Upload folder using huggingface_hub

app.py

@@ -21,6 +21,7 @@ sentinel = C2Sentinel.load('c2_sentinel')
 
 # Example connection data
 EXAMPLES = {
+    "-- Select Example --": "",
     "C2 Beacon (60s intervals)": json.dumps([
         {"timestamp": 1705600000, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
         {"timestamp": 1705600060, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
@@ -31,15 +32,13 @@ EXAMPLES = {
         {"timestamp": 1705600360, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
         {"timestamp": 1705600420, "dst_ip": "45.33.32.156", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
     ], indent=2),
-
-    "Metasploit Default Port": json.dumps([
+    "Metasploit Port 4444": json.dumps([
         {"timestamp": 1705600000, "dst_ip": "10.10.10.10", "dst_port": 4444, "bytes_sent": 150, "bytes_recv": 300},
         {"timestamp": 1705600030, "dst_ip": "10.10.10.10", "dst_port": 4444, "bytes_sent": 150, "bytes_recv": 300},
         {"timestamp": 1705600060, "dst_ip": "10.10.10.10", "dst_port": 4444, "bytes_sent": 150, "bytes_recv": 300},
         {"timestamp": 1705600090, "dst_ip": "10.10.10.10", "dst_port": 4444, "bytes_sent": 150, "bytes_recv": 300},
         {"timestamp": 1705600120, "dst_ip": "10.10.10.10", "dst_port": 4444, "bytes_sent": 150, "bytes_recv": 300},
     ], indent=2),
-
     "SSH Keepalive (Legitimate)": json.dumps([
         {"timestamp": 1705600000, "dst_ip": "192.168.1.10", "dst_port": 22, "bytes_sent": 48, "bytes_recv": 48},
         {"timestamp": 1705600030, "dst_ip": "192.168.1.10", "dst_port": 22, "bytes_sent": 48, "bytes_recv": 48},
@@ -48,7 +47,6 @@ EXAMPLES = {
         {"timestamp": 1705600120, "dst_ip": "192.168.1.10", "dst_port": 22, "bytes_sent": 48, "bytes_recv": 48},
         {"timestamp": 1705600150, "dst_ip": "192.168.1.10", "dst_port": 22, "bytes_sent": 48, "bytes_recv": 48},
     ], indent=2),
-
     "Web Browsing (Legitimate)": json.dumps([
         {"timestamp": 1705600000, "dst_ip": "93.184.216.34", "dst_port": 443, "bytes_sent": 500, "bytes_recv": 15000},
         {"timestamp": 1705600002, "dst_ip": "93.184.216.34", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 8000},
@@ -56,23 +54,13 @@ EXAMPLES = {
         {"timestamp": 1705600015, "dst_ip": "172.217.14.206", "dst_port": 443, "bytes_sent": 300, "bytes_recv": 12000},
         {"timestamp": 1705600025, "dst_ip": "151.101.1.140", "dst_port": 443, "bytes_sent": 150, "bytes_recv": 5000},
     ], indent=2),
-
-    "Slow Beacon (5 min intervals)": json.dumps([
+    "Slow Beacon (5 min)": json.dumps([
         {"timestamp": 1705600000, "dst_ip": "203.0.113.50", "dst_port": 8080, "bytes_sent": 256, "bytes_recv": 512},
         {"timestamp": 1705600300, "dst_ip": "203.0.113.50", "dst_port": 8080, "bytes_sent": 256, "bytes_recv": 512},
         {"timestamp": 1705600600, "dst_ip": "203.0.113.50", "dst_port": 8080, "bytes_sent": 256, "bytes_recv": 512},
         {"timestamp": 1705600900, "dst_ip": "203.0.113.50", "dst_port": 8080, "bytes_sent": 256, "bytes_recv": 512},
         {"timestamp": 1705601200, "dst_ip": "203.0.113.50", "dst_port": 8080, "bytes_sent": 256, "bytes_recv": 512},
     ], indent=2),
-
-    "DNS Tunnel C2": json.dumps([
-        {"timestamp": 1705600000, "dst_ip": "198.51.100.53", "dst_port": 53, "bytes_sent": 64, "bytes_recv": 512},
-        {"timestamp": 1705600005, "dst_ip": "198.51.100.53", "dst_port": 53, "bytes_sent": 64, "bytes_recv": 512},
-        {"timestamp": 1705600010, "dst_ip": "198.51.100.53", "dst_port": 53, "bytes_sent": 64, "bytes_recv": 512},
-        {"timestamp": 1705600015, "dst_ip": "198.51.100.53", "dst_port": 53, "bytes_sent": 64, "bytes_recv": 512},
-        {"timestamp": 1705600020, "dst_ip": "198.51.100.53", "dst_port": 53, "bytes_sent": 64, "bytes_recv": 512},
-        {"timestamp": 1705600025, "dst_ip": "198.51.100.53", "dst_port": 53, "bytes_sent": 64, "bytes_recv": 512},
-    ], indent=2),
 }
 
