Upload folder using huggingface_hub

Browse files

Files changed (8) hide show

API_REFERENCE.md +749 -0
LICENSE +21 -0
README.md +273 -0
c2_sentinel.json +11 -0
c2_sentinel.safetensors +3 -0
c2sentinel.py +1855 -0
examples/advanced_usage.py +236 -0
examples/basic_usage.py +105 -0

API_REFERENCE.md ADDED Viewed

	@@ -0,0 +1,749 @@

+# C2Sentinel API Reference
+Complete technical documentation for the C2Sentinel Python API.
+**Author:** Daniel Ostrow
+**Website:** [neuralintellect.com](https://neuralintellect.com)
+---
+## Table of Contents
+1. [C2Sentinel Class](#c2sentinel-class)
+2. [AnalysisResult Class](#analysisresult-class)
+3. [ConnectionContext Class](#connectioncontext-class)
+4. [ReconSupport Class](#reconsupport-class)
+5. [FeatureExtractor Class](#featureextractor-class)
+6. [LogParser Class](#logparser-class)
+7. [Enums and Constants](#enums-and-constants)
+---
+## C2Sentinel Class
+Main interface for C2 detection.
+### Constructor
+```python
+C2Sentinel(model: LogBERTC2Sentinel, config: C2SentinelConfig, device: str = 'auto')
+```
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `model` | LogBERTC2Sentinel | The neural network model |
+| `config` | C2SentinelConfig | Model configuration |
+| `device` | str | Device for inference ('auto', 'cpu', 'cuda') |
+### Class Methods
+#### load
+```python
+@classmethod
+def load(cls, path: str, device: str = 'auto') -> 'C2Sentinel'
+```
+Load a pre-trained model from safetensors format.
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `path` | str | Path to model files (without extension) |
+| `device` | str | Device for inference |
+**Returns:** C2Sentinel instance
+**Example:**
+```python
+sentinel = C2Sentinel.load('c2_sentinel')
+sentinel = C2Sentinel.load('/path/to/c2_sentinel', device='cuda')
+```
+#### create_new
+```python
+@classmethod
+def create_new(cls, device: str = 'auto') -> 'C2Sentinel'
+```
+Create a new untrained model instance.
+**Returns:** C2Sentinel instance with random weights
+---
+### Instance Methods
+#### analyze
+```python
+def analyze(
+    self,
+    connections: List[Dict],
+    threshold: float = 0.5,
+    context: Optional[ConnectionContext] = None,
+    include_features: bool = False,
+    strict_mode: bool = False
+) -> AnalysisResult
+```
+Analyze a list of connections for C2 activity.
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `connections` | List[Dict] | required | List of connection records |
+| `threshold` | float | 0.5 | Detection threshold (0.0-1.0) |
+| `context` | ConnectionContext | None | Optional context for enrichment |
+| `include_features` | bool | False | Include raw feature vector in result |
+| `strict_mode` | bool | False | Enforce minimum 0.7 threshold |
+**Returns:** AnalysisResult object
+**Connection Record Fields:**
+```python
+{
+    'timestamp': float,      # Required: Unix timestamp
+    'dst_ip': str,           # Required: Destination IP
+    'dst_port': int,         # Required: Destination port
+    'bytes_sent': int,       # Required: Bytes sent
+    'bytes_recv': int,       # Required: Bytes received
+    'src_ip': str,           # Optional: Source IP
+    'src_port': int,         # Optional: Source port
+    'protocol': str,         # Optional: 'tcp' or 'udp'
+    'duration': float        # Optional: Duration in seconds
+}
+```
+**Example:**
+```python
+connections = [
+    {'timestamp': 1000, 'dst_ip': '10.0.0.1', 'dst_port': 443,
+     'bytes_sent': 200, 'bytes_recv': 500},
+    {'timestamp': 1060, 'dst_ip': '10.0.0.1', 'dst_port': 443,
+     'bytes_sent': 200, 'bytes_recv': 500},
+]
+result = sentinel.analyze(connections)
+result = sentinel.analyze(connections, threshold=0.7, strict_mode=True)
+```
+---
+#### analyze_batch
+```python
+def analyze_batch(
+    self,
+    connection_groups: List[List[Dict]],
+    threshold: float = 0.5,
+    contexts: Optional[List[ConnectionContext]] = None,
+    parallel: bool = True
+) -> List[AnalysisResult]
+```
+Analyze multiple connection groups.
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `connection_groups` | List[List[Dict]] | required | List of connection lists |
+| `threshold` | float | 0.5 | Detection threshold |
+| `contexts` | List[ConnectionContext] | None | Context for each group |
+| `parallel` | bool | True | Enable parallel processing |
+**Returns:** List of AnalysisResult objects
+**Example:**
+```python
+groups = [
+    [conn1, conn2, conn3],
+    [conn4, conn5, conn6],
+]
+results = sentinel.analyze_batch(groups)
+```
+---
+#### analyze_logs
+```python
+def analyze_logs(
+    self,
+    log_lines: List[str],
+    group_by_dst: bool = True,
+    threshold: float = 0.5
+) -> List[Dict]
+```
+Parse and analyze raw log lines.
+| Parameter | Type | Default | Description |
+|-----------|------|---------|-------------|
+| `log_lines` | List[str] | required | Raw log lines |
+| `group_by_dst` | bool | True | Group connections by destination IP |
+| `threshold` | float | 0.5 | Detection threshold |
+**Returns:** List of result dictionaries, sorted by probability (descending)
+**Supported Formats:**
+- JSON logs with standard fields
+- Zeek/Bro conn.log (tab-separated)
+- Syslog with IP:port patterns
+**Example:**
+```python
+with open('conn.log') as f:
+    lines = f.readlines()
+results = sentinel.analyze_logs(lines, group_by_dst=True)
+for r in results:
+    print(f"{r['dst_ip']}: {r['c2_probability']}")
+```
+---
+#### add_whitelist
+```python
+def add_whitelist(
+    self,
+    ips: List[str] = None,
+    domains: List[str] = None
+)
+```
+Add IPs or domains to the whitelist. Whitelisted destinations receive reduced C2 probability.
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `ips` | List[str] | IP addresses to whitelist |
+| `domains` | List[str] | Domain names to whitelist |
+**Example:**
+```python
+sentinel.add_whitelist(
+    ips=['8.8.8.8', '1.1.1.1'],
+    domains=['google.com', 'github.com']
+)
+```
+---
+#### add_blacklist
+```python
+def add_blacklist(
+    self,
+    ips: List[str] = None,
+    domains: List[str] = None
+)
+```
+Add IPs or domains to the blacklist. Blacklisted destinations receive increased C2 probability.
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `ips` | List[str] | IP addresses to blacklist |
+| `domains` | List[str] | Domain names to blacklist |
+---
+#### save
+```python
+def save(self, path: str)
+```
+Save model to safetensors format.
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `path` | str | Output path (without extension) |
+Creates two files:
+- `{path}.safetensors` - Model weights
+- `{path}.json` - Configuration
+---
+### Instance Attributes
+| Attribute | Type | Description |
+|-----------|------|-------------|
+| `model` | LogBERTC2Sentinel | The neural network |
+| `config` | C2SentinelConfig | Model configuration |
+| `device` | torch.device | Inference device |
+| `feature_extractor` | FeatureExtractor | Feature extraction module |
+| `log_parser` | LogParser | Log parsing module |
+| `context_engine` | ContextInference | Context inference module |
+| `recon` | ReconSupport | Reconnaissance module |
+---
+## AnalysisResult Class
+Dataclass containing analysis results.
+### Attributes
+| Attribute | Type | Description |
+|-----------|------|-------------|
+| `is_c2` | bool | True if C2 detected |
+| `c2_probability` | float | Probability score (0.0-1.0) |
+| `anomaly_score` | float | Anomaly detection score |
+| `evasion_score` | float | Evasion technique detection score |
+| `confidence` | float | Model confidence in prediction |
+| `c2_type` | str | Detected C2 framework type |
+| `c2_type_confidence` | float | Confidence in C2 type classification |
+| `detection_method` | str | Detection method used |
+| `immediate_detection` | bool | True if signature-based detection |
+| `context_applied` | bool | True if context was applied |
+| `original_probability` | float | Probability before context adjustment |
+| `probability_modifier` | float | Context probability modifier |
+| `matched_legitimate_pattern` | str | Name of matched legitimate pattern |
+| `legitimate_confidence` | float | Confidence in legitimate pattern match |
+| `risk_factors` | List[str] | Factors supporting C2 classification |
+| `mitigating_factors` | List[str] | Factors against C2 classification |
+| `service_type` | str | Detected service type |
+| `recommendations` | List[str] | Suggested follow-up actions |
+| `features` | List[float] | Raw 40-dimensional feature vector |
+### Methods
+#### to_dict
+```python
+def to_dict(self) -> Dict[str, Any]
+```
+Convert result to dictionary.
+**Returns:** Dictionary representation of all attributes
+---
+## ConnectionContext Class
+Dataclass for providing additional context to improve detection accuracy.
+### Constructor
+```python
+ConnectionContext(
+    # Process information
+    process_name: Optional[str] = None,
+    process_path: Optional[str] = None,
+    process_pid: Optional[int] = None,
+    parent_process: Optional[str] = None,
+    command_line: Optional[str] = None,
+    # Network metadata
+    dns_queries: Optional[List[str]] = None,
+    resolved_hostname: Optional[str] = None,
+    tls_sni: Optional[str] = None,
+    tls_ja3: Optional[str] = None,
+    tls_ja3s: Optional[str] = None,
+    certificate_issuer: Optional[str] = None,
+    certificate_subject: Optional[str] = None,
+    certificate_valid: Optional[bool] = None,
+    http_user_agent: Optional[str] = None,
+    http_host: Optional[str] = None,
+    # Reputation
+    ip_reputation: Optional[float] = None,
+    domain_reputation: Optional[float] = None,
+    known_good: Optional[bool] = None,
+    known_bad: Optional[bool] = None,
+    threat_intel_match: Optional[str] = None,
+    # Host context
+    source_hostname: Optional[str] = None,
+    source_user: Optional[str] = None,
+    source_is_server: Optional[bool] = None,
+    source_is_workstation: Optional[bool] = None,
+    # Additional
+    geo_country: Optional[str] = None,
+    geo_asn: Optional[str] = None,
+    tags: Optional[List[str]] = None
+)
+```
+### Attribute Details
+| Attribute | Type | Effect on Analysis |
+|-----------|------|-------------------|
+| `process_name` | str | Known processes reduce probability |
+| `known_good` | bool | True reduces probability by 90% |
+| `known_bad` | bool | True increases probability by 5x |
+| `ip_reputation` | float | Score > 0.8 reduces probability |
+| `threat_intel_match` | str | Match increases probability by 5x |
+| `tls_ja3` | str | Known C2 JA3 increases probability |
+| `certificate_valid` | bool | False increases probability |
+### Methods
+#### to_dict
+```python
+def to_dict(self) -> Dict[str, Any]
+```
+Convert to dictionary, excluding None values.
+---
+## ReconSupport Class
+Reconnaissance and enrichment utilities.
+### Class Methods
+#### analyze_ip
+```python
+@classmethod
+def analyze_ip(cls, ip: str) -> Dict[str, Any]
+```
+Analyze an IP address.
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `ip` | str | IP address to analyze |
+**Returns:**
+```python
+{
+    'ip': str,              # Original IP
+    'is_valid': bool,       # Valid IP format
+    'is_private': bool,     # RFC 1918 private range
+    'is_loopback': bool,    # Loopback address
+    'is_multicast': bool,   # Multicast address
+    'is_cdn': bool,         # Known CDN range
+    'cdn_provider': str,    # CDN name if applicable
+    'ip_version': int,      # 4 or 6
+    'reverse_dns': str,     # Reverse DNS lookup result
+    'numeric': int          # Numeric representation
+}
+```
+**Known CDN Ranges:**
+- Cloudflare
+- AWS
+- Google Cloud
+- Azure
+- Akamai
+---
+#### analyze_connection_patterns
+```python
+@classmethod
+def analyze_connection_patterns(cls, connections: List[Dict]) -> Dict[str, Any]
+```
+Analyze connection patterns for threat hunting.
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `connections` | List[Dict] | Connection records |
+**Returns:**
+```python
+{
+    'connection_count': int,
+    'unique_destinations': int,
+    'unique_ports': int,
+    'timing': {
+        'duration_seconds': float,
+        'mean_interval': float,
+        'interval_stddev': float,
+        'interval_cv': float       # Coefficient of variation
+    },
+    'volume': {
+        'total_sent': int,
+        'total_recv': int,
+        'mean_sent': float,
+        'mean_recv': float,
+        'sent_recv_ratio': float
+    },
+    'ports': {
+        port_number: count,        # Port distribution
+        ...
+    },
+    'destinations': {
+        ip: analyze_ip_result,     # Per-IP analysis
+        ...
+    },
+    'indicators': {
+        'single_destination': bool,
+        'consistent_timing': bool,
+        'consistent_sizes': bool,
+        'uses_common_port': bool,
+        'uses_high_port': bool,
+        'has_cdn_destination': bool,
+        'all_private_destinations': bool
+    }
+}
+```
+---
+#### generate_iocs
+```python
+@classmethod
+def generate_iocs(
+    cls,
+    connections: List[Dict],
+    result: Dict
+) -> Dict[str, List[str]]
+```
+Generate Indicators of Compromise from detected C2.
+| Parameter | Type | Description |
+|-----------|------|-------------|
+| `connections` | List[Dict] | Connection records |
+| `result` | Dict | Analysis result dictionary |
+**Returns:**
+```python
+{
+    'ips': List[str],                  # Destination IPs
+    'ports': List[str],                # Destination ports
+    'timing_signatures': List[str],    # Beacon timing patterns
+    'behavioral_indicators': List[str] # Behavioral markers
+}
+```
+Only generates IOCs if `result['is_c2']` is True.
+---
+## FeatureExtractor Class
+Extracts 40-dimensional feature vectors from connections.
+### Constants
+#### C2_TYPES
+List of detectable C2 framework types:
+```python
+[
+    'unknown', 'metasploit', 'cobalt_strike', 'sliver', 'havoc',
+    'mythic', 'poshc2', 'merlin', 'empire', 'covenant',
+    'brute_ratel', 'koadic', 'pupy', 'silenttrinity', 'faction',
+    'ibombshell', 'godoh', 'dnscat2', 'iodine', 'dns_generic',
+    'http_custom', 'https_custom', 'websocket', 'domain_fronting',
+    'cloud_fronting', 'cdn_abuse', 'apt_generic', 'apt28', 'apt29',
+    'apt41', 'lazarus', 'fin7', 'turla', 'winnti', 'custom'
+]
+```
+### Methods
+#### extract_features
+```python
+def extract_features(self, connections: List[Dict]) -> np.ndarray
+```
+Extract 40-dimensional feature vector.
+**Returns:** numpy array of shape (40,)
+**Feature Groups:**
+- Features 0-9: Timing (intervals, jitter, regularity, periodicity)
+- Features 10-17: Destinations (diversity, persistence, ports)
+- Features 18-27: Payload (sizes, ratios, consistency)
+- Features 28-35: Evasion (jitter patterns, bursts, session length)
+- Features 36-39: Advanced (night activity, fast beacon ratio, duration)
+---
+#### check_metasploit_signature
+```python
+def check_metasploit_signature(
+    self,
+    connections: List[Dict]
+) -> Tuple[bool, float]
+```
+Check for Metasploit-specific signature patterns.
+**Returns:** (is_metasploit, confidence)
+---
+#### check_ssh_keepalive
+```python
+def check_ssh_keepalive(
+    self,
+    connections: List[Dict]
+) -> Tuple[bool, float]
+```
+Check for SSH keepalive pattern.
+**Criteria:**
+- Port 22
+- Small packets (< 100 bytes)
+- Symmetric traffic (sent/recv ratio 0.5-2.0)
+- Consistent sizes (CV < 0.2)
+- Regular intervals matching common keepalive values
+**Returns:** (is_ssh_keepalive, confidence)
+---
+## LogParser Class
+Parses various log formats into connection records.
+### Static Methods
+#### parse_json
+```python
+@staticmethod
+def parse_json(log_line: str) -> Optional[Dict]
+```
+Parse JSON formatted log line.
+**Recognized Fields:**
+- timestamp, @timestamp
+- src_ip, source_ip, src
+- dst_ip, dest_ip, dst
+- src_port, source_port
+- dst_port, dest_port
+- bytes_sent, bytes_out
+- bytes_recv, bytes_in
+---
+#### parse_zeek_conn
+```python
+@staticmethod
+def parse_zeek_conn(log_line: str) -> Optional[Dict]
+```
+Parse Zeek/Bro conn.log format (tab-separated).
+---
+#### parse_syslog
+```python
+@staticmethod
+def parse_syslog(log_line: str) -> Optional[Dict]
+```
+Parse common syslog/netflow patterns.
+**Recognized Patterns:**
+- `YYYY-MM-DD HH:MM:SS ... IP:port -> IP:port`
+- `src=IP ... dst=IP ... sport=port ... dport=port`
+---
+## Enums and Constants
+### DetectionMethod
+```python
+class DetectionMethod(Enum):
+    SIGNATURE = "signature"    # Port + behavior signature match
+    BEHAVIORAL = "behavioral"  # Pure behavioral analysis
+    ML = "ml"                  # Machine learning inference
+    CONTEXT = "context"        # Context-adjusted detection
+    HEURISTIC = "heuristic"    # Rule-based detection
+    WHITELIST = "whitelist"    # Matched whitelist pattern
+```
+### ServiceType
+```python
+class ServiceType(Enum):
+    SSH = "ssh"
+    HTTP = "http"
+    HTTPS = "https"
+    DNS = "dns"
+    DATABASE = "database"
+    API = "api"
+    STREAMING = "streaming"
+    GAMING = "gaming"
+    VPN = "vpn"
+    MONITORING = "monitoring"
+    UNKNOWN = "unknown"
+```
+### C2_INDICATOR_PORTS
+High-confidence C2 signature ports:
+```python
+{4444, 4445, 5555, 31337, 40056}
+```
+### C2_COMMON_PORTS
+Ports commonly used by C2 (require behavioral analysis):
+```python
+{80, 443, 53, 8080, 8443, 8888}
+```
+---
+## Convenience Functions
+### load_model
+```python
+def load_model(path: str, device: str = 'auto') -> C2Sentinel
+```
+Shorthand for `C2Sentinel.load()`.
+### create_model
+```python
+def create_model(device: str = 'auto') -> C2Sentinel
+```
+Shorthand for `C2Sentinel.create_new()`.
+### quick_analyze
+```python
+def quick_analyze(
+    connections: List[Dict],
+    model_path: str = 'c2_sentinel'
+) -> AnalysisResult
+```
+One-shot analysis without keeping model in memory.
+---
+## Error Handling
+The API uses standard Python exceptions:
+| Exception | Cause |
+|-----------|-------|
+| `FileNotFoundError` | Model files not found |
+| `ValueError` | Invalid connection format |
+| `RuntimeError` | CUDA/device errors |
+All methods handle empty or malformed input gracefully, returning neutral results rather than raising exceptions.

