danielostrow commited on
Commit
9cb214b
·
verified ·
1 Parent(s): 22db0ff

Remove examples folder

Files changed (1) hide show
  1. examples/advanced_usage.py +0 -236
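--- a/examples/advanced_usage.py
+++ /dev/null
@@ -1,236 +0,0 @@
-#!/usr/bin/env python3
-"""
-C2Sentinel Advanced Usage Example
-
-Demonstrates context enrichment, whitelist/blacklist management,
-batch analysis, log parsing, and reconnaissance features.
-"""
-
-from c2sentinel import C2Sentinel, ConnectionContext
-
-def main():
-# Load the model
-sentinel = C2Sentinel.load('c2_sentinel')
-
-# =========================================================================
-# Context Enrichment
-# =========================================================================
-
-print("=" * 60)
-print("Context Enrichment")
-print("=" * 60)
-
-# Create connections that might look suspicious
-connections = []
-timestamp = 1705600000
-
-for i in range(10):
-connections.append({
-'timestamp': timestamp + (i * 60),
-'dst_ip': '10.0.0.50',
-'dst_port': 443,
-'bytes_sent': 200,
-'bytes_recv': 500,
-})
-
-# Analyze without context
-result_no_ctx = sentinel.analyze(connections)
-print(f"Without context: is_c2={result_no_ctx.is_c2}, prob={result_no_ctx.c2_probability:.2f}")
-
-# Analyze with context indicating this is a known monitoring agent
-context = ConnectionContext(
-process_name='prometheus',
-known_good=True,
-ip_reputation=0.95,
-dns_queries=['metrics.internal.company.com']
-)
-
-result_with_ctx = sentinel.analyze(connections, context=context)
-print(f"With context: is_c2={result_with_ctx.is_c2}, prob={result_with_ctx.c2_probability:.2f}")
-print(f"Context applied: {result_with_ctx.context_applied}")
-print()
-
-# =========================================================================
-# Whitelist and Blacklist Management
-# =========================================================================
-
-print("=" * 60)
-print("Whitelist and Blacklist")
-print("=" * 60)
-
-# Add trusted infrastructure to whitelist
-sentinel.add_whitelist(
-ips=['8.8.8.8', '1.1.1.1'],
-domains=['google.com', 'cloudflare.com']
-)
-
-# Add known malicious indicators to blacklist
-sentinel.add_blacklist(
-ips=['10.10.10.10'],
-domains=['malware.example.com']
-)
-
-# Test whitelisted IP
-dns_connections = []
-for i in range(10):
-dns_connections.append({
-'timestamp': timestamp + (i * 5),
-'dst_ip': '8.8.8.8',
-'dst_port': 53,
-'bytes_sent': 50,
-'bytes_recv': 200,
-})
-
-result = sentinel.analyze(dns_connections)
-print(f"Whitelisted DNS (8.8.8.8): is_c2={result.is_c2}")
-
-# Test blacklisted IP
-blacklist_connections = []
-for i in range(10):
-blacklist_connections.append({
-'timestamp': timestamp + (i * 60),
-'dst_ip': '10.10.10.10',
-'dst_port': 443,
-'bytes_sent': 200,
-'bytes_recv': 500,
-})
-
-result = sentinel.analyze(blacklist_connections)
-print(f"Blacklisted IP (10.10.10.10): is_c2={result.is_c2}, prob={result.c2_probability:.2f}")
-print()
-
-# =========================================================================
-# Batch Analysis
-# =========================================================================
-
-print("=" * 60)
-print("Batch Analysis")
-print("=" * 60)
-
-# Create multiple connection groups for batch processing
-connection_groups = []
-
-# Group 1: Normal web browsing (variable sizes, multiple destinations)
-web_group = []
-for i, dest in enumerate(['93.184.216.34', '151.101.1.140', '172.217.14.206']):
-for j in range(3):
-web_group.append({
-'timestamp': timestamp + (i * 10) + j,
-'dst_ip': dest,
-'dst_port': 443,
-'bytes_sent': 100 + (j * 50),
-'bytes_recv': 5000 + (j * 1000),
-})
-connection_groups.append(web_group)
-
-# Group 2: Potential C2 beacon
-beacon_group = []
-for i in range(10):
-beacon_group.append({
-'timestamp': timestamp + (i * 60),
-'dst_ip': '45.33.32.156',
-'dst_port': 8080,
-'bytes_sent': 200,
-'bytes_recv': 500,
-})
-connection_groups.append(beacon_group)
-
-# Group 3: Database connection pool
-db_group = []
-for i in range(15):
-db_group.append({
-'timestamp': timestamp + (i * 0.5),
-'dst_ip': '10.0.1.100',
-'dst_port': 5432,
-'bytes_sent': 100 + (i * 10),
-'bytes_recv': 2000 + (i * 500),
-})
-connection_groups.append(db_group)
-
-# Analyze all groups at once
-results = sentinel.analyze_batch(connection_groups)
-
-for i, result in enumerate(results):
-print(f"Group {i+1}: is_c2={result.is_c2}, prob={result.c2_probability:.2f}, "
-f"pattern={result.matched_legitimate_pattern or 'None'}")
-print()
-
-# =========================================================================
-# Reconnaissance Features
-# =========================================================================
-
-print("=" * 60)
-print("Reconnaissance Features")
-print("=" * 60)
-
-# IP Analysis
-print("\nIP Analysis:")
-ip_info = sentinel.recon.analyze_ip('104.16.132.229')
-print(f" IP: 104.16.132.229")
-print(f" Valid: {ip_info['is_valid']}")
-print(f" Private: {ip_info['is_private']}")
-print(f" CDN: {ip_info['is_cdn']}")
-if ip_info['cdn_provider']:
-print(f" CDN Provider: {ip_info['cdn_provider']}")
-
-# Connection Pattern Analysis
-print("\nConnection Pattern Analysis:")
-patterns = sentinel.recon.analyze_connection_patterns(beacon_group)
-print(f" Mean Interval: {patterns['timing']['mean_interval']:.2f}s")
-print(f" Interval CV: {patterns['timing']['interval_cv']:.4f}")
-print(f" Mean Bytes Sent: {patterns['volume']['mean_bytes_sent']:.0f}")
-print(f" Single Destination: {patterns['behavioral']['single_destination']}")
-
-# IOC Generation (only if C2 detected)
-print("\nIOC Generation:")
-beacon_result = sentinel.analyze(beacon_group)
-if beacon_result.is_c2:
-iocs = sentinel.recon.generate_iocs(beacon_group, beacon_result.to_dict())
-print(f" IPs: {iocs['ips']}")
-print(f" Ports: {iocs['ports']}")
-print(f" Timing Signature: {iocs['timing_signatures']}")
-print()
-
-# =========================================================================
-# Log File Parsing
-# =========================================================================
-
-print("=" * 60)
-print("Log File Parsing")
-print("=" * 60)
-
-# Example with JSON log format
-json_logs = [
-'{"timestamp": 1705600000, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}',
-'{"timestamp": 1705600060, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}',
-'{"timestamp": 1705600120, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}',
-'{"timestamp": 1705600180, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}',
-'{"timestamp": 1705600240, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}',
-]
-
-results = sentinel.analyze_logs(json_logs, group_by_dst=True)
-print(f"Analyzed {len(json_logs)} log lines")
-for dst, result in results.items():
-print(f" {dst}: is_c2={result.is_c2}, prob={result.c2_probability:.2f}")
-print()
-
-# =========================================================================
-# Result Object Details
-# =========================================================================
-
-print("=" * 60)
-print("Full Result Object")
-print("=" * 60)
-
-result = sentinel.analyze(beacon_group)
-result_dict = result.to_dict()
-
-for key, value in result_dict.items():
-if isinstance(value, list) and len(value) > 3:
-print(f" {key}: [{value[0]}, {value[1]}, ... ({len(value)} items)]")
-else:
-print(f" {key}: {value}")
-
-
-if __name__ == '__main__':
-main()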