Search papers, labs, and topics across Lattice.
This paper establishes a finite-state semantics for layered cybersecurity pipelines by introducing a layer-order automaton and deterministic sequential security transducers, allowing for a formal understanding of how the order of transformations affects security fact visibility. The authors analyze HTTP request desynchronization to illustrate how different processing orders can lead to varying detection outcomes, thereby highlighting the critical role of framing evidence in decision-making layers. Key findings reveal that while certain regular policies can be recognized, they may not be deployable as enforcers, providing a nuanced understanding of order-sensitive security failures in layered systems.
Layer order in cybersecurity pipelines can dramatically alter the visibility of security facts, with implications for how we design and audit layered enforcement systems.
Layered cybersecurity pipelines transform evidence before they decide on it, and the order of those transformations determines which security facts become visible to which layer. This paper gives layer order a finite-state semantics built from a layer-order automaton, deterministic sequential security transducers, evidence markers, and a final decision automaton. The worked case is HTTP request desynchronization: front-end and back-end processors compute incompatible request boundaries, and the same trace is detected or missed according to whether framing evidence reaches the parser-differential layer before it commits. The results separate completed-trace recognition, online editing, decision synthesis, and faithful enforcement; characterize faithful online enforcement as the regular prefix-closed case under causal visibility; and show that regular policies beyond that boundary remain recognizable without becoming deployable enforcers. The framework is monolithically equivalent to finite-output deterministic edit automata, while preserving layer-local invariants such as marker birth, marker survival, and reorder-sensitive visibility. A concrete parser-pair semantics identifies the forbidden marker factor with CL.TE, TE.CL, TE.TE, and HTTP/2-downgrade boundary disagreement under the stated abstraction, and a contextual reorder congruence classifies which component permutations induce the same decision language. The result is an automata-theoretic account of order-sensitive security failures and a compositional vocabulary for auditing, synthesizing, and comparing layered enforcement pipelines.