LICENSE ADDED Viewed

	@@ -0,0 +1,21 @@

+MIT License
+Copyright (c) 2026 Daniel Ostrow
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md ADDED Viewed

	@@ -0,0 +1,273 @@

+# C2Sentinel
+A machine learning model for detecting Command and Control (C2) beacon communications in network traffic. Built on a fine-tuned LogBERT transformer architecture.
+**Author:** Daniel Ostrow
+**Website:** [neuralintellect.com](https://neuralintellect.com)
+**Release Date:** January 18, 2026
+---
+## Overview
+C2Sentinel analyzes network connection patterns to identify C2 beacon activity. The model uses behavioral analysis rather than port-based filtering, enabling detection of C2 communications on any port. This approach catches C2 activity regardless of whether attackers use expected ports (4444) or attempt to blend in on common ports (443, 80, 53).
+### Capabilities
+- Detection of 34+ C2 framework behavioral patterns across all ports
+- Slow beacon detection (intervals from seconds to hours)
+- Legitimate traffic pattern recognition (SSH keepalive, health checks, database connections)
+- Optional context enrichment (process information, reputation scores, threat intelligence)
+- IP reconnaissance and IOC generation
+- Safetensors format for secure model loading
+---
+## Installation
+```bash
+pip install torch numpy safetensors
+```
+---
+## Usage
+### Loading the Model
+```python
+from c2sentinel import C2Sentinel
+sentinel = C2Sentinel.load('c2_sentinel')
+```
+### Analyzing Connections
+```python
+connections = [
+    {
+        'timestamp': 1000000,
+        'dst_ip': '10.0.0.1',
+        'dst_port': 443,
+        'bytes_sent': 200,
+        'bytes_recv': 500
+    },
+    {
+        'timestamp': 1000060,
+        'dst_ip': '10.0.0.1',
+        'dst_port': 443,
+        'bytes_sent': 200,
+        'bytes_recv': 500
+    },
+]
+result = sentinel.analyze(connections)
+if result.is_c2:
+    print(f"C2 detected: {result.c2_type}")
+    print(f"Probability: {result.c2_probability}")
+else:
+    print("No C2 detected")
+```
+---
+## Connection Record Format
+| Field | Type | Required | Description |
+|-------|------|----------|-------------|
+| `timestamp` | float | Yes | Unix timestamp |
+| `dst_ip` | str | Yes | Destination IP address |
+| `dst_port` | int | Yes | Destination port |
+| `bytes_sent` | int | Yes | Bytes sent |
+| `bytes_recv` | int | Yes | Bytes received |
+| `src_ip` | str | No | Source IP address |
+| `src_port` | int | No | Source port |
+| `protocol` | str | No | Protocol (tcp/udp) |
+| `duration` | float | No | Connection duration in seconds |
+---
+## Analysis Options
+### Threshold
+```python
+# Default threshold (0.5)
+result = sentinel.analyze(connections)
+# Lower threshold for higher sensitivity
+result = sentinel.analyze(connections, threshold=0.3)
+# Higher threshold for higher precision
+result = sentinel.analyze(connections, threshold=0.7)
+# Strict mode enforces minimum 0.7 threshold
+result = sentinel.analyze(connections, strict_mode=True)
+```
+### Context
+```python
+from c2sentinel import ConnectionContext
+context = ConnectionContext(
+    process_name='sshd',
+    known_good=True,
+    ip_reputation=0.95,
+    dns_queries=['api.example.com']
+)
+result = sentinel.analyze(connections, context=context)
+```
+### Whitelist and Blacklist
+```python
+sentinel.add_whitelist(ips=['8.8.8.8'], domains=['google.com'])
+sentinel.add_blacklist(ips=['10.10.10.10'], domains=['malware.example'])
+```
+---
+## Result Object
+The `AnalysisResult` object contains:
+| Attribute | Type | Description |
+|-----------|------|-------------|
+| `is_c2` | bool | True if C2 detected |
+| `c2_probability` | float | Probability score (0.0-1.0) |
+| `c2_type` | str | Detected C2 framework type |
+| `confidence` | float | Model confidence |
+| `detection_method` | str | Method used (signature/ml/context/whitelist) |
+| `immediate_detection` | bool | True if signature-based |
+| `risk_factors` | list | Factors supporting C2 classification |
+| `mitigating_factors` | list | Factors against C2 classification |
+| `matched_legitimate_pattern` | str | Matched legitimate pattern name |
+| `service_type` | str | Detected service type |
+| `recommendations` | list | Suggested actions |
+---
+## Batch Analysis
+```python
+connection_groups = [
+    [conn1, conn2, conn3],
+    [conn4, conn5, conn6],
+]
+results = sentinel.analyze_batch(connection_groups)
+```
+---
+## Log File Parsing
+```python
+with open('conn.log', 'r') as f:
+    log_lines = f.readlines()
+results = sentinel.analyze_logs(log_lines, group_by_dst=True)
+```
+Supported formats: JSON, Zeek conn.log, syslog
+---
+## Reconnaissance
+### IP Analysis
+```python
+info = sentinel.recon.analyze_ip('104.16.132.229')
+# Returns: is_valid, is_private, is_cdn, cdn_provider, reverse_dns
+```
+### Pattern Analysis
+```python
+patterns = sentinel.recon.analyze_connection_patterns(connections)
+# Returns: timing stats, volume stats, behavioral indicators
+```
+### IOC Generation
+```python
+if result.is_c2:
+    iocs = sentinel.recon.generate_iocs(connections, result.to_dict())
+    # Returns: ips, ports, timing_signatures, behavioral_indicators
+```
+---
+## Detection Methodology
+### C2 Indicators
+- Consistent beacon intervals (low timing variance)
+- Consistent packet sizes (low size variance)
+- Single persistent destination
+- Balanced request/response ratio
+### Signature Detection
+Immediate detection for high-confidence C2 ports with matching behavioral patterns:
+- Port 4444 (Metasploit default)
+- Port 5555 (Metasploit alternative)
+- Port 31337 (Sliver)
+- Port 40056 (Havoc)
+### Legitimate Traffic Indicators
+- High response size variance
+- Asymmetric traffic patterns (small requests, large responses)
+- Multiple destinations
+- SSH keepalive patterns (small symmetric packets on port 22)
+- Health check patterns (regular intervals, variable response sizes)
+---
+## Model Specifications
+| Specification | Value |
+|---------------|-------|
+| Architecture | LogBERT Transformer |
+| Parameters | 4.9 million |
+| Feature Dimensions | 40 |
+| Encoder Layers | 6 |
+| Attention Heads | 8 |
+| Hidden Dimension | 256 |
+| Format | Safetensors |
+| Size | 20 MB |
+---
+## Files
+```
+c2sentinel/
+    c2sentinel.py              # Main module
+    c2_sentinel.safetensors    # Model weights
+    c2_sentinel.json           # Model configuration
+    README.md                  # Documentation
+    API_REFERENCE.md           # API reference
+    examples/
+        basic_usage.py
+        advanced_usage.py
+```
+---
+## License
+MIT License
+Copyright (c) 2026 Daniel Ostrow
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:
+The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

c2_sentinel.json ADDED Viewed

	@@ -0,0 +1,11 @@

+{
+  "num_features": 40,
+  "d_model": 256,
+  "nhead": 8,
+  "num_encoder_layers": 6,
+  "dim_feedforward": 1024,
+  "dropout": 0.1,
+  "max_seq_length": 512,
+  "num_c2_types": 35,
+  "version": "1.0.0"
+}

c2_sentinel.safetensors ADDED Viewed

	@@ -0,0 +1,3 @@

+version https://git-lfs.github.com/spec/v1
+oid sha256:1d3eda8bedb0445bf7ab877f2156013ba81722702c6e5436ffa7bffce29a35b4
+size 20144868