 
@@ -86,7 +74,6 @@ def parse_log_file(file_content: str) -> list:
         if not line or line.startswith('#'):
             continue
 
-        # Try JSON format
         try:
             record = json.loads(line)
             if 'dst_ip' in record or 'id.resp_h' in record:
@@ -103,7 +90,6 @@ def parse_log_file(file_content: str) -> list:
         except (json.JSONDecodeError, ValueError):
             pass
 
-        # Try Zeek tab-separated format
         parts = line.split('\t')
         if len(parts) >= 10:
             try:
@@ -115,7 +101,6 @@ def parse_log_file(file_content: str) -> list:
                     'bytes_recv': int(parts[10] if len(parts) > 10 and parts[10] != '-' else 0),
                 }
                 connections.append(conn)
-                continue
             except (ValueError, IndexError):
                 pass
 
@@ -128,127 +113,86 @@ def analyze_connections(
     threshold: float,
     strict_mode: bool,
     whitelist_ips: str,
-    whitelist_domains: str,
-    blacklist_ips: str,
-    blacklist_domains: str
-) -> tuple:
+    blacklist_ips: str
+) -> str:
     """Analyze connection data and return results."""
     try:
-        # Reset whitelist/blacklist for this analysis
+        # Reset whitelist/blacklist
         sentinel.whitelist_ips = set()
         sentinel.whitelist_domains = set()
         sentinel.blacklist_ips = set()
         sentinel.blacklist_domains = set()
 
         # Apply whitelist
-        if whitelist_ips.strip():
+        if whitelist_ips and whitelist_ips.strip():
             ips = [ip.strip() for ip in whitelist_ips.split(',') if ip.strip()]
             sentinel.add_whitelist(ips=ips)
-        if whitelist_domains.strip():
-            domains = [d.strip() for d in whitelist_domains.split(',') if d.strip()]
-            sentinel.add_whitelist(domains=domains)
 
         # Apply blacklist
-        if blacklist_ips.strip():
+        if blacklist_ips and blacklist_ips.strip():
             ips = [ip.strip() for ip in blacklist_ips.split(',') if ip.strip()]
             sentinel.add_blacklist(ips=ips)
-        if blacklist_domains.strip():
-            domains = [d.strip() for d in blacklist_domains.split(',') if d.strip()]
-            sentinel.add_blacklist(domains=domains)
 
-        # Get connections from file upload or text input
+        # Get connections
         connections = []
 
         if uploaded_file is not None:
             file_content = uploaded_file.decode('utf-8') if isinstance(uploaded_file, bytes) else open(uploaded_file, 'r').read()
             connections = parse_log_file(file_content)
             if not connections:
-                # Try as JSON array
                 try:
                     connections = json.loads(file_content)
                 except:
                     pass
 
-        if not connections and connection_json.strip():
+        if not connections and connection_json and connection_json.strip():
             connections = json.loads(connection_json)
 
         if not isinstance(connections, list):
-            return "Error: Input must be a JSON array of connection objects", "", "", ""
+            return "## Error\nInput must be a JSON array of connection objects"
 
         if len(connections) < 3:
-            return "Error: Need at least 3 connections for analysis", "", "", ""
+            return "## Error\nNeed at least 3 connections for analysis"
 
