Forensic malware analysis that explains itself. Three independent analytical lenses.
Three simultaneous 3D terrain visualisations. One plain-English verdict.
EAIVP is a forensic malware analysis platform built around the principle that a security verdict is only as useful as the explanation behind it. Every file submitted to the platform is analysed simultaneously through three independent analytical lenses, each examining the file from a different perspective. The results are rendered as live 3D terrain visualisations and compiled into a professional forensic PDF report — with every finding explained in plain English.
The platform is designed for cybersecurity professionals, SOC analysts, legal teams, and compliance functions who need to understand why a file is suspicious, not just that it is.
EAIVP is positioned for compliance with EU AI Act Article 15, which requires that AI systems used in high-risk contexts provide meaningful explanations of their outputs. Every verdict produced by the Aletheia Prism includes a full forensic narrative traceable to the specific signals that triggered it.
The core of EAIVP is the Aletheia Prism: three analytical lenses that run simultaneously and independently, each targeting a different signal domain within the file under examination. No single lens determines the verdict — the combined result is a triad analysis that is substantially harder to evade than any single-signal approach.
Analyses the raw byte distribution of the file using Shannon entropy to detect the statistical fingerprint of encryption, packing, and obfuscation. Augmented with YARA signature matching to identify known malware patterns directly within the byte stream.
Visualised as a 3D terrain heightmap: height represents local entropy. Flat plateaus indicate uniform or compressed regions. Sharp peaks signal high-entropy areas consistent with encrypted payloads or packed code.
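As an added illustration (not EAIVP's own code), the kind of sliding-window Shannon entropy profile a heightmap like this is built from, run over a constructed file image with a zero-filled region, an ASCII text region and a pseudo-random payload. Window size, step and the plateau/peak thresholds are this example's assumptions.

```python
import math
import random

def shannon_entropy(chunk):
    """Shannon entropy of a byte string in bits per byte: 0.0 for a constant run, 8.0 max."""
    n = len(chunk)
    if n == 0:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def entropy_profile(data, window=1024, step=256):
    """Sliding-window entropy: one 'height' per window, i.e. one row of the terrain heightmap."""
    last_start = max(len(data) - window, 0)
    return [shannon_entropy(data[i:i + window]) for i in range(0, last_start + 1, step)]

def describe(height):
    """Terrain legend used by this example (thresholds are assumptions, not the platform's)."""
    if height < 1.0:
        return "flat plateau (zero-fill or uniform bytes)"
    if height < 7.0:
        return "rolling terrain (text, code, structured data)"
    return "sharp peak (packed or encrypted-looking payload)"

# constructed file image: zero padding, then ASCII text, then a pseudo-random payload
rng = random.Random(1)
PADDING = bytes(4096)
TEXT = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
PAYLOAD = bytes(rng.getrandbits(8) for _ in range(4096))   # stand-in for an encrypted blob
SAMPLE = PADDING + TEXT + PAYLOAD

if __name__ == "__main__":
    for i, h in enumerate(entropy_profile(SAMPLE)):
        print(f"offset {i * 256:6d}: {h:4.2f} bits  {describe(h)}")
```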
Interprets the file as pixel data and analyses its RGBA channel structure and LSB (Least Significant Bit) distribution. Detects steganographic content and structural anomalies that are invisible to entropy analysis. Applicable to image files and certain binary formats.
Visualised as a 3D dot-cloud: each point represents a pixel. Distribution shape reveals structural regularity or anomaly.
Applies Welch Power Spectral Density and temporal analysis to the file's byte sequence, treating it as a signal. Measures spectral flatness, resonance, and depth to identify the near-random distribution characteristic of encrypted or packed executables — even in cases where entropy alone is inconclusive.
Visualised as a 3D wave-surface terrain in a distinctive purple palette: a near-flat, high-amplitude surface is the spectral signature of encryption.
Measured on a 324-sample, 33-family PE corpus sourced from MalwareBazaar. All figures are leave-one-out, pre-registered against an 8.3% majority-class baseline, and dedup-robust (17.9% of the raw corpus were near-duplicates; effective n = 266 unique samples).
| Metric | Value |
|---|---|
| Family characterisation (k=1) | 49.2% [95% CI 43.3–55.2%] on 266 deduplicated samples |
| Chance baseline | 8.3% (majority class) → roughly 5.9× lift over chance (49.2 / 8.3) |
| Corroboration | 47.2% [33.0–50.3%] independent twin-suppressed method |
| Novelty (open-set, LOFO) | 23.8% recall @ 5.3% false-alarm rate |
| Benign false-positive floor | 0 / 91 on benign proof run |
Leave-one-out, pre-registered against baseline, dedup-robust.
The /reports folder contains four real forensic reports generated by the platform. These demonstrate the full output across different file types and threat levels.
| Report | File Type | Combined Verdict | Notes |
|---|---|---|---|
| 01_clean_png.pdf | PNG image | LOW | All three lenses active. Low entropy, no anomaly flags. |
| 02_clean_zip.pdf | ZIP archive | MEDIUM | See note below. |
| 03_WannaCry_dll.pdf | DLL | CRITICAL | Lens A HIGH + Lens C CRITICAL. Spectral flatness 0.9102. |
| 04_LockBit_exe.pdf | EXE | CRITICAL | Lens A CRITICAL (90.6%) + Lens C CRITICAL (98.6%). |
The 02_clean_zip.pdf report analyses a clean, benign ZIP file and returns a MEDIUM verdict. This is intentional and expected — it is not a false positive in the traditional sense.
ZIP compression inherently introduces a degree of spectral randomness: the DEFLATE algorithm produces a byte distribution that shares statistical characteristics with encrypted content. Lens C (Signwave) correctly identifies this elevated spectral flatness and flags it honestly. The forensic narrative in the report explains this distinction clearly.
This behaviour is by design. The platform's role is to surface anomalies and explain them — not to suppress signals because they are inconvenient. A SOC analyst reviewing a compressed archive flagged at MEDIUM is exactly the intended workflow: the report gives them the evidence to investigate, not a false sense of security. The combined verdict system and the plain-English narrative distinguish this type of result from a genuine CRITICAL finding.
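An added example (not the Signwave lens's implementation) covering both the spectral lens described earlier and the ZIP note above: a Welch power-spectral-density estimate and the resulting spectral flatness, computed over constructed byte sequences. It shows why a DEFLATE stream scores near-white, like a ciphertext stand-in, while a structured data table does not; the segment length, Hann window and all sample data are this example's assumptions.

```python
import math
import random
import zlib

def welch_psd(data, seg=64):
    """Welch PSD of a byte sequence: average of Hann-windowed, mean-removed,
    50%-overlapping segment periodograms (stdlib-only DFT; DC and Nyquist dropped)."""
    if len(data) < seg:
        raise ValueError("need at least one full segment")
    hann = [0.5 - 0.5 * math.cos(2 * math.pi * i / (seg - 1)) for i in range(seg)]
    twiddle = [[(math.cos(2 * math.pi * k * i / seg), math.sin(2 * math.pi * k * i / seg))
                for i in range(seg)] for k in range(1, seg // 2)]
    psd = [0.0] * len(twiddle)
    starts = range(0, len(data) - seg + 1, seg // 2)
    for s in starts:
        chunk = data[s:s + seg]
        mean = sum(chunk) / seg
        x = [(b - mean) * w for b, w in zip(chunk, hann)]
        for j, tw in enumerate(twiddle):
            re = sum(v * c for v, (c, _) in zip(x, tw))
            im = sum(v * si for v, (_, si) in zip(x, tw))
            psd[j] += (re * re + im * im) / seg
    return [p / len(starts) for p in psd]

def spectral_flatness(data, seg=64):
    """Geometric mean / arithmetic mean of the PSD: 1.0 is white noise (how ciphertext
    and DEFLATE output look), values near 0 mean tonal, structured bytes."""
    psd = [p + 1e-9 for p in welch_psd(data, seg)]   # floor keeps log() finite on pure tones
    geo = math.exp(sum(math.log(p) for p in psd) / len(psd))
    return geo / (sum(psd) / len(psd))

# --- constructed samples; none of this comes from a real file ---
rng = random.Random(2024)
WORDS = ["accepted", "publickey", "for", "from", "port", "session", "opened",
         "closed", "failed", "password", "invalid", "user"]
LOG_TEXT = "".join(
    f"12:{i % 60:02d}:{(i * 7) % 60:02d} host sshd[{1000 + i}]: "
    + " ".join(rng.choice(WORDS) for _ in range(rng.randint(4, 8))) + "\n"
    for i in range(200)).encode()
DEFLATED = zlib.compress(LOG_TEXT, 9)                 # bytes of a ZIP member on disk
CIPHERTEXT_LIKE = bytes(rng.getrandbits(8) for _ in range(len(DEFLATED)))
# little-endian uint32 pointer table: stand-in for a structured data section
TABLE = b"".join((0x00401000 + 4 * i).to_bytes(4, "little") for i in range(1024))

if __name__ == "__main__":
    for name, blob in (("structured table", TABLE), ("DEFLATE stream", DEFLATED),
                       ("ciphertext-like", CIPHERTEXT_LIKE)):
        print(f"{name:17s} flatness={spectral_flatness(blob):.3f} ({len(blob)} bytes)")
```

The flatness of the DEFLATE stream lands close to the ciphertext stand-in, which is exactly the "elevated spectral flatness" the ZIP report surfaces as MEDIUM.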
Every analysis produces a structured PDF forensic report containing:
- Case reference and timestamp
- Combined Aletheia Prism verdict with confidence level
- Per-lens breakdown (verdict, confidence, key metrics)
- File metadata including SHA-256 hash for chain-of-custody
- Per-lens 3D terrain visualisation captures
- Full AI-generated forensic narrative in plain English
- Threat indicators summary
- Recommended action
Reports are generated by Librarian_v2.0 and are suitable for use in security incident documentation, legal proceedings, and compliance audit trails.
Three common evasion techniques were tested against the platform:
UPX packing (clean executable): No false positive triggered. The platform correctly contextualises packer signatures for known installer formats.
Dictionary padding (WannaCry DLL): Entropy evasion succeeded — padding reduced the entropy signal. YARA signatures were unaffected at all padding ratios. The multi-signal approach means padding entropy does not defeat the platform.
Archive nesting (WannaCry in zip-in-zip): Nesting increases entropy into the CRITICAL range, making this a self-defeating evasion technique. YARA is blind to zip layers; entropy compensates.
The key finding: evasion techniques that defeat entropy analysis do not defeat YARA, and vice versa. No single evasion technique defeated the multi-signal triad.
EAIVP is not designed to compete with enterprise EDR platforms on detection volume. It occupies a different niche: making AI-assisted threat analysis visually comprehensible, legally defensible, and regulatorily compliant.
| Capability | EAIVP | Enterprise EDR |
|---|---|---|
| Visual explainability | 3D terrain across 3 lenses | Dashboard scores |
| EU AI Act Article 15 | Built-in by design | Black-box ML |
| Forensic narrative | Plain-English per-signal | Alert logs |
| Analyst clarity | Shows WHERE in the file | IOC list |
| AI transparency | Deterministic signals + separated LLM layer | Opaque model |
| Corpus scope | 33 families, 266 deduplicated PE samples | Billions of events |
▶ WannaCry Live Analysis — 16 seconds
EAIVP is a research and portfolio platform. It is not commercially available. Source code is proprietary and not included in this repository.
This showcase repository contains sample forensic reports and performance documentation only.
Current state: ~78% complete. Characterisation and PDF reporting pipeline validated. Automated malware harvesting active.
Lawrence Cue — Independent Developer, Mensor XAI
Ashford, Kent, UK
All rights reserved. © 2026 Mensor XAI / Lawrence Cue.
The forensic report PDFs in /reports are provided for demonstration purposes only. No source code is included in this repository. The Aletheia Prism architecture, analysis methodology, and all associated software remain proprietary.
EAIVP — Aletheia Prism · Mensor XAI · England and Wales