CIS490

bolyai/CIS490

Fork 0

Commit graph

Author	SHA1	Message	Date
Maximus Gorog	970698af83	Synthetic envelope demo: phase-driven load mimic + plotter End-to-end pipeline now produces a labeled envelope from a single command. Drives the orchestrator through an 8-phase XMRig-shaped schedule and renders a 3-panel envelope (CPU%, RSS, IO write rate) with phase bands sourced from labels.jsonl. Real telemetry, simulated load — validates the collection + labeling shape before a real VM is involved. Components: - tools/load_mimic.py phase-driven load generator. Reads phase commands on stdin; CPU/IO behavior matches the named phase (clean=idle, armed=light burst, infecting=disk burst+CPU, infected_running= CPU saturation+stratum-shaped writes, dormant=quieter than clean). - tools/run_envelope_demo.py spawns load_mimic, drives EpisodeRunner with a default 85s schedule that includes the classic infected_running → dormant → re-entry pattern. - tools/plot_envelope.py reads telemetry + labels from an episode dir, writes envelope.png with colored phase bands. orchestrator: EpisodeRunner now takes an optional phase_schedule and an on_phase callback. Walks the schedule emitting one label per transition. Backwards-compatible — existing single-phase tests still green. Doc fix (user pushback): README + architecture + threat-model no longer imply the Pi5 is the deployment target. Pi5's actual role here is the WireGuard-side collector for episode tarballs. Deployment target is generic ("constrained Linux device"). The "gateway observer" concept remains a deployment pattern, decoupled from the Pi5's collector role. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-28 23:53:20 -06:00
Maximus Gorog	fa1574a0a6	Scaffold project: docs, repo skeleton, transport + deploy design Lays down the design surface for the CIS490 behavioral-malware-detection dataset and model. No code yet — schema and topology are decided first so collection can start without rework. Docs: - README: project goal, navigation - architecture: lab topology, KVM choice, episode state machine, deployment-mirror reasoning - threat-model: train/serve parity rule, oracle-vs-deployable feature split, two-model evaluation strategy - data-model: per-episode JSONL layout, row schemas, phase enum - transport: WG-native shipper/receiver design, idempotent uploads - deploy: one-command install for lab-host and receiver roles - lab-setup: KVM prereqs, VM build, snapshot, virtio-serial wiring Skeleton: orchestrator/, collectors/, vm/, exploits/, samples/, training/ (each with a short README explaining purpose). Extended .gitignore to exclude qcow2 images, pcaps, sample binaries, secrets. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-28 23:21:00 -06:00

Author

SHA1

Message

Date

Maximus Gorog

970698af83

Synthetic envelope demo: phase-driven load mimic + plotter

End-to-end pipeline now produces a labeled envelope from a single command.
Drives the orchestrator through an 8-phase XMRig-shaped schedule and
renders a 3-panel envelope (CPU%, RSS, IO write rate) with phase bands
sourced from labels.jsonl. Real telemetry, simulated load — validates the
collection + labeling shape before a real VM is involved.

Components:
- tools/load_mimic.py        phase-driven load generator. Reads phase
                             commands on stdin; CPU/IO behavior matches
                             the named phase (clean=idle, armed=light burst,
                             infecting=disk burst+CPU, infected_running=
                             CPU saturation+stratum-shaped writes,
                             dormant=quieter than clean).
- tools/run_envelope_demo.py spawns load_mimic, drives EpisodeRunner with
                             a default 85s schedule that includes the
                             classic infected_running → dormant → re-entry
                             pattern.
- tools/plot_envelope.py     reads telemetry + labels from an episode dir,
                             writes envelope.png with colored phase bands.

orchestrator: EpisodeRunner now takes an optional phase_schedule and an
on_phase callback. Walks the schedule emitting one label per transition.
Backwards-compatible — existing single-phase tests still green.

Doc fix (user pushback): README + architecture + threat-model no longer
imply the Pi5 is the deployment target. Pi5's actual role here is the
WireGuard-side collector for episode tarballs. Deployment target is
generic ("constrained Linux device"). The "gateway observer" concept
remains a deployment pattern, decoupled from the Pi5's collector role.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-28 23:53:20 -06:00

Maximus Gorog

fa1574a0a6

Scaffold project: docs, repo skeleton, transport + deploy design

Lays down the design surface for the CIS490 behavioral-malware-detection
dataset and model. No code yet — schema and topology are decided first so
collection can start without rework.

Docs:
- README: project goal, navigation
- architecture: lab topology, KVM choice, episode state machine,
  deployment-mirror reasoning
- threat-model: train/serve parity rule, oracle-vs-deployable feature
  split, two-model evaluation strategy
- data-model: per-episode JSONL layout, row schemas, phase enum
- transport: WG-native shipper/receiver design, idempotent uploads
- deploy: one-command install for lab-host and receiver roles
- lab-setup: KVM prereqs, VM build, snapshot, virtio-serial wiring

Skeleton: orchestrator/, collectors/, vm/, exploits/, samples/,
training/ (each with a short README explaining purpose).
Extended .gitignore to exclude qcow2 images, pcaps, sample binaries,
secrets.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-04-28 23:21:00 -06:00

2 commits