c2sentinel.py ADDED Viewed

	@@ -0,0 +1,1855 @@

+#!/usr/bin/env python3
+"""
+C2Sentinel - Network Traffic C2 Beacon Detection Model
+A machine learning model for detecting Command and Control (C2) beacon
+communications in network traffic. Built on a fine-tuned LogBERT transformer
+architecture.
+Author: Daniel Ostrow
+Website: https://neuralintellect.com
+Features:
+- Detection of 34+ C2 framework behavioral patterns across all ports
+- Smart context inference for additional metadata (process, DNS, reputation)
+- Legitimate service pattern recognition (SSH keepalive, health checks)
+- Reconnaissance support (IP enrichment, IOC generation)
+- Comprehensive scripting API for automation
+Uses safetensors format for secure model serialization.
+"""
+import torch
+import torch.nn as nn
+import torch.nn.functional as F
+import numpy as np
+import json
+import math
+import socket
+import struct
+import hashlib
+from pathlib import Path
+from typing import Dict, List, Tuple, Optional, Union, Any, Callable
+from dataclasses import dataclass, asdict, field
+from collections import defaultdict
+from enum import Enum
+import re
+from datetime import datetime
+import ipaddress
+# Safetensors for safe model serialization
+from safetensors.torch import save_file, load_file
+# ============================================================================
+# ENUMS AND CONSTANTS
+# ============================================================================
+class DetectionMethod(Enum):
+    """Detection method used for classification."""
+    SIGNATURE = "signature"
+    BEHAVIORAL = "behavioral"
+    ML = "ml"
+    CONTEXT = "context"
+    HEURISTIC = "heuristic"
+    WHITELIST = "whitelist"
+class TrafficType(Enum):
+    """Classification of traffic type."""
+    C2_BEACON = "c2_beacon"
+    C2_EXFIL = "c2_exfiltration"
+    C2_LATERAL = "c2_lateral_movement"
+    LEGITIMATE = "legitimate"
+    SUSPICIOUS = "suspicious"
+    UNKNOWN = "unknown"
+class ServiceType(Enum):
+    """Known service types for context."""
+    SSH = "ssh"
+    HTTP = "http"
+    HTTPS = "https"
+    DNS = "dns"
+    DATABASE = "database"
+    API = "api"
+    STREAMING = "streaming"
+    GAMING = "gaming"
+    VPN = "vpn"
+    MONITORING = "monitoring"
+    UNKNOWN = "unknown"
+@dataclass
+class C2SentinelConfig:
+    """Configuration for LogBERT-C2Sentinel model."""
+    num_features: int = 40
+    d_model: int = 256
+    nhead: int = 8
+    num_encoder_layers: int = 6
+    dim_feedforward: int = 1024
+    dropout: float = 0.1
+    max_seq_length: int = 512
+    num_c2_types: int = 35
+    version: str = "2.0.0"
+    def to_dict(self) -> dict:
+        return asdict(self)
+    @classmethod
+    def from_dict(cls, d: dict) -> 'C2SentinelConfig':
+        return cls(**{k: v for k, v in d.items() if k in cls.__dataclass_fields__})
+# High-confidence C2 ports - these are VERY rarely used legitimately
+C2_INDICATOR_PORTS = {
+    4444,   # Metasploit default
+    4445,   # Metasploit alternative
+    5555,   # Metasploit (Note: Android debug uses this too)
+    31337,  # Elite/Sliver
+    40056,  # Havoc default
+}
+# Ports commonly used by C2 (but also legitimate traffic)
+C2_COMMON_PORTS = {
+    80,     # HTTP
+    443,    # HTTPS
+    53,     # DNS
+    8080,   # HTTP alt
+    8443,   # HTTPS alt
+    8888,   # Sliver default
+}
+# Known legitimate service ports with expected behaviors
+LEGITIMATE_SERVICE_PORTS = {
+    22: ServiceType.SSH,
+    80: ServiceType.HTTP,
+    443: ServiceType.HTTPS,
+    53: ServiceType.DNS,
+    3306: ServiceType.DATABASE,  # MySQL
+    5432: ServiceType.DATABASE,  # PostgreSQL
+    6379: ServiceType.DATABASE,  # Redis
+    27017: ServiceType.DATABASE, # MongoDB
+    5000: ServiceType.API,       # Flask default
+    3000: ServiceType.API,       # Node.js default
+    8080: ServiceType.API,       # Common API port
+    9090: ServiceType.MONITORING,# Prometheus
+    3100: ServiceType.MONITORING,# Grafana Loki
+}
+# C2 Framework Signatures
+C2_SIGNATURES = {
+    'metasploit': {
+        'ports': [4444, 4445, 5555],
+        'interval_range': (1, 30),
+        'packet_sizes': [(50, 200), (500, 2000)],
+        'jitter_range': (0.0, 0.3),
+    },
+    'cobalt_strike': {
+        'ports': [50050],
+        'interval_range': (30, 300),
+        'packet_sizes': [(68, 200), (200, 1000)],
+        'jitter_range': (0.0, 0.5),
+    },
+    'sliver': {
+        'ports': [8888, 31337],
+        'interval_range': (5, 60),
+        'packet_sizes': [(100, 500)],
+        'jitter_range': (0.0, 0.3),
+    },
+    'havoc': {
+        'ports': [40056],
+        'interval_range': (2, 30),
+        'packet_sizes': [(64, 256)],
+        'jitter_range': (0.0, 0.2),
+    },
+}
+# ============================================================================
+# LEGITIMATE SERVICE PATTERNS - Key to reducing false positives
+# ============================================================================
+@dataclass
+class LegitimatePattern:
+    """Defines a known legitimate traffic pattern."""
+    name: str
+    service_type: ServiceType
+    port: Optional[int] = None
+    ports: Optional[List[int]] = None
+    min_packet_size: int = 0
+    max_packet_size: int = 100000
+    symmetric_ratio: Tuple[float, float] = (0.0, 10.0)  # sent/recv ratio range
+    max_interval_cv: float = 1.0  # coefficient of variation for intervals
+    max_size_cv: float = 1.0  # coefficient of variation for sizes
+    description: str = ""
+    def matches(self, connections: List[Dict], stats: Dict) -> Tuple[bool, float]:
+        """Check if connections match this legitimate pattern. Returns (matches, confidence)."""
+        if not connections:
+            return False, 0.0
+        ports = set(conn.get('dst_port', 0) for conn in connections)
+        # Check port match
+        if self.port and self.port not in ports:
+            return False, 0.0
+        if self.ports and not any(p in ports for p in self.ports):
+            return False, 0.0
+        # Check packet sizes
+        bytes_sent = [conn.get('bytes_sent', 0) for conn in connections]
+        bytes_recv = [conn.get('bytes_recv', 0) for conn in connections]
+        if bytes_sent:
+            if max(bytes_sent) > self.max_packet_size or min(bytes_sent) < self.min_packet_size:
+                return False, 0.0
+        # Check ratio
+        total_sent = sum(bytes_sent)
+        total_recv = sum(bytes_recv)
+        if total_recv > 0:
+            ratio = total_sent / total_recv
+            if not (self.symmetric_ratio[0] <= ratio <= self.symmetric_ratio[1]):
+                return False, 0.0
+        # CRITICAL: Check size variance - legitimate traffic has HIGH variance
+        # C2 traffic has LOW variance (consistent beacon sizes)
+        recv_cv = stats.get('recv_cv', 0)
+        sent_cv = stats.get('sent_cv', 0)
+        # If BOTH sent and recv are very consistent (CV < 0.3), this is likely C2
+        # Legitimate patterns should have at least some variance
+        if recv_cv < 0.3 and sent_cv < 0.3:
+            # Exception: SSH keepalive is intentionally consistent but tiny
+            if self.name == "ssh_keepalive":
+                pass  # Allow SSH keepalive to match
+            else:
+                # Too consistent for legitimate traffic - likely C2
+                return False, 0.0
+        return True, 0.8
+# Pre-defined legitimate patterns
+LEGITIMATE_PATTERNS = [
+    LegitimatePattern(
+        name="ssh_keepalive",
+        service_type=ServiceType.SSH,
+        port=22,
+        min_packet_size=20,
+        max_packet_size=100,  # Keepalive packets are very small
+        symmetric_ratio=(0.8, 1.2),  # Nearly symmetric
+        max_interval_cv=0.3,
+        max_size_cv=0.15,  # Very consistent sizes
+        description="SSH keepalive probes - small symmetric packets at regular intervals"
+    ),
+    LegitimatePattern(
+        name="ssh_interactive",
+        service_type=ServiceType.SSH,
+        port=22,
+        min_packet_size=20,
+        max_packet_size=50000,
+        symmetric_ratio=(0.01, 100.0),  # Can be asymmetric
+        max_interval_cv=2.0,  # Very variable timing (human typing)
+        max_size_cv=2.0,  # Very variable sizes
+        description="Interactive SSH session with variable human-driven timing"
+    ),
+    LegitimatePattern(
+        name="health_check",
+        service_type=ServiceType.MONITORING,
+        ports=[80, 443, 8080, 8443, 9090],
+        min_packet_size=50,
+        max_packet_size=10000,
+        symmetric_ratio=(0.01, 0.5),  # Small requests, larger responses
+        max_interval_cv=0.3,  # Regular intervals
+        max_size_cv=1.0,  # Response sizes can vary (status data)
+        description="Health check endpoint with variable response sizes"
+    ),
+    LegitimatePattern(
+        name="database_heartbeat",
+        service_type=ServiceType.DATABASE,
+        ports=[3306, 5432, 6379, 27017],
+        min_packet_size=20,
+        max_packet_size=100000,
+        symmetric_ratio=(0.01, 100.0),
+        max_interval_cv=0.3,
+        max_size_cv=5.0,  # Query results vary dramatically
+        description="Database connection with variable query responses"
+    ),
+    LegitimatePattern(
+        name="websocket_ping",
+        service_type=ServiceType.API,
+        ports=[80, 443, 8080],
+        min_packet_size=10,
+        max_packet_size=100000,
+        symmetric_ratio=(0.001, 100.0),  # Can receive large data pushes
+        max_interval_cv=0.5,
+        max_size_cv=5.0,  # Large variance in push data
+        description="WebSocket connection with ping/pong and data pushes"
+    ),
+]
+# ============================================================================
+# CONTEXT INFERENCE SYSTEM
+# ============================================================================
+@dataclass
+class ConnectionContext:
+    """
+    Additional context for connection analysis.
+    Provide any available context to improve detection accuracy.
+    All fields are optional - more context = better analysis.
+    """
+    # Process information
+    process_name: Optional[str] = None
+    process_path: Optional[str] = None
+    process_pid: Optional[int] = None
+    parent_process: Optional[str] = None
+    command_line: Optional[str] = None
+    # Network metadata
+    dns_queries: Optional[List[str]] = None  # Associated DNS lookups
+    resolved_hostname: Optional[str] = None
+    tls_sni: Optional[str] = None  # TLS Server Name Indication
+    tls_ja3: Optional[str] = None  # JA3 fingerprint
+    tls_ja3s: Optional[str] = None  # JA3S fingerprint
+    certificate_issuer: Optional[str] = None
+    certificate_subject: Optional[str] = None
+    certificate_valid: Optional[bool] = None
+    http_user_agent: Optional[str] = None
+    http_host: Optional[str] = None
+    # Reputation and intelligence
+    ip_reputation: Optional[float] = None  # 0.0 (bad) to 1.0 (good)
+    domain_reputation: Optional[float] = None
+    known_good: Optional[bool] = None  # Explicitly whitelisted
+    known_bad: Optional[bool] = None  # Explicitly blacklisted
+    threat_intel_match: Optional[str] = None  # Matched threat intel indicator
+    # Host context
+    source_hostname: Optional[str] = None
+    source_user: Optional[str] = None
+    source_is_server: Optional[bool] = None
+    source_is_workstation: Optional[bool] = None
+    # Additional metadata
+    geo_country: Optional[str] = None
+    geo_asn: Optional[str] = None
+    tags: Optional[List[str]] = None
+    def to_dict(self) -> Dict[str, Any]:
+        return {k: v for k, v in asdict(self).items() if v is not None}
+class ContextInference:
+    """
+    Smart context inference engine.
+    Uses additional context to refine detection decisions and reduce false positives.
+    """
+    # Known legitimate process names
+    KNOWN_LEGITIMATE_PROCESSES = {
+        'sshd', 'ssh', 'openssh', 'dropbear',  # SSH
+        'chrome', 'firefox', 'safari', 'edge', 'brave',  # Browsers
+        'curl', 'wget', 'httpd', 'nginx', 'apache2',  # HTTP tools/servers
+        'python', 'python3', 'node', 'java', 'ruby',  # Interpreters
+        'postgres', 'mysql', 'mongod', 'redis-server',  # Databases
+        'docker', 'containerd', 'kubelet',  # Container tools
+        'systemd', 'init', 'launchd',  # System processes
+        'prometheus', 'grafana', 'telegraf',  # Monitoring
+        'code', 'code-server', 'vim', 'emacs',  # Editors
+        'git', 'git-remote-https',  # Version control
+        'apt', 'yum', 'dnf', 'brew', 'pip',  # Package managers
+        'zoom', 'slack', 'teams', 'discord',  # Communication
+        'spotify', 'vlc', 'mpv',  # Media
+    }
+    # Suspicious process names (often used by malware or C2)
+    SUSPICIOUS_PROCESSES = {
+        'powershell', 'cmd', 'wscript', 'cscript', 'mshta',  # Windows scripting
+        'rundll32', 'regsvr32', 'msiexec',  # Windows LOLBins
+        'nc', 'netcat', 'ncat', 'socat',  # Network utilities (legit but suspicious)
+        'mimikatz', 'procdump', 'psexec',  # Known attack tools
+        'beacon', 'payload', 'implant', 'agent',  # Common C2 names
+    }
+    # Known C2 JA3 fingerprints (example - would be populated from threat intel)
+    KNOWN_C2_JA3 = {
+        '72a589da586844d7f0818ce684948eea',  # Cobalt Strike (example)
+        '51c64c77e60f3980eea90869b68c58a8',  # Metasploit (example)
+    }
+    # Suspicious TLS certificate patterns
+    SUSPICIOUS_CERT_PATTERNS = [
+        r'localhost',
+        r'test\.',
+        r'example\.',
+        r'\.local$',
+        r'^C2',
+        r'beacon',
+    ]
+    def __init__(self):
+        self.whitelist_ips: set = set()
+        self.whitelist_domains: set = set()
+        self.blacklist_ips: set = set()
+        self.blacklist_domains: set = set()
+        self.custom_rules: List[Callable] = []
+    def add_whitelist_ip(self, ip: str):
+        """Add IP to whitelist."""
+        self.whitelist_ips.add(ip)
+    def add_whitelist_domain(self, domain: str):
+        """Add domain to whitelist."""
+        self.whitelist_domains.add(domain.lower())
+    def add_blacklist_ip(self, ip: str):
+        """Add IP to blacklist."""
+        self.blacklist_ips.add(ip)
+    def add_blacklist_domain(self, domain: str):
+        """Add domain to blacklist."""
+        self.blacklist_domains.add(domain.lower())
