stage-20: defanging pipeline for IOC-extraction augmentation

Real CTI prose defangs IOCs (1[.]2[.]3[.]4, hxxp://, evil[dot]com) so they don't auto-link in email/chat. A model trained only on canonical inputs will fail to extract them. New lines/defang.py: defang_ip, defang_domain, defang_url, defang_text — four dot-styles ([.], (.), [dot], {.}) plus protocol defanging (http→hxxp, https→hxxps). Each occurrence picks its style independently since real advisories don't keep one style across paragraphs. train.BuildOptions adds defang_frac (default 0.0) and seed; build() threads options + a seeded Random through the example builders so the augmentation is reproducible. Only _ex_ioc_extraction reads it today — output stays canonical so the model learns messy→canonical. CLI: train-build and train-build-all gain --defang-frac and --seed. 8 new tests including a frac=1.0 / output-canonical integration check. The pipeline runs but is dormant at defang_frac=0.0 — psyc-v5 dataset build will set 0.5 once OTX cases land. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-20 22:33:52 +02:00
parent 85830be9fa
commit f6fa52839f
4 changed files with 197 additions and 11 deletions
--- a/src/psyc/cli.py
+++ b/src/psyc/cli.py
@@ -2,7 +2,7 @@
 from __future__ import annotations
-from typing import List
+from typing import List, Optional
 import typer
 import uvicorn
@@ -366,12 +366,15 @@ def mock_cert_serve(host: str = "127.0.0.1", port: int = 8770) -> None:
 def train_build(
    task: str = typer.Option(..., "--task", "-t", help=f"one of: {', '.join(train.TASKS)}"),
    limit: int = typer.Option(10_000, help="max cases to process"),
    defang_frac: float = typer.Option(0.0, "--defang-frac", help="fraction of ioc_extraction inputs to defang ([0.0, 1.0])"),
    seed: Optional[int] = typer.Option(None, "--seed", help="rng seed for reproducible defanging"),
 ) -> None:
    if task not in train.TASKS:
        typer.echo(f"unknown task: {task}; choices: {', '.join(train.TASKS)}", err=True)
        raise typer.Exit(1)
    cases = db.list_cases(limit=limit)
-    report = train.build(task, cases)
+    options = train.BuildOptions(defang_frac=defang_frac, seed=seed)
    report = train.build(task, cases, options=options)
    typer.echo(f"task: {report.task}")
    typer.echo(f"path: {report.path}")
    typer.echo(f"  written:           {report.written}")
@@ -382,10 +385,15 @@ def train_build(
@app.command("train-build-all")
-def train_build_all(limit: int = typer.Option(10_000, help="max cases per task")) -> None:
+def train_build_all(
    limit: int = typer.Option(10_000, help="max cases per task"),
    defang_frac: float = typer.Option(0.0, "--defang-frac", help="fraction of ioc_extraction inputs to defang ([0.0, 1.0])"),
    seed: Optional[int] = typer.Option(None, "--seed", help="rng seed for reproducible defanging"),
 ) -> None:
    cases = db.list_cases(limit=limit)
    options = train.BuildOptions(defang_frac=defang_frac, seed=seed)
    for task in train.TASKS:
-        report = train.build(task, cases)
+        report = train.build(task, cases, options=options)
        typer.echo(f"  {task}: wrote {report.written} → {report.path.name}")
--- a/src/psyc/lines/defang.py
+++ b/src/psyc/lines/defang.py
@@ -0,0 +1,73 @@
 """Defanging — IOC obfuscation styles common in real CTI prose.
 Real advisories don't write `1.2.3.4` and `http://evil.com` verbatim; they
 defang IOCs into bracket/paren/word forms (`1[.]2[.]3[.]4`, `hxxp://evil[.]com`)
 so indicators don't auto-link in email/chat clients. Training the IOC extractor
 purely on canonical inputs leaves it brittle. This module corrupts canonical
 IOCs into common defanged forms for use as training-time data augmentation.
 """
 from __future__ import annotations
 import random
 from typing import List, Optional
 # Dot replacement styles seen in the wild, in rough frequency order.
 _DOT_FORMS = ("[.]", "(.)", "[dot]", "{.}")
 _PROTOCOL_FORMS = {
    "http://": "hxxp://",
    "https://": "hxxps://",
 }
 def _rng(r: Optional[random.Random]) -> random.Random:
    return r if r is not None else random.Random()
 def defang_ip(ip: str, rng: Optional[random.Random] = None) -> str:
    """`1.2.3.4` → `1[.]2[.]3[.]4` (one randomly chosen dot style)."""
    return ip.replace(".", _rng(rng).choice(_DOT_FORMS))
 def defang_domain(domain: str, rng: Optional[random.Random] = None) -> str:
    """`evil.com` → `evil[.]com`."""
