains like AI accelerator security, collaborative autoformalization, and cyber threat tracing.
- It leverages a blend of static and dynamic analysis with LLM-guided semantic recovery to reduce manual effort and prove exploitability or formal correctness.
- The framework underpins diverse applications—from validating SMID semantics in accelerators to decentralized proof economies—by bridging semantic gaps with operational validation.
DeputyHunt denotes a cluster of research constructs centered on hunting, reconstruction, or delegated action under constrained observability. In the most explicit usage, it is an LLM-assisted framework for exposing confused deputy attacks in edge AI accelerators by recovering the semantics of memory-sharing APIs and validating whether an unprivileged application can induce accelerator access to restricted memory (Danduri et al., 18 May 2026). The label is also applied to a bounty-based collaborative autoformalization environment in Interactive Theorem Proving (Brown et al., 6 Mar 2026), and is used descriptively for provenance-graph threat hunting and neuro-symbolic attack-trace reconstruction workflows that prioritize interpretable chains rather than isolated alerts (Ma et al., 10 Jan 2025, Zhao et al., 28 May 2026). More distant uses connect the term to graph pursuit, underwater hunting, complementary-team task allocation, and chief-deputy orbit estimation (Abramovskaya et al., 2015, Wei et al., 2022, Dadvar et al., 2019, Zuehlke et al., 2022, Guo et al., 16 Mar 2025).
1. Semantic range and disambiguation
The term does not identify a single canonical algorithm across the literature represented here. Rather, it spans a named security-analysis framework, a decentralized coordination mechanism for theorem proving, and a descriptive label for workflows that recover latent structure from incomplete evidence.
| Usage | Representative paper(s) | Characteristic mechanism |
|---|---|---|
| Edge AI accelerator security | "Speed Kills: Exploring Confused Deputy Attacks Through Edge AI Accelerators" (Danduri et al., 18 May 2026) | Static and dynamic analysis, LLM-guided recovery of SMID semantics, and confused deputy attack validation |
| Collaborative autoformalization | "Agent Hunt: Bounty Based Collaborative Autoformalization With LLM Agents" (Brown et al., 6 Mar 2026) | Simulated bounty marketplace, locking rules, theory-building lemmas, and Megalodon-checked proofs |
| Cyber threat hunting and trace reconstruction | "ActMiner: Applying Causality Tracking and Increment Aligning for Graph-based Cyber Threat Hunting" (Ma et al., 10 Jan 2025); "HunterAgent: Neuro-Symbolic Attack Trace Reconstruction under Anti-Forensics" (Zhao et al., 28 May 2026) | CTI-driven graph alignment, causal filtering, incremental update, and Generator–Verifier reconstruction |
| Pursuit, allocation, and deputy estimation | (Abramovskaya et al., 2015, Wei et al., 2022, Dadvar et al., 2019, Zuehlke et al., 2022, Guo et al., 16 Mar 2025) | Hunter–rabbit pursuit, UUV/AUV target hunting, complementary teams, and chief–deputy state estimation |
This suggests a family resemblance rather than a unified formalism. The recurring motif is a search or reconstruction process conducted across a semantic, observational, or coordination gap.
2. DeputyHunt as an edge-AI confused deputy analysis framework
In its most concrete and explicitly named form, DeputyHunt is the framework introduced for studying confused deputy attacks through edge AI accelerators. The underlying security problem is that AI accelerators are specialized hardware that enable optimal and efficient execution of AI applications and on-device inference, yet, unlike applications, they are not bound by Operating System restrictions and have limited visibility into Application Processor security mechanisms. The paper identifies a semantic gap: the host kernel knows which pages are user pages, kernel pages, shared DMA regions, or stale mappings, whereas the accelerator may only observe a device address, physical address, DMA handle, or page-table base (Danduri et al., 18 May 2026).
The attacker model is deliberately weak. The attacker is an unprivileged userspace application running on the application processor, able to issue normal driver or ioctl requests but lacking special privileges. The attack objective is to force the accelerator to access restricted memory, including other processes’ memory pages or unmapped kernel memory. The crucial abstraction is the shared-memory identifier, or SMID, which represents a buffer or page to the accelerator. If the accelerator or its software stack fails to validate that the SMID refers only to memory the requesting application is entitled to use, then a low-privilege requester can trick a high-privilege component into performing a privileged read or write on its behalf.
