RayveLabs — teaching demo Labs · Chapter 6 — Digital Twin Trustworthiness
SEAS-8414 · Phase 6 · 11 exercises

What happens if we apply this fix? — and can we trust the model that told us?

Phase 4 predicted the attack paths. Phase 6 asks the operational question before anyone touches production: simulate every remediation against a digital twin, catch the cascading failures, prove zero disruption — and then decide whether the twin itself is authoritative enough to support the decision. The showpiece below is Exercise 11: a live drift lab that computes KL and Jensen-Shannon divergence and shows exactly when those metrics fail to see the change that matters.

Teaching demo built by RayveLabs to illustrate Dr. Mallarapu's SEAS-8414 Chapter 6. This is a client-side simulator with a synthetic 22-device network — it is not graded lab evidence (that requires the Dockerized Breakwater stack and real API output). Original course material © Dr. Mallarapu / The George Washington University.

Ch 1
Descriptive
Ch 2
Diagnostic
Ch 3
Detective
Ch 4
Predictive
Ch 5
Prescriptive
Ch 6 · here
Simulation
Ch 7-12
Autonomous
Ex 1 · §6.3

Digital twin construction & profile-mapping fidelity

The twin is only useful if it represents the real network. Profile mapping uses three tiers — device-type lookup, port inference, service-name hinting — each with a confidence. Fidelity = Σ(confidence) / device_count. Set your trust threshold and see which devices fall back to http-debug.

Twin fidelity

Devices mapped
Fallback profiles (<0.3)
Min confidence
Verdict at threshold

Device → profile mapping

IPtypeprofileconfports

Figure (§6.3): A device mapped to "camera-variant" at 0.9 behaves realistically; a router mapped to "http-debug" at 0.1 does not. Low-confidence mappings poison any remediation that touches them.

Ex 2 · §6.5

Attack scenario baseline

You can't measure whether remediation reduced risk without a baseline. The deterministic scenario engine replays adversary techniques so the same input always yields the same result — the precondition for honest before/after comparison.

Replay scenario

// results appear here

Baseline metrics

Devices compromised
Blast radius
Amplification (blast / compromised)
Determinism

Amplification > 1 means each compromised host exposes others through firewall-permitted flows — a direct read on weak segmentation.

Figure (§6.5): Deterministic hashing makes the baseline reproducible. A stochastic engine would make "did remediation help?" unanswerable.

Ex 3 · §6.6 / 6.8

Three remediation strategies, head-to-head

Patch only, service hardening, or network segmentation. Score them with a weighted multi-criteria model — then shift the weights toward zero-disruption and watch the winner change.

Criterion weights

Decision matrix & weighted score

criterionA · PatchB · HardenC · Segment
Weighted score (higher = better)

Figure (§6.8): Pareto-style trade-off. Patch is cheap but reversible-hard and leaves topology risk; segmentation cuts the most risk but introduces cascades and downtime.

Ex 4 · §6.10

Cascading failure diagnosis

A fix on device A can break device B that depends on A. The twin's dependency graph reveals these cascades before production. Three types: service-dependency, segmentation, credential.

Simulate an action

Detected cascades

typeseverityaffectedmitigation

Figure (§6.10): Top dependency by blast count is the MQTT broker — rotating its shared credential cascades to every sensor that authenticates against it.

Ex 5 · §6.7

Constrained patch ordering & wave schedule

All-at-once is fast but a regression takes down everything; one-at-a-time is safe but slow. Find the group size that respects a concurrency limit and dependency separation.

Parameters

Devices to patch
Groups (⌈N/c⌉)
Sequential time
Grouped time
Speedup

5-wave deployment

Waves mix device types (catch type-specific regressions), keep interdependent devices apart, and put least-critical first.

Figure (§6.7): Speedup vs. sequential is bounded by ⌈N/c⌉ — past a point, adding concurrency stops helping and only raises blast risk.

Ex 6 · §6.12

Zero-disruption validation — the strengthened definition

The twin reporting zero_disruption=true (no cascades) is necessary but not sufficient. A doctoral zero-disruption claim must clear all eight conditions.

Evaluate an action

Twin zero_disruption flag
Strengthened claim

8-point checklist

Figure (§6.12): The MQTT disable passes the naive flag in spirit but fails the strengthened claim on required-service-path and critical-dependency conditions.

Ex 7 · §6.14

Traffic replay fidelity

Replay real protocol transcripts; compare simulated vs. expected responses. Fidelity = correct / total. Below 80% on an affected protocol is a Twin-Authority block condition.

protocoltranscriptexpectedtwinmatch
HTTP fidelity

Figure (§6.14): The twin returns 200 for /admin where the device enforces 403 — it does not model access control, so protocol-level remediation predictions are unreliable.

Ex 8 · §6.8

Risk comparison dashboard

Side-by-side for the CISO: risk reduction by strategy, the cost/risk Pareto frontier, and a zero-disruption traffic light per strategy.

Risk reduction by strategy

Cost vs. risk — Pareto frontier

Zero-disruption status

Figure (§6.8): A strategy is Pareto-optimal if no other beats it on both cost and risk; dominated strategies sit up-and-right of the frontier.

Ex 9 · Decision Gate

Twin Authority Gate

Before recommending any plan you must decide whether the twin is authoritative for that specific decision. A twin good enough to compare strategies may still be unfit to authorize a change against a critical PLC. Each metric carries required evidence and a block condition.

metricrequired evidenceblock condition

Figure (Decision Gate): Apply this before Exercise 11, then re-apply it after — the drift you inject below is exactly what flips these conditions.

★ Ex 11 · §6.3/6.12/6.14

Twin Authority under drift — live KL & Jensen-Shannon

Aggregate drift metrics can miss small but operationally dangerous changes: one firewall rule, one changed dependency, one critical device remapped to a fallback. Toggle each controlled drift scenario — KL and JS divergence are computed live over the behavior distribution (open-port / unmapped bins) with ε-smoothing. Watch which scenarios the metrics can't see.

Inject controlled drift

KL(P‖Q)=Σ Pᵢ·log(Pᵢ/Qᵢ) · JS=½KL(P‖M)+½KL(Q‖M), M=½(P+Q)

Live divergence

Baseline twin P
Current scan Q
KL(P‖Q)
JS divergence
Detection threshold (JS)0.0040
Overall authority:

Drift decision table

scenariomaterial?detecting metricKL?JS?verdictrequired action

Figure (Ex 11): The targeted single-change scenarios (firewall, dependency, fallback, replay, subnet) are the most dangerous and the least visible to divergence — they require a mandatory companion metric, not a distribution test. "Small change, big consequence, invisible to KL" is the finding.

Ex 9.10–9.11

Final verdict & do-not-execute conditions

Twin Authority verdict

Explicit do-not-execute conditions

A favorable simulation is not production approval. Every result here was validated against the twin, not against production. The twin is decision-support, not a source of truth. Promotion to production still requires: canary deployment, live monitoring, change-advisory approval, and a tested rollback per wave.

Cleanup. The graded lab decommissions containers and volumes at exit (docker compose down) unless KEEP_LAB=1. This demo holds no state and starts no containers.