+    def add_custom_rule(self, rule: Callable[[List[Dict], ConnectionContext], Tuple[Optional[float], str]]):
+        """
+        Add custom inference rule.
+        Rule should return (probability_modifier, reason) or (None, "") to skip.
+        """
+        self.custom_rules.append(rule)
+    def infer(self, connections: List[Dict], context: Optional[ConnectionContext] = None) -> Dict[str, Any]:
+        """
+        Perform context-based inference.
+        Returns inference results that can modify detection probability.
+        """
+        result = {
+            'probability_modifier': 1.0,
+            'confidence_boost': 0.0,
+            'is_whitelisted': False,
+            'is_blacklisted': False,
+            'matched_patterns': [],
+            'risk_factors': [],
+            'mitigating_factors': [],
+            'service_type': ServiceType.UNKNOWN,
+            'recommendations': [],
+        }
+        if not connections:
+            return result
+        dst_ips = set(conn.get('dst_ip', '') for conn in connections)
+        ports = set(conn.get('dst_port', 0) for conn in connections)
+        # Check whitelists
+        for ip in dst_ips:
+            if ip in self.whitelist_ips:
+                result['is_whitelisted'] = True
+                result['probability_modifier'] *= 0.1
+                result['mitigating_factors'].append(f"Destination IP {ip} is whitelisted")
+        # Check blacklists
+        for ip in dst_ips:
+            if ip in self.blacklist_ips:
+                result['is_blacklisted'] = True
+                result['probability_modifier'] *= 3.0
+                result['risk_factors'].append(f"Destination IP {ip} is blacklisted")
+        if context:
+            result = self._apply_context(result, connections, context, ports)
+        # Apply custom rules
+        for rule in self.custom_rules:
+            try:
+                modifier, reason = rule(connections, context)
+                if modifier is not None:
+                    result['probability_modifier'] *= modifier
+                    if modifier < 1.0:
+                        result['mitigating_factors'].append(reason)
+                    elif modifier > 1.0:
+                        result['risk_factors'].append(reason)
+            except Exception:
+                pass
+        return result
+    def _apply_context(self, result: Dict, connections: List[Dict],
+                       context: ConnectionContext, ports: set) -> Dict:
+        """Apply context-based inference rules."""
+        # Process name analysis
+        if context.process_name:
+            proc_lower = context.process_name.lower()
+            if proc_lower in self.KNOWN_LEGITIMATE_PROCESSES:
+                result['mitigating_factors'].append(f"Known legitimate process: {context.process_name}")
+                result['probability_modifier'] *= 0.5
+            if proc_lower in self.SUSPICIOUS_PROCESSES:
+                result['risk_factors'].append(f"Suspicious process: {context.process_name}")
+                result['probability_modifier'] *= 1.5
+            # SSH-specific checks
+            if proc_lower in ('sshd', 'ssh', 'openssh') and 22 in ports:
+                result['mitigating_factors'].append("SSH process on SSH port - expected behavior")
+                result['probability_modifier'] *= 0.3
+                result['service_type'] = ServiceType.SSH
+        # Explicit known_good/known_bad flags
+        if context.known_good:
+            result['is_whitelisted'] = True
+            result['probability_modifier'] *= 0.1
+            result['mitigating_factors'].append("Explicitly marked as known good")
+        if context.known_bad:
+            result['is_blacklisted'] = True
+            result['probability_modifier'] *= 5.0
+            result['risk_factors'].append("Explicitly marked as known bad")
+        # Reputation scores
+        if context.ip_reputation is not None:
+            if context.ip_reputation > 0.8:
+                result['mitigating_factors'].append(f"Good IP reputation: {context.ip_reputation:.2f}")
+                result['probability_modifier'] *= 0.6
+            elif context.ip_reputation < 0.3:
+                result['risk_factors'].append(f"Poor IP reputation: {context.ip_reputation:.2f}")
+                result['probability_modifier'] *= 1.5
+        if context.domain_reputation is not None:
+            if context.domain_reputation > 0.8:
+                result['mitigating_factors'].append(f"Good domain reputation: {context.domain_reputation:.2f}")
+                result['probability_modifier'] *= 0.6
+            elif context.domain_reputation < 0.3:
+                result['risk_factors'].append(f"Poor domain reputation: {context.domain_reputation:.2f}")
+                result['probability_modifier'] *= 1.5
+        # TLS/JA3 analysis
+        if context.tls_ja3:
+            if context.tls_ja3 in self.KNOWN_C2_JA3:
+                result['risk_factors'].append(f"Known C2 JA3 fingerprint: {context.tls_ja3}")
+                result['probability_modifier'] *= 3.0
+        # Certificate analysis
+        if context.certificate_subject:
+            for pattern in self.SUSPICIOUS_CERT_PATTERNS:
+                if re.search(pattern, context.certificate_subject, re.IGNORECASE):
+                    result['risk_factors'].append(f"Suspicious certificate subject: {context.certificate_subject}")
+                    result['probability_modifier'] *= 1.3
+                    break
+        if context.certificate_valid is False:
+            result['risk_factors'].append("Invalid TLS certificate")
+            result['probability_modifier'] *= 1.4
+        # Threat intel match
+        if context.threat_intel_match:
+            result['is_blacklisted'] = True
+            result['risk_factors'].append(f"Threat intel match: {context.threat_intel_match}")
+            result['probability_modifier'] *= 5.0
+        # DNS analysis
+        if context.dns_queries:
+            # Check for suspicious DNS patterns
+            for query in context.dns_queries:
+                query_lower = query.lower()
+                # Check against domain blacklist
+                if query_lower in self.blacklist_domains:
+                    result['risk_factors'].append(f"Blacklisted domain: {query}")
+                    result['probability_modifier'] *= 2.0
+                # Check against whitelist
+                if query_lower in self.whitelist_domains:
+                    result['mitigating_factors'].append(f"Whitelisted domain: {query}")
+                    result['probability_modifier'] *= 0.5
+                # DGA-like patterns (high entropy)
+                if len(query) > 20 and self._calculate_entropy(query) > 3.5:
+                    result['risk_factors'].append(f"Possible DGA domain: {query}")
+                    result['probability_modifier'] *= 1.3
+        # Geo analysis
+        if context.geo_country:
+            # Could integrate with threat intel for high-risk countries
+            pass
+        return result
+    def _calculate_entropy(self, s: str) -> float:
+        """Calculate Shannon entropy of a string."""
+        if not s:
+            return 0.0
+        prob = [s.count(c) / len(s) for c in set(s)]
+        return -sum(p * math.log2(p) for p in prob if p > 0)
+# ============================================================================
+# NEURAL NETWORK COMPONENTS
+# ============================================================================
+class PositionalEncoding(nn.Module):
+    """Positional encoding for transformer."""
+    def __init__(self, d_model: int, max_len: int = 5000, dropout: float = 0.1):
+        super().__init__()
+        self.dropout = nn.Dropout(p=dropout)
+        pe = torch.zeros(max_len, d_model)
+        position = torch.arange(0, max_len, dtype=torch.float).unsqueeze(1)
+        div_term = torch.exp(torch.arange(0, d_model, 2).float() * (-math.log(10000.0) / d_model))
+        pe[:, 0::2] = torch.sin(position * div_term)
+        pe[:, 1::2] = torch.cos(position * div_term)
+        pe = pe.unsqueeze(0)
+        self.register_buffer('pe', pe)
+    def forward(self, x: torch.Tensor) -> torch.Tensor:
+        x = x + self.pe[:, :x.size(1)]
+        return self.dropout(x)
+class LogBERTC2Sentinel(nn.Module):
+    """LogBERT-based model for C2 beacon detection."""
+    def __init__(self, config: C2SentinelConfig):
+        super().__init__()
+        self.config = config
+        # Feature projection
+        self.feature_projection = nn.Sequential(
+            nn.Linear(config.num_features, config.d_model),
+            nn.LayerNorm(config.d_model),
+            nn.GELU(),
+            nn.Dropout(config.dropout)
+        )
+        # Positional encoding
+        self.pos_encoder = PositionalEncoding(config.d_model, config.max_seq_length, config.dropout)
+        # Transformer encoder
+        encoder_layer = nn.TransformerEncoderLayer(
+            d_model=config.d_model,
+            nhead=config.nhead,
+            dim_feedforward=config.dim_feedforward,
+            dropout=config.dropout,
+            activation='gelu',
+            batch_first=True
+        )
+        self.transformer_encoder = nn.TransformerEncoder(encoder_layer, config.num_encoder_layers)
+        # Multi-task heads
+        self.c2_head = nn.Sequential(
+            nn.Linear(config.d_model, config.d_model // 2),
+            nn.GELU(),
+            nn.Dropout(config.dropout),
+            nn.Linear(config.d_model // 2, 1)
+        )
+        self.anomaly_head = nn.Sequential(
+            nn.Linear(config.d_model, config.d_model // 2),
+            nn.GELU(),
+            nn.Dropout(config.dropout),
+            nn.Linear(config.d_model // 2, 1),
+            nn.Sigmoid()
+        )
+        self.evasion_head = nn.Sequential(
+            nn.Linear(config.d_model, config.d_model // 2),
+            nn.GELU(),
+            nn.Dropout(config.dropout),
+            nn.Linear(config.d_model // 2, 1),
+            nn.Sigmoid()
+        )
+        self.c2_type_head = nn.Sequential(
+            nn.Linear(config.d_model, config.d_model // 2),
+            nn.GELU(),
+            nn.Dropout(config.dropout),
+            nn.Linear(config.d_model // 2, config.num_c2_types)
+        )
+        self.confidence_head = nn.Sequential(
+            nn.Linear(config.d_model, config.d_model // 4),
+            nn.GELU(),
+            nn.Linear(config.d_model // 4, 1),
+            nn.Sigmoid()
+        )
+    def forward(self, x: torch.Tensor, mask: Optional[torch.Tensor] = None) -> Dict[str, torch.Tensor]:
+        if x.dim() == 2:
+            x = x.unsqueeze(1)
+        x = self.feature_projection(x)
+        x = self.pos_encoder(x)
+        encoded = self.transformer_encoder(x, src_key_padding_mask=mask)
+        if mask is not None:
+            mask_expanded = (~mask).unsqueeze(-1).float()
+            pooled = (encoded * mask_expanded).sum(dim=1) / mask_expanded.sum(dim=1).clamp(min=1)
+        else:
+            pooled = encoded.mean(dim=1)
+        return {
+            'c2_logits': self.c2_head(pooled),
+            'anomaly_score': self.anomaly_head(pooled),
+            'evasion_score': self.evasion_head(pooled),
+            'c2_type_logits': self.c2_type_head(pooled),
+            'confidence': self.confidence_head(pooled)
+        }
+# ============================================================================
+# FEATURE EXTRACTION
+# ============================================================================
+class FeatureExtractor:
+    """Extracts 40-dimensional feature vectors from network traffic."""
+    C2_TYPES = [
+        'unknown', 'metasploit', 'cobalt_strike', 'sliver', 'havoc',
+        'mythic', 'poshc2', 'merlin', 'empire', 'covenant',
+        'brute_ratel', 'koadic', 'pupy', 'silenttrinity', 'faction',
+        'ibombshell', 'godoh', 'dnscat2', 'iodine', 'dns_generic',
+        'http_custom', 'https_custom', 'websocket', 'domain_fronting',
+        'cloud_fronting', 'cdn_abuse', 'apt_generic', 'apt28', 'apt29',
+        'apt41', 'lazarus', 'fin7', 'turla', 'winnti', 'custom'
+    ]
+    METASPLOIT_PORTS = {4444, 4445, 5555}
+    def __init__(self):
+        self.connection_cache = defaultdict(list)
+        self.destination_history = defaultdict(set)
+    def check_metasploit_signature(self, connections: List[Dict]) -> Tuple[bool, float]:
+        """Check for Metasploit-specific signatures."""
+        if not connections:
+            return False, 0.0
+        confidence = 0.0
+        indicators = 0
+        ports = set(conn.get('dst_port', 0) for conn in connections)
+        metasploit_port_match = ports & self.METASPLOIT_PORTS
+        if not metasploit_port_match:
+            return False, 0.0
+        if 4444 in metasploit_port_match:
+            confidence += 0.6
+            indicators += 2
+        elif 4445 in metasploit_port_match or 5555 in metasploit_port_match:
+            confidence += 0.4
+            indicators += 1
+        if len(connections) > 1:
+            timestamps = sorted([conn.get('timestamp', 0) for conn in connections])
+            intervals = np.diff(timestamps)
+            if len(intervals) > 0:
+                mean_interval = np.mean(intervals)
+                if 1 <= mean_interval <= 30:
+                    confidence += 0.15
+                    indicators += 1
+        bytes_sent = [conn.get('bytes_sent', 0) for conn in connections]
+        if bytes_sent:
+            mean_size = np.mean(bytes_sent)
+            if 50 <= mean_size <= 200:
+                confidence += 0.1
+                indicators += 1
+        dst_ips = [conn.get('dst_ip', '') for conn in connections]
+        if dst_ips:
+            unique_dsts = len(set(dst_ips))
+            if unique_dsts == 1 and len(dst_ips) >= 3:
+                confidence += 0.1
+                indicators += 1
+        is_metasploit = indicators >= 2 and confidence >= 0.5
+        return is_metasploit, min(confidence, 1.0)
+    def check_ssh_keepalive(self, connections: List[Dict]) -> Tuple[bool, float]:
+        """
+        Check for SSH keepalive pattern to prevent false positives.
+        SSH keepalive characteristics:
+        - Port 22
+        - Very small packets (typically 48-64 bytes)
+        - Nearly symmetric (sent ≈ recv)
+        - Regular intervals (typically 30s, 60s, 120s)
