File size: 11,403 Bytes
3dac39e | 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 | #!/usr/bin/env python3
"""Audit label consistency across Arcspan cybersecurity NER data sources."""
import json
import re
import sys
from collections import Counter, defaultdict
from pathlib import Path
VALID_LABELS = {"Malware", "Indicator", "Organization", "System", "Vulnerability"}
FILES = {
"enriched": Path("/home/ubuntu/alkyline/data/processed/enriched_5class_train_cleaned.jsonl"),
"aptner": Path("/home/ubuntu/alkyline/data/processed/aptner_5class_train.jsonl"),
"securebert2": Path("/home/ubuntu/alkyline/data/processed/securebert2_5class_train.jsonl"),
"defanged": Path("/home/ubuntu/alkyline/data/processed/defanged_augmented.jsonl"),
}
# Known entities for suspicious label detection
KNOWN_MALWARE = {
"apt28", "apt29", "apt30", "apt32", "apt33", "apt34", "apt37", "apt38", "apt39", "apt40", "apt41",
"emotet", "wannacry", "trickbot", "cobalt strike", "cobaltstrike", "ryuk", "conti", "revil",
"sodinokibi", "darkside", "lockbit", "maze", "petya", "notpetya", "stuxnet", "duqu", "flame",
"regin", "shamoon", "mirai", "qbot", "qakbot", "dridex", "ursnif", "gootkit", "formbook",
"agent tesla", "remcos", "njrat", "nanocore", "poison ivy", "plugx", "gh0st", "gh0st rat",
"darkcomet", "zeus", "zloader", "icedid", "bumblebee", "raccoon", "redline", "vidar",
"asyncrat", "quasar", "havex", "industroyer", "triton", "blackenergy", "energetic bear",
"lazarus", "kimsuky", "turla", "sofacy", "fancy bear", "cozy bear", "sandworm",
"hafnium", "nobelium", "fin7", "fin8", "carbanak", "solarwinds", "sunburst",
"raspberry robin", "bazar", "bazarloader", "bazarbackdoor", "lokibot", "smokeloader",
"amadey", "xworm", "lumma", "lummastealer", "dcrat", "warzone", "warzone rat",
}
KNOWN_ORGS = {
"microsoft", "google", "cisco", "apple", "amazon", "facebook", "meta", "ibm", "oracle",
"intel", "amd", "nvidia", "samsung", "huawei", "kaspersky", "symantec", "mcafee",
"crowdstrike", "palo alto", "palo alto networks", "fireeye", "mandiant", "sophos",
"fortinet", "checkpoint", "check point", "trend micro", "eset", "avast", "norton",
"vmware", "citrix", "adobe", "sap", "salesforce", "dell", "hp", "lenovo",
"nsa", "fbi", "cisa", "nist", "mitre", "cert", "us-cert",
}
CVE_RE = re.compile(r"^CVE-\d{4}-\d+$", re.IGNORECASE)
IP_RE = re.compile(r"^\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}$")
HASH_RE = re.compile(r"^[a-fA-F0-9]{32,64}$")
URL_RE = re.compile(r"^https?://", re.IGNORECASE)
DOMAIN_RE = re.compile(r"^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?\.[a-zA-Z]{2,}(\.[a-zA-Z]{2,})?$")
# Defanged patterns
DEFANGED_IP_RE = re.compile(r"^\d{1,3}\[\.\]\d{1,3}\[\.\]\d{1,3}\[\.\]\d{1,3}$")
DEFANGED_URL_RE = re.compile(r"^hxxps?://", re.IGNORECASE)
DEFANGED_DOMAIN_RE = re.compile(r"^[a-zA-Z0-9]([a-zA-Z0-9\-]*[a-zA-Z0-9])?\[\.\][a-zA-Z]{2,}")
def load_file(path):
"""Load JSONL, return list of (text, spans_dict, source_in_info)."""