The framework formalizes two necessary conditions for a memory-based confused deputy attack: the accelerator must fail to validate the SMID, and the attacker must be able to supply an SMID pointing at restricted memory. The empirical study examined seven accelerators from Google, NVIDIA, Hailo, Texas Instruments, NXP, AWS, and Rockchip. Memory-based confused deputy attack feasibility was established on six of the seven platforms, affecting more than 128 SoCs and over 100 million devices; Rockchip’s RNPU was treated as infeasible for memory-based CDA because it does not use zero-copy shared memory and communicates over USB messages instead. The disclosure was acknowledged by vendors, and NXP assigned CVE-2025-66425.
The platform-specific attack surfaces vary materially. Google Edge TPU and NVIDIA GPU expose stale-mapping behavior in which a page can be mapped legitimately, then unmapped in the attacker’s address space while remaining valid in device page tables. NXP NPU and Hailo NPU permit stronger forms of abuse: the reported attacks yield arbitrary read or write over arbitrary memory regions with full address and value control. Texas Instruments’ TMMA and AWS Inferentia expose limited memory access to accelerator-accessible regions such as AIRMem or AIMem. This distribution of outcomes is important because it shows that “confused deputy through AIA” is not a single bug pattern but a broader architectural class rooted in performance-driven zero-copy designs.
3. Workflow, validation logic, and proposed defense
DeputyHunt combines static analysis, dynamic analysis, and LLM-guided semantic recovery. The workflow has six stages: identify accelerator memory regions such as AIMem and AIRMem using documentation, device trees, and tools like lspci or lsusb; instrument kernel driver source code to log ioctl handlers, copy_from_user and copy_to_user sites, DMA allocation or mapping functions such as dma_map_page, dma_map_sg, dma_alloc_coherent, and page-pinning calls such as get_user_pages_fast or pin_user_pages; run a userspace accelerator application while collecting kernel logs and system-call traces with dmesg and strace; extract the relevant interaction data into structured JSON; feed the structured logs and selected source snippets to an LLM prompted to identify AIA-relevant functions, KD entry points, and message structures or fields that look like SMIDs; and finally validate candidate CDA paths by replacing the SMID with one pointing to restricted memory and checking whether the accelerator accesses it (Danduri et al., 18 May 2026).
The validation step is deliberately operational rather than purely static. A restricted kernel page is created and initialized with a recognizable pattern, the candidate message is modified so that its SMID points to that page, and inference is triggered. If the pattern changes, the accelerator wrote to restricted memory. The authors also test whether the attacker can control the written value, which determines whether the attack has full-value control. This empirical confirmation is central to the framework’s design: DeputyHunt is not only a ranking or triage system, but a methodology for proving exploitability.
A major practical result is the reduction in analyst workload. Across the evaluated drivers, the framework reduced the number of functions requiring manual inspection by about 97% on average and reduced net manual effort by about 98%. The paper notes that valid results were usually found among the top few LLM-ranked candidates. The LLM is therefore used as a semantic narrowing mechanism over proprietary protocols and closed-source vendor libraries, not as a replacement for kernel- or device-level validation.
The principal defense proposal is on-demand validation. Each message carries the requesting process ID, and whenever the accelerator observes an SMID, it asks the kernel driver to validate that the SMID is legal for that PID. If validation succeeds, execution continues; otherwise the request is rejected. To block stale-mapping attacks, unmap requests must be deferred until the accelerator is finished with the buffer. In Gem5-SALAM, this design incurred about 15.33% average runtime overhead. The paper contrasts this with stricter IOMMU-based defenses, which imposed much larger overheads in the reported experiments.
4. DeputyHunt as a decentralized proof economy
A second, distinct meaning of DeputyHunt appears in large-scale autoformalization. Here the setting is an Interactive Theorem Proving workflow in Megalodon, a higher-order set-theory proof checker, aimed at formalizing the remaining algebraic topology portion of Munkres after a substantial general-topology background already exists. Instead of assigning all work to a single agent, the project is distributed among multiple LLM-based coding agents that edit the formal theory, write proof scripts, introduce intermediate lemmas and definitions, and rely on Megalodon to check correctness. The coordination mechanism is a simulated bounty marketplace rather than static central planning (Brown et al., 6 Mar 2026).
The marketplace is defined operationally. Each theorem or lemma is assigned a bounty in simulated USD tokens, determined after an initial single-agent pass that formalizes the statements, admits the proofs, and estimates textbook proof length, formalization difficulty on a 1–10 scale, and approximate USD cost assuming \$100/hour. Agents may lock theorems: a lock requires paying 10% of the theorem’s bounty, each agent may hold up to 10 locks, locks last 24 hours, expired locks must be removed, balances cannot go negative, and if another agent proves a locked theorem the bounty still goes to the locker. Agents can also create new intermediate lemmas, attach bounties to them, and use them as stepping stones for larger proofs.
