Spaces:

princemaxp
/

CySecGuardians

Running

App Files Files Community

princemaxp committed on Jan 8

Commit

734dc8c

verified ·

1 Parent(s): a09e64c

Update scoring_engine.py

Browse files

Files changed (1) hide show

scoring_engine.py +68 -101

scoring_engine.py CHANGED Viewed

@@ -1,115 +1,82 @@
 # scoring_engine.py
 def compute_final_score(
     header_score,
     body_score,
     url_score,
     attachment_score,
     header_findings,
     body_findings,
     url_findings,
     attachment_findings,
     auth_results,
 ):
     """Derive a final risk score, verdict and reasoning from analyzer output.

     Correlation rules are evaluated first; each rule that fires raises the
     score to at least its own floor (the highest floor wins) and records one
     reasoning line. If no rule fires, the message is either classified as
     benign (score 5) or scored from a weighted sum of the four input scores.

     Args:
         header_score, body_score, url_score, attachment_score: Numeric
             scores produced by the individual analyzers.
         header_findings, body_findings, url_findings, attachment_findings:
             Iterables of finding descriptions. They are matched as
             lower-cased text; ``None`` is treated as "no findings".
         auth_results: Authentication results. A dict is flattened to
             ``"key value"`` pairs so that ``{"spf": "fail"}`` matches the
             ``"spf fail"`` rule; any other object is matched through its
             ``str()`` form; ``None`` is treated as "no results".

     Returns:
         A ``(final_score, verdict, reasoning)`` tuple where ``final_score``
         is a number capped at 100 by the fallback path, ``verdict`` is one
         of the four verdict strings, and ``reasoning`` is a list of strings.
     """

     def _flatten(findings):
         # Coerce every item to str so a stray non-string finding (or a
         # missing list) cannot make the join raise.
         return " ".join(str(item) for item in (findings or [])).lower()

     reasoning = []
     score = 0

     hf = _flatten(header_findings)
     bf = _flatten(body_findings)
     # URL and attachment findings are accepted for interface compatibility;
     # none of the rules below inspect their text.
     _flatten(url_findings)
     _flatten(attachment_findings)

     if isinstance(auth_results, dict):
         # str(dict) renders as "{'spf': 'fail'}", which can never contain
         # "spf fail"; flatten to "spf fail dkim pass ..." instead.
         auth = " ".join(f"{key} {value}" for key, value in auth_results.items()).lower()
     elif auth_results is None:
         auth = ""
     else:
         auth = str(auth_results).lower()

     # =========================
     # CRITICAL CORRELATIONS
     # =========================

     # 1. Malware attachment
     if attachment_score >= 40:
         score = max(score, 90)
         reasoning.append("High-risk attachment detected")

     # 2. Brand spoof + auth failure
     if "brand" in hf and ("spf fail" in auth or "dkim fail" in auth):
         score = max(score, 85)
         reasoning.append("Brand spoofing combined with authentication failure")

     # 3. URL phishing + credential language
     if url_score >= 30 and any(k in bf for k in ("password", "login", "verify")):
         score = max(score, 80)
         reasoning.append("Credential harvesting attempt detected")

     # 4. BEC pattern: mismatched reply-to with no URL or attachment payload
     if (
         "reply-to domain mismatch" in hf
         and url_score == 0
         and attachment_score == 0
     ):
         score = max(score, 75)
         reasoning.append("Business Email Compromise pattern detected")

     # =========================
     # MEDIUM RISK CORRELATIONS
     # =========================

     # 5. New domain + urgency
     if "very new" in hf and "urgent" in bf:
         score = max(score, 65)
         reasoning.append("New sender domain combined with urgency")

     # 6. Auth soft fail + suspicious wording
     if any(x in auth for x in ("softfail", "neutral")) and body_score >= 30:
         score = max(score, 60)
         reasoning.append("Authentication weakness combined with suspicious content")

     # =========================
     # LOW RISK / BENIGN
     # =========================
     if (
         score == 0
         and header_score < 10
         and body_score < 20
         and url_score == 0
         and attachment_score == 0
     ):
         score = 5
         reasoning.append("No meaningful threat signals detected")

