Update analyze_email_main.py

analyze_email_main.py

@@ -1,6 +1,6 @@
 # analyze_email_main.py
 
-import time  # ⏱️ NEW
+import time
 
 from parse_email import parse_email
 from header_analyzer import analyze_headers
@@ -8,14 +8,15 @@ from body_analyzer import analyze_body
 from url_analyzer import analyze_urls
 from attachment_analyzer import analyze_attachments
 from scoring_engine import compute_final_score
-from attack_classifier import classify_attack
+from behavioral_analyzer import analyze_behavior, behavioral_summary
 
 
+# =========================
+# MAIN ANALYSIS FUNCTION
+# =========================
+
 def analyze(file_path):
-    # =========================
-    # ⏱️ START TIMER
-    # =========================
-    start_time = time.perf_counter()
+    start_time = time.time()
 
     # =========================
     # 📥 PARSE EMAIL
@@ -26,43 +27,46 @@ def analyze(file_path):
     # 🧠 ANALYZERS
     # =========================
 
-    header_findings, header_score, auth_summary = analyze_headers(headers, body)
+    # Header analysis (auth, spoofing, BEC signals)
+    header_findings, header_score, auth_summary = analyze_headers(headers)
 
+    # Body heuristic / NLP analysis
     body_findings, body_score, highlighted_body, body_verdict = analyze_body(
         subject, body, urls, images
     )
 
+    # URL analysis
     url_findings, url_score = analyze_urls(urls)
 
+    # Attachment analysis
     attachment_findings, attachment_score, attachment_hashes = analyze_attachments(
         attachments
     )
 
     # =========================
-    # 🧮 CORRELATION-BASED SCORING
+    # 🧠 BEHAVIORAL ANALYSIS (PHASE 4.3 – CORE FIX)
     # =========================
-    final_score, verdict, scoring_reasoning = compute_final_score(
+    behavior_result = analyze_behavior(body)
+    behavior_score = behavior_result["confidence_score"]
+    behavior_attack = behavior_result["dominant_attack"]
+    behavior_verdict = behavior_result["verdict"]
+    behavior_text = behavioral_summary(behavior_result)
+
+    # =========================
+    # 🧮 FINAL CORRELATION SCORING
+    # =========================
+    final_score, verdict, reasoning = compute_final_score(
         header_score=header_score,
         body_score=body_score,
         url_score=url_score,
         attachment_score=attachment_score,
+        behavior_score=behavior_score,  # 🔥 NEW
         header_findings=header_findings,
         body_findings=body_findings,
         url_findings=url_findings,
         attachment_findings=attachment_findings,
         auth_results=auth_summary,
-    )
-
-    # =========================
-    # 🎯 ATTACK CLASSIFICATION
-    # =========================
-    attack_type, attack_confidence, attack_reasoning = classify_attack(
-        final_score=final_score,
-        header_findings=header_findings,
-        body_findings=body_findings,
-        url_findings=url_findings,
-        attachment_findings=attachment_findings,
-        auth_results=auth_summary,
+        behavior_result=behavior_result,  # 🔥 NEW
     )
 
     # =========================
@@ -75,13 +79,13 @@ def analyze(file_path):
     ):
         fl = finding.lower()
 
-        if "attachment" in fl or "macro" in fl or "html attachment" in fl:
+        if "attachment" in fl or "macro" in fl or "html" in fl:
             tags.add("Malicious Attachment")
 
-        if "reply-to" in fl or "business email compromise" in fl or "bec" in fl:
+        if "reply-to" in fl or "bec" in fl:
             tags.add("BEC Indicator")
 
-        if "url" in fl or "phishing" in fl or "urlhaus" in fl:
+        if "url" in fl or "phishing" in fl:
             tags.add("Malicious / Phishing URL")
 
         if "spf" in fl or "dkim" in fl or "dmarc" in fl:
@@ -90,27 +94,28 @@ def analyze(file_path):
         if "brand" in fl or "look-alike" in fl:
             tags.add("Brand Spoofing")
 
-        if "urgent" in fl or "immediately" in fl or "action required" in fl:
+        if "urgent" in fl or "immediately" in fl:
             tags.add("Urgency / Social Engineering")
 
-        if "spam" in fl or "marketing" in fl or "unsubscribe" in fl:
-            tags.add("Spam Content")
+    # Behavioral tags (VERY IMPORTANT)
+    if behavior_attack != "None":
+        tags.add(behavior_attack.upper())
+        tags.add("Behavioral Threat")
 
     # =========================
-    # ⏱️ STOP TIMER
+    # ⏱ PROCESSING TIME
     # =========================
-    end_time = time.perf_counter()
-    processing_time = round(end_time - start_time, 3)  # seconds
+    processing_time = round(time.time() - start_time, 2)
 
     # =========================
     # 📊 SUMMARY OUTPUT
     # =========================
     summary = {
         "Final Verdict": verdict,
-        "Attack Type": attack_type,
-        "Attack Confidence": attack_confidence,
-        "Attack Score": final_score,
-        "Processing Time": f"{processing_time} seconds",  # ⏱️ NEW
+        "Attack Type": behavior_attack if behavior_attack != "None" else "Undetermined",
+        "Attack Score": f"{final_score}/100",
+        "Behavior Confidence": f"{behavior_score}/100",
+        "Processing Time": f"{processing_time} seconds",
         "Main Tags": ", ".join(sorted(tags)) if tags else "No special tags",
     }
 
@@ -125,8 +130,9 @@ def analyze(file_path):
         "Attachment Hashes": attachment_hashes,
         "Highlighted Body": highlighted_body,
         "Auth Results": auth_summary,
-        "Scoring Reasoning": scoring_reasoning,
-        "Attack Classification Reasoning": attack_reasoning,
+        "Behavioral Analysis": behavior_result,
+        "Behavioral Summary": behavior_text,
+        "Scoring Reasoning": reasoning,
     }
 
     return summary, details
@@ -149,4 +155,4 @@ if __name__ == "__main__":
             for item in v:
                 print(f"  - {item}")
         else:
-            print(f"  {v}")
+            print(v)