    return domain.replace(".", _rng(rng).choice(_DOT_FORMS))
 def defang_url(url: str, rng: Optional[random.Random] = None) -> str:
    """`http://evil.com/x` → `hxxp://evil[.]com/x` — protocol + dot defanging."""
    r = _rng(rng)
    out = url
    for proto, replacement in _PROTOCOL_FORMS.items():
        if out.startswith(proto):
            out = replacement + out[len(proto):]
            break
    out = out.replace(".", r.choice(_DOT_FORMS))
    return out
 def defang_text(
    text: str,
    ips: List[str],
    domains: List[str],
    urls: List[str],
    rng: Optional[random.Random] = None,
 ) -> str:
    """Defang every occurrence of the given IOCs inside a free-text body.
    URLs are replaced before domains (URLs contain domain substrings, so
    domain-first would corrupt the URL match). Likewise IPs last. Each
    occurrence picks its own dot-style independently — real advisories don't
    keep one style consistent across paragraphs.
    """
    r = _rng(rng)
    out = text
    for u in sorted(set(urls), key=len, reverse=True):
        out = out.replace(u, defang_url(u, r))
    for d in sorted(set(domains), key=len, reverse=True):
        out = out.replace(d, defang_domain(d, r))
    for i in sorted(set(ips), key=len, reverse=True):
        out = out.replace(i, defang_ip(i, r))
    return out
--- a/src/psyc/lines/train.py
+++ b/src/psyc/lines/train.py
@@ -15,6 +15,7 @@ restricted source types, never empty input/output.
 from __future__ import annotations
 import json
 import random
 import re
 from datetime import datetime, timezone
 from pathlib import Path
@@ -24,10 +25,18 @@ from pydantic import BaseModel, Field
 from psyc import DATA_DIR, log
 from psyc.lines import classify as classify_line
 from psyc.lines import defang as defang_line
 from psyc.lines import route as route_line
 from psyc.models import Case, TLP
 class BuildOptions(BaseModel):
    """Per-build configuration. Currently only ioc_extraction reads any field."""
    defang_frac: float = 0.0  # in [0.0, 1.0] — fraction of ioc_extraction inputs to defang
    seed: Optional[int] = None  # reproducible RNG when set
 _log = log.get(__name__)
 DATASETS_DIR = DATA_DIR / "datasets"
@@ -60,7 +69,11 @@ class DatasetReport(BaseModel):
 # ---------- ExampleBuilder per task ---------------------------------------
-def _ex_ioc_extraction(case: Case) -> Optional[Example]:
+def _ex_ioc_extraction(
    case: Case,
    options: Optional["BuildOptions"] = None,
    rng: Optional[random.Random] = None,
 ) -> Optional[Example]:
    obs = case.observables
    if not (obs.urls or obs.domains or obs.ips or obs.hashes or obs.cves):
        return None
@@ -81,6 +94,13 @@ def _ex_ioc_extraction(case: Case) -> Optional[Example]:
        body.append("Related CVEs: " + ", ".join(obs.cves) + ".")
    if tags:
        body.append(f"Tags: {tags}.")
    body_text = " ".join(body)
    # Defanging augmentation: with probability options.defang_frac, replace IOCs
    # in the input with common real-world defanged forms (1[.]2[.]3[.]4,
    # hxxp://, etc.). Output stays canonical so the model learns the mapping.
    if options is not None and rng is not None and options.defang_frac > 0.0:
        if rng.random() < options.defang_frac:
            body_text = defang_line.defang_text(body_text, obs.ips, obs.domains, obs.urls, rng)
    output_obj = {
        "urls": obs.urls,
        "domains": obs.domains,
@@ -90,7 +110,7 @@ def _ex_ioc_extraction(case: Case) -> Optional[Example]:
    }
    return Example(
        instruction="Extract all indicators of compromise from the advisory and return JSON with keys: urls, domains, ips, hashes, cves.",
-        input=" ".join(body),
+        input=body_text,
        output=json.dumps(output_obj, ensure_ascii=False),
        task="ioc_extraction",
        case_id=case.case_id,
@@ -119,7 +139,11 @@ def severity_features(case: Case) -> Dict[str, object]:
    }
-def _ex_severity_classification(case: Case) -> Optional[Example]:
+def _ex_severity_classification(
    case: Case,
    options: Optional["BuildOptions"] = None,
    rng: Optional[random.Random] = None,
 ) -> Optional[Example]:
    if case.classification.severity is None:
        return None
    return Example(
@@ -132,7 +156,11 @@ def _ex_severity_classification(case: Case) -> Optional[Example]:
    )
-def _ex_routing_decision(case: Case) -> Optional[Example]:
+def _ex_routing_decision(
    case: Case,
    options: Optional["BuildOptions"] = None,