     # =========================
     # FALLBACK SCORE
     # =========================
     # Only reached when no correlation rule fired and the benign shortcut
     # did not apply.
     if score == 0:
         score = min(
             int(
                 header_score * 0.8
                 + body_score * 0.9
                 + url_score * 1.1
                 + attachment_score * 1.2
             ),
             100,
         )
         reasoning.append("Score derived from weighted indicators")

     # =========================
     # VERDICT
     # =========================
     if score >= 80:
         verdict = "🚨 Malicious"
     elif score >= 60:
         verdict = "⚠️ Suspicious"
     elif score >= 30:
         verdict = "📩 Spam"
     else:
         verdict = "✅ Safe"

     return score, verdict, reasoning

 # scoring_engine.py
 def compute_final_score(
     *,
     header_score: int,
     body_score: int,
     url_score: int,
     attachment_score: int,
     behavior_score: int,
     header_findings: list,
     body_findings: list,
     url_findings: list,
     attachment_findings: list,
     behavior_findings: list,
     auth_results: dict,
 ) -> tuple:
     """Correlation-based scoring engine (Phase 4.2).

     The final score is a weighted sum of the five analyzer scores, raised by
     fixed bonuses for authentication failures and for correlated signals,
     then truncated to an integer and clamped to the range 0-100.

     Args:
         header_score, body_score, url_score, attachment_score,
         behavior_score: Numeric scores from the individual analyzers.
             Behavior carries the highest weight (0.30).
         header_findings, body_findings, url_findings, attachment_findings,
         behavior_findings: Accepted for interface compatibility; the
             scoring below does not read them.
         auth_results: Mapping with optional ``"dmarc"`` and ``"spf"``
             entries. A value equal to ``"fail"`` (ignoring case and
             surrounding whitespace) adds risk. ``None`` or an object
             without ``get`` is treated as "no authentication results".

     Returns:
         A ``(final_score, verdict, reasoning)`` tuple: an ``int`` in
         0-100, one of the three verdict strings, and a list of
         human-readable reasoning lines in evaluation order.
     """

     def _auth_failed(mechanism):
         # Tolerate a missing or non-mapping auth_results, and compare
         # case-insensitively so "FAIL" / "Fail" are not silently ignored.
         lookup = getattr(auth_results, "get", None)
         if not callable(lookup):
             return False
         return str(lookup(mechanism, "")).strip().lower() == "fail"

     reasoning = []

     # -------------------------
     # BASE SCORE
     # -------------------------
     # Each contribution is computed once so the reported value can never
     # drift from the value actually added to the score.
     header_part = header_score * 0.20
     body_part = body_score * 0.25
     behavior_part = behavior_score * 0.30  # highest weight
     url_part = url_score * 0.15
     attachment_part = attachment_score * 0.10

     final_score = header_part + body_part + behavior_part + url_part + attachment_part

     reasoning.append(f"Header score contribution: {header_part:.1f}")
     reasoning.append(f"Body score contribution: {body_part:.1f}")
     reasoning.append(f"Behavior score contribution: {behavior_part:.1f}")
     reasoning.append(f"URL score contribution: {url_part:.1f}")
     reasoning.append(f"Attachment score contribution: {attachment_part:.1f}")

     # -------------------------
     # AUTH OVERRIDES
     # -------------------------
     if _auth_failed("dmarc"):
         final_score += 10
         reasoning.append("DMARC failed → +10 risk")

     if _auth_failed("spf"):
         final_score += 5
         reasoning.append("SPF failed → +5 risk")

     # -------------------------
     # CORRELATION RULES
     # -------------------------
     if behavior_score >= 40 and header_score >= 20:
         final_score += 10
         reasoning.append("Behavior + Header correlation → +10")

     if behavior_score >= 40 and url_score > 0:
         final_score += 10
         reasoning.append("Behavior + URL correlation → +10")

     if behavior_score >= 50:
         final_score += 15
         reasoning.append("High-confidence behavioral attack → +15")

     # -------------------------
     # CLAMP SCORE
     # -------------------------
     # int() truncates toward zero; bound both ends so negative inputs
     # cannot yield a negative final score.
     final_score = max(0, min(int(final_score), 100))

     # -------------------------
     # VERDICT
     # -------------------------
     if final_score >= 70:
         verdict = "🚨 Malicious"
     elif final_score >= 40:
         verdict = "⚠️ Suspicious"
     else:
         verdict = "✅ Safe"

     return final_score, verdict, reasoning