The agent loop is proof-assistant driven. Agents invoke tactics, inspect proof states and goals, analyze tactic successes and failures, refine scripts, introduce definitions or lemmas when needed, and iterate until a theorem closes and is verified. They may also work through partial proofs with admitted subgoals and return later to discharge them. Guard scripts enforce invariants such as nonnegative balances, positive bounties, lock limits, expiry constraints, immutability of statements, and correct handling of Qed versus Admitted. Correctness remains centralized in Megalodon: accepted proofs are machine-checked, Qed is blocked if dependencies are only partially proved, and unproved axioms are disallowed except via an approved axiom-hash index.
The empirical scaling results are notable. The experiment started with about 19k normalized lines of existing library material and grew to 121k normalized lines over about 2 days and 15 hours, corresponding to about 39k normalized lines per day for the four-agent setup, compared with about 7k lines per day in the referenced single-agent general-topology project. The bounty statistics record 709 tokens placed in new bounties overall, of which 279 were proved and collected by the same agent who created them, 114 were solved or collected by a different agent, 312 remained active or unsolved, and 4 were removed or rewritten. The paper also documents emergent specialization: Bob concentrated on homotopy, the fundamental-group pipeline, covering spaces, and algebraic machinery; Charlie on geometry-driven topology and projective-space constructions; Alice on path concatenation and group-law formalization; and Dave on abstract group-theoretic support and recursion-based algebra. A notable competitive episode occurred when Bob had nearly completed ex68_3_conjugate_intersection_trivial without locking it, after which Alice replaced Bob’s nearly complete 3716-line proof, completed it, and collected the bounty.
Several introduced definitions illustrate that the framework is explicitly theory-building rather than merely theorem-dispatching. The reported examples include homotopy_flip_map, ex53_1_slice_family, s55_radial_collapse_map, comm_closure_pred, and commutator_closure. In this sense, DeputyHunt denotes a verified, incentive-driven, decentralized proof economy in which the decomposition of work emerges during formalization rather than being fixed in advance.
5. DeputyHunt-style cyber threat hunting and forensic reconstruction
The term is also used descriptively for workflows that hunt for coherent attack narratives across incomplete or noisy telemetry. In ActMiner, the problem is framed as CTI-driven graph alignment on provenance graphs. The provenance graph is , the CTI report is converted into a query graph , and threat hunting is formalized as finding a subgraph that best matches the query graph:
ActMiner’s three design ideas are equivalent semantic transfer to reduce false negatives, causal filtering to mitigate false positives, and a tree structure that incrementally updates alignment results so that historical logs need not be rescanned on every new batch (Ma et al., 10 Jan 2025).
Equivalent semantic transfer addresses the “semantic gap” between CTI descriptions and observed logs. The paper describes six equivalent semantic transitivity policies learned from DARPA logs, CTI attack-stage theories, and CDM semantics, including inheritance of suspicious semantics through fork or clone, process injection, file write, executable or library load from a suspicious file, and suspicious-file read. Causal filtering reconstructs the attack sequence, orders context by timestamp, and excludes paths that satisfy local patterns but violate temporal or causal progression. Incremental alignment stores state in a tree of suspicious semantic branches, forgets unaffected branches from memory after a time threshold of 6 hours, and restores them later from an indexed database if needed. On DARPA Transparent Computing Engagement data, especially E3 and E4, the paper reports 0 false negatives, 452 false positives versus 742 for POIROT in the table’s averaged reporting format, 100.00% recall, 94.41% precision, and an average runtime of about 3590 seconds versus about 6070 seconds for POIROT.
HunterAgent addresses a harder anti-forensic setting in which provenance graphs are fragmented by parent-PID spoofing, log wiping, timestomping, or fileless execution. It reframes trace reconstruction as cost-bounded heuristic graph search under partial observability. The Generator is an LLM constrained to propose semantic payloads within a typed ontology for process, file, network, and registry nodes; the Verifier then enforces schema validity and grounding through identifier-level collisions on surviving orthogonal telemetry such as NetFlow, ETW, EDR kernel callbacks, or hypervisor traces. The hard constraint is
and ungrounded latent hops are scored by
with temporal impossibilities such as negative time gaps treated as rather than merely unlikely. The cumulative path cost is further bounded by an epistemic budget , which forces graceful halting instead of inferential drift (Zhao et al., 28 May 2026).
The evaluation is strict Leave-One-Family-Out cross-validation over DARPA TC E3, DARPA OpTC, ATLAS, and an in-house APT-Eval-Trace dataset. HunterAgent achieves 86.1% mean F1, outperforming KAIROS by 17.1 F1 and Tool-Augmented ReAct by 26.7 F1, while reducing path hallucination from 61.5% to 6.4%. Under 70% targeted log wiping, recall drops but precision stays at least 84%, and 95.7% of investigations halt safely with an insufficient-evidence flag. In this descriptive sense, DeputyHunt-style systems are distinguished by their attempt to recover a defensible chain rather than merely rank alerts.
6. Broader hunting and deputy formulations
Beyond security analysis and cyber hunting, the label is attached in the provided corpus to several pursuit, coordination, and estimation problems. In graph theory, the Hunters & Rabbit game studies the hunter number , the minimum number of hunters needed to catch an invisible rabbit that must move along graph edges each round. The update rule for the contaminated set is , the exact hunter number on an 0-grid is 1, and the extremal value on 2-vertex trees lies between 3 and 4 (Abramovskaya et al., 2015).
In underwater pursuit, one line of work formulates a finite-time differential game for a swarm of UUVs hunting a maneuverable target while accounting for team consistency, collision avoidance, communication delay, and underwater disturbances. The game seeks admissible feedback strategies satisfying a Nash-type inequality for a payoff that combines collision avoidance, consistency among UUVs, and terminal penalties, and then augments the Hamiltonian analysis with a modified DQN-based DRL method for delayed and disturbed environments. Simulations report that underwater disturbances have a large impact when communication delay is present, and consistency tests based on the Kendall correlation coefficient indicate better consistency for relatively small disturbance ranges (Wei et al., 2022).
A related underwater line adds communication secrecy. The covert-communication-guaranteed collaborative target hunting framework introduces an adaptive multi-agent diffusion policy, or AMADP, for multiple AUVs hunting an eavesdropping target in a 2D plane at fixed depth. The target performs a binary hypothesis test over hunter communication, and the covert constraint is expressed through 5 and an equivalent KL-divergence bound. The reward combines encirclement, collision avoidance, and covert-performance terms, and the paper reports that AMADP achieves faster convergence and higher hunting success rates than MACQL, OMAR, and MADIFF while maintaining covertness constraints (Guo et al., 16 Mar 2025).
In multi-agent task allocation, a “hunter and gatherer” framework decomposes each task into sequential detection and completion subtasks, 6, and couples complementary teams through market-based negotiation. The objective minimizes weighted collective cost, the utility is defined by guaranteed reward, negotiated extra incentive, and task cost, and the bargaining protocol switches between reverse-auction-like negotiation and second-price sealed-bid auction depending on how many gatherers respond. The simulation study reports fairness across same-type agents and more than 70% effectiveness improvement when the gatherer queue size 7 is increased from 1 to 10 (Dadvar et al., 2019).
In astrodynamics, “deputy” enters through chief–deputy state estimation rather than hunting in the security sense. A particle swarm optimization method performs initial orbit determination for a deputy spacecraft in the Earth–Moon CR3BP using relative range and angle observations from a known chief. The search is constrained by feasible initial-state bounds around the true deputy state, the cost is the weighted residual between actual and predicted observations, and Levenberg–Marquardt refinement substantially improves accuracy after global PSO convergence. The reported scenarios achieve sub-kilometer PSO estimates and meter-level refined position errors for halo and axial cislunar geometries (Zuehlke et al., 2022).
7. Conceptual synthesis
A plausible unification is that DeputyHunt recurrently names settings in which a system must recover or enforce structure across a gap that the underlying substrate does not natively encode. In edge AI security, the gap is between userspace permissions and accelerator-visible memory references. In collaborative autoformalization, it is between informal mathematical decomposition and formal proof obligations. In provenance hunting and anti-forensic reconstruction, it is between attack intent and damaged or semantically indirect telemetry. In graph pursuit, underwater hunting, and complementary-team allocation, it is between hidden target state and coordinated pursuit or servicing.
This suggests that the term’s enduring utility is architectural rather than taxonomic. It marks problems where raw observability is insufficient, where direct search is brittle, and where correctness or admissibility must be restored by an additional mechanism: SMID validation in accelerators, machine-checked Qed discipline in Megalodon, causal and temporal filtering in provenance hunting, or verifier-grounded ontology constraints in anti-forensic trace reconstruction. There is therefore no single “DeputyHunt algorithm.” Instead, the term functions as a cross-domain label for hunting or reconstruction under semantic asymmetry, with validation rules determining whether the recovered path, proof, or action is acceptable.