         # Run analysis
         result = sentinel.analyze(connections, threshold=threshold, strict_mode=strict_mode)
 
-        # Format primary result
+        # Format result
         if result.is_c2:
-            verdict = f"**C2 DETECTED:** {result.c2_type}"
+            output = f"## 🚨 C2 DETECTED: {result.c2_type}\n\n"
         else:
-            verdict = "**No C2 Detected**"
+            output = "## ✅ No C2 Detected\n\n"
 
-        primary = f"""## {verdict}
-
-| Metric | Value |
-|--------|-------|
-| Probability | {result.c2_probability:.1%} |
-| Confidence | {result.confidence:.1%} |
-| Detection Method | {result.detection_method} |
-| Connections Analyzed | {len(connections)} |
-"""
+        output += f"| Metric | Value |\n|--------|-------|\n"
+        output += f"| Probability | {result.c2_probability:.1%} |\n"
+        output += f"| Confidence | {result.confidence:.1%} |\n"
+        output += f"| Detection Method | {result.detection_method} |\n"
+        output += f"| Connections | {len(connections)} |\n"
 
         if result.matched_legitimate_pattern:
-            primary += f"| Matched Pattern | {result.matched_legitimate_pattern} |\n"
-        if result.service_type:
-            primary += f"| Service Type | {result.service_type} |\n"
-        if result.immediate_detection:
-            primary += "| Immediate Detection | Yes (signature match) |\n"
-
-        # Format risk factors
-        risk_text = ""
+            output += f"| Matched Pattern | {result.matched_legitimate_pattern} |\n"
+
         if result.risk_factors:
-            risk_text = "### Risk Factors\n\n"
-            for factor in result.risk_factors:
-                risk_text += f"- {factor}\n"
+            output += "\n### Risk Factors\n"
+            for f in result.risk_factors[:5]:
+                output += f"- {f}\n"
 
         if result.mitigating_factors:
-            risk_text += "\n### Mitigating Factors\n\n"
-            for factor in result.mitigating_factors:
-                risk_text += f"- {factor}\n"
+            output += "\n### Mitigating Factors\n"
+            for f in result.mitigating_factors[:5]:
+                output += f"- {f}\n"
 
-        # Format recommendations
-        rec_text = ""
         if result.recommendations:
-            rec_text = "### Recommendations\n\n"
-            for rec in result.recommendations:
-                rec_text += f"- {rec}\n"
-
-        # Connection stats
-        stats_text = "### Connection Statistics\n\n"
-        if connections:
-            dst_ips = set(c.get('dst_ip', '') for c in connections)
-            dst_ports = set(c.get('dst_port', 0) for c in connections)
-            total_sent = sum(c.get('bytes_sent', 0) for c in connections)
-            total_recv = sum(c.get('bytes_recv', 0) for c in connections)
-
-            stats_text += f"| Stat | Value |\n|------|-------|\n"
-            stats_text += f"| Unique Destinations | {len(dst_ips)} |\n"
-            stats_text += f"| Unique Ports | {len(dst_ports)} |\n"
-            stats_text += f"| Total Bytes Sent | {total_sent:,} |\n"
-            stats_text += f"| Total Bytes Received | {total_recv:,} |\n"
-
-            if len(connections) > 1:
-                timestamps = sorted(c.get('timestamp', 0) for c in connections)
-                intervals = [timestamps[i+1] - timestamps[i] for i in range(len(timestamps)-1)]
-                avg_interval = sum(intervals) / len(intervals)
-                stats_text += f"| Avg Interval | {avg_interval:.1f}s |\n"
-
-        return primary, risk_text, rec_text, stats_text
+            output += "\n### Recommendations\n"
+            for r in result.recommendations[:3]:
+                output += f"- {r}\n"
+
+        return output
 
     except json.JSONDecodeError as e:
-        return f"Error: Invalid JSON - {str(e)}", "", "", ""
+        return f"## Error\nInvalid JSON: {str(e)}"
     except Exception as e:
-        return f"Error: {str(e)}", "", "", ""
+        return f"## Error\n{str(e)}"
 
 
 def load_example(example_name: str) -> str:
@@ -256,141 +200,57 @@ def load_example(example_name: str) -> str:
     return EXAMPLES.get(example_name, "")
 
