aaryanchaturvedi1906-cmyk/CerberusBox

# 🐺 CerberusBox — 智能恶意软件分析沙箱 一个混合恶意软件分析平台，将**静态分析**、**沙箱执行**和**AI驱动的威胁分类**结合到统一的流水线中，并提供现代化的 Web 界面。 ## 架构 ``` ┌─────────────────────────────────────────────────────────────────┐ │ NGINX (Port 80) │ │ Reverse Proxy + Rate Limiting + SSL │ └──────────────────────────┬──────────────────────────────────────┘ │ ┌────────────────┴─────────────────┐ │ │ ┌─────────▼──────────┐ ┌──────────▼──────────┐ │ React Frontend │ │ FastAPI Backend │ │ (Vite + TS) │◄──WS/REST──► (Port 8000) │ │ Port 3000 (dev) │ │ │ └────────────────────┘ └──────────┬──────────┘ │ ┌────────────────────────┼────────────────────────┐ │ │ │ ┌────────▼──────┐ ┌──────────▼──────┐ ┌─────────▼──────┐ │ PostgreSQL │ │ Redis │ │ MinIO │ │ (Database) │ │ (Celery Broker) │ │ (File Store) │ └───────────────┘ └──────────┬───────┘ └────────────────┘ │ ┌────────▼────────┐ │ Celery Workers │ │ │ │ ┌─────────────┐ │ │ │Static Anal. │ │ ← YARA, pefile, ssdeep │ ├─────────────┤ │ │ │Dynamic Anal.│ │ ← Docker sandbox │ ├─────────────┤ │ │ │ML Inference │ │ ← RandomForest/GBT │ └─────────────┘ │ └─────────────────┘ ``` ## 技术栈 | 层级 | 技术 | |---|---| | **Frontend** | React 18 + TypeScript + Vite + TailwindCSS + Framer Motion | | **Visualization** | D3.js + Recharts | | **Backend API** | Python 3.11 + FastAPI + WebSockets | | **Task Queue** | Celery + Redis | | **Database** | PostgreSQL 15 + SQLAlchemy (async) | | **File Storage** | MinIO (S3-compatible) | | **Static Analysis** | YARA + pefile + python-magic + ssdeep + capstone | | **Sandbox** | Docker + gVisor (dynamic analysis) | | **ML/AI** | scikit-learn + PyTorch (planned) + ONNX | | **Infrastructure** | Docker Compose / Kubernetes + NGINX | | **Monitoring** | Prometheus + Grafana (planned) | ## 快速开始 ### 前置条件 - Docker & Docker Compose - Git ### 1. 克隆并配置 ``` git clone https://github.com/yourorg/cerberusbox.git cd cerberusbox cp .env.example .env # Edit .env with your secrets ``` ### 2. 启动所有服务 ``` docker-compose up -d ``` ### 3. 验证服务运行状态 ``` docker-compose ps # All services should show "healthy" or "Up" ``` ### 4. 访问平台 | 服务 | URL | |---|---| | Web UI | http://localhost | | API docs | http://localhost/docs | | MinIO Console | http://localhost:9001 | | Flower (Celery) | http://localhost:5555 | ## 开发环境设置 ### Backend ``` cd backend python -m venv venv source venv/bin/activate # Windows: venv\Scripts\activate pip install -r requirements.txt # Start supporting services only docker-compose up -d db redis minio # Run API in dev mode uvicorn app.main:app --reload --port 8000 # Run Celery worker celery -A app.tasks.celery_app worker --loglevel=info # Run database migrations alembic upgrade head ``` ### Frontend ``` cd frontend npm install npm run dev # starts on http://localhost:3000 ``` ### ML Model Training ``` cd ml/training python train.py --output ../models # Uses synthetic data by default # For real data: python train.py --data ./samples.jsonl ``` ## API 参考 ### 文件上传 ``` POST /api/v1/files/upload Content-Type: multipart/form-data file=@suspicious.exe tags=ransomware,test ``` ### 触发分析 ``` POST /api/v1/analysis/start/{file_id} ``` ### 实时进度 (WebSocket) ``` const ws = new WebSocket('ws://localhost/api/v1/ws/{analysis_id}') ws.onmessage = (e) => console.log(JSON.parse(e.data)) // { step: "static", progress: 40, message: "Running YARA..." } ``` ### 获取完整报告 ``` GET /api/v1/analysis/{analysis_id}/report ``` ### Dashboard Stats ``` GET /api/v1/dashboard/stats ``` ## 项目结构 ``` cerberusbox/ ├── backend/ │ ├── app/ │ │ ├── api/v1/endpoints/ # Route handlers │ │ │ ├── files.py # Upload, list, hash lookup │ │ │ ├── analysis.py # Trigger, status, report │ │ │ ├── websocket.py # Real-time progress │ │ │ └── dashboard.py # Stats & overview │ │ ├── core/ │ │ │ ├── config.py # Settings (env-based) │ │ │ ├── database.py # Async SQLAlchemy │ │ │ └── security.py # JWT auth, password hashing │ │ ├── models/ │ │ │ └── models.py # All DB models (ORM) │ │ ├── schemas/ │ │ │ └── schemas.py # Pydantic request/response │ │ ├── services/ │ │ │ ├── static_analyzer.py # Core analysis engine │ │ │ └── storage.py # MinIO integration │ │ ├── tasks/ │ │ │ ├── celery_app.py # Celery configuration │ │ │ └── tasks.py # Analysis task pipeline │ │ └── main.py # FastAPI app entry │ ├── tests/ │ │ └── test_cerberusbox.py # Test suite │ ├── Dockerfile │ └── requirements.txt │ ├── frontend/ │ └── src/ │ ├── api/ # Axios API client + WebSocket │ ├── components/ # Reusable UI components │ ├── pages/ # Dashboard, Upload, Report, Files │ ├── store/ # Zustand global state │ └── types/ # TypeScript type definitions │ ├── ml/ │ └── training/ │ └── train.py # ML training pipeline │ ├── yara_rules/ │ └── general_malware.yar # YARA detection rules │ ├── nginx/ │ └── nginx.conf # Reverse proxy config │ ├── docker-compose.yml └── .env.example ``` ## 分析流水线 ``` 1. FILE UPLOAD └── Validate size/type → Compute hashes → Store in MinIO → Create DB record 2. STATIC ANALYSIS (Celery Worker) ├── File type detection (magic bytes) ├── Entropy calculation (packing indicator) ├── PE parsing (imports, exports, sections, timestamps) ├── YARA rule matching (30+ malware signatures) ├── String extraction (URLs, IPs, registry keys, crypto refs) └── Results → PostgreSQL 3. ML INFERENCE ├── Build 22-feature vector from static results ├── RandomForest classifier (benign/suspicious/malware) ├── Confidence score + class probabilities ├── Feature importance (explainability) └── Results → PostgreSQL 4. IOC EXTRACTION ├── URLs → IOC table ├── IPs → IOC table ├── YARA rule hashes → IOC table └── File hash → IOC table 5. REPORT ASSEMBLY └── Full JSON report → WebSocket notification → Frontend ``` ## 包含的 YARA 规则 | Rule | Category | Severity | |---|---|---| | UPX_Packed | Packer | Medium | | MPRESS_Packed | Packer | Medium | | Ransomware_Strings | Ransomware | Critical | | Ransomware_API_Pattern | Ransomware | High | | RAT_Indicators | RAT/Backdoor | High | | Process_Injection | Injection | High | | Anti_Analysis | Evasion | Medium | | Persistence_Registry | Persistence | High | | Suspicious_Network | C2 | Medium | | Dropper_Pattern | Dropper | High | | Credential_Theft | Infostealer | Critical | | Shellcode_GetPC | Shellcode | High | ## 运行测试 ``` cd backend pytest tests/ -v --tb=short # With coverage pytest tests/ --cov=app --cov-report=html ``` ## 路线图 - [x] 静态分析流水线 (YARA, PE, hashes, strings) - [x] 异步任务队列 (Celery + Redis) - [x] WebSocket 实时进度 - [x] ML 分类 (heuristic + RandomForest) - [x] IOC 提取与存储 - [x] React 前端 (Dashboard, