Evolaris: Self-Evolving Threat Analysis System

• Evolaris is a dynamic self-evolving threat analysis platform that integrates multi-agent intelligence processing from diverse formal, informal, and underground sources.
• It employs a modular workflow with specialized agents—Discovery, Interpretation, Gap Completion, Validation, and Risk Detection—to capture, interpret, and validate threat intelligence.
• System performance metrics, including F1 scores around 0.89 and high throughput levels, demonstrate robust scalability and reduced false positives through continual adaptive learning.

Evolaris is a self-evolving software intelligence system for threat analysis, designed to autonomously capture, interpret, and respond to dynamically emerging security threats across diverse and fragmented data sources. It employs a multi-agent architecture coordinated over a shared, versioned context store, enabling robust knowledge acquisition, reasoning, validation, and risk management. Evolaris integrates formal, informal, and underground intelligence, adapts its analytical models, and refines detection logic to sustain high performance and situational awareness in the evolving software security landscape (Liu et al., 6 Oct 2025).

1. Multi-Agent Architecture and Coordination

Evolaris operates as a collective of five specialized agents communicating via a lightweight Pub/Sub bus over a context store implemented as a versioned JSON-LD or RDF graph database. Each agent executes a distinct phase of the threat intelligence workflow:

• DiscoveryAgent: Continuously crawls and filters threat documents from over 30 authoritative sources (NVD, OSV, Snyk, GitHub Advisory) and >100 open-web venues (vendor blogs, forums, social media). Annotated raw documents are injected into the context store.
• InterpretationAgent: Performs named-entity recognition (NER) and relation extraction, aligns findings to an evolving ontology, and merges knowledge into per-case graphs.
• GapCompletionAgent: Identifies missing intelligence fields (e.g., severity, exploit condition) using a learned meta-model; infers or looks up missing facts by analogy across similar cases.
• ValidationAgent: Generates or retrieves proof-of-concept (POC) test cases, provisions minimal runtime containers, executes POC scenarios, and collects validation evidence.
• RiskDetectionAgent: Applies both rule-based and LLM-enhanced reasoning over validated graphs to classify risks, compute scores, and update detection logic.

Agent outputs are structured as JSON-LD documents or RDF triples and published to context-linked topics (“doc:raw,” “case:partial,” “case:enriched,” “case:validated,” “alert:risk”).

Agent	Primary Task	Input/Output Channel
DiscoveryAgent	Crawl/filter threat docs	“doc:raw”
InterpretationAgent	NER, relation extraction, ontology merge	“case:partial”
GapCompletionAgent	Infer missing intelligence fields	“case:enriched”
ValidationAgent	Execute/observe POC threats	“case:validated”
RiskDetectionAgent	Risk classification, rule update	“alert:risk”

This modular agent composition supports horizontal scalability, with each agent type running 3–5 replicas in a container cluster, and facilitates dynamic plasticity in intelligence processing pipelines (Liu et al., 6 Oct 2025).

2. Formal Self-Evolution Model

Evolaris conceptualizes its state as a knowledge graph $K_t = (V_t, E_t, W_t)$ at time $t$:

• $V_t$: Entities (software components, vulnerabilities, exploits, authors).
• $E_t \subseteq V_t \times R \times V_t$: Typed relations (“affects,” “hasPOC,” “hasSeverity”).
• $W_t: V_t \cup E_t \rightarrow \mathbb{R}$: Confidence weight function.

New intelligence $I_t$ initiates updates: $$\Delta K_t = \text{Discover}(I_t) \cup \text{Interpret}(I_t, K_t) \cup \text{Complete}(I_t, K_t) \cup \text{Validate}(I_t, K_t)$$

$K_{t+1} = K_t \cup \Delta K_t$

Confidence weights are refined via Bayesian-style smoothing: $$w_{t+1}(x) = \alpha \cdot w_t(x) + (1-\alpha) \cdot \text{conf}_{t+1}(x)$$ where $\text{conf}_{t+1}(x)$ is the agent’s updated confidence and $\alpha \in [0,1]$ modulates decay.

Threat documents $d$ are parsed into triples $T(d) = \{(s, p, o)\}$; new triples augment the graph while existing ones update their confidence. Attributes absent from initial discovery are filled by analogy: $$\text{infer}(v.\text{attr}) = \arg\max_a P(\text{attr} = a \mid \text{similarCases})$$ This model enables continual learning and incremental adaptation to new threat semantics, source types, and detection paradigms.

