1. The False Positive Problem
A recurring problem in anomaly detection systems is chronic false positive fatigue: when the legitimate workload changes permanently — a new version is deployed that consumes more memory, a microservice is migrated to the node, the user base grows organically — the detector continues signaling anomaly indefinitely, because the current state deviates from a baseline that no longer represents reality.
Without Habituation
- Deploy v2.0 uses 20% more memory
- DM rises and stays elevated
- Alert fires — operator investigates
- "It's the new version, ignore it"
- Alert fires again tomorrow…
- Operator silences the alert
- Real anomaly occurs — nobody notices
- → Alert fatigue → missed incident
With Habituation
- Deploy v2.0 uses 20% more memory
- DM rises and stays elevated
- HOSA detects stable plateau
- Pre-conditions verified (30 min)
- Baseline recalibrated to new normal
- DM returns to low values
- Real anomaly → immediately detected
- → Zero alert fatigue → full sensitivity
The challenge is distinguishing between two superficially identical states:
- Legitimate plateau shift — the workload genuinely changed, the system is healthy at its new operating point, and the baseline should be updated (Regime +1).
- Pathological stabilization — an attacker has established persistent presence and is consuming resources at a steady rate, or a progressive failure has reached a plateau just before collapse (Regime +3 or +4).
Both produce the same signature: elevated DM with derivative near zero. The difference lies in the structural indicators — the covariance structure, the syscall distribution, the propagation index — which distinguish benign change from pathology. These indicators form the formal pre-conditions for habituation.
2. Biological Inspiration — Neuroplasticity
In neuroscience, habituation is the simplest form of non-associative learning: a decrease in response to a stimulus that is repeatedly presented without reinforcement [1]. When you put on a watch, you feel it on your wrist for a few minutes. Then the sensation fades — not because the watch was removed, but because your nervous system learned that the stimulus is persistent, non-threatening, and can be safely ignored.
The biological mechanism is synaptic depression: repeated activation of the same sensory pathway reduces the synaptic transmission efficiency, effectively raising the threshold for that stimulus. Critically, habituation is stimulus-specific: habituating to the watch on your wrist does not reduce sensitivity to a bee sting on the same wrist.
HOSA's habituation mechanism mirrors these properties:
| Biological Property | HOSA Implementation |
|---|---|
| Repeated, non-threatening stimulus | Elevated DM with derivative ≈ 0 for sustained period, no system failures (no OOM, no crash, no timeout) |
| Specificity | Habituation recalibrates μ and Σ — sensitivity to new deviations from the updated baseline is fully preserved |
| Dishabituation | If a novel stimulus appears (covariance deformation, syscall entropy shift), habituation is blocked and full sensitivity is restored |
| Context-dependence | Habituation can occur within a specific temporal segment without affecting other segments (seasonal profiles) |
"HOSA adapts to legitimate variation but refuses to normalize pathology. The distinction is not philosophical — it is mathematical: pathology deforms the covariance structure; legitimate change preserves it."
3. Mechanism — Weighted Welford Decay
3.1. Exponential Decay of Historical Weights
HOSA's standard baseline accumulation uses the Welford algorithm (see §3 — Welford), which treats all historical samples with equal weight. For habituation, HOSA switches to a weighted variant that applies exponential decay to older samples:
Where:
- t — current time
- τ — time at which the sample was collected
- λ — decay rate, controlling how quickly old samples lose influence (higher λ = faster adaptation, lower λ = more conservative)
The effect is that recent samples receive progressively more weight in the computation of μ and Σ, while older samples (from the pre-change baseline) gradually lose influence. The baseline drifts toward the new operating point over a configurable time horizon.
3.2. The Recalibration Process
Habituation is not an instantaneous event — it is a gradual process that unfolds over the stabilization period:
- Detection of stability. HOSA detects that DM has been elevated but stable (|dD̄M/dt| < εd) for a sustained period.
- Pre-condition verification. All formal pre-conditions (§4) are checked continuously. If any pre-condition fails, the habituation timer resets.
- Weighted accumulation begins. Once the minimum stabilization time Tmin (default: 30 minutes) is reached with all pre-conditions continuously satisfied, HOSA activates exponential decay weighting on the Welford accumulators.
- Gradual convergence. Over the next decay period (typically 2–3× the half-life = ln(2)/λ), the baseline μ and Σ converge toward the statistics of the new operating regime.
- Completion. When DM computed against the updated baseline drops below θ₁, the recalibration is considered complete. The new baseline is the baseline. Normal Welford (equal-weight) accumulation resumes.
The weighted Welford variant maintains the same O(n²) memory footprint as the standard algorithm. No data windows are stored — only the running weighted mean, weighted co-moment matrix, and effective sample count are maintained. For n = 10 dimensions, the entire habituation state occupies approximately 900 bytes.
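A sketch of the decayed accumulator described in this section, added here as an illustration and not taken from HOSA's code. It assumes each sample's weight is exp(−λ(t − τ)), realised by ageing the accumulated state on every update; the class and function names, the 60 s half-life and the sample data are constructed.

```python
import math


class DecayedWelford:
    """Streaming mean / co-moment accumulator with exponential forgetting.

    State is n + n*n + 1 numbers (mean, co-moment matrix, effective count);
    no window of samples is kept.
    """

    def __init__(self, dim, lam=0.0):
        self.dim = dim
        self.lam = lam          # decay rate λ in 1/s; 0.0 gives equal-weight Welford
        self.weight = 0.0       # effective sample count (sum of decayed weights)
        self.mean = [0.0] * dim
        self.comoment = [[0.0] * dim for _ in range(dim)]
        self.last_t = None

    def update(self, x, t):
        # Age everything already accumulated by exp(-λ·Δt). Scaling the weight
        # sum and the co-moments by the same factor leaves the mean unchanged.
        if self.last_t is not None and self.lam > 0.0:
            decay = math.exp(-self.lam * max(0.0, t - self.last_t))
            self.weight *= decay
            for row in self.comoment:
                for j in range(self.dim):
                    row[j] *= decay
        self.last_t = t
        # Fold in the new sample with weight 1 (weighted Welford update).
        self.weight += 1.0
        d_old = [xi - mi for xi, mi in zip(x, self.mean)]
        self.mean = [mi + di / self.weight for mi, di in zip(self.mean, d_old)]
        d_new = [xi - mi for xi, mi in zip(x, self.mean)]
        for i in range(self.dim):
            for j in range(self.dim):
                self.comoment[i][j] += d_old[i] * d_new[j]

    def covariance(self):
        # Weighted (population-style) covariance estimate.
        return [[c / self.weight for c in row] for row in self.comoment]


def replay_plateau_shift(lam):
    """Constructed data: 600 s at mem ~52 %, then 600 s at mem ~61 %, 1 sample/s.
    Dimensions are (mem_used %, cpu %); cpu jitter tracks mem jitter throughout."""
    jitter = [(-1.0, -0.5), (0.0, 0.0), (1.0, 0.5)]
    acc = DecayedWelford(dim=2, lam=lam)
    for t in range(1200):
        mem_level = 52.0 if t < 600 else 61.0
        dm, dc = jitter[t % 3]
        acc.update((mem_level + dm, 30.0 + dc), float(t))
    return acc


HALF_LIFE_S = 60.0                       # constructed value, not a HOSA default
equal = replay_plateau_shift(0.0)
decayed = replay_plateau_shift(math.log(2) / HALF_LIFE_S)

if __name__ == "__main__":
    print("equal-weight mean:", equal.mean)     # stuck between the two plateaus
    print("decayed mean:     ", decayed.mean)   # converged on the new plateau
    print("decayed cov:      ", decayed.covariance())
```

With equal weights the baseline mean settles halfway between the old and new plateau and the memory variance is inflated by the step; with decay the mean reaches the new plateau while the mem/cpu co-moment keeps its sign.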
4. Formal Pre-Conditions
Baseline recalibration is permitted if and only if all of the following conditions are satisfied simultaneously and continuously for the entire stabilization period:
|dD̄M/dt| < εd (stabilization — derivative near zero)
∧ ρ(t) < ρthreshold (covariance structure preserved)
∧ ΔH(t) < ΔHthreshold (syscall distribution stable)
∧ ICP(t) < ICPthreshold (no propagation behavior)
∧ DM(t) < DM,safety (plateau below safety ceiling)
∧ tstable > Tmin (sustained stabilization, default: 30 min)
∧ temporal coherence of φ(t) (if φ < 0, coherent with seasonal profile)
Each pre-condition addresses a specific failure mode of naïve habituation:
| Pre-Condition | Failure Mode Prevented | Metric |
|---|---|---|
| Stabilization | Habituating to a still-growing anomaly (memory leak that hasn't yet reached plateau) | |dD̄M/dt| < εd |
| Covariance preserved | Habituating to adversarial activity that deforms the correlation structure (cryptominer, DDoS) | ρ(t) < ρthreshold |
| Syscalls stable | Habituating to a compromised process that has altered the system call profile | ΔH(t) < ΔHthreshold |
| No propagation | Habituating to a worm or lateral movement that has established steady-state propagation | ICP(t) < ICPthreshold |
| Safety plateau | Habituating to a state dangerously close to resource exhaustion (92% memory is not a "new normal") | DM(t) < DM,safety |
| Sustained | Habituating to a transient spike that happens to be briefly stable | tstable > Tmin |
| Temporal coherence | Habituating to anomalous silence (Regime −3) by misclassifying it as idleness | φ(t) coherent with seasonal profile |
If any single pre-condition fails at any point during the stabilization period, the habituation timer resets to zero. The process must restart from the beginning, with all conditions continuously satisfied for the full Tmin duration.
The conjunction (∧) of all pre-conditions is a deliberate design decision. A system where covariance is preserved but the propagation index is elevated must not habituate — the preserved covariance might be coincidental while the propagation behavior represents a real threat. The bar for habituation is intentionally high: all indicators must simultaneously confirm that the deviation is benign.
5. Habituation Across the Regime Spectrum
The interaction between regimes and habituation follows a symmetric pattern centered on homeostasis: habituation is permitted in the central regimes and blocked at the extremes.
5.1. Permitted Regimes (−2 to +2)
| Regime | Habituation Policy | Rationale |
|---|---|---|
| −2 Structural Idleness | Permitted (with persistent FinOps flag) | The node is permanently over-provisioned. Habituating eliminates false positives from chronic low utilization. However, the FinOps signaling remains active — HOSA stops alerting but continues reporting the waste. |
| −1 Legitimate Idleness | Incorporated into seasonal profiles | Nighttime idleness is not an anomaly — it is the normalcy of that temporal segment. Each segment accumulates its own baseline. |
| 0 Homeostasis | N/A (is the baseline) | No habituation needed — this is the reference state. |
| +1 Plateau Shift | Permitted if all pre-conditions satisfied | This is the primary use case for habituation. A new deploy or organic growth has shifted the operating point. The system is stable, healthy, and the covariance structure is preserved. |
| +2 Seasonality | Intra-segment | Habituation occurs within each temporal segment, not globally. The Monday-morning peak has its own baseline; the Saturday-night valley has its own baseline. |
5.2. Blocked Regimes (−3, +3 to +5)
| Regime | Habituation Policy | Rationale |
|---|---|---|
| −3 Anomalous Silence | Blocked | A server that should be active and isn't represents a potential failure or compromise. HOSA does not adapt to unexplained silence. |
| +3 Adversarial | Blocked | The covariance deformation ratio ρ(t) exceeds the threshold. The structural fingerprint of the system has been altered. An attacker who establishes persistent presence must never be able to "train" the detector into accepting the intrusion as normal. |
| +4 Local Failure | Blocked while derivative positive | A monotonically growing anomaly (memory leak, disk degradation) is a progressive failure, not a new normal. Habituation is only considered if the failure stabilizes and the system transitions to Regime +1. |
| +5 Viral Propagation | Categorically blocked | Propagation behavior (ICP > threshold) indicates active threat to other nodes. HOSA never habituates to propagation patterns, regardless of stability or duration. |
5.3. The Symmetry Principle
The pattern is symmetric: HOSA adapts to legitimate variation in the center of the spectrum but refuses to normalize pathology at the extremes. This reflects a fundamental principle: homeostasis is bidirectional equilibrium, not passive acceptance of any steady state.
6. Seasonal Profiles — The Digital Circadian Rhythm
Many workloads exhibit periodic temporal patterns: daily peaks and valleys, weekday/weekend differences, monthly cycles (payroll, accounting close), or annual events (Black Friday, holiday season). If HOSA operates with a single global baseline, these predictable variations are misclassified as anomalies — the morning peak triggers Level 1 every day, the overnight valley triggers sub-demand alerts every night.
HOSA solves this with temporal segmentation of the baseline: instead of maintaining a single (μ, Σ) pair, the agent maintains N baseline profiles indexed by temporal context — a digital circadian rhythm.
6.1. Periodicity Detection via Autocorrelation
The segmentation is determined automatically during the first weeks of operation through analysis of the autocorrelation function (ACF) of the DM time series:
- HOSA accumulates the DM(t) series for a minimum observation period (configurable, default: 7 days to detect weekly cycles).
- Computes the autocorrelation function ACF(τ) for the accumulated series.
- Identifies lags τ with statistically significant autocorrelation peaks (above a significance threshold derived from the series length).
- If a peak at lag = 24h is detected → daily cycle. If a peak at lag = 168h is detected → weekly cycle. Both may be present simultaneously.
- Segments the baseline profiles ℬ automatically into temporal windows corresponding to the detected periodicities.
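The periodicity check above as an added example (not HOSA's implementation). The 1.96/√N significance bound, the function names and the synthetic series are assumptions; the code also adds one check the page does not describe, rejecting a weekly cycle when the lag-168h peak is only a multiple of the daily period.

```python
import math


def acf(series, max_lag):
    """Biased sample autocorrelation r(0..max_lag) of a 1-D series."""
    n = len(series)
    mean = sum(series) / n
    dev = [v - mean for v in series]
    denom = sum(d * d for d in dev)
    if denom == 0.0:                      # flat series: no structure to find
        return [0.0] * (max_lag + 1)
    return [sum(dev[t] * dev[t + lag] for t in range(n - lag)) / denom
            for lag in range(max_lag + 1)]


def detect_cycles(dm_hourly):
    """Classify an hourly D_M series as having daily and/or weekly periodicity."""
    n = len(dm_hourly)
    if n <= 170:
        raise ValueError("need more than 170 hourly samples to examine lag 168")
    r = acf(dm_hourly, 169)
    bound = 1.96 / math.sqrt(n)           # assumed significance threshold

    def is_peak(lag):
        # Significant and a local maximum of the ACF.
        return r[lag] > bound and r[lag] > r[lag - 1] and r[lag] > r[lag + 1]

    daily = is_peak(24)
    # A purely daily signal also peaks at 168 h (7 x 24 h). Only call it weekly
    # when lag 168 stands above the neighbouring daily harmonic at 144 h.
    weekly = is_peak(168) and r[168] > r[144]
    return {"daily": daily, "weekly": weekly}


def synthetic_dm(days, weekend_dip):
    """Constructed hourly D_M: a daytime bump (06:00-18:00), optionally
    smaller on days 5 and 6 of each week."""
    out = []
    for h in range(days * 24):
        day, hod = divmod(h, 24)
        amp = 0.2 if (weekend_dip and day % 7 >= 5) else 0.8
        out.append(1.0 + amp * max(0.0, math.sin(math.pi * (hod - 6) / 12)))
    return out


if __name__ == "__main__":
    print(detect_cycles(synthetic_dm(21, weekend_dip=True)))
    print(detect_cycles(synthetic_dm(21, weekend_dip=False)))
```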
6.2. Temporal Segmentation
The set of baseline profiles is formalized as:
where wi represents the temporal window associated with profile i (e.g., "Monday–Friday, 08:00–12:00" or "Saturday, 00:00–08:00").
A typical server with daily and weekly patterns might produce:
| Segment | Window | Expected Behavior |
|---|---|---|
| 1 | Mon–Fri 08:00–12:00 | Morning peak — highest baseline |
| 2 | Mon–Fri 12:00–14:00 | Lunch dip — moderate baseline |
| 3 | Mon–Fri 14:00–18:00 | Afternoon activity — high baseline |
| 4 | Mon–Fri 18:00–08:00 | Overnight — low baseline |
| 5 | Sat–Sun 00:00–24:00 | Weekend — minimal activity |
Each segment accumulates its own independent μi and Σi via its own Welford accumulator.
6.3. Per-Segment Baseline Accumulation
When a new sample x(t) arrives, HOSA routes it to the Welford accumulator of the currently active temporal segment i(t). Only that segment's baseline is updated. This means:
- The Monday-morning baseline is only updated with Monday-morning data
- The weekend baseline is only updated with weekend data
- A permanent increase in Monday traffic recalibrates the Monday profile without affecting the weekend profile
6.4. Context-Indexed DM Calculation
At each instant t, the Mahalanobis Distance is calculated against the contextually appropriate baseline:
where i(t) is the index of the active baseline profile for time t.
Practical implication: The 09:00 Monday peak is compared against the "Monday 08:00–12:00" baseline — not against the "Sunday 03:00" baseline. This eliminates seasonal false positives without sacrificing detection sensitivity.
Temporal segmentation equally benefits sub-demand detection. The overnight valley accumulates its own low-activity baseline, allowing Regime −3 (Anomalous Silence) to be detected precisely when activity drops below what is expected for that specific time window. A drop at 03:00 is coherent with the overnight profile (Regime −1). The same drop at 10:00 on a Tuesday is incoherent (Regime −3).
7. Safety Guards Against Premature Habituation
Each formal pre-condition in the conjunction (Equation 2) functions as an independent safety guard against a specific class of premature or dangerous habituation. This section details the mechanism and rationale for each guard.
7.1. Covariance Preservation (ρ)
The Covariance Deformation Ratio ρ(t) measures whether the correlation structure between variables has changed — not just the magnitude of the variables:
Why this matters: A legitimate workload change (deploy v2.0 uses more memory) typically scales the covariance ellipsoid without deforming it — CPU and memory continue to correlate in the same direction, just at higher magnitude. An adversarial presence (cryptominer) deforms the ellipsoid — CPU rises without corresponding increases in application throughput, creating new correlations that don't exist in the legitimate profile.
When ρ(t) > ρthreshold, habituation is blocked regardless of stability. The agent will not learn to accept a deformed correlation structure as normal.
7.2. Syscall Stability (ΔH)
The change in Shannon entropy of the syscall distribution ΔH(t) detects whether the behavioral fingerprint of the system has changed at the kernel interface level:
where H(S, t) = −Σ pᵢ(t) log₂ pᵢ(t)
A legitimate workload change may alter resource consumption levels but typically preserves the type of operations — the same syscalls are called, just more frequently. Malicious activity often introduces new syscall patterns: connect() and sendto() for exfiltration, mmap() for cryptomining, fork()/exec() for propagation.
7.3. Propagation Absence (ICP)
The Propagation Behavior Index ICP(t) (see §3 — Supplementary Metrics) aggregates indicators of outbound propagation: connection explosion, destination entropy, anomalous forks, and correlation between DM and outbound traffic. When ICP exceeds its threshold, habituation is categorically blocked.
This guard is the most conservative: even if all other indicators appear benign, a high ICP indicates the node may be spreading a problem to other systems. Accepting this as the "new normal" would make HOSA complicit in the propagation.
7.4. Safety Plateau (DM,safety)
This guard prevents habituation to a state dangerously close to resource exhaustion. Stabilizing at 92% memory utilization is not a "new normal" — it is a system on the edge that has lost its safety margin.
DM,safety is set below θ₃ (the Active Containment threshold), ensuring that HOSA will never habituate to a state that would trigger containment if it were reached from homeostasis. The logic: if this state requires active containment when approached from below, it should not be accepted as baseline regardless of how long it persists.
7.5. Temporal Coherence (φ direction)
When the Load Direction Index φ(t) is negative (sub-demand), habituation requires that the idleness is coherent with the seasonal profile. Low activity at 03:00 is coherent and can be incorporated into the seasonal baseline. Low activity at 10:00 on a business day — when the seasonal profile predicts peak — is incoherent and may indicate Regime −3 (Anomalous Silence).
This guard prevents the dangerous scenario where a failed upstream stops sending traffic, the node becomes idle, and HOSA habituates to the silence, effectively hiding the failure from detection.
8. The Habituation Decision Flow
The complete decision process, evaluated at each sample cycle:
1. Is DM elevated?
2. Is the derivative stable?
3. All safety guards pass?
4. Sustained for Tmin?
✓ Activate Weighted Welford Decay
9. Walkthrough: Deploy with Higher Memory Footprint
This scenario illustrates the complete habituation lifecycle for a legitimate workload change.
Context:
- Node: api-server-12, 16GB RAM, stable for 2 weeks
- Event: Application v3.2 deployed — new caching layer adds ~1.5GB sustained memory usage
- Baseline: mem_used = 52% ± 4%, DM ≈ 1.0
| Time | Event | HOSA State |
|---|---|---|
| t=0 | Deploy v3.2 rolls out. Memory jumps from 52% to 61%. | DM spikes to 3.4. dDM/dt = +2.3. Level 0→1 (Vigilance). Sampling rate increased. |
| t=30s | Memory stabilizes at 61%. Application serving normally. | DM = 3.2. dDM/dt → 0. Derivative decelerating. Stays Level 1. |
| t=2min | New steady state confirmed. No errors, no timeouts. | DM = 3.1 (stable). dDM/dt ≈ 0. Level 1 maintained. ρ(t) = 0.08 (low — covariance preserved ✓); ΔH(t) = 0.02 (low — syscalls stable ✓); ICP(t) = 0.01 (low — no propagation ✓); DM < DM,safety ✓. Habituation timer starts. |
| t=5min | Brief CPU spike from background job. | dDM/dt briefly positive. Timer resets. All pre-conditions must be re-satisfied continuously. |
| t=6min | CPU spike subsides. All metrics stable again. | All pre-conditions re-satisfied. Timer restarts from zero. |
| t=36min | 30 minutes of continuous stability (from t=6min). | Tmin satisfied. Habituation activates. Weighted Welford decay begins. μ and Σ start drifting toward new operating point. |
| t=50min | Baseline converging. | DM (against updated baseline) = 1.8. Decreasing as baseline adapts. |
| t=70min | Convergence complete. | DM (against new baseline) = 0.9 < θ₁. Habituation complete. New baseline: mem_used = 61% ± 3%. Equal-weight Welford resumes. Level 1→0 (Homeostasis). Full detection sensitivity restored against new baseline. |
Key outcome: From the operator's perspective, HOSA briefly entered Vigilance during the deploy, confirmed the change was benign, adapted its baseline, and returned to homeostasis — all without human intervention, and without ever losing the ability to detect a genuine anomaly on top of the new workload.
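The pre-condition conjunction of §4 and the decision flow of §8, replayed over this walkthrough's timeline, as an added example that is not HOSA's own code. All threshold values except Tmin = 30 min, and every class, field and function name, are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Thresholds:
    # Constructed values; the page states only T_min = 30 min.
    theta1: float = 1.5       # below this, D_M is not elevated
    eps_d: float = 0.05       # bound on |dD_M/dt|
    rho_max: float = 0.30
    dh_max: float = 0.20
    icp_max: float = 0.10
    dm_safety: float = 6.0
    t_min: float = 1800.0     # seconds


@dataclass
class Sample:
    t: float
    dm: float
    ddm_dt: float
    rho: float
    dh: float
    icp: float
    phi: float = 1.0                 # load direction; negative = sub-demand
    seasonal_coherent: bool = True   # only consulted when phi < 0


class HabituationGate:
    def __init__(self, th):
        self.th = th
        self.stable_since = None     # start of the current unbroken stable run

    def failed_guards(self, s):
        th = self.th
        checks = {
            "stabilization": abs(s.ddm_dt) < th.eps_d,
            "covariance": s.rho < th.rho_max,
            "syscalls": s.dh < th.dh_max,
            "propagation": s.icp < th.icp_max,
            "safety_plateau": s.dm < th.dm_safety,
            "temporal_coherence": s.phi >= 0 or s.seasonal_coherent,
        }
        return [name for name, ok in checks.items() if not ok]

    def step(self, s):
        """Return (state, failed_guards) for one sample cycle."""
        if s.dm < self.th.theta1:            # nothing to habituate to
            self.stable_since = None
            return "idle", []
        failed = self.failed_guards(s)
        if failed:                           # any single failure zeroes the timer
            self.stable_since = None
            return "reset", failed
        if self.stable_since is None:
            self.stable_since = s.t
        # The walkthrough treats exactly T_min of stability as satisfied.
        if s.t - self.stable_since >= self.th.t_min:
            return "activate", []
        return "timing", []


def replay(rho):
    """Constructed 30 s samples from t=2 min to t=40 min on a stable plateau,
    with a derivative blip at t=5 min. Returns (resets, activation_time)."""
    gate, resets, activated = HabituationGate(Thresholds()), [], None
    for t in range(120, 2401, 30):
        blip = 300 <= t < 360
        s = Sample(t=t, dm=3.1, ddm_dt=0.4 if blip else 0.0, rho=rho, dh=0.02, icp=0.01)
        state, failed = gate.step(s)
        if state == "reset":
            resets.append((t, failed))
        elif state == "activate" and activated is None:
            activated = t
    return resets, activated
```

`replay(0.08)` reproduces the table: the timer is zeroed during the t=5min blip and activation lands at t=36min. `replay(0.45)` keeps the same stable plateau but fails the covariance guard on every cycle, so activation never occurs.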
10. Known Limitations
- Sophisticated adversarial evasion. An attacker who understands HOSA's architecture and manages to execute malicious activity that perfectly preserves the covariance structure, syscall distribution, and propagation indicators will evade the safety guards and may cause the detector to habituate to the intrusion. Formal adversarial resistance analysis (security games, theoretical evasion bounds) is a future research topic.
- Tmin calibration. The 30-minute default minimum stabilization period is a heuristic. Too short, and HOSA may habituate to transient anomalies; too long, and legitimate workload changes cause extended periods of false positive alerts. The experimental phase will evaluate sensitivity across workload types.
- Non-stationary multimodality. When the system alternates between modes randomly (not on a temporal schedule), the seasonal profiles mechanism does not apply — there is no temporal pattern to segment. Extension to Mixture of Gaussians with streaming EM is documented as future research (see §3 — Known Limitations).
- Decay rate λ sensitivity. The exponential decay rate controls how quickly old samples lose influence. An aggressive λ adapts quickly but may cause the baseline to "forget" important historical patterns. A conservative λ preserves history but slows adaptation. The experimental phase will quantify the optimal λ range for common workload classes.
- Seasonal profile cold start. Temporal segmentation requires at least 7 days of data (for weekly cycle detection) or 30 days (for monthly cycles). During this accumulation period, seasonal false positives are expected. The graduated response system mitigates the impact: Level 1 (Vigilance) does not execute any intervention, so seasonal false positives produce log entries, not destructive actions.
- Interaction with containment. If HOSA is actively containing at Level 2+ when a legitimate workload change occurs, the containment actions (throttling) may mask the true steady-state of the new workload. Habituation does not activate while containment is active — the system must first de-escalate to Level 0 or 1, at which point the true new operating point becomes visible.
11. References
- Kandel, E. R. (2001). The Molecular Biology of Memory Storage: A Dialogue Between Genes and Synapses. Science, 294(5544), 1030–1038.
- Thompson, R. F., & Spencer, W. A. (1966). Habituation: A Model Phenomenon for the Study of Neuronal Substrates of Behavior. Psychological Review, 73(1), 16–43.
- Welford, B. P. (1962). Note on a Method for Calculating Corrected Sums of Squares and Products. Technometrics, 4(3), 419–420.
- Mahalanobis, P. C. (1936). On the generalized distance in statistics. Proceedings of the National Institute of Sciences of India, 2(1), 49–55.
- Chandola, V., Banerjee, A., & Kumar, V. (2009). Anomaly Detection: A Survey. ACM Computing Surveys, 41(3), Article 15.
- Hellerstein, J. L., Diao, Y., Parekh, S., & Tilbury, D. M. (2004). Feedback Control of Computing Systems. John Wiley & Sons.
- Forrest, S., Hofmeyr, S. A., & Somayaji, A. (1997). Computer immunology. Communications of the ACM, 40(10), 88–96.