Ship single k=8 discriminative model (host 0.993/0.990, engineered 0.919/0.896, 5-class 0.708); breaks adversary at order 7

ADVERSARIAL.md

@@ -2,63 +2,54 @@
 
 Composition-based DNA classifiers, including this one and other homology-free engineered-sequence
 detectors, reduce to a k-mer frequency statistic. A detector that reads k-mer counts is an
-order-(k-1) sufficient statistic and nothing more, which has a direct security consequence: an
-adversary who reproduces the order-(k-1) composition of the target class produces sequence the
-detector cannot distinguish from genuine, because the two have the same expected k-mer spectrum.
+order-(k-1) sufficient statistic, which has a direct security consequence: an adversary who
+reproduces the order-(k-1) composition of the target class produces sequence the detector cannot
+separate from genuine, because the two have the same expected k-mer spectrum.
 
 ## Test
 
 Fit an order-m Markov model to real human coding sequence, generate synthetic sequence from it,
 and measure whether a k-mer detector separates real human from the order-m synthetic. Sweeping
-both the detector order k and the adversary order m gives the boundary:
+both the detector word length k and the adversary order m gives the boundary:
 
-| detector | adversary m=0 | m=1 | m=2 | m=3 | m=4 | m=5 |
-|---|---|---|---|---|---|---|
-| k=2 | 0.98 | 0.50 | 0.50 | 0.52 | 0.56 | 0.55 |
-| k=4 | 1.00 | 0.97 | 0.87 | 0.51 | 0.50 | 0.50 |
-| k=6 | 1.00 | 0.98 | 0.92 | 0.79 | 0.67 | 0.53 |
+| detector | m=0 | m=1 | m=2 | m=3 | m=4 | m=5 | m=6 | m=7 |
+|---|---|---|---|---|---|---|---|---|
+| k=4 | 1.00 | 0.97 | 0.87 | 0.51 | 0.50 | 0.50 | 0.50 | 0.50 |
+| k=6 | 1.00 | 0.98 | 0.92 | 0.79 | 0.66 | 0.52 | 0.58 | 0.52 |
+| **k=8 (this model)** | 1.00 | 0.97 | 0.93 | 0.88 | 0.82 | 0.80 | 0.72 | 0.55 |
 
 (AUROC, real human vs order-m-matched synthetic.)
 
 ## Result
 
-Each detector collapses to chance exactly when the adversary reaches its order: the k=2 detector
-breaks at m=1, k=4 at m=3, and k=6 at m=5, matching the sufficient-statistic account: a detector
-reading k-mer counts cannot separate sequence whose order-(k-1) statistics have been reproduced.
-The hexamer detector this model uses is at chance against an adversary that matches the order-5
-composition of human DNA (AUROC 0.53 at m=5).
+Each detector reaches chance when the adversary matches its order: k=4 breaks at m=3, k=6 at m=5,
+and k=8 at m=7. This model uses 8-mers, so evading it by composition matching requires reproducing
+the order-7 statistics of the target class, which fixes every 8-mer frequency. Lower-order forgeries,
+including anything that matches only hexamer or shorter composition, are caught. Longer words push
+the bar higher at the cost of more parameters and data.
 
 ## The neural model is not evaded
 
 Scoring the same order-m-matched synthetic human with Carbon-8B (zero-shot per-base likelihood)
-separates it from real human across every order, exactly where composition fails:
+separates it from real human at every order, including the order where this model reaches chance:
 
-| adversary order m | closed-form k=6 (AUROC) | Carbon-8B (AUROC) |
+| adversary order m | this model (k=8) | Carbon-8B |
 |---|---|---|
-| 2 | 0.95 | 1.00 |
-| 3 | 0.77 | 1.00 |
-| 4 | 0.68 | 1.00 |
-| 5 | 0.53 | 1.00 |
-| 6 | 0.52 | 1.00 |
-| 7 | 0.52 | 1.00 |
+| 5 | 0.80 | 1.00 |
+| 6 | 0.72 | 1.00 |
+| 7 | 0.55 | 1.00 |
+| 8 | 0.54 | 1.00 |
 
-At order 5 the hexamer detector is at chance (0.53) while the model separates the same sequences at
-1.00. At order 7, which reproduces every 8-mer frequency of human DNA, the model still scores 0.997,
-because it reads long-range structure (codon-pair grammar, gene organization, motif context) that no
-fixed-order composition encodes. Where composition loses discrimination at high adversary order, the
-model retains it.
+At order 7 the k=8 detector is at chance while Carbon-8B holds at 1.00, because the model reads
+long-range structure (codon-pair grammar, gene organization, motif context) that no fixed-order
+composition encodes. Where composition runs out at high adversary order, the model still separates.
 
 ## Implication for biosecurity screening
 
-Homology-free, composition-based screening, the family that includes k-mer engineered-DNA
-detectors, has a precise and inherent evasion boundary. It reliably catches naive recoding and
-composition that drifts from the target, but it cannot by construction flag a construct that has
-been matched to the order-(k-1) statistics of a natural class. Raising k raises the bar the
-adversary must clear (the k=6 detector forces an order-5 match, which constrains the design more
-than an order-1 match), but it never closes the gap, and higher k costs data and invites
-overfitting. Detecting an order-(k-1)-matched adversary requires signal that is not in global
-composition at all: per-position, context-dependent modeling of the kind a neural sequence model
-provides, which is where composition methods stop and a learned model is required.
-
-This boundary is a property of the method, not of any particular trained weights, and it applies
-equally to other composition-based detectors.
+Homology-free, composition-based screening has an inherent evasion boundary. It catches naive
+recoding and composition that drifts from the target, but by construction it cannot flag a
+construct matched to the order-(k-1) statistics of a natural class. Raising k raises the bar the
+adversary must clear; this model's 8-mers force an order-7 match. Detecting an order-(k-1)-matched
+adversary requires signal that is not in global composition at all: per-position, context-dependent
+modeling of the kind a neural sequence model provides. This boundary is a property of the method,
+and it applies equally to other composition-based detectors.