+        - Very consistent sizes
+        Returns (is_ssh_keepalive, confidence)
+        """
+        if not connections or len(connections) < 3:
+            return False, 0.0
+        ports = set(conn.get('dst_port', 0) for conn in connections)
+        # Must be on SSH port
+        if 22 not in ports:
+            return False, 0.0
+        bytes_sent = [conn.get('bytes_sent', 0) for conn in connections]
+        bytes_recv = [conn.get('bytes_recv', 0) for conn in connections]
+        if not bytes_sent or not bytes_recv:
+            return False, 0.0
+        mean_sent = np.mean(bytes_sent)
+        mean_recv = np.mean(bytes_recv)
+        # Check for small packets (keepalive probes are tiny)
+        if mean_sent > 100 or mean_recv > 100:
+            # Larger packets = actual SSH traffic, not just keepalive
+            return False, 0.0
+        # Check for symmetric traffic (keepalive is bidirectional probe)
+        if mean_recv > 0:
+            ratio = mean_sent / mean_recv
+            if not (0.5 <= ratio <= 2.0):
+                # Asymmetric = data transfer, not keepalive
+                return False, 0.0
+        # Check for consistent sizes (keepalive is always same size)
+        sent_cv = np.std(bytes_sent) / (mean_sent + 1e-6)
+        recv_cv = np.std(bytes_recv) / (mean_recv + 1e-6)
+        if sent_cv > 0.2 or recv_cv > 0.2:
+            # Variable sizes = not keepalive
+            return False, 0.0
+        # Check for regular intervals (keepalive is very regular)
+        timestamps = sorted([conn.get('timestamp', 0) for conn in connections])
+        if len(timestamps) > 1:
+            intervals = np.diff(timestamps)
+            if len(intervals) > 0:
+                mean_interval = np.mean(intervals)
+                interval_cv = np.std(intervals) / (mean_interval + 1e-6)
+                # Check if intervals match common keepalive values (15, 30, 60, 120 seconds)
+                common_keepalive_intervals = [15, 30, 60, 120, 180, 300]
+                closest_match = min(common_keepalive_intervals, key=lambda x: abs(x - mean_interval))
+                interval_match = abs(mean_interval - closest_match) / closest_match < 0.2
+                if interval_cv < 0.15 and interval_match:
+                    # Very regular intervals matching keepalive pattern
+                    confidence = 0.95
+                elif interval_cv < 0.2:
+                    confidence = 0.85
+                else:
+                    return False, 0.0
+                return True, confidence
+        return False, 0.0
+    def check_legitimate_patterns(self, connections: List[Dict]) -> Tuple[Optional[LegitimatePattern], float]:
+        """
+        Check if connections match any known legitimate patterns.
+        Returns (matched_pattern, confidence) or (None, 0.0)
+        """
+        if not connections:
+            return None, 0.0
+        # Calculate stats once
+        bytes_sent = [conn.get('bytes_sent', 0) for conn in connections]
+        bytes_recv = [conn.get('bytes_recv', 0) for conn in connections]
+        stats = {
+            'mean_sent': np.mean(bytes_sent) if bytes_sent else 0,
+            'mean_recv': np.mean(bytes_recv) if bytes_recv else 0,
+            'sent_cv': np.std(bytes_sent) / (np.mean(bytes_sent) + 1e-6) if bytes_sent else 0,
+            'recv_cv': np.std(bytes_recv) / (np.mean(bytes_recv) + 1e-6) if bytes_recv else 0,
+        }
+        for pattern in LEGITIMATE_PATTERNS:
+            matches, confidence = pattern.matches(connections, stats)
+            if matches:
+                return pattern, confidence
+        return None, 0.0
+    def extract_features(self, connections: List[Dict]) -> np.ndarray:
+        """Extract 40 features from connection records."""
+        if not connections:
+            return np.zeros(40)
+        features = np.zeros(40)
+        # Parse timestamps
+        timestamps = []
+        for conn in connections:
+            ts = conn.get('timestamp', 0)
+            if isinstance(ts, str):
+                try:
+                    ts = datetime.fromisoformat(ts.replace('Z', '+00:00')).timestamp()
+                except:
+                    ts = 0
+            timestamps.append(float(ts))
+        timestamps = np.array(sorted(timestamps))
+        # === TIMING FEATURES (0-9) ===
+        if len(timestamps) > 1:
+            intervals = np.diff(timestamps)
+            intervals = intervals[intervals > 0]
+            if len(intervals) > 0:
+                features[0] = np.mean(intervals)
+                features[1] = np.std(intervals)
+                features[2] = np.std(intervals) / (np.mean(intervals) + 1e-6)
+                features[3] = np.median(intervals)
+                features[4] = np.min(intervals)
+                features[5] = np.max(intervals)
+                if len(intervals) > 2:
+                    sorted_intervals = np.sort(intervals)
+                    mode_estimate = sorted_intervals[len(sorted_intervals)//2]
+                    regularity = 1.0 - np.mean(np.abs(intervals - mode_estimate) / (mode_estimate + 1e-6))
+                    features[6] = max(0, min(1, regularity))
+                if len(intervals) >= 8:
+                    fft = np.fft.fft(intervals - np.mean(intervals))
+                    power = np.abs(fft[:len(fft)//2])**2
+                    features[7] = np.max(power) / (np.sum(power) + 1e-6)
+                hours = [(ts % 86400) / 3600 for ts in timestamps]
+                features[8] = np.std(hours) / 12.0
+                business_hours = sum(1 for h in hours if 9 <= h <= 17) / len(hours)
+                features[9] = business_hours
+        # === DESTINATION FEATURES (10-17) ===
+        dst_ips = [conn.get('dst_ip', '') for conn in connections]
+        dst_ports = [conn.get('dst_port', 0) for conn in connections]
+        unique_dsts = len(set(dst_ips))
+        features[10] = unique_dsts
+        features[11] = unique_dsts / len(connections) if connections else 0
+        if dst_ips:
+            dst_counts = defaultdict(int)
+            for ip in dst_ips:
+                dst_counts[ip] += 1
+            max_persistence = max(dst_counts.values())
+            features[12] = max_persistence / len(connections)
+            features[13] = len([c for c in dst_counts.values() if c > 1]) / len(dst_counts) if dst_counts else 0
+        unique_ports = len(set(dst_ports))
+        features[14] = unique_ports
+        features[15] = 1.0 if 443 in dst_ports or 80 in dst_ports else 0.0
+        high_port_ratio = sum(1 for p in dst_ports if p > 10000) / len(dst_ports) if dst_ports else 0
+        features[16] = high_port_ratio
+        msf_port_hit = any(p in self.METASPLOIT_PORTS for p in dst_ports)
+        features[17] = 1.0 if msf_port_hit else 0.0
+        # === PAYLOAD FEATURES (18-27) ===
+        bytes_sent = [conn.get('bytes_sent', 0) for conn in connections]
+        bytes_recv = [conn.get('bytes_recv', 0) for conn in connections]
+        if bytes_sent:
+            features[18] = np.mean(bytes_sent)
+            features[19] = np.std(bytes_sent)
+            features[20] = np.std(bytes_sent) / (np.mean(bytes_sent) + 1e-6)
+        if bytes_recv:
+            features[21] = np.mean(bytes_recv)
+            features[22] = np.std(bytes_recv)
+        total_sent = sum(bytes_sent)
+        total_recv = sum(bytes_recv)
+        features[23] = total_sent / (total_recv + 1e-6) if total_recv else 0
+        if len(bytes_sent) > 1:
+            unique_sizes = len(set(bytes_sent))
+            features[24] = 1.0 - (unique_sizes / len(bytes_sent))
+        features[25] = sum(1 for b in bytes_sent if b < 500) / len(bytes_sent) if bytes_sent else 0
+        if bytes_sent:
+            size_hist, _ = np.histogram(bytes_sent, bins=10)
+            size_hist = size_hist / (sum(size_hist) + 1e-6)
+            entropy = -np.sum(size_hist * np.log2(size_hist + 1e-6))
+            features[26] = entropy / 3.32
+        features[27] = len(connections)
+        # === EVASION DETECTION FEATURES (28-35) ===
+        if len(timestamps) > 5:
+            intervals = np.diff(timestamps)
+            if len(intervals) > 0:
+                jitter_pattern = np.abs(np.diff(intervals))
+                if len(jitter_pattern) > 0:
+                    features[28] = np.mean(jitter_pattern) / (np.mean(intervals) + 1e-6)
+                    autocorr = np.correlate(intervals - np.mean(intervals), intervals - np.mean(intervals), mode='full')
+                    autocorr = autocorr[len(autocorr)//2:]
+                    if len(autocorr) > 1:
+                        features[29] = autocorr[1] / (autocorr[0] + 1e-6)
+        if len(timestamps) > 3:
+            intervals = np.diff(timestamps)
+            burst_threshold = np.mean(intervals) * 0.1
+            bursts = sum(1 for i in intervals if i < burst_threshold)
+            features[30] = bursts / len(intervals) if intervals.size > 0 else 0
+        if timestamps.size > 0:
+            session_length = timestamps[-1] - timestamps[0]
+            features[31] = min(session_length / 86400, 1.0)
+        if len(timestamps) > 10:
+            window_size = len(timestamps) // 5
+            window_counts = []
+            for i in range(5):
+                start_idx = i * window_size
+                end_idx = start_idx + window_size
+                window_counts.append(end_idx - start_idx)
+            features[32] = 1.0 - (np.std(window_counts) / (np.mean(window_counts) + 1e-6))
+        protocols = [conn.get('protocol', 'tcp').lower() for conn in connections]
+        unique_protocols = len(set(protocols))
+        features[33] = 1.0 if unique_protocols == 1 else 1.0 / unique_protocols
+        features[34] = sum(1 for p in dst_ports if p in [80, 443, 8080, 8443]) / len(dst_ports) if dst_ports else 0
+        features[35] = sum(1 for p in dst_ports if p == 443) / len(dst_ports) if dst_ports else 0
+        # === ADVANCED PATTERN FEATURES (36-39) ===
+        if timestamps.size > 0:
+            night_hours = sum(1 for ts in timestamps if 0 <= (ts % 86400) / 3600 < 6)
+            features[36] = night_hours / len(timestamps)
+        if len(timestamps) > 1:
+            intervals = np.diff(timestamps)
+            fast_beacon_ratio = sum(1 for i in intervals if 1 <= i <= 5) / len(intervals) if len(intervals) > 0 else 0
+            features[37] = fast_beacon_ratio
+        durations = [conn.get('duration', 0) for conn in connections]
+        if durations:
+            features[38] = np.mean(durations)
+            features[39] = np.std(durations) / (np.mean(durations) + 1e-6) if np.mean(durations) > 0 else 0
+        return features.astype(np.float32)
+# ============================================================================
+# LOG PARSING
+# ============================================================================
+class LogParser:
+    """Parses various log formats into connection records."""
+    @staticmethod
+    def parse_zeek_conn(log_line: str) -> Optional[Dict]:
+        """Parse Zeek/Bro conn.log format."""
+        try:
+            parts = log_line.strip().split('\t')
+            if len(parts) >= 15:
+                return {
+                    'timestamp': float(parts[0]),
+                    'src_ip': parts[2],
+                    'src_port': int(parts[3]),
+                    'dst_ip': parts[4],
+                    'dst_port': int(parts[5]),
+                    'protocol': parts[6],
+                    'duration': float(parts[8]) if parts[8] != '-' else 0,
+                    'bytes_sent': int(parts[9]) if parts[9] != '-' else 0,
+                    'bytes_recv': int(parts[10]) if parts[10] != '-' else 0
+                }
+        except:
+            pass
+        return None
+    @staticmethod
+    def parse_syslog(log_line: str) -> Optional[Dict]:
+        """Parse common syslog/netflow formats."""
+        patterns = [
+            r'(\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}).*?(\d+\.\d+\.\d+\.\d+):(\d+)\s*->\s*(\d+\.\d+\.\d+\.\d+):(\d+)',
+            r'src=(\d+\.\d+\.\d+\.\d+).*?dst=(\d+\.\d+\.\d+\.\d+).*?sport=(\d+).*?dport=(\d+)',
+        ]
+        for pattern in patterns:
+            match = re.search(pattern, log_line)
+            if match:
+                groups = match.groups()
+                try:
+                    if len(groups) == 5:
+                        return {
+                            'timestamp': groups[0],
+                            'src_ip': groups[1],
+                            'src_port': int(groups[2]),
+                            'dst_ip': groups[3],
+                            'dst_port': int(groups[4]),
+                            'protocol': 'tcp',
+                            'bytes_sent': 0,
+                            'bytes_recv': 0
+                        }
+                except:
+                    pass
+        return None
+    @staticmethod
+    def parse_json(log_line: str) -> Optional[Dict]:
+        """Parse JSON log format."""
+        try:
+            data = json.loads(log_line)
+            return {
+                'timestamp': data.get('timestamp', data.get('@timestamp', 0)),
+                'src_ip': data.get('src_ip', data.get('source_ip', data.get('src', ''))),
+                'dst_ip': data.get('dst_ip', data.get('dest_ip', data.get('dst', ''))),
+                'src_port': int(data.get('src_port', data.get('source_port', 0))),
+                'dst_port': int(data.get('dst_port', data.get('dest_port', 0))),
+                'protocol': data.get('protocol', 'tcp'),
+                'bytes_sent': int(data.get('bytes_sent', data.get('bytes_out', 0))),
+                'bytes_recv': int(data.get('bytes_recv', data.get('bytes_in', 0))),
+                'duration': float(data.get('duration', 0))
+            }
+        except:
+            return None
+# ============================================================================
+# RECONNAISSANCE SUPPORT
+# ============================================================================
+class ReconSupport:
+    """
+    Reconnaissance and enrichment support for scripting.
+    Provides IP analysis, network intelligence, and enrichment functions
+    useful for security automation and scripting.
+    """
+    # Known CDN/Cloud provider IP ranges (simplified - in production, use full lists)
