danielostrow commited on
Commit
2b5ad85
·
verified ·
1 Parent(s): 3626226

Fix false positives: high-confidence legitimate patterns no longer overridden by beacon indicators

Files changed (1)
  1. c2sentinel.py +18 -11
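--- a/c2sentinel.py
+++ b/c2sentinel.py
@@ -1711,25 +1711,32 @@ class C2Sentinel:
  result.risk_factors.append(f"Probable C2 beacon pattern ({beacon_indicators}/5 indicators)")
 
  # ================================================================
- # PHASE 5: Apply legitimate pattern discount (but respect strong beacon signals)
+ # PHASE 5: Apply legitimate pattern discount
+ # High-confidence legitimate patterns should NOT be overridden by beacon indicators
  # ================================================================
 
  if matched_pattern and pattern_confidence > 0.5:
- # If strong beacon indicators present, skip or reduce the legitimate pattern discount
- # This prevents false negatives when C2 mimics legitimate patterns
- if beacon_indicators >= 4:
- # Strong C2 signal - don't discount
- result.mitigating_factors.append(f"Matches {matched_pattern.name} pattern but beacon indicators override")
+ # High-confidence legitimate patterns (> 0.75) always get full discount
+ # This prevents false positives on known good traffic
+ if pattern_confidence >= 0.75:
+ # Strong legitimate pattern match - apply full discount regardless of beacon indicators
+ discount = 1.0 - (pattern_confidence * 0.8) # Up to 80% reduction
+ c2_prob *= discount
+ result.mitigating_factors.append(f"Strong {matched_pattern.name} pattern match (conf: {pattern_confidence:.0%})")
+ result.detection_method = DetectionMethod.WHITELIST.value
+ elif beacon_indicators >= 4 and pattern_confidence < 0.6:
+ # Strong beacon + weak pattern match - beacon wins
+ result.mitigating_factors.append(f"Weak {matched_pattern.name} match overridden by beacon indicators")
  elif beacon_indicators >= 3:
- # Moderate C2 signal - apply reduced discount
- discount = 1.0 - (pattern_confidence * 0.3) # Max 30% reduction
+ # Moderate beacon + moderate pattern - apply reduced discount
+ discount = 1.0 - (pattern_confidence * 0.4) # Max 40% reduction
  c2_prob *= discount
- result.mitigating_factors.append(f"Legitimate pattern match reduces probability by {(1-discount)*100:.0f}%")
+ result.mitigating_factors.append(f"{matched_pattern.name} pattern reduces probability by {(1-discount)*100:.0f}%")
  else:
- # Weak C2 signal - apply full discount
+ # Weak/no beacon - apply full discount
  discount = 1.0 - (pattern_confidence * 0.7) # Up to 70% reduction
  c2_prob *= discount
- result.mitigating_factors.append(f"Legitimate pattern match reduces probability by {(1-discount)*100:.0f}%")
+ result.mitigating_factors.append(f"{matched_pattern.name} pattern reduces probability by {(1-discount)*100:.0f}%")
 
  # ================================================================
  # PHASE 6: Apply context inference (always check whitelist/blacklist)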
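Review bot: At new line 1721 a pattern match with confidence >= 0.75 takes the full 80% discount even when beacon_indicators is 4 or 5, and that disagreement is recorded only as a mitigating factor while line 1726 overwrites result.detection_method with WHITELIST; a strong beacon score coexisting with a high-confidence pattern is exactly the case an analyst should be shown, not one to resolve silently. I would keep the discount but surface the conflict, e.g. `if beacon_indicators >= 4:` / `result.risk_factors.append(f"Strong beacon signal ({beacon_indicators}/5) coexists with {matched_pattern.name} match")`, and only assign WHITELIST when beacon_indicators < 4 so that Phase 6's explicit whitelist check (per its comment) stays distinguishable from a heuristic pattern match. The thresholds 0.6 and 0.75 and the weights 0.8, 0.4 and 0.7 at lines 1721-1737 are now six unrelated magic numbers in one branch; naming them as class constants (e.g. STRONG_PATTERN_CONF, STRONG_BEACON_COUNT) would make the decision table reviewable. Note also that with 4+ indicators the step from confidence 0.74 to 0.75 moves the reduction from about 30% (the 0.4-weight branch) to 60%, which is presumably intended but deserves a comment. The enclosing method starts and ends outside the hunk.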