 
-# Build the interface
+# Build interface
 with gr.Blocks(title="C2Sentinel", theme=gr.themes.Soft()) as demo:
     gr.Markdown("""
-# C2Sentinel
+# C2Sentinel - C2 Beacon Detection
 
-**Command and Control Beacon Detection**
+Analyze network connections for Command and Control beacon activity.
 
-Analyze network connection patterns to detect C2 beacon activity using behavioral analysis.
-The model identifies C2 communications on any port by analyzing timing patterns, packet sizes, and traffic symmetry.
-
-[Model Repository](https://huggingface.co/danielostrow/c2sentinel) | [API Documentation](https://huggingface.co/danielostrow/c2sentinel/blob/main/API_REFERENCE.md) | [neuralintellect.com](https://neuralintellect.com)
+[Model](https://huggingface.co/danielostrow/c2sentinel) | [Docs](https://huggingface.co/danielostrow/c2sentinel/blob/main/API_REFERENCE.md) | [neuralintellect.com](https://neuralintellect.com)
     """)
 
-    with gr.Tabs():
-        with gr.TabItem("Analyze"):
-            with gr.Row():
-                with gr.Column(scale=1):
-                    gr.Markdown("### Input")
-
-                    example_dropdown = gr.Dropdown(
-                        choices=list(EXAMPLES.keys()),
-                        label="Load Example",
-                        value=None
-                    )
-
-                    connection_input = gr.Textbox(
-                        label="Connection Data (JSON)",
-                        placeholder='[\n  {"timestamp": 1000000, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},\n  ...\n]',
-                        lines=12
-                    )
-
-                    file_upload = gr.File(
-                        label="Or Upload Log File (JSON, Zeek conn.log)",
-                        file_types=[".json", ".log", ".txt"],
-                        type="binary"
-                    )
-
-                    gr.Markdown("### Detection Settings")
-
-                    threshold = gr.Slider(
-                        minimum=0.1,
-                        maximum=0.9,
-                        value=0.5,
-                        step=0.05,
-                        label="Detection Threshold",
-                        info="Lower = more sensitive, Higher = fewer false positives"
-                    )
-
-                    strict_mode = gr.Checkbox(
-                        label="Strict Mode",
-                        value=False,
-                        info="Enforce minimum 0.7 threshold for high-confidence detections only"
-                    )
-
-                    analyze_btn = gr.Button("Analyze", variant="primary", size="lg")
-
-                with gr.Column(scale=1):
-                    gr.Markdown("### Results")
-                    result_primary = gr.Markdown()
-                    result_stats = gr.Markdown()
-                    result_risks = gr.Markdown()
-                    result_recommendations = gr.Markdown()
-
-        with gr.TabItem("Whitelist / Blacklist"):
-            gr.Markdown("""
-### Configure Trusted and Blocked Indicators
-
-Add IPs and domains to customize detection behavior. Separate multiple entries with commas.
-            """)
+    with gr.Row():
+        with gr.Column():
+            example_dropdown = gr.Dropdown(
+                choices=list(EXAMPLES.keys()),
+                value="-- Select Example --",
+                label="Load Example"
+            )
+
+            connection_input = gr.Textbox(
+                label="Connection Data (JSON)",
+                placeholder='[{"timestamp": 1000000, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}, ...]',
+                lines=10
+            )
+
+            file_upload = gr.File(
+                label="Or Upload Log File",
+                file_types=[".json", ".log", ".txt"],
+                type="binary"
+            )
 
