IP Theft Detection System

The platform implements a multi-layered IP theft detection system to protect proprietary methodology, knowledge packs, and testing architecture. The system uses passive signals that activate only when intellectual property leaves the authorized environment.

Design Principles

  • Zero impact on legitimate users -- no tracking, telemetry, or phone-home in normal operation
  • No performance degradation -- watermarks are pre-computed, canary URLs are passive
  • No privacy invasion -- signals activate only when IP exits the authorized environment
  • Not malware -- no action on the thief's system, only passive logging of callbacks

Five Detection Levels

```mermaid
graph TB
    subgraph "Level A: Active Trip-Wires"
        A1["Canary URLs in<br/>Knowledge Packs"]
        A1 -->|"HTTP callback"| CS["Canary Server"]
        CS -->|"Alert email"| ALERT["app@bedefended.com"]
    end

    subgraph "Level B: Passive Watermarks"
        B1["Zero-Width Characters<br/>in Reports"]
        B2["Homoglyph Substitution<br/>in Knowledge Packs"]
        B3["Trailing Whitespace<br/>in Findings"]
    end

    subgraph "Level C: Build Fingerprints"
        C1["JS Bundle ID<br/>(Vite define)"]
        C2["Flutter Binary ID<br/>(dart-define)"]
        C3["Docker Image ID<br/>(.versions.json)"]
    end

    subgraph "Level D: Honeypot Endpoints"
        D1["GET /compliance-matrix"]
        D2["GET /export/sarif"]
        D3["POST /auth/sso/saml"]
    end

    subgraph "Level E: Content Fingerprints"
        E1["Payload List<br/>Ordering"]
        E2["Synonym<br/>Substitution"]
    end

    style A1 fill:#b71c1c,color:#fff
    style CS fill:#b71c1c,color:#fff
    style ALERT fill:#b71c1c,color:#fff
    style B1 fill:#1565c0,color:#fff
    style B2 fill:#1565c0,color:#fff
    style B3 fill:#1565c0,color:#fff
    style C1 fill:#2e7d32,color:#fff
    style C2 fill:#2e7d32,color:#fff
    style C3 fill:#2e7d32,color:#fff
    style D1 fill:#e65100,color:#fff
    style D2 fill:#e65100,color:#fff
    style D3 fill:#e65100,color:#fff
    style E1 fill:#6a1b9a,color:#fff
    style E2 fill:#6a1b9a,color:#fff
```

Level Summary

| Level | Type | What It Detects | False Positive Rate |
|-------|------|-----------------|---------------------|
| A | Active | Stolen knowledge packs being used | ~0% (known UUIDs whitelisted) |
| B | Passive | Leaked reports traced to source | 0% (deterministic encoding) |
| C | Passive | Leaked builds identified by customer | 0% (compile-time injection) |
| D | Active | Cloned API architecture | Low (unique endpoint combination) |
| E | Passive | Copied knowledge pack content | 0% (deterministic permutation) |

Provisioning Workflow

```bash
# 1. Generate installation UUID and inject canary URLs
python scripts/provision-canaries.py --installation-id <uuid>

# 2. Apply content watermarks (homoglyphs + ordering + synonyms)
python scripts/watermark-knowledge.py --installation-id <uuid>

# 3. Build with customer fingerprint
BD_CUSTOMER_ID=<customer> npm run build          # Frontend (C1)
BD_CUSTOMER_ID=<customer> ./desktop/build.sh     # Desktop (C2)
docker build --build-arg BD_BUILD_HASH=<hash> .  # Docker (C3)
```
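
An added example, not the project's own code: one way a Level E ordering fingerprint applied in step 2 could be made deterministic per installation and later matched against a leaked list, including a partial one. The HMAC-keyed sort, the function names, the secret, the installation IDs and the list entries are assumptions constructed for illustration; the page does not say how `watermark-knowledge.py` derives its permutation.

```python
import hashlib
import hmac
import uuid

# Constructed sample values: a vendor-side secret, three installation IDs and a
# neutral 12-entry list standing in for a knowledge-pack payload list.
SECRET = b"constructed-demo-secret"
KNOWN_IDS = [str(uuid.uuid5(uuid.NAMESPACE_DNS, f"customer-{c}.example")) for c in "abc"]
ENTRIES = [f"entry-{n:02d}" for n in range(12)]


def _rank(secret: bytes, installation_id: str, item: str) -> bytes:
    """Keyed sort key bound to both the installation and the entry."""
    msg = installation_id.encode() + b"\x00" + item.encode()
    return hmac.new(secret, msg, hashlib.sha256).digest()


def fingerprint_order(secret: bytes, installation_id: str, items: list[str]) -> list[str]:
    """Reorder items deterministically for one installation; content is unchanged."""
    return sorted(items, key=lambda it: _rank(secret, installation_id, it))


def attribute(secret: bytes, leaked: list[str], known_ids: list[str],
              min_items: int = 8) -> list[str]:
    """Return the installation IDs whose keyed order reproduces the leaked list.

    Partial leaks still match: deleting entries from a keyed sort leaves the
    survivors in the same relative order. Lists that are short or contain
    duplicates are rejected, since n entries distinguish at most n! orderings.
    """
    if len(leaked) < min_items or len(set(leaked)) != len(leaked):
        return []
    return [i for i in known_ids if fingerprint_order(secret, i, leaked) == leaked]


def demo() -> list[str]:
    """Ship a list to the second installation, leak 10 of 12 entries, attribute it."""
    shipped = fingerprint_order(SECRET, KNOWN_IDS[1], ENTRIES)
    leaked = [e for k, e in enumerate(shipped) if k not in (2, 7)]
    return attribute(SECRET, leaked, KNOWN_IDS)


if __name__ == "__main__":
    print(demo())
```

The match is only as strong as the list is long, and re-sorting the leaked content removes the signal, so an ordering fingerprint complements rather than replaces the other levels.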

Alert System

Canary callbacks trigger immediate email alerts to app@bedefended.com with full forensic data (UUID, source IP, User-Agent, timestamp, geolocation).


Detailed Documentation

| Level | Documentation |
|-------|---------------|
| Level A | Canary Tokens |
| Level B + E | Watermarking |
| Level C | Build Fingerprints |
| Level D | Honeypot Endpoints |