Hugging Face's logo

danielostrow
/
c2sentinel

Other
PyTorch
Safetensors
English
security
cybersecurity
network-security
c2-detection
beacon-detection
threat-detection
malware-detection
logbert
transformer
Model card Files
xet
Community
c2sentinel / README.md
danielostrow's picture
danielostrow
Update file list to include API reference
4ad28eb verified
preview code
|
raw
history blame contribute delete
8.66 kB
metadata
license: mit
language:
  - en
library_name: pytorch
tags:
  - security
  - cybersecurity
  - network-security
  - c2-detection
  - beacon-detection
  - threat-detection
  - malware-detection
  - logbert
  - transformer
  - safetensors
pipeline_tag: other

C2Sentinel

Downloads License Demo

A machine learning model for detecting Command and Control (C2) beacon communications in network traffic. Built on a fine-tuned LogBERT transformer architecture.

Author: Daniel Ostrow Website: neuralintellect.com Release Date: January 18, 2026

Base Model

This model is fine-tuned from the LogBERT architecture for log anomaly detection.

Overview

C2Sentinel analyzes network connection patterns to identify C2 beacon activity. The model uses behavioral analysis rather than port-based filtering, enabling detection of C2 communications on any port. This approach catches C2 activity regardless of whether attackers use expected ports (4444) or attempt to blend in on common ports (443, 80, 53).

Capabilities

  • Detection of 34+ C2 framework behavioral patterns across all ports
  • Slow beacon detection (intervals from seconds to hours)
  • Legitimate traffic pattern recognition (SSH keepalive, health checks, database connections)
  • Optional context enrichment (process information, reputation scores, threat intelligence)
  • IP reconnaissance and IOC generation
  • Safetensors format for secure model loading

Installation 

pip install torch numpy safetensors huggingface_hub

Usage

Loading from HuggingFace Hub 

from c2sentinel import C2Sentinel

sentinel = C2Sentinel.from_pretrained('danielostrow/c2sentinel')

Loading from Local Files 

from c2sentinel import C2Sentinel

sentinel = C2Sentinel.load('c2_sentinel')

Analyzing Connections 

connections = [
    {
        'timestamp': 1000000,
        'dst_ip': '10.0.0.1',
        'dst_port': 443,
        'bytes_sent': 200,
        'bytes_recv': 500
    },
    {
        'timestamp': 1000060,
        'dst_ip': '10.0.0.1',
        'dst_port': 443,
        'bytes_sent': 200,
        'bytes_recv': 500
    },
]

result = sentinel.analyze(connections)

if result.is_c2:
    print(f"C2 detected: {result.c2_type}")
    print(f"Probability: {result.c2_probability}")
else:
    print("No C2 detected")

Connection Record Format

Field Type Required Description
timestamp float Yes Unix timestamp
dst_ip str Yes Destination IP address
dst_port int Yes Destination port
bytes_sent int Yes Bytes sent
bytes_recv int Yes Bytes received
src_ip str No Source IP address
src_port int No Source port
protocol str No Protocol (tcp/udp)
duration float No Connection duration in seconds

Analysis Options

Threshold 

# Default threshold (0.5)
result = sentinel.analyze(connections)

# Lower threshold for higher sensitivity
result = sentinel.analyze(connections, threshold=0.3)

# Higher threshold for higher precision
result = sentinel.analyze(connections, threshold=0.7)

# Strict mode enforces minimum 0.7 threshold
result = sentinel.analyze(connections, strict_mode=True)

Context 

from c2sentinel import ConnectionContext

context = ConnectionContext(
    process_name='sshd',
    known_good=True,
    ip_reputation=0.95,
    dns_queries=['api.example.com']
)

result = sentinel.analyze(connections, context=context)

Whitelist and Blacklist 

sentinel.add_whitelist(ips=['8.8.8.8'], domains=['google.com'])
sentinel.add_blacklist(ips=['10.10.10.10'], domains=['malware.example'])

Result Object

The AnalysisResult object contains:

Attribute Type Description
is_c2 bool True if C2 detected
c2_probability float Probability score (0.0-1.0)
c2_type str Detected C2 framework type
confidence float Model confidence
detection_method str Method used (signature/ml/context/whitelist)
immediate_detection bool True if signature-based
risk_factors list Factors supporting C2 classification
mitigating_factors list Factors against C2 classification
matched_legitimate_pattern str Matched legitimate pattern name
service_type str Detected service type
recommendations list Suggested actions

Batch Analysis 

connection_groups = [
    [conn1, conn2, conn3],
    [conn4, conn5, conn6],
]

results = sentinel.analyze_batch(connection_groups)

Log File Parsing 

with open('conn.log', 'r') as f:
    log_lines = f.readlines()

results = sentinel.analyze_logs(log_lines, group_by_dst=True)

Supported formats: JSON, Zeek conn.log, syslog

Reconnaissance

IP Analysis 

info = sentinel.recon.analyze_ip('104.16.132.229')
# Returns: is_valid, is_private, is_cdn, cdn_provider, reverse_dns

Pattern Analysis 

patterns = sentinel.recon.analyze_connection_patterns(connections)
# Returns: timing stats, volume stats, behavioral indicators

IOC Generation 

if result.is_c2:
    iocs = sentinel.recon.generate_iocs(connections, result.to_dict())
    # Returns: ips, ports, timing_signatures, behavioral_indicators

Detection Methodology

C2 Indicators

  • Consistent beacon intervals (low timing variance)
  • Consistent packet sizes (low size variance)
  • Single persistent destination
  • Balanced request/response ratio

Signature Detection

Immediate detection for high-confidence C2 ports with matching behavioral patterns:

  • Port 4444 (Metasploit default)
  • Port 5555 (Metasploit alternative)
  • Port 31337 (Sliver)
  • Port 40056 (Havoc)

Legitimate Traffic Indicators

  • High response size variance
  • Asymmetric traffic patterns (small requests, large responses)
  • Multiple destinations
  • SSH keepalive patterns (small symmetric packets on port 22)
  • Health check patterns (regular intervals, variable response sizes)

Model Specifications

Specification Value
Architecture LogBERT Transformer
Parameters 4.9 million
Feature Dimensions 40
Encoder Layers 6
Attention Heads 8
Hidden Dimension 256
Format Safetensors
Size 20 MB

Repository Contents

File Description
c2sentinel.py Main module with model and analysis code
c2_sentinel.safetensors Trained model weights
c2_sentinel.json Model configuration
normalization_params.npz Feature normalization parameters
API_REFERENCE.md Complete API documentation for scripting
LICENSE MIT License

License

MIT License

Copyright (c) 2026 Daniel Ostrow

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.