+    KNOWN_CDNS = {
+        'cloudflare': ['104.16.0.0/12', '172.64.0.0/13', '131.0.72.0/22'],
+        'aws': ['52.0.0.0/6', '54.0.0.0/6'],
+        'google': ['35.190.0.0/16', '35.220.0.0/14', '142.250.0.0/15'],
+        'azure': ['13.64.0.0/11', '40.64.0.0/10'],
+        'akamai': ['23.0.0.0/12', '104.64.0.0/10'],
+    }
+    # Private IP ranges
+    PRIVATE_RANGES = [
+        ipaddress.ip_network('10.0.0.0/8'),
+        ipaddress.ip_network('172.16.0.0/12'),
+        ipaddress.ip_network('192.168.0.0/16'),
+        ipaddress.ip_network('127.0.0.0/8'),
+        ipaddress.ip_network('169.254.0.0/16'),
+    ]
+    @classmethod
+    def analyze_ip(cls, ip: str) -> Dict[str, Any]:
+        """
+        Analyze an IP address for reconnaissance purposes.
+        Returns enrichment data about the IP.
+        """
+        result = {
+            'ip': ip,
+            'is_valid': False,
+            'is_private': False,
+            'is_loopback': False,
+            'is_multicast': False,
+            'is_cdn': False,
+            'cdn_provider': None,
+            'ip_version': None,
+            'reverse_dns': None,
+            'numeric': None,
+        }
+        try:
+            ip_obj = ipaddress.ip_address(ip)
+            result['is_valid'] = True
+            result['ip_version'] = ip_obj.version
+            result['is_private'] = ip_obj.is_private
+            result['is_loopback'] = ip_obj.is_loopback
+            result['is_multicast'] = ip_obj.is_multicast
+            # Convert to numeric for range analysis
+            if isinstance(ip_obj, ipaddress.IPv4Address):
+                result['numeric'] = int(ip_obj)
+            # Check CDN ranges
+            for cdn, ranges in cls.KNOWN_CDNS.items():
+                for range_str in ranges:
+                    try:
+                        network = ipaddress.ip_network(range_str)
+                        if ip_obj in network:
+                            result['is_cdn'] = True
+                            result['cdn_provider'] = cdn
+                            break
+                    except:
+                        pass
+                if result['is_cdn']:
+                    break
+            # Try reverse DNS (optional, may fail)
+            try:
+                result['reverse_dns'] = socket.gethostbyaddr(ip)[0]
+            except:
+                pass
+        except ValueError:
+            pass
+        return result
+    @classmethod
+    def analyze_connection_patterns(cls, connections: List[Dict]) -> Dict[str, Any]:
+        """
+        Analyze connection patterns for reconnaissance.
+        Provides high-level pattern analysis useful for threat hunting.
+        """
+        if not connections:
+            return {'error': 'No connections provided'}
+        dst_ips = [conn.get('dst_ip', '') for conn in connections]
+        dst_ports = [conn.get('dst_port', 0) for conn in connections]
+        bytes_sent = [conn.get('bytes_sent', 0) for conn in connections]
+        bytes_recv = [conn.get('bytes_recv', 0) for conn in connections]
+        timestamps = sorted([conn.get('timestamp', 0) for conn in connections])
+        intervals = np.diff(timestamps) if len(timestamps) > 1 else []
+        # Destination analysis
+        unique_dsts = set(dst_ips)
+        dst_analysis = {}
+        for ip in unique_dsts:
+            if ip:
+                dst_analysis[ip] = cls.analyze_ip(ip)
+        # Port analysis
+        port_counts = defaultdict(int)
+        for port in dst_ports:
+            port_counts[port] += 1
+        # Calculate statistics
+        result = {
+            'connection_count': len(connections),
+            'unique_destinations': len(unique_dsts),
+            'unique_ports': len(set(dst_ports)),
+            # Timing analysis
+            'timing': {
+                'duration_seconds': timestamps[-1] - timestamps[0] if len(timestamps) > 1 else 0,
+                'mean_interval': float(np.mean(intervals)) if len(intervals) > 0 else 0,
+                'interval_stddev': float(np.std(intervals)) if len(intervals) > 0 else 0,
+                'interval_cv': float(np.std(intervals) / (np.mean(intervals) + 1e-6)) if len(intervals) > 0 else 0,
+            },
+            # Volume analysis
+            'volume': {
+                'total_sent': sum(bytes_sent),
+                'total_recv': sum(bytes_recv),
+                'mean_sent': float(np.mean(bytes_sent)) if bytes_sent else 0,
+                'mean_recv': float(np.mean(bytes_recv)) if bytes_recv else 0,
+                'sent_recv_ratio': sum(bytes_sent) / (sum(bytes_recv) + 1e-6) if bytes_recv else 0,
+            },
+            # Port distribution
+            'ports': dict(port_counts),
+            # Destination enrichment
+            'destinations': dst_analysis,
+            # Pattern indicators
+            'indicators': {
+                'single_destination': len(unique_dsts) == 1,
+                'consistent_timing': float(np.std(intervals) / (np.mean(intervals) + 1e-6)) < 0.3 if len(intervals) > 0 else False,
+                'consistent_sizes': float(np.std(bytes_sent) / (np.mean(bytes_sent) + 1e-6)) < 0.2 if bytes_sent and np.mean(bytes_sent) > 0 else False,
+                'uses_common_port': bool(set(dst_ports) & {80, 443, 53, 22}),
+                'uses_high_port': any(p > 10000 for p in dst_ports),
+                'has_cdn_destination': any(d.get('is_cdn', False) for d in dst_analysis.values()),
+                'all_private_destinations': all(d.get('is_private', False) for d in dst_analysis.values() if d.get('is_valid')),
+            },
+        }
+        return result
+    @classmethod
+    def generate_iocs(cls, connections: List[Dict], result: Dict) -> Dict[str, List[str]]:
+        """
+        Generate Indicators of Compromise (IOCs) from analysis.
+        Returns IOCs suitable for threat intelligence sharing.
+        """
+        iocs = {
+            'ips': [],
+            'ports': [],
+            'timing_signatures': [],
+            'behavioral_indicators': [],
+        }
+        if not result.get('is_c2', False):
+            return iocs
+        # Extract destination IPs
+        dst_ips = set(conn.get('dst_ip', '') for conn in connections if conn.get('dst_ip'))
+        iocs['ips'] = list(dst_ips)
+        # Extract ports
+        dst_ports = set(conn.get('dst_port', 0) for conn in connections if conn.get('dst_port'))
+        iocs['ports'] = [str(p) for p in dst_ports]
+        # Generate timing signature
+        timestamps = sorted([conn.get('timestamp', 0) for conn in connections])
+        if len(timestamps) > 1:
+            intervals = np.diff(timestamps)
+            mean_interval = np.mean(intervals)
+            iocs['timing_signatures'].append(f"beacon_interval:{mean_interval:.1f}s±{np.std(intervals):.1f}s")
+        # Behavioral indicators
+        if result.get('c2_type'):
+            iocs['behavioral_indicators'].append(f"c2_type:{result['c2_type']}")
+        if result.get('evasion_score', 0) > 0.5:
+            iocs['behavioral_indicators'].append("evasion_detected")
+        return iocs
+# ============================================================================
+# MAIN API CLASS
+# ============================================================================
+@dataclass
+class AnalysisResult:
+    """Structured result from C2 analysis."""
+    is_c2: bool
+    c2_probability: float
+    anomaly_score: float
+    evasion_score: float
+    confidence: float
+    c2_type: str
+    c2_type_confidence: float
+    detection_method: str
+    immediate_detection: bool
+    # Context-based adjustments
+    context_applied: bool = False
+    original_probability: float = 0.0
+    probability_modifier: float = 1.0
+    # Legitimate pattern matching
+    matched_legitimate_pattern: Optional[str] = None
+    legitimate_confidence: float = 0.0
+    # Risk analysis
+    risk_factors: List[str] = field(default_factory=list)
+    mitigating_factors: List[str] = field(default_factory=list)
+    # Service classification
+    service_type: str = "unknown"
+    # Recommendations
+    recommendations: List[str] = field(default_factory=list)
+    # Raw features
+    features: List[float] = field(default_factory=list)
+    def to_dict(self) -> Dict[str, Any]:
+        return asdict(self)
+    def __repr__(self) -> str:
+        status = "🚨 C2 DETECTED" if self.is_c2 else "✅ Clean"
+        return f"<AnalysisResult: {status} | prob={self.c2_probability:.3f} | type={self.c2_type}>"
+class C2Sentinel:
+    """
+    Main API for LogBERT-C2Sentinel.
+    Advanced C2 detection with context inference and reconnaissance support.
+    Usage:
+        # Load pre-trained model
+        sentinel = C2Sentinel.load('c2_sentinel')
+        # Basic analysis
+        result = sentinel.analyze(connections)
+        # With context
+        context = ConnectionContext(process_name='sshd', known_good=True)
+        result = sentinel.analyze(connections, context=context)
+        # Batch analysis
+        results = sentinel.analyze_batch([conn_list1, conn_list2, ...])
+        # With reconnaissance
+        recon = sentinel.recon.analyze_connection_patterns(connections)
+        iocs = sentinel.recon.generate_iocs(connections, result)
+    """
+    def __init__(self, model: LogBERTC2Sentinel, config: C2SentinelConfig, device: str = 'auto'):
+        self.model = model
+        self.config = config
+        self.feature_extractor = FeatureExtractor()
+        self.log_parser = LogParser()
+        self.context_engine = ContextInference()
+        self.recon = ReconSupport()
+        if device == 'auto':
+            self.device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')
+        else:
+            self.device = torch.device(device)
+        self.model.to(self.device)
+        self.model.eval()
+    def analyze(
+        self,
+        connections: List[Dict],
+        threshold: float = 0.5,
+        context: Optional[ConnectionContext] = None,
+        include_features: bool = False,
+        strict_mode: bool = False
+    ) -> AnalysisResult:
+        """
+        Analyze connections for C2 activity.
+        Args:
+            connections: List of connection records
+            threshold: Detection threshold (default 0.5, use 0.7 for fewer false positives)
+            context: Optional ConnectionContext with additional metadata
+            include_features: Include raw feature vector in result
+            strict_mode: Require higher confidence for C2 detection
+        Returns:
+            AnalysisResult with comprehensive detection information
+        """
+        ports = set(conn.get('dst_port', 0) for conn in connections)
+        # Initialize result
+        result = AnalysisResult(
+            is_c2=False,
+            c2_probability=0.0,
+            anomaly_score=0.0,
+            evasion_score=0.0,
+            confidence=0.0,
+            c2_type='none',
+            c2_type_confidence=0.0,
+            detection_method='none',
+            immediate_detection=False,
+        )
+        if not connections:
+            return result
+        # ================================================================
+        # PHASE 1: Check for known legitimate patterns FIRST
+        # ================================================================
+        # Check SSH keepalive specifically (common false positive)
+        is_ssh_keepalive, ssh_ka_confidence = self.feature_extractor.check_ssh_keepalive(connections)
+        if is_ssh_keepalive:
+            result.matched_legitimate_pattern = "ssh_keepalive"
+            result.legitimate_confidence = ssh_ka_confidence
+            result.service_type = ServiceType.SSH.value
+            result.mitigating_factors.append(f"Matches SSH keepalive pattern (confidence: {ssh_ka_confidence:.2f})")
+            result.detection_method = DetectionMethod.WHITELIST.value
+            result.recommendations.append("SSH keepalive is normal system behavior")
+            # SSH keepalive should NOT be flagged as C2
+            result.is_c2 = False
+            result.c2_probability = 0.05  # Very low probability
+            result.confidence = ssh_ka_confidence
+            return result
+        # Check other legitimate patterns
+        matched_pattern, pattern_confidence = self.feature_extractor.check_legitimate_patterns(connections)
+        if matched_pattern and pattern_confidence > 0.7:
+            result.matched_legitimate_pattern = matched_pattern.name
+            result.legitimate_confidence = pattern_confidence
+            result.service_type = matched_pattern.service_type.value
+            result.mitigating_factors.append(f"Matches {matched_pattern.name} pattern: {matched_pattern.description}")
+        # ================================================================
+        # PHASE 2: Check for high-confidence C2 signatures
+        # ================================================================
+        is_msf, msf_confidence = self.feature_extractor.check_metasploit_signature(connections)
+        if is_msf:
+            result.is_c2 = True
+            result.c2_probability = msf_confidence
+            result.anomaly_score = 0.95
+            result.evasion_score = 0.1
+            result.confidence = msf_confidence
+            result.c2_type = 'metasploit'
+            result.c2_type_confidence = msf_confidence
+            result.immediate_detection = True
+            result.detection_method = DetectionMethod.SIGNATURE.value
+            result.risk_factors.append("Matches Metasploit signature (high-confidence C2 port + behavior)")
+            if include_features:
+                result.features = self.feature_extractor.extract_features(connections).tolist()
+            return result
+        # ================================================================
+        # PHASE 3: ML-based behavioral analysis
+        # ================================================================
+        features = self.feature_extractor.extract_features(connections)
+        features_tensor = torch.tensor(features, dtype=torch.float32).unsqueeze(0).to(self.device)
+        with torch.no_grad():
+            outputs = self.model(features_tensor)
+        c2_prob = torch.sigmoid(outputs['c2_logits']).item()
+        result.original_probability = c2_prob
