To stop students from just using AI to write code, teachers need to watch how they work. They should monitor the process, not just the final result. This new system, called VISMATIC, creates a safe, "sandboxed" (isolated) digital workspace. It tracks how students interact with their code. It does this without letting them hack the school's computers.
In Computer Science education, mastery comes from iterative refinement. This is the process of repeated trial and error. However, the rise of Generative AI has broken the traditional grading model. An AI can synthesize syntactically perfect graphics code instantly. Therefore, looking at a final submission no longer proves a student learned the logic. To protect integrity, educators must shift from grading the "artifact" (the finished code) to monitoring the "process" (how the code was built).
This shift creates a major security headache. Instructors often use centralized platforms like JupyterHub to monitor students. These allow students to run code remotely. But these environments permit arbitrary shell command execution (running direct instructions on the server's command line). This creates a huge attack surface. A single student could exploit a kernel vulnerability (a flaw in the core OS) to move laterally across the network. Lateral movement allows an attacker to jump from one system to another.
The paradox of monitored execution
The fundamental problem is a security trade-off. More control for the instructor means more risk for the network. Traditional multi-tenant environments (servers hosting many different users) are difficult to secure. This is especially true when users have remote execution capabilities. As the authors note, vulnerabilities like "Copy Fail" (CVE-2026-31431) are dangerous. These flaws allow an unprivileged user to bypass container boundaries. They can then escalate their privileges to the host level.
Standard container setups often rely on a root-privileged (administrative) Docker daemon. This provides a broad path for attackers. Once an isolation boundary is breached, the whole system is at risk. Educators are caught in a trap. They need monitored environments to detect AI-assisted plagiarism. Yet, those environments become targets for unauthorized system manipulation.
A defense-in-depth architecture
The authors propose VISMATIC to resolve this tension. They use a "defense-in-depth" strategy. This means using multiple overlapping security controls. This approach helps contain the "blast radius" (the extent of damage a single breach causes).
The architecture starts with rootless containerization using Podman. Unlike traditional methods, this does not require administrative privileges. VISMATIC leverages Linux User Namespaces. This maps student processes to unprivileged IDs on the host. Even if a student escapes their container, they have no power on the host. They cannot modify system binaries or interfere with peers.
The framework uses three containment layers, as shown in : 1.
An Apache2 reverse proxy: This handles SSL encryption and WebSocket tunneling. It ensures the internal infrastructure is never directly exposed to the internet. 2. A rootless Podman execution layer: This provides the primary isolation for student processes. 3. A loop-device filesystem backend: The authors mount fixed-size ext4 images via loop devices. This acts as a digital quota. It sets an absolute physical ceiling on storage. This prevents "Disk Exhaustion" Denial-of-Service (DoS) attacks.
To keep costs low, the authors use Raspberry Pi 5 nodes. They optimize the limited I/O (input/output) bandwidth of microSD cards. They use a "shared asset strategy." Large, read-only files like textures are bind-mounted (linked) into every workspace. This prevents duplicating large files across many users.
Detecting the "non-human" rhythm
The most significant technical departure in VISMATIC is how it collects data. Most platforms use "passive heartbeats." These are automated signals sent by the browser to say "I'm still here." The authors argue these are unreliable. They can be faked by a background tab or a simple script.
Instead, VISMATIC intercepts explicit HTTP API requests. It tracks three categories of human-driven interaction: file modifications, kernel code executions, and terminal operations. This allows the framework to build a behavioral profile.
The results from a pilot cohort of 19 students show promise. This telemetry can distinguish organic learning from automated workflows. As seen in [Figure 4a], genuine human engagement follows a "staircase" pattern. There are periods of steady growth. These are interrupted by flat plateaus. These plateaus represent cognitive breaks or offline thinking. In contrast, automated "stay-alive" scripts produce unnaturally linear trajectories. Some even show continuous sessions exceeding 24 hours without a single break.
The authors also use "Session Intensity" (the ratio of actions to time). This helps flag anomalies. As shown in [Figure 4b], authentic human coding has variable intensity. It involves bursts of debugging followed by pauses. Accounts at the extreme edges of this distribution are flagged. These show constant, high-intensity activity for hours. This is consistent with non-human automation.
Limitations of the telemetry
The framework is effective at spotting statistical oddities. However, the authors note these metrics do not provide absolute proof of misconduct. The primary limitation is intent. API-level logs capture patterns, but they do not capture why a student acted.
A student might use a macro for a legitimate reason. They might automate a repetitive setup task. Alternatively, they might do most coding offline. They might only use the platform for final validation. In these cases, "workflow decoupling" occurs. This is when a student has high completion rates but very low platform engagement. This might look like AI usage even if the student worked locally.
Because the system cannot definitively prove cheating, the authors suggest using it as a screening tool. Instructors should triangulate these flags with other methods. They might use oral interviews to test conceptual understanding. They could also manually check code against known AI outputs.
The verdict: A scalable blueprint for the AI era
VISMATIC is a pragmatic solution to a pedagogical crisis. It moves the focus from the final code to interaction telemetry. This helps verify "authentic inquiry" in an age of AI.
The technical takeaway is clear. You do not need expensive, enterprise-grade servers. The combination of rootless Podman and resource capping works well. Students are limited to 1.5 CPU cores and 0.5 GB of RAM. This allowed a single Raspberry Pi to support 10 to 20 concurrent students.
The framework is ready for low-budget environments. It works where security is paramount. Administrators must remember that the system is a compass. It detects anomalies, but it is not a judge that delivers a final verdict.
Figures from the paper
How this was made
Model: nvidia/Gemma-4-26B-A4B-NVFP4
Persona: academic_accessible
Template: engineering_deepdive
Refinement: 0
Pipeline: forge-1.1
Evaluator: nvidia/Gemma-4-26B-A4B-NVFP4
Score: 94% (passed)
Claims verified: 17 / 17
Model: nvidia/Gemma-4-26B-A4B-NVFP4
NVIDIA GB10 · 128 GB unified · NVFP4 · 100% local · $0 cloud
Tokens: 72,675
Wall-time: 391.3s
Tokens/s: 185.7