    rng: Optional[random.Random] = None,
 ) -> Optional[Example]:
    if case.classification.incident_type is None:
        return None
    routes, blocked = route_line.plan(case)
@@ -158,7 +186,11 @@ def _ex_routing_decision(case: Case) -> Optional[Example]:
    )
-def _ex_tlp_assignment(case: Case) -> Optional[Example]:
+def _ex_tlp_assignment(
    case: Case,
    options: Optional["BuildOptions"] = None,
    rng: Optional[random.Random] = None,
 ) -> Optional[Example]:
    input_obj = {
        "source_type": case.source_type,
        "incident_type": case.classification.incident_type.value if case.classification.incident_type else None,
@@ -217,10 +249,12 @@ def _next_version(task: str) -> int:
    return (max(used) + 1) if used else 1
-def build(task: str, cases: Iterable[Case]) -> DatasetReport:
+def build(task: str, cases: Iterable[Case], options: Optional[BuildOptions] = None) -> DatasetReport:
    if task not in _BUILDERS:
        raise ValueError(f"unknown task: {task}; choices: {sorted(_BUILDERS)}")
    builder = _BUILDERS[task]
    options = options or BuildOptions()
    rng = random.Random(options.seed)
    version = _next_version(task)
    path = DATASETS_DIR / f"{task}-v{version}.jsonl"
    written = 0
@@ -230,7 +264,7 @@ def build(task: str, cases: Iterable[Case]) -> DatasetReport:
    skipped_empty = 0
    with path.open("w", encoding="utf-8") as fh:
        for case in cases:
-            example = builder(case)
+            example = builder(case, options, rng)
            if example is None:
                skipped_empty += 1
                continue
--- a/tests/test_defang.py
+++ b/tests/test_defang.py
@@ -0,0 +1,71 @@
 """Defanging — IOC obfuscation styles for training-data augmentation."""
 from __future__ import annotations
 import json
 import random
 from psyc.lines.defang import defang_domain, defang_ip, defang_text, defang_url
 from psyc.lines.train import BuildOptions, _ex_ioc_extraction
 from conftest import make_case
 def test_defang_ip_breaks_canonical_form():
    out = defang_ip("1.2.3.4", random.Random(0))
    assert "1.2.3.4" not in out  # canonical IP substring no longer appears
    assert "1" in out and "4" in out  # digits preserved
    assert any(form in out for form in ("[.]", "(.)", "[dot]", "{.}"))
 def test_defang_domain_preserves_label_text():
    out = defang_domain("evil.example.com", random.Random(1))
    assert "evil" in out and "example" in out and "com" in out
    assert "evil.example.com" not in out  # canonical domain broken
 def test_defang_url_defangs_protocol_and_breaks_canonical_form():
    out = defang_url("http://evil.example.com/payload.bin", random.Random(2))
    assert out.startswith("hxxp://")  # protocol defanged
    assert "http://" not in out
    assert "evil.example.com" not in out  # host part defanged
 def test_defang_url_handles_https():
    assert defang_url("https://evil.com/x", random.Random(0)).startswith("hxxps://")
 def test_defang_text_substitutes_every_listed_ioc():
    text = "See URL http://1.2.3.4/x and IP 1.2.3.4 and domain evil.com please."
    out = defang_text(text, ips=["1.2.3.4"], domains=["evil.com"], urls=["http://1.2.3.4/x"], rng=random.Random(3))
    # No canonical IOC string should remain anywhere in the corrupted body.
    assert "http://" not in out
    assert "1.2.3.4" not in out
    assert "evil.com" not in out
    # Surrounding prose is preserved.
    assert "See URL" in out and "please" in out
 def test_ioc_extraction_with_defang_frac_1_corrupts_input_only():
    case = make_case(feed="urlhaus", urls=["http://1.2.3.4/x"], domains=["1.2.3.4"], ips=["1.2.3.4"])
    options = BuildOptions(defang_frac=1.0, seed=42)
    rng = random.Random(options.seed)
    ex = _ex_ioc_extraction(case, options, rng)
    assert ex is not None
    # Input has been defanged.
    assert "1.2.3.4" not in ex.input
    assert "http://" not in ex.input
    # Output stays canonical so the model learns the inverse mapping.
    output = json.loads(ex.output)
    assert "1.2.3.4" in output["ips"]
    assert "http://1.2.3.4/x" in output["urls"]
 def test_ioc_extraction_with_defang_frac_0_is_canonical():
    case = make_case(feed="urlhaus", urls=["http://1.2.3.4/x"], ips=["1.2.3.4"])
    options = BuildOptions(defang_frac=0.0, seed=0)
    rng = random.Random(0)
    ex = _ex_ioc_extraction(case, options, rng)
    assert ex is not None
    # No defanging → input keeps the canonical IOCs.
    assert "http://1.2.3.4/x" in ex.input
    assert "1.2.3.4" in ex.input