3. Agent Algorithms and Workflow

Each agent’s procedural logic is formalized in pseudocode:

• DiscoveryAgent iterates over seed and newly discovered sources; for each URL, fetches, link-extracts, relevance-filters, and enqueues documents. Extracted references become new seeds.
• InterpretationAgent triggers on “doc:raw”, executes NER and relation extraction, builds and aligns subgraphs, merges results, and publishes “case:partial”.
• GapCompletionAgent operates on “case:partial”, identifies missing meta-model slots, infers candidates via analogy, and outputs “case:enriched” after confidence filtering.
• ValidationAgent receives “case:enriched”, generates/retrieves POC, spins up minimal environments, executes POC, annotates results, and publishes “case:validated”.
• RiskDetectionAgent handles “case:validated”, extracts graph features, applies rule-based and LLM-enriched risk scoring, publishes high-risk alerts, mines new rules, and refines detection logic.

This tightly coupled full-stack pipeline is governed by context-based publish/subscribe topics, strict JSON/RDF formats, and versioned branching for traceability (Liu et al., 6 Oct 2025).

4. Data Structures, Formats, and Communication

Evolaris standardizes data interchange and storage using:

• Document Schema:

{ "docId": UUID, "url": string, "source": enum, "timestamp": ISO8601, "text": string, "metadata": { headers, author, ... } }

• Entity / Node:

{ "id": URI, "type": {Vulnerability, Package, Exploit, ...}, "attributes": { name, cveID, cvss, description, ... }, "confidence": float }

• Relation / Edge:

{ "source": Entity.id, "predicate": string, "target": Entity.id, "confidence": float }

• Agent Messages: JSON envelopes for transmitting Document, Subgraph, EnrichedCase, ValidatedCase, and Alert.

The context store supports versioning and branching to enable consistent state tracking and rollback, and utilizes Neptune/Blazegraph for high-throughput graph operations. Message exchange is mediated by a Kafka-based Pub/Sub system, facilitating scalable parallel agent deployments.

5. System Performance, Scalability, and Adaptability

Preliminary experimental evaluation demonstrates:

• Integration of >30 authoritative and >100 open-web sources.
• Processing of 260,000+ distinct vulnerabilities and 30,000+ malicious-code samples.

Threat metadata extraction performance:

• Named-entity & relation extraction: $P \approx 0.87$, $R \approx 0.91$, $F_1 \approx 0.89$.
• Gap completion accuracy (inferred fields): $\approx 0.82$.

Timeliness and scalability:

• Median latency (informal mention to risk alert): $\approx$ 2 hours.
• DiscoveryAgent batch throughput: $\approx$ 5,000 docs/hour per replica.

Adaptability and self-evolution:

• Integration of 18+ vulnerability sources into a unified meta-model.
• Automatic rule refinement yields a $\approx$ 15% reduction in false positives over three months of continual operation.

This suggests that Evolaris achieves operational robustness in dynamic threat environments and provides sustained accuracy and efficiency during large-scale deployments (Liu et al., 6 Oct 2025).

6. Use Case: End-to-End Threat Signal to Actionable Alert

A typical scenario involves informal blog-based threat intelligence escalation:

1. DiscoveryAgent: Crawls sources (e.g., Medium.com) and identifies a post describing an undisclosed Python-package backdoor. The document is filtered and queued as potential threat intelligence.
2. InterpretationAgent: Extracts entities (e.g., packageName=“stealer123”, function=“exfiltrate_passwords”), constructs relations (e.g., (stealer123, “executes”, exfiltrate_passwords)), and aligns nodes with existing package ontologies or creates new nodes.
3. GapCompletionAgent: Detects missing attributes (“CVE_ID”, “affectedVersions”), searches analogous cases, infers vulnerable versions ($\geq$1.2.0), and generates candidate CVE stubs.
4. ValidationAgent: Crafts a minimal Docker environment (Python 3.9 + stealer123==1.3.1), creates and runs a POC script to trigger suspicious activity, and confirms validation via observed exfiltration effects.
5. RiskDetectionAgent: Extracts relevant features (validation status, sensitive operations, patch state), combines rule-based and LLM reasoning scores ($9.2/10$), issues a risk alert, and updates detection rules to flag similar package patterns in future analyses.
6. Self-Evolution: New detection rules and ontology entries are injected back into system context, enabling rapid prioritization and improved signal capture on subsequent relevant findings.

This end-to-end workflow demonstrates how Evolaris operationalizes informal, fragmented signals into actionable, validated security intelligence while continuously refining its analytical and detection frameworks (Liu et al., 6 Oct 2025).

7. Contextual Significance and Future Implications

Evolaris establishes a sustainable foundation for proactive software security management in distributed and adversarial environments. Its multi-agent, self-evolving design supports:

• Early aggregation and rigorous validation of intelligence from formal and informal sources.
• Ongoing adaptation to emerging threat patterns and data modalities.
• Systemic reduction of false positives through continual rule refinement and meta-model updates.

A plausible implication is the enablement of accelerated situational awareness and timely security response across enterprise, open-source, and underground digital ecosystems. Evolaris’s architecture and performance metrics position it as a viable framework for future automated software threat intelligence platforms (Liu et al., 6 Oct 2025).