Biosecurity Lifecycle

The brief

Sector: Biotechnology. Regulatory context: EU Dual-Use Regulation, Nagoya Protocol compliance. Need: an automated screening system to flag anomalous access patterns in a biological materials repository, with full audit trail for regulatory inspection.

Workstream decomposition

  • WS-1: Access pattern modelling. Build a baseline model of normal access frequency, volume, and researcher profiles from two years of historical data.
  • WS-2: Anomaly detection pipeline. Design and train an ML pipeline (isolation forest + LSTM sequence model) to flag deviations from baseline.
  • WS-3: Provenance chain design. Architect the chain-of-custody data model to support regulatory audit from sample receipt to disposal.

Method highlight

The key challenge was false-positive management. Early versions of the isolation forest flagged 12% of legitimate accesses. We introduced a two-stage architecture: the isolation forest generates candidates, which are then scored by the LSTM model trained on confirmed-legitimate sequences. This reduced false positives to 1.8% while maintaining detection of all synthetically injected anomalies in testing.
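The two-stage flow described above, as an added Python example that is not the project's own pipeline: a one-feature isolation forest proposes candidates, and a transition model learned from confirmed-legitimate action sequences stands in for the LSTM to clear or confirm them. The session data, field names, action names and both cutoffs are constructed assumptions.

```python
import random

def mean_path_length(x, values, trees=100, limit=12, seed=7):
    """Stage 1: average number of random splits needed to isolate x.
    A short path means x sits far from the bulk of the data."""
    rng = random.Random(seed)
    total = 0
    for _ in range(trees):
        subset, depth = values, 0
        while len(subset) > 1 and depth < limit:
            split = rng.uniform(min(subset), max(subset))
            # Keep only the side of the split that x falls on.
            subset = [v for v in subset if (v < split) == (x < split)]
            depth += 1
        total += depth
    return total / trees

def learn_transitions(legit_sequences):
    """Stage 2 training: action-to-action transitions seen in legitimate use."""
    return {pair for seq in legit_sequences for pair in zip(seq, seq[1:])}

def unseen_fraction(actions, known):
    """Stage 2 score: share of transitions never seen in legitimate sequences."""
    pairs = list(zip(actions, actions[1:]))
    return sum(p not in known for p in pairs) / len(pairs) if pairs else 1.0

def screen(sessions, legit_sequences, depth_cutoff=3.5, unseen_cutoff=0.2):
    """Return (stage-1 candidate ids, ids still flagged after stage 2)."""
    volumes = [s["records"] for s in sessions]
    known = learn_transitions(legit_sequences)
    candidates = [s for s in sessions
                  if mean_path_length(s["records"], volumes) < depth_cutoff]
    alerts = [s for s in candidates
              if unseen_fraction(s["actions"], known) > unseen_cutoff]
    return [s["id"] for s in candidates], [s["id"] for s in alerts]

# Constructed sample data: 40 routine sessions, one legitimate inventory
# audit with unusual volume, and one session with an unfamiliar sequence.
ROUTINE = ["login", "search", "view_record", "logout"]
AUDIT = ["login", "audit_open", "bulk_read", "audit_close", "logout"]
SESSIONS = [{"id": f"s{i}", "records": 10 + i, "actions": ROUTINE}
            for i in range(40)]
SESSIONS += [
    {"id": "audit", "records": 400, "actions": AUDIT},
    {"id": "odd", "records": 600,
     "actions": ["login", "bulk_read", "export", "logout"]},
]

if __name__ == "__main__":
    print(screen(SESSIONS, [ROUTINE, AUDIT]))
```

Stage 1 alone flags both high-volume sessions; stage 2 clears the audit because every transition in it appears in the legitimate training sequences.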

Deliverable shape

  • Trained ML pipeline with documented training data provenance
  • Provenance chain data model with API specification
  • Research dossier: 34 source rows
  • Regulatory compliance mapping for EU Dual-Use export controls

Outcomes

The system was deployed in a staged rollout across three repository sites. Two genuine anomalies were detected in the first quarter of operation — both traced to administrative errors rather than security incidents, confirming the system's sensitivity without generating alarm fatigue.