ai-agent detection


framing evergreen · signals as-of 2026-06-15

the L1-L4 diagnostic

a vm-attestation defense in four layers, read as a post-mortem: what each layer detected when an attacker forged the browser from within, and what happens when a vision-language model drives a real, unmodified browser instead. costs rarely vanish; they shift to the orchestration layer, the deployment container, or inference latency.

  • L1a static environmental introspection · degraded

    reads navigator properties, webgl vendor/renderer, dom prototype-chain integrity, font lists, audiocontext, tcp/ip stack, looking for a forged or virtualized environment.

    under a vlm: the browser is legitimate, so the page-level checks pass. but running a vlm at scale means containers (docker, k8s, cloud vms) that bleed os/network anomalies: missing system fonts, webgl mismatched against the declared os, anomalous tcp/ip fingerprints. the cost shifts from browser forgery to container-evasion engineering; it does not drop to zero.

  • L1b dynamic sensor telemetry · degraded

    scores live mouse kinematics, scroll cadence, click timing, touch pressure against human-distribution models, the behavioral-biometric layer.

    under a vlm: the vlm picks targets with human-like cognition, but it outputs coordinates, not a kinematic trajectory. an orchestration layer (pyautogui, accessibility apis) translates coordinates into movement; naive linear interpolation or constant-velocity profiles stay statistically distinguishable from human motion. biometrics keep leverage against poor orchestration; the cost shifts to a kinematic-smoothing layer.

  • L2 code obfuscation + polymorphism · collapsed

    self-modifying opcodes, compile rotation, and a custom register-based vm raise the reverse-engineering cost of the defensive bytecode.

    under a vlm: the vlm never inspects the bytecode; it executes the vm as a black box, so t_re is roughly zero at the vm level and the temporal arms race terminates there. application-level workflow reverse engineering (dom structure, selectors, navigation) still costs, but that is a per-target prompt-engineering cost, not the layer's premise.

  • L3 execution traps · degraded

    console-bound traps, anti-debugger hooks, and prototype-integrity checks fire when a runtime is instrumented or devtools is opened.

    under a vlm: no devtools is opened and nothing is instrumented, so the traps never fire. but the premise shifts to a cognitive/perceptual layer: dom-enumerating agent frameworks (seeact, cogagent) treat every rendered element as interactable, so a cognitive honeypot (a transparent full-viewport decoy) catches them. pixel-level vlms reading screenshots are immune, so it is a partial, multi-surface trap.

  • L4 chronometric integrity · survives

    performance.now() polling and timing-delta seed mutation detect the microsecond timing noise that javascript instrumentation introduces.

    under a vlm: the microsecond instrumentation gap closes under native execution, but the target shifts to macroscopic latency. a human clears a vm challenge in 200-800ms; a vlm needs 30-120s of think-time per action, a 25-50x gap bounded below by model inference speed. the attacker cannot orchestrate it away; they must wait for faster inference. this is the one signal the vlm era cannot close.
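
the L1b check above, sketched as an added example (not code from this page or from any of the systems it names): it scores a pointer trace for the two tells the text mentions, a straight path and a constant-velocity profile. the function names, the sample traces and the thresholds are assumptions made for illustration.

```javascript
// added example; thresholds are illustrative assumptions, not calibrated values.
// samples: [{x, y, t}], t in ms, as a page might collect from pointermove events.
function kinematicFeatures(samples) {
  let pathLen = 0;
  const speeds = [];
  for (let i = 1; i < samples.length; i++) {
    const a = samples[i - 1], b = samples[i];
    const dt = b.t - a.t;
    if (dt <= 0) continue; // skip duplicate or out-of-order timestamps
    const d = Math.hypot(b.x - a.x, b.y - a.y);
    pathLen += d;
    speeds.push(d / dt);
  }
  const first = samples[0], last = samples[samples.length - 1];
  const chord = Math.hypot(last.x - first.x, last.y - first.y);
  const n = speeds.length || 1;
  const mean = speeds.reduce((s, v) => s + v, 0) / n;
  const variance = speeds.reduce((s, v) => s + (v - mean) ** 2, 0) / n;
  return {
    segments: speeds.length,
    straightness: pathLen > 0 ? chord / pathLen : 1, // 1.0 = perfectly straight
    speedCv: mean > 0 ? Math.sqrt(variance) / mean : 0, // 0 = constant velocity
  };
}

function classifyPath(samples, { minSegments = 8, maxCv = 0.1, minStraightness = 0.999 } = {}) {
  if (samples.length < 2) return { verdict: 'insufficient', reasons: [] };
  const f = kinematicFeatures(samples);
  if (f.segments < minSegments) return { verdict: 'insufficient', reasons: [], ...f };
  const reasons = [];
  if (f.speedCv < maxCv) reasons.push('constant-velocity');
  if (f.straightness > minStraightness) reasons.push('linear');
  return { verdict: reasons.length ? 'interpolated' : 'unflagged', reasons, ...f };
}

// constructed trace: coordinates stepped linearly at a fixed 10 ms interval
const LINEAR = Array.from({ length: 21 }, (_, i) => ({ x: 100 + 20 * i, y: 100 + 10 * i, t: 10 * i }));

// constructed trace: slightly curved, slow start, fast middle, slow stop
const CURVED = [
  [100, 100, 0], [102, 101, 16], [108, 105, 33], [121, 114, 49], [145, 128, 66],
  [182, 147, 83], [231, 168, 99], [288, 190, 116], [345, 214, 133], [398, 240, 150],
  [441, 264, 166], [472, 281, 183], [489, 292, 199], [497, 297, 216], [500, 300, 233],
].map(([x, y, t]) => ({ x, y, t }));

console.log(classifyPath(LINEAR).verdict, classifyPath(CURVED).verdict);
```

an 'unflagged' verdict only means these two features did not fire; it is one input to a behavioral score, not a human/bot decision.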

architecture × resilience

  • architecture types

point-in-time vm attestation

Type I · tier 2

degraded

mechanism

execution: a register-based js vm probes environmental integrity (L1-L4).

under operator synthesis

L1-L4 cease to impose meaningful forgery cost; the vm becomes a delivery mechanism, not a defense. ip reputation remains the sole binding economic constraint, but without the multiplicative forgery cost the per-token price drops.

representative systems

  • google botguard
  • cloudflare turnstile (managed)
  • kasada

go deeper