rows = []
with open(path) as f:
for line in f:
line = line.strip()
if not line:
continue
obj = json.loads(line)
source = obj.get("info", {}).get("source", "unknown")
rows.append((obj["text"], obj.get("spans", {}), source))
return rows
def parse_spans(spans_dict):
"""Yield (label, surface_text, offsets) from spans dict."""
for key, offsets_list in spans_dict.items():
if ": " not in key:
continue
label, entity_text = key.split(": ", 1)
for offsets in offsets_list:
yield label, entity_text, offsets
def is_indicator_like(text):
"""Check if text looks like an indicator (IP, hash, URL, domain)."""
t = text.strip()
return bool(IP_RE.match(t) or HASH_RE.match(t) or URL_RE.match(t) or
DEFANGED_IP_RE.match(t) or DEFANGED_URL_RE.match(t) or
DEFANGED_DOMAIN_RE.match(t))
def main():
# ββ Load all data ββ
all_data = {} # filename -> rows
for name, path in FILES.items():
if not path.exists():
print(f"WARNING: {path} not found, skipping")
continue
all_data[name] = load_file(path)
print(f"Loaded {name}: {len(all_data[name])} examples")
# ββ Extract (entity_lower, label) per source ββ
# source_entities[source] = {entity_lower: {label: count}}
source_entities = defaultdict(lambda: defaultdict(Counter))
# Also track invalid labels
invalid_labels = defaultdict(list)
for fname, rows in all_data.items():
for text, spans, src in rows:
for label, entity_text, _ in parse_spans(spans):
if label not in VALID_LABELS:
invalid_labels[fname].append((label, entity_text))
source_entities[fname][entity_text.lower()][label] += 1
print(f"\n{'='*80}")
print("LABEL CONSISTENCY AUDIT REPORT")
print(f"{'='*80}")
# ββ 0. Invalid labels ββ
print(f"\n{'β'*80}")
print("0. INVALID LABELS (not in {Malware, Indicator, Organization, System, Vulnerability})")
print(f"{'β'*80}")
any_invalid = False
for fname, items in invalid_labels.items():
if items:
any_invalid = True
counts = Counter(items)
print(f"\n [{fname}] {len(items)} invalid label occurrences:")
for (lbl, ent), cnt in counts.most_common(20):
print(f" {lbl}: {ent!r} (x{cnt})")
if not any_invalid:
print(" None found.")
# ββ 1. Cross-source conflicts ββ
print(f"\n{'β'*80}")
print("1. CROSS-SOURCE ENTITY LABEL CONFLICTS")
print(f"{'β'*80}")
# Merge: global_entities[entity_lower] = {source: {label: count}}
global_entities = defaultdict(lambda: defaultdict(Counter))
for fname, ents in source_entities.items():
for ent_lower, label_counts in ents.items():
for label, count in label_counts.items():
global_entities[ent_lower][fname][label] += count
cross_conflicts = []
for ent_lower, source_map in sorted(global_entities.items()):
all_labels = set()
for src, lc in source_map.items():
all_labels.update(lc.keys())
if len(all_labels) > 1 and len(source_map) > 1:
# Check if different sources disagree
cross_conflicts.append((ent_lower, source_map, all_labels))
print(f"\n Found {len(cross_conflicts)} entities with conflicting labels across sources.")
