Fix websocket pattern + improve beacon override logic to prevent false positives/negatives

c2sentinel.py

@@ -278,15 +278,15 @@ LEGITIMATE_PATTERNS = [
         description="Database connection with variable query responses"
     ),
     LegitimatePattern(
-        name="websocket_ping",
+        name="websocket_stream",
         service_type=ServiceType.API,
         ports=[80, 443, 8080],
-        min_packet_size=10,
+        min_packet_size=100,  # WebSocket frames are typically larger
         max_packet_size=100000,
-        symmetric_ratio=(0.001, 100.0),  # Can receive large data pushes
-        max_interval_cv=0.5,
-        max_size_cv=5.0,  # Large variance in push data
-        description="WebSocket connection with ping/pong and data pushes"
+        symmetric_ratio=(0.001, 0.3),  # Receives much more than sends (streaming)
+        max_interval_cv=1.5,  # Irregular timing (event-driven)
+        max_size_cv=2.0,  # High variance in response sizes (required)
+        description="WebSocket streaming connection with variable push data"
     ),
 ]
 
@@ -1712,14 +1712,29 @@ class C2Sentinel:
 
         # ================================================================
         # PHASE 5: Apply legitimate pattern discount
-        # High-confidence legitimate patterns should NOT be overridden by beacon indicators
+        # Balance between legitimate patterns and beacon indicators
         # ================================================================
 
+        # Check if we have a very strong beacon signal that should override patterns
+        very_strong_beacon = False
+        if beacon_indicators >= 5:
+            very_strong_beacon = True
+        elif beacon_indicators >= 4:
+            # Check if timing and size CVs are extremely low (strong C2 signature)
+            if len(connections) >= 5:
+                timestamps = sorted([c.get('timestamp', 0) for c in connections])
+                if len(timestamps) > 1:
+                    intervals = np.diff(timestamps)
+                    interval_cv = np.std(intervals) / (np.mean(intervals) + 1e-6)
+                    if interval_cv < 0.1 and recv_cv < 0.1:
+                        very_strong_beacon = True
+
         if matched_pattern and pattern_confidence > 0.5:
-            # High-confidence legitimate patterns (> 0.75) always get full discount
-            # This prevents false positives on known good traffic
-            if pattern_confidence >= 0.75:
-                # Strong legitimate pattern match - apply full discount regardless of beacon indicators
+            # Very strong beacon signals override legitimate patterns (except SSH on port 22)
+            if very_strong_beacon and matched_pattern.name != 'ssh_keepalive':
+                result.mitigating_factors.append(f"{matched_pattern.name} pattern overridden by very strong beacon signal")
+            elif pattern_confidence >= 0.75 and not very_strong_beacon:
+                # Strong legitimate pattern without strong beacon - apply full discount
                 discount = 1.0 - (pattern_confidence * 0.8)  # Up to 80% reduction
                 c2_prob *= discount
                 result.mitigating_factors.append(f"Strong {matched_pattern.name} pattern match (conf: {pattern_confidence:.0%})")