+        result.anomaly_score = outputs['anomaly_score'].item()
+        result.evasion_score = outputs['evasion_score'].item()
+        result.confidence = outputs['confidence'].item()
+        # Get C2 type prediction
+        c2_type_probs = F.softmax(outputs['c2_type_logits'], dim=-1)
+        c2_type_idx = torch.argmax(c2_type_probs, dim=-1).item()
+        result.c2_type = FeatureExtractor.C2_TYPES[c2_type_idx]
+        result.c2_type_confidence = c2_type_probs[0, c2_type_idx].item()
+        # ================================================================
+        # PHASE 4: Behavioral refinement
+        # ================================================================
+        dst_ips = set(conn.get('dst_ip', '') for conn in connections)
+        bytes_recv = [conn.get('bytes_recv', 0) for conn in connections]
+        bytes_sent = [conn.get('bytes_sent', 0) for conn in connections]
+        recv_cv = np.std(bytes_recv) / (np.mean(bytes_recv) + 1e-6) if bytes_recv else 0
+        sent_cv = np.std(bytes_sent) / (np.mean(bytes_sent) + 1e-6) if bytes_sent else 0
+        total_sent = sum(bytes_sent)
+        total_recv = sum(bytes_recv)
+        req_resp_ratio = total_sent / (total_recv + 1e-6) if total_recv else float('inf')
+        # Multiple destinations with high variance = likely benign
+        if len(dst_ips) > 5 and bytes_recv and recv_cv > 2:
+            c2_prob *= 0.4
+            result.mitigating_factors.append("Multiple destinations with high response variance")
+        # Single destination analysis
+        if len(dst_ips) == 1 and len(connections) >= 5:
+            timestamps = sorted([c.get('timestamp', 0) for c in connections])
+            if len(timestamps) > 1:
+                intervals = np.diff(timestamps)
+                mean_interval = np.mean(intervals) if len(intervals) > 0 else 0
+                interval_cv = np.std(intervals) / (mean_interval + 1e-6) if mean_interval > 0 else 0
+                # Response variance analysis
+                if recv_cv > 0.5:
+                    c2_prob *= 0.5
+                    result.mitigating_factors.append("High response size variance (likely data retrieval)")
+                elif recv_cv < 0.2 and sent_cv < 0.2:
+                    c2_prob = min(1.0, c2_prob * 1.4)
+                    result.risk_factors.append("Very consistent request/response sizes")
+                # Request/response ratio
+                if req_resp_ratio < 0.1:
+                    c2_prob *= 0.4
+                    result.mitigating_factors.append("Asymmetric traffic (small requests, large responses)")
+                elif 0.2 < req_resp_ratio < 0.8:
+                    c2_prob = min(1.0, c2_prob * 1.2)
+                    result.risk_factors.append("Balanced request/response ratio (C2-like)")
+                # Beacon regularity
+                if interval_cv < 0.3 and mean_interval > 0 and recv_cv < 0.3:
+                    c2_prob = min(1.0, c2_prob * 1.3)
+                    result.risk_factors.append("Regular timing with consistent sizes")
+                # Slow beacon detection
+                if mean_interval > 60 and recv_cv < 0.15 and sent_cv < 0.15:
+                    c2_prob = min(1.0, c2_prob * 1.5)
+                    result.risk_factors.append("APT-style slow beacon pattern")
+        # ================================================================
+        # PHASE 5: Apply legitimate pattern discount
+        # ================================================================
+        if matched_pattern and pattern_confidence > 0.5:
+            # Reduce probability based on pattern match
+            discount = 1.0 - (pattern_confidence * 0.7)  # Up to 70% reduction
+            c2_prob *= discount
+            result.mitigating_factors.append(f"Legitimate pattern match reduces probability by {(1-discount)*100:.0f}%")
+        # ================================================================
+        # PHASE 6: Apply context inference (always check whitelist/blacklist)
+        # ================================================================
+        # Always run inference to check whitelist/blacklist
+        inference = self.context_engine.infer(connections, context)
+        if inference['probability_modifier'] != 1.0 or context:
+            result.context_applied = True
+            result.probability_modifier = inference['probability_modifier']
+            c2_prob *= inference['probability_modifier']
+        result.risk_factors.extend(inference['risk_factors'])
+        result.mitigating_factors.extend(inference['mitigating_factors'])
+        result.recommendations.extend(inference['recommendations'])
+        if inference['is_whitelisted']:
+            result.mitigating_factors.append("Destination is whitelisted")
+        if inference['is_blacklisted']:
+            result.risk_factors.append("Destination is blacklisted")
+        if inference['service_type'] != ServiceType.UNKNOWN:
+            result.service_type = inference['service_type'].value
+        # ================================================================
+        # PHASE 7: Final decision
+        # ================================================================
+        # Apply strict mode if requested
+        effective_threshold = threshold
+        if strict_mode:
+            effective_threshold = max(threshold, 0.7)
+        result.c2_probability = min(max(c2_prob, 0.0), 1.0)
+        result.is_c2 = result.c2_probability >= effective_threshold
+        result.detection_method = DetectionMethod.ML.value if not result.context_applied else DetectionMethod.CONTEXT.value
+        if result.is_c2:
+            result.c2_type = FeatureExtractor.C2_TYPES[c2_type_idx] if c2_type_idx > 0 else 'unknown'
+        else:
+            result.c2_type = 'none'
+        # Add recommendations based on analysis
+        if result.is_c2:
+            result.recommendations.append("Investigate destination IP for known C2 infrastructure")
+            result.recommendations.append("Check for associated process and user activity")
+            if result.evasion_score > 0.5:
+                result.recommendations.append("C2 may be using evasion techniques - correlate with other telemetry")
+        if include_features:
+            result.features = features.tolist()
+        return result
+    def analyze_batch(
+        self,
+        connection_groups: List[List[Dict]],
+        threshold: float = 0.5,
+        contexts: Optional[List[ConnectionContext]] = None,
+        parallel: bool = True
+    ) -> List[AnalysisResult]:
+        """
+        Analyze multiple connection groups efficiently.
+        Args:
+            connection_groups: List of connection lists to analyze
+            threshold: Detection threshold
+            contexts: Optional list of contexts (one per group)
+            parallel: Use batch processing for efficiency
+        Returns:
+            List of AnalysisResults
+        """
+        results = []
+        for i, connections in enumerate(connection_groups):
+            context = contexts[i] if contexts and i < len(contexts) else None
+            result = self.analyze(connections, threshold=threshold, context=context)
+            results.append(result)
+        return results
+    def analyze_logs(
+        self,
+        log_lines: List[str],
+        group_by_dst: bool = True,
+        threshold: float = 0.5
+    ) -> List[Dict]:
+        """Analyze raw log lines for C2 activity."""
+        connections = []
+        for line in log_lines:
+            conn = self.log_parser.parse_json(line)
+            if not conn:
+                conn = self.log_parser.parse_zeek_conn(line)
+            if not conn:
+                conn = self.log_parser.parse_syslog(line)
+            if conn:
+                connections.append(conn)
+        if not connections:
+            return []
+        results = []
+        if group_by_dst:
+            grouped = defaultdict(list)
+            for conn in connections:
+                grouped[conn.get('dst_ip', 'unknown')].append(conn)
+            for dst_ip, group_conns in grouped.items():
+                if len(group_conns) >= 3:
+                    result = self.analyze(group_conns, threshold)
+                    result_dict = result.to_dict()
+                    result_dict['dst_ip'] = dst_ip
+                    result_dict['connection_count'] = len(group_conns)
+                    results.append(result_dict)
+        else:
+            result = self.analyze(connections, threshold)
+            result_dict = result.to_dict()
+            result_dict['connection_count'] = len(connections)
+            results.append(result_dict)
+        return sorted(results, key=lambda x: x['c2_probability'], reverse=True)
+    def add_whitelist(self, ips: List[str] = None, domains: List[str] = None):
+        """Add IPs or domains to whitelist."""
+        if ips:
+            for ip in ips:
+                self.context_engine.add_whitelist_ip(ip)
+        if domains:
+            for domain in domains:
+                self.context_engine.add_whitelist_domain(domain)
+    def add_blacklist(self, ips: List[str] = None, domains: List[str] = None):
+        """Add IPs or domains to blacklist."""
+        if ips:
+            for ip in ips:
+                self.context_engine.add_blacklist_ip(ip)
+        if domains:
+            for domain in domains:
+                self.context_engine.add_blacklist_domain(domain)
+    def save(self, path: str):
+        """Save model to safetensors format."""
+        path = Path(path)
+        model_path = path.with_suffix('.safetensors')
+        save_file(self.model.state_dict(), str(model_path))
+        config_path = path.with_suffix('.json')
+        with open(config_path, 'w') as f:
+            json.dump(self.config.to_dict(), f, indent=2)
+        print(f"Model saved to {model_path}")
+        print(f"Config saved to {config_path}")
+    @classmethod
+    def load(cls, path: str, device: str = 'auto') -> 'C2Sentinel':
+        """Load model from safetensors format."""
+        path = Path(path)
+        if path.suffix == '.safetensors':
+            model_path = path
+            config_path = path.with_suffix('.json')
+        else:
+            model_path = path.with_suffix('.safetensors')
+            config_path = path.with_suffix('.json')
+        with open(config_path, 'r') as f:
+            config = C2SentinelConfig.from_dict(json.load(f))
+        model = LogBERTC2Sentinel(config)
+        state_dict = load_file(str(model_path))
+        model.load_state_dict(state_dict)
+        return cls(model, config, device)
+    @classmethod
+    def create_new(cls, device: str = 'auto') -> 'C2Sentinel':
+        """Create a new untrained model."""
+        config = C2SentinelConfig()
+        model = LogBERTC2Sentinel(config)
+        return cls(model, config, device)
+# ============================================================================
+# CONVENIENCE FUNCTIONS
+# ============================================================================
+def load_model(path: str, device: str = 'auto') -> C2Sentinel:
+    """Load a pre-trained C2Sentinel model."""
+    return C2Sentinel.load(path, device)
+def create_model(device: str = 'auto') -> C2Sentinel:
+    """Create a new untrained C2Sentinel model."""
+    return C2Sentinel.create_new(device)
+def quick_analyze(connections: List[Dict], model_path: str = 'c2_sentinel') -> AnalysisResult:
+    """Quick one-shot analysis without keeping model in memory."""
+    sentinel = C2Sentinel.load(model_path)
+    return sentinel.analyze(connections)
+# ============================================================================
+# CLI AND TESTING
+# ============================================================================
+if __name__ == '__main__':
+    print("LogBERT-C2Sentinel v2.0: Advanced C2 Detection with Context Inference")
+    print("=" * 70)
+    sentinel = C2Sentinel.create_new()
+    print(f"Model created with {sentinel.config.num_features} features")
+    print(f"Device: {sentinel.device}")
+    # Test 1: Metasploit signature detection
+    print("\n[TEST 1] Metasploit Meterpreter (port 4444)...")
+    msf_connections = [
+        {'timestamp': 1000 + i*5, 'dst_ip': '192.168.1.100', 'dst_port': 4444,
+         'bytes_sent': 150, 'bytes_recv': 400}
+        for i in range(8)
+    ]
+    result = sentinel.analyze(msf_connections)
+    print(f"  {result}")
+    # Test 2: SSH keepalive (should NOT be flagged)
+    print("\n[TEST 2] SSH Keepalive (should be clean)...")
+    ssh_keepalive = [
+        {'timestamp': 1000 + i*30, 'dst_ip': '192.168.1.10', 'dst_port': 22,
+         'bytes_sent': 48, 'bytes_recv': 48}
+        for i in range(15)
+    ]
+    result = sentinel.analyze(ssh_keepalive)
+    print(f"  {result}")
+    print(f"  Matched pattern: {result.matched_legitimate_pattern}")
+    print(f"  Mitigating factors: {result.mitigating_factors}")
+    # Test 3: SSH with context
+    print("\n[TEST 3] SSH Keepalive with process context...")
+    context = ConnectionContext(process_name='sshd', known_good=True)
+    result = sentinel.analyze(ssh_keepalive, context=context)
+    print(f"  {result}")
+    # Test 4: C2 beacon on 443
+    print("\n[TEST 4] C2 Beacon on port 443...")
+    c2_beacon = [
+        {'timestamp': 1000 + i*60, 'dst_ip': '10.10.10.10', 'dst_port': 443,
+         'bytes_sent': 200, 'bytes_recv': 500}
+        for i in range(10)
+    ]
+    result = sentinel.analyze(c2_beacon)
+    print(f"  {result}")
+    # Test 5: Benign browsing
+    print("\n[TEST 5] Benign web browsing...")
+    import random
+    browsing = [
+        {'timestamp': 1000 + i*random.uniform(5, 120),
+         'dst_ip': f"{random.randint(1,200)}.{random.randint(0,255)}.{random.randint(0,255)}.{random.randint(1,254)}",
+         'dst_port': 443,
+         'bytes_sent': random.randint(500, 3000),
+         'bytes_recv': random.randint(10000, 500000)}
+        for i in range(15)
+    ]
+    result = sentinel.analyze(browsing)
+    print(f"  {result}")
+    # Test reconnaissance support
+    print("\n[TEST 6] Reconnaissance support...")
+    ip_info = sentinel.recon.analyze_ip('104.16.132.229')
+    print(f"  IP Analysis: {ip_info}")
+    print("\n" + "=" * 70)
+    print("Model ready for deployment!")
+    print("=" * 70)

