The model layer of the project, built honestly:
- tools/dataset_validate.py — full-sweep validator over the receiver
store (sha256, schema, monotonic labels, telemetry-row gate). On the
current corpus: 64,798 accepted + 8,154 degraded + 3,701 rejected +
7 errored across 76,660 shipped episodes. data/processed/validation_v1.parquet
is committed as the per-episode acceptance index.
- training/_features.py — channel registry (46 channels across
proc/guest/qmp/netflow), summary-stat windowing AND channel×time
tensor extraction at 10s/5s windowing. Time alignment uses t_wall_ns
(Unix ns) — tested fix for a real netflow-vs-host clock-base
inconsistency that was silently dropping every netflow channel.
- training/_split.py — three held-out recipes (host / sample / time)
with profile-stratification assertions. held_out_host carries
untested_profiles for cases like scan-and-dial absent from the test
host (5 of 6 profiles tested cross-device, never silently averaged).
- training/models/ — 6 architectures behind a common BaseModel
interface: gbt (XGBoost), mlp, cnn, gru, lstm, transformer. Each
trained twice (realistic / oracle) per the deployment threat model.
Schema-hashed checkpoints refuse to load if _features.py changed
since training (silent-input-drift protection, tested).
- training/trainer/ — unified training loop: class-weighted CE, LR
warmup + cosine, gradient clipping, mixed precision when CUDA,
early stopping on val macro F1, best-on-val checkpoint. Same loop
runs MLP/CNN/GRU/LSTM/Transformer; GBT uses XGBoost
early_stopping_rounds on val mlogloss.
- training/eval_/ — bootstrap 95% CIs on macro F1, per-class F1,
per-profile and per-host breakdown, paired-bootstrap significance
for model-vs-model gap. Confusion matrix uses union of seen labels.
- training/dashboard/producers/ — replay/metrics/perf/profiles
emitting the six event types the dashboard's awaiting scenes
consume; on-demand tensor extraction so the Pi can run live
inference without 65 GB of shards.
- 17 unit tests (split coverage, features round-trip, schema mismatch,
determinism, time-base alignment regression).
End-to-end smoke-trained all six on a 567-episode subset; held-out
test macro F1 reported with paired-bootstrap significance. The
methodology now reports honest cross-device generalization, not
in-distribution validation.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
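The commit message above mentions schema-hashed checkpoints that refuse to load once the feature code has changed. The sketch below is an added example of that kind of guard, not code from this repository: every function name, the JSON checkpoint format and the channel names are hypothetical, and reading "10s/5s" as a 10 s window with a 5 s stride is an assumption.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample registry; the group prefixes come from the commit message,
# the channel names themselves are made up for this example.
CHANNELS = ["proc.cpu_pct", "guest.mem_used", "qmp.blk_wr_bytes", "netflow.bytes_out"]


class SchemaMismatchError(RuntimeError):
    """Checkpoint was trained against a different feature schema."""


def schema_hash(channels, window_s, stride_s):
    """SHA-256 over everything that fixes the input layout.

    Channel order is hashed too: reordering columns changes what each input
    position means even when the set of names is unchanged.
    """
    canonical = json.dumps(
        {"channels": list(channels), "window_s": window_s, "stride_s": stride_s},
        sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def save_checkpoint(path, weights, schema):
    """Store the weights together with the schema hash they were trained on."""
    Path(path).write_text(json.dumps({"schema_hash": schema, "weights": weights}))


def load_checkpoint(path, current_schema):
    """Return the weights only if the stored hash matches the live schema."""
    blob = json.loads(Path(path).read_text())
    stored = blob.get("schema_hash")
    if stored != current_schema:  # also rejects checkpoints with no hash at all
        raise SchemaMismatchError(
            f"checkpoint schema {str(stored)[:12]} != current {current_schema[:12]}")
    return blob["weights"]


if __name__ == "__main__":
    trained_on = schema_hash(CHANNELS, 10, 5)  # assumed: 10 s window, 5 s stride
    with tempfile.TemporaryDirectory() as tmp:
        ckpt = Path(tmp) / "model.json"
        save_checkpoint(ckpt, [0.25, -1.5], trained_on)
        print(load_checkpoint(ckpt, trained_on))
        try:  # same checkpoint, but one channel group has gone missing
            load_checkpoint(ckpt, schema_hash(CHANNELS[:3], 10, 5))
        except SchemaMismatchError as exc:
            print("refused:", exc)
```

Failing closed at load time turns a dropped or reordered channel into a hard error instead of a model that quietly scores on misaligned inputs.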
39 lines
936 B
TOML
[project]
name = "cis490"
version = "0.0.1"
description = "CIS490 behavioral malware detection — dataset, transport, training"
requires-python = ">=3.11"
dependencies = [
    "starlette>=0.36",
    "uvicorn[standard]>=0.27",
    "msgpack>=1.0",  # MSF RPC wire format for the Tier-3 exploit driver
    "pycdlib>=1.14",  # build NoCloud cidata ISOs in pure Python
]

[dependency-groups]
dev = [
    "pytest>=8",
    "pytest-asyncio>=0.23",
    "httpx>=0.27",
    "matplotlib>=3.8",
    "tornado>=6",  # required by matplotlib's WebAgg interactive backend
    "paramiko>=3",  # SSH client for in-guest control on images that support it
]
training = [
    "pyarrow>=15",
    "polars>=1.0",
    "numpy>=1.26",
    "scipy>=1.11",
    "scikit-learn>=1.4",
    "matplotlib>=3.8",
    "zstandard>=0.22",
    "xgboost>=2.0",
    "torch>=2.2",
]

[tool.uv]
package = false

[tool.pytest.ini_options]
asyncio_mode = "auto"
testpaths = ["tests"]