Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Updated Beacon Scoring #742

Merged
merged 5 commits into from
Jul 28, 2022
Merged

Updated Beacon Scoring #742

merged 5 commits into from
Jul 28, 2022

Conversation

lisaSW
Copy link
Contributor

@lisaSW lisaSW commented Jul 19, 2022

Updates to beacon scoring metrics per testing against simulated c2 data and gathered false positives.
Closes #736

@lisaSW lisaSW requested review from Zalgo2462 and ethack July 19, 2022 19:43
@joelillo
Copy link
Contributor

Approved

Zalgo2462
Zalgo2462 suggested changes Jul 19, 2022
View reviewed changes
Copy link
Contributor

@Zalgo2462 Zalgo2462 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In this first review, I'm just looking over the code and documentation.
Everything looks solid 🎉. I'm really excited to see the new results.

Once we go through this first round of changes, we'll want to copy the changes into the other beaconing packages.

I have a few small change requests:

Bug fix changes:

  • Add 1 to total in the createBuckets function to fix an off-by-one error where we end up with one less bucket than we'd like

Code maintenance changes:

  • Move the rounding code into its own function in the util package
  • Split the freqCount calculation out of createHistogram and into its own function
  • Avoid calculating total in createHistogram by calling len(tsList)

Documentation Changes:

  • Add documentation to getTsHistogramScore
  • Change/ remove the comment in getTsHistogramScore which references a 24 hour observation period
  • Add comments to freqList and freqCount

Personal request:

  • Add Top Intvl back into the show-beacons and report-beacons code

commands/show-beacons.go Outdated Show resolved Hide resolved
pkg/beacon/analyzer.go Show resolved Hide resolved
pkg/beacon/analyzer.go Show resolved Hide resolved
pkg/beacon/analyzer.go Show resolved Hide resolved
pkg/beacon/analyzer.go Show resolved Hide resolved
pkg/beacon/analyzer.go Show resolved Hide resolved
pkg/beacon/analyzer.go Outdated Show resolved Hide resolved
pkg/beacon/analyzer.go Show resolved Hide resolved
pkg/beacon/analyzer.go
}
}

freqMean := float64(total) / float64(len(freqList))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I believe we can avoid calculating total by calling len(tsList).

pkg/beacon/analyzer.go Outdated Show resolved Hide resolved
Zalgo2462
Zalgo2462 approved these changes Jul 28, 2022
View reviewed changes
Copy link
Contributor

@Zalgo2462 Zalgo2462 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM and tested well.

@lisaSW lisaSW merged commit cfd9a7e into master Jul 28, 2022
@lisaSW lisaSW deleted the 736-beacon-detection-scoring branch July 28, 2022 18:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Zalgo2462 Zalgo2462 Zalgo2462 approved these changes

@ethack ethack Awaiting requested review from ethack

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Beacon detection accuracy
3 participants
@lisaSW @joelillo @Zalgo2462