examples/advanced_usage.py ADDED Viewed

	@@ -0,0 +1,236 @@

+#!/usr/bin/env python3
+"""
+C2Sentinel Advanced Usage Example
+Demonstrates context enrichment, whitelist/blacklist management,
+batch analysis, log parsing, and reconnaissance features.
+"""
+from c2sentinel import C2Sentinel, ConnectionContext
+def main():
+    # Load the model
+    sentinel = C2Sentinel.load('c2_sentinel')
+    # =========================================================================
+    # Context Enrichment
+    # =========================================================================
+    print("=" * 60)
+    print("Context Enrichment")
+    print("=" * 60)
+    # Create connections that might look suspicious
+    connections = []
+    timestamp = 1705600000
+    for i in range(10):
+        connections.append({
+            'timestamp': timestamp + (i * 60),
+            'dst_ip': '10.0.0.50',
+            'dst_port': 443,
+            'bytes_sent': 200,
+            'bytes_recv': 500,
+        })
+    # Analyze without context
+    result_no_ctx = sentinel.analyze(connections)
+    print(f"Without context: is_c2={result_no_ctx.is_c2}, prob={result_no_ctx.c2_probability:.2f}")
+    # Analyze with context indicating this is a known monitoring agent
+    context = ConnectionContext(
+        process_name='prometheus',
+        known_good=True,
+        ip_reputation=0.95,
+        dns_queries=['metrics.internal.company.com']
+    )
+    result_with_ctx = sentinel.analyze(connections, context=context)
+    print(f"With context: is_c2={result_with_ctx.is_c2}, prob={result_with_ctx.c2_probability:.2f}")
+    print(f"Context applied: {result_with_ctx.context_applied}")
+    print()
+    # =========================================================================
+    # Whitelist and Blacklist Management
+    # =========================================================================
+    print("=" * 60)
+    print("Whitelist and Blacklist")
+    print("=" * 60)
+    # Add trusted infrastructure to whitelist
+    sentinel.add_whitelist(
+        ips=['8.8.8.8', '1.1.1.1'],
+        domains=['google.com', 'cloudflare.com']
+    )
+    # Add known malicious indicators to blacklist
+    sentinel.add_blacklist(
+        ips=['10.10.10.10'],
+        domains=['malware.example.com']
+    )
+    # Test whitelisted IP
+    dns_connections = []
+    for i in range(10):
+        dns_connections.append({
+            'timestamp': timestamp + (i * 5),
+            'dst_ip': '8.8.8.8',
+            'dst_port': 53,
+            'bytes_sent': 50,
+            'bytes_recv': 200,
+        })
+    result = sentinel.analyze(dns_connections)
+    print(f"Whitelisted DNS (8.8.8.8): is_c2={result.is_c2}")
+    # Test blacklisted IP
+    blacklist_connections = []
+    for i in range(10):
+        blacklist_connections.append({
+            'timestamp': timestamp + (i * 60),
+            'dst_ip': '10.10.10.10',
+            'dst_port': 443,
+            'bytes_sent': 200,
+            'bytes_recv': 500,
+        })
+    result = sentinel.analyze(blacklist_connections)
+    print(f"Blacklisted IP (10.10.10.10): is_c2={result.is_c2}, prob={result.c2_probability:.2f}")
+    print()
+    # =========================================================================
+    # Batch Analysis
+    # =========================================================================
+    print("=" * 60)
+    print("Batch Analysis")
+    print("=" * 60)
+    # Create multiple connection groups for batch processing
+    connection_groups = []
+    # Group 1: Normal web browsing (variable sizes, multiple destinations)
+    web_group = []
+    for i, dest in enumerate(['93.184.216.34', '151.101.1.140', '172.217.14.206']):
+        for j in range(3):
+            web_group.append({
+                'timestamp': timestamp + (i * 10) + j,
+                'dst_ip': dest,
+                'dst_port': 443,
+                'bytes_sent': 100 + (j * 50),
+                'bytes_recv': 5000 + (j * 1000),
+            })
+    connection_groups.append(web_group)
+    # Group 2: Potential C2 beacon
+    beacon_group = []
+    for i in range(10):
+        beacon_group.append({
+            'timestamp': timestamp + (i * 60),
+            'dst_ip': '45.33.32.156',
+            'dst_port': 8080,
+            'bytes_sent': 200,
+            'bytes_recv': 500,
+        })
+    connection_groups.append(beacon_group)
+    # Group 3: Database connection pool
+    db_group = []
+    for i in range(15):
+        db_group.append({
+            'timestamp': timestamp + (i * 0.5),
+            'dst_ip': '10.0.1.100',
+            'dst_port': 5432,
+            'bytes_sent': 100 + (i * 10),
+            'bytes_recv': 2000 + (i * 500),
+        })
+    connection_groups.append(db_group)
+    # Analyze all groups at once
+    results = sentinel.analyze_batch(connection_groups)
+    for i, result in enumerate(results):
+        print(f"Group {i+1}: is_c2={result.is_c2}, prob={result.c2_probability:.2f}, "
+              f"pattern={result.matched_legitimate_pattern or 'None'}")
+    print()
+    # =========================================================================
+    # Reconnaissance Features
+    # =========================================================================
+    print("=" * 60)
+    print("Reconnaissance Features")
+    print("=" * 60)
+    # IP Analysis
+    print("\nIP Analysis:")
+    ip_info = sentinel.recon.analyze_ip('104.16.132.229')
+    print(f"  IP: 104.16.132.229")
+    print(f"  Valid: {ip_info['is_valid']}")
+    print(f"  Private: {ip_info['is_private']}")
+    print(f"  CDN: {ip_info['is_cdn']}")
+    if ip_info['cdn_provider']:
+        print(f"  CDN Provider: {ip_info['cdn_provider']}")
+    # Connection Pattern Analysis
+    print("\nConnection Pattern Analysis:")
+    patterns = sentinel.recon.analyze_connection_patterns(beacon_group)
+    print(f"  Mean Interval: {patterns['timing']['mean_interval']:.2f}s")
+    print(f"  Interval CV: {patterns['timing']['interval_cv']:.4f}")
+    print(f"  Mean Bytes Sent: {patterns['volume']['mean_bytes_sent']:.0f}")
+    print(f"  Single Destination: {patterns['behavioral']['single_destination']}")
+    # IOC Generation (only if C2 detected)
+    print("\nIOC Generation:")
+    beacon_result = sentinel.analyze(beacon_group)
+    if beacon_result.is_c2:
+        iocs = sentinel.recon.generate_iocs(beacon_group, beacon_result.to_dict())
+        print(f"  IPs: {iocs['ips']}")
+        print(f"  Ports: {iocs['ports']}")
+        print(f"  Timing Signature: {iocs['timing_signatures']}")
+    print()
+    # =========================================================================
+    # Log File Parsing
+    # =========================================================================
+    print("=" * 60)
+    print("Log File Parsing")
+    print("=" * 60)
+    # Example with JSON log format
+    json_logs = [
+        '{"timestamp": 1705600000, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}',
+        '{"timestamp": 1705600060, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}',
+        '{"timestamp": 1705600120, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}',
+        '{"timestamp": 1705600180, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}',
+        '{"timestamp": 1705600240, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}',
+    ]
+    results = sentinel.analyze_logs(json_logs, group_by_dst=True)
+    print(f"Analyzed {len(json_logs)} log lines")
+    for dst, result in results.items():
+        print(f"  {dst}: is_c2={result.is_c2}, prob={result.c2_probability:.2f}")
+    print()
+    # =========================================================================
+    # Result Object Details
+    # =========================================================================
+    print("=" * 60)
+    print("Full Result Object")
+    print("=" * 60)
+    result = sentinel.analyze(beacon_group)
+    result_dict = result.to_dict()
+    for key, value in result_dict.items():
+        if isinstance(value, list) and len(value) > 3:
+            print(f"  {key}: [{value[0]}, {value[1]}, ... ({len(value)} items)]")
+        else:
+            print(f"  {key}: {value}")
+if __name__ == '__main__':
+    main()

examples/basic_usage.py ADDED Viewed

	@@ -0,0 +1,105 @@

+#!/usr/bin/env python3
+"""
+C2Sentinel Basic Usage Example
+Demonstrates loading the model and analyzing network connections
+for C2 beacon detection.
+"""
+from c2sentinel import C2Sentinel
+def main():
+    # Load the model
+    sentinel = C2Sentinel.load('c2_sentinel')
+    # Example 1: Analyze a series of connections to a single destination
+    # This pattern shows regular 60-second intervals with consistent packet sizes
+    # - a common C2 beacon signature
+    connections = []
+    timestamp = 1705600000  # Starting timestamp
+    for i in range(10):
+        connections.append({
+            'timestamp': timestamp + (i * 60),  # 60-second intervals
+            'dst_ip': '10.0.0.100',
+            'dst_port': 443,
+            'bytes_sent': 200,
+            'bytes_recv': 500,
+        })
+    result = sentinel.analyze(connections)
+    print("Example 1: Regular beacon pattern")
+    print(f"  Is C2: {result.is_c2}")
+    print(f"  Probability: {result.c2_probability:.2f}")
+    print(f"  C2 Type: {result.c2_type}")
+    print(f"  Detection Method: {result.detection_method}")
+    print()
+    # Example 2: Legitimate SSH keepalive traffic
+    # Small symmetric packets on port 22 at regular intervals
+    ssh_connections = []
+    timestamp = 1705600000
+    for i in range(10):
+        ssh_connections.append({
+            'timestamp': timestamp + (i * 30),  # 30-second keepalive
+            'dst_ip': '192.168.1.50',
+            'dst_port': 22,
+            'bytes_sent': 48,
+            'bytes_recv': 48,
+        })
+    result = sentinel.analyze(ssh_connections)
+    print("Example 2: SSH keepalive pattern")
+    print(f"  Is C2: {result.is_c2}")
+    print(f"  Matched Pattern: {result.matched_legitimate_pattern}")
+    print(f"  Service Type: {result.service_type}")
+    print()
+    # Example 3: High-confidence C2 on known malicious port
+    c2_connections = []
+    timestamp = 1705600000
+    for i in range(10):
+        c2_connections.append({
+            'timestamp': timestamp + (i * 30),
+            'dst_ip': '45.33.32.156',
+            'dst_port': 4444,  # Metasploit default
+            'bytes_sent': 150,
+            'bytes_recv': 300,
+        })
+    result = sentinel.analyze(c2_connections)
+    print("Example 3: High-confidence C2 port")
+    print(f"  Is C2: {result.is_c2}")
+    print(f"  C2 Type: {result.c2_type}")
+    print(f"  Probability: {result.c2_probability:.2f}")
+    print(f"  Immediate Detection: {result.immediate_detection}")
+    print(f"  Risk Factors: {result.risk_factors}")
+    print()
+    # Example 4: Using threshold adjustment
+    print("Example 4: Threshold adjustment")
+    # Lower threshold for higher sensitivity
+    result_low = sentinel.analyze(connections, threshold=0.3)
+    print(f"  Low threshold (0.3): is_c2={result_low.is_c2}, prob={result_low.c2_probability:.2f}")
+    # Higher threshold for higher precision
+    result_high = sentinel.analyze(connections, threshold=0.7)
+    print(f"  High threshold (0.7): is_c2={result_high.is_c2}, prob={result_high.c2_probability:.2f}")
+    # Strict mode (minimum 0.7 threshold)
+    result_strict = sentinel.analyze(connections, strict_mode=True)
+    print(f"  Strict mode: is_c2={result_strict.is_c2}, prob={result_strict.c2_probability:.2f}")
+if __name__ == '__main__':
+    main()