medOS ultra

Publication

RUDS: Rogue User Detection System — platform-wide behavioral threat detection across 16 services

2026-05-10PublicationSecurity

A behavioral threat-detection design unifying four audit-log silos, with 17 seed rules, two-tier scoring, and an AI second opinion under hard clinical constraints.

RUDS is a platform-wide behavioral threat-detection design that consolidates four separate audit-log silos into one events hypertable.

A rule engine with JSON predicates — the same shape as the policy-gate and CDS engines — drives a two-tier scorer: an inline check under 50ms plus a nightly batch, against a per-user behavioral baseline.

Seventeen seed rules span credential abuse, exfiltration, snooping, escalation, and off-hours access. An AI second opinion can promote novel patterns, but under hard constraints: it cannot block, cannot escalate to the top tier, and never sees PHI.

Ask Anything