#!/usr/bin/env python3
"""
C2Sentinel Basic Usage Example

Demonstrates loading the model and analyzing network connections
for C2 beacon detection.
"""

from c2sentinel import C2Sentinel

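def _beacon_connections(dst_ip, dst_port, bytes_sent, bytes_recv, interval, *, count=10, start=1705600000):
    """Build ``count`` synthetic connection records to a single destination.

    The three examples in :func:`main` differed only in their destination,
    packet sizes and interval, so the record construction lives here once.

    Args:
        dst_ip: Value written to each record's ``'dst_ip'`` key.
        dst_port: Value written to each record's ``'dst_port'`` key.
        bytes_sent: Bytes sent per connection (``'bytes_sent'``).
        bytes_recv: Bytes received per connection (``'bytes_recv'``).
        interval: Seconds between consecutive ``'timestamp'`` values.
        count: Number of records to generate (keyword-only, default 10).
        start: Epoch timestamp of the first record (keyword-only).

    Returns:
        A list of ``count`` dicts with the keys ``'timestamp'``, ``'dst_ip'``,
        ``'dst_port'``, ``'bytes_sent'`` and ``'bytes_recv'`` -- the record
        shape the examples pass to ``C2Sentinel.analyze``.
    """
    return [
        {
            'timestamp': start + i * interval,
            'dst_ip': dst_ip,
            'dst_port': dst_port,
            'bytes_sent': bytes_sent,
            'bytes_recv': bytes_recv,
        }
        for i in range(count)
    ]


def main():
    """Run the C2Sentinel usage examples and print their results to stdout.

    Loads the model once, analyzes three synthetic traffic patterns, then
    re-analyzes the first pattern under different decision thresholds.
    Returns nothing; all output is printed.
    """
    # Load the model from the 'c2_sentinel' artifact.
    # NOTE(review): the artifact format is not visible here -- if load()
    # deserializes with pickle or similar, only load artifacts you trust.
    sentinel = C2Sentinel.load('c2_sentinel')

    # Example 1: Analyze a series of connections to a single destination
    # This pattern shows regular 60-second intervals with consistent packet sizes
    # - a common C2 beacon signature
    connections = _beacon_connections('10.0.0.100', 443, 200, 500, 60)

    result = sentinel.analyze(connections)

    print("Example 1: Regular beacon pattern")
    print(f"  Is C2: {result.is_c2}")
    print(f"  Probability: {result.c2_probability:.2f}")
    print(f"  C2 Type: {result.c2_type}")
    print(f"  Detection Method: {result.detection_method}")
    print()

    # Example 2: Legitimate SSH keepalive traffic
    # Small symmetric packets on port 22 at regular 30-second intervals
    ssh_connections = _beacon_connections('192.168.1.50', 22, 48, 48, 30)

    result = sentinel.analyze(ssh_connections)

    print("Example 2: SSH keepalive pattern")
    print(f"  Is C2: {result.is_c2}")
    print(f"  Matched Pattern: {result.matched_legitimate_pattern}")
    print(f"  Service Type: {result.service_type}")
    print()

    # Example 3: High-confidence C2 on known malicious port
    # Port 4444 is the Metasploit default; the model is expected to flag it
    # without waiting for a full timing profile.
    c2_connections = _beacon_connections('45.33.32.156', 4444, 150, 300, 30)

    result = sentinel.analyze(c2_connections)

    print("Example 3: High-confidence C2 port")
    print(f"  Is C2: {result.is_c2}")
    print(f"  C2 Type: {result.c2_type}")
    print(f"  Probability: {result.c2_probability:.2f}")
    print(f"  Immediate Detection: {result.immediate_detection}")
    print(f"  Risk Factors: {result.risk_factors}")
    print()

    # Example 4: Using threshold adjustment on the Example 1 beacon pattern.
    # The probability is the same each time; only the is_c2 decision moves.
    print("Example 4: Threshold adjustment")

    # Lower threshold for higher sensitivity (more detections, more false positives)
    result_low = sentinel.analyze(connections, threshold=0.3)
    print(f"  Low threshold (0.3): is_c2={result_low.is_c2}, prob={result_low.c2_probability:.2f}")

    # Higher threshold for higher precision (fewer detections, fewer false positives)
    result_high = sentinel.analyze(connections, threshold=0.7)
    print(f"  High threshold (0.7): is_c2={result_high.is_c2}, prob={result_high.c2_probability:.2f}")

    # Strict mode (minimum 0.7 threshold)
    result_strict = sentinel.analyze(connections, strict_mode=True)
    print(f"  Strict mode: is_c2={result_strict.is_c2}, prob={result_strict.c2_probability:.2f}")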

if __name__ == "__main__":
    # Run the examples only when executed as a script, not on import.
    main()