# Sort by total frequency desc
cross_conflicts.sort(key=lambda x: -sum(c for sm in x[1].values() for c in sm.values()))
for ent, source_map, labels in cross_conflicts[:60]:
total = sum(c for sm in source_map.values() for c in sm.values())
print(f"\n '{ent}' (total={total}, labels={labels}):")
for src in sorted(source_map):
print(f" {src}: {dict(source_map[src])}")
# ββ 2. Within-source conflicts ββ
print(f"\n{'β'*80}")
print("2. WITHIN-SOURCE LABEL CONFLICTS")
print(f"{'β'*80}")
for fname in sorted(source_entities):
conflicts = []
for ent_lower, label_counts in source_entities[fname].items():
if len(label_counts) > 1:
conflicts.append((ent_lower, dict(label_counts)))
conflicts.sort(key=lambda x: -sum(x[1].values()))
print(f"\n [{fname}] {len(conflicts)} entities with multiple labels:")
for ent, lc in conflicts[:30]:
print(f" '{ent}': {lc}")
# ββ 3. Suspicious label assignments ββ
print(f"\n{'β'*80}")
print("3. SUSPICIOUS LABEL ASSIGNMENTS")
print(f"{'β'*80}")
suspicious = defaultdict(list) # category -> [(entity, label, source, count)]
for fname, ents in source_entities.items():
for ent_lower, label_counts in ents.items():
for label, count in label_counts.items():
# Known malware not tagged as Malware
if ent_lower in KNOWN_MALWARE and label != "Malware":
suspicious["Known malware not tagged Malware"].append(
(ent_lower, label, fname, count))
# CVE not tagged as Vulnerability
if CVE_RE.match(ent_lower) and label != "Vulnerability":
suspicious["CVE not tagged Vulnerability"].append(
(ent_lower, label, fname, count))
# Indicators not tagged as Indicator
if is_indicator_like(ent_lower) and label != "Indicator":
suspicious["IP/URL/hash/domain not tagged Indicator"].append(
(ent_lower, label, fname, count))
# Known orgs not tagged as Organization
if ent_lower in KNOWN_ORGS and label != "Organization":
suspicious["Known org not tagged Organization"].append(
(ent_lower, label, fname, count))
for category, items in sorted(suspicious.items()):
items.sort(key=lambda x: -x[3])
print(f"\n {category} ({len(items)} cases):")
for ent, label, src, count in items[:30]:
print(f" '{ent}' tagged as {label} in {src} (x{count})")
if not suspicious:
print(" None found.")
# ββ 4. Entity frequency analysis ββ
print(f"\n{'β'*80}")
print("4. ENTITY FREQUENCY ANALYSIS (top 20 per class per source)")
print(f"{'β'*80}")
for fname in sorted(source_entities):
print(f"\n ββ {fname} ββ")
# class -> Counter of entity texts
class_counts = defaultdict(Counter)
for ent_lower, label_counts in source_entities[fname].items():
for label, count in label_counts.items():
class_counts[label][ent_lower] += count
for label in sorted(VALID_LABELS):
if label not in class_counts:
continue
top = class_counts[label].most_common(20)
total_unique = len(class_counts[label])
total_mentions = sum(class_counts[label].values())
print(f"\n {label} ({total_unique} unique, {total_mentions} mentions):")
for ent, cnt in top:
# Flag potential anomalies
flag = ""
if label != "Malware" and ent in KNOWN_MALWARE:
flag = " β οΈ MALWARE?"
if label != "Organization" and ent in KNOWN_ORGS:
flag = " β οΈ ORG?"
if label != "Indicator" and is_indicator_like(ent):
flag = " β οΈ INDICATOR?"
if label != "Vulnerability" and CVE_RE.match(ent):
flag = " β οΈ CVE?"
print(f" {cnt:5d} {ent}{flag}")
# ββ Summary ββ
print(f"\n{'='*80}")
print("SUMMARY")
print(f"{'='*80}")
print(f" Files analyzed: {len(all_data)}")
print(f" Cross-source conflicts: {len(cross_conflicts)}")
for fname in sorted(source_entities):
n = sum(1 for e, lc in source_entities[fname].items() if len(lc) > 1)
print(f" Within-source conflicts [{fname}]: {n}")
total_suspicious = sum(len(v) for v in suspicious.values())
print(f" Suspicious assignments: {total_suspicious}")
for cat, items in sorted(suspicious.items()):
print(f" {cat}: {len(items)}")
if __name__ == "__main__":
main()
|