             with gr.Row():
-                with gr.Column():
-                    gr.Markdown("#### Whitelist (Trusted)")
-                    whitelist_ips = gr.Textbox(
-                        label="Trusted IPs",
-                        placeholder="8.8.8.8, 1.1.1.1, 192.168.1.0/24",
-                        lines=2
-                    )
-                    whitelist_domains = gr.Textbox(
-                        label="Trusted Domains",
-                        placeholder="google.com, microsoft.com, github.com",
-                        lines=2
-                    )
-
-                with gr.Column():
-                    gr.Markdown("#### Blacklist (Suspicious)")
-                    blacklist_ips = gr.Textbox(
-                        label="Blocked IPs",
-                        placeholder="10.10.10.10, 45.33.32.156",
-                        lines=2
-                    )
-                    blacklist_domains = gr.Textbox(
-                        label="Blocked Domains",
-                        placeholder="malware.example.com, c2server.bad",
-                        lines=2
-                    )
-
-            gr.Markdown("""
-**Note:** Whitelist/blacklist settings apply to the current analysis only.
-- Whitelisted IPs will reduce C2 probability
-- Blacklisted IPs will increase C2 probability
-            """)
-
-        with gr.TabItem("Log Format"):
-            gr.Markdown("""
-### Supported Log Formats
-
-#### JSON Array
-```json
-[
-  {"timestamp": 1705600000, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500},
-  {"timestamp": 1705600060, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}
-]
-```
-
-#### JSON Lines (NDJSON)
-```
-{"timestamp": 1705600000, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}
-{"timestamp": 1705600060, "dst_ip": "10.0.0.1", "dst_port": 443, "bytes_sent": 200, "bytes_recv": 500}
-```
-
-#### Zeek conn.log Format
-The parser also supports Zeek/Bro conn.log tab-separated format with fields:
-`ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto, service, duration, orig_bytes, resp_bytes, ...`
-
-### Required Fields
-
-| Field | Type | Description |
-|-------|------|-------------|
-| `timestamp` | float | Unix timestamp |
-| `dst_ip` | string | Destination IP address |
-| `dst_port` | int | Destination port |
-| `bytes_sent` | int | Bytes sent |
-| `bytes_recv` | int | Bytes received |
-            """)
+                threshold = gr.Slider(
+                    minimum=0.1, maximum=0.9, value=0.5, step=0.1,
+                    label="Threshold (lower=sensitive)"
+                )
+                strict_mode = gr.Checkbox(label="Strict Mode", value=False)
+
+            with gr.Accordion("Whitelist / Blacklist", open=False):
+                whitelist_ips = gr.Textbox(
+                    label="Whitelist IPs (comma-separated)",
+                    placeholder="8.8.8.8, 1.1.1.1"
+                )
+                blacklist_ips = gr.Textbox(
+                    label="Blacklist IPs (comma-separated)",
+                    placeholder="10.10.10.10"
+                )
+
+            analyze_btn = gr.Button("Analyze", variant="primary")
+
+        with gr.Column():
+            result_output = gr.Markdown(label="Results")
 
     # Event handlers
     example_dropdown.change(
@@ -401,24 +261,17 @@ The parser also supports Zeek/Bro conn.log tab-separated format with fields:
 
     analyze_btn.click(
         fn=analyze_connections,
-        inputs=[
-            connection_input,
-            file_upload,
-            threshold,
-            strict_mode,
-            whitelist_ips,
-            whitelist_domains,
-            blacklist_ips,
-            blacklist_domains
-        ],
-        outputs=[result_primary, result_risks, result_recommendations, result_stats]
+        inputs=[connection_input, file_upload, threshold, strict_mode, whitelist_ips, blacklist_ips],
+        outputs=[result_output]
     )
 
     gr.Markdown("""
 ---
-**Author:** Daniel Ostrow | [neuralintellect.com](https://neuralintellect.com) | Built on [LogBERT](https://arxiv.org/abs/2103.04475)
+**Format:** `[{"timestamp": float, "dst_ip": "x.x.x.x", "dst_port": int, "bytes_sent": int, "bytes_recv": int}, ...]`
+
+Built on [LogBERT](https://arxiv.org/abs/2103.04475) | Author: Daniel Ostrow
     """)
 
 
 if __name__ == "__main__":
-    demo.launch()
+    demo.launch(server_name="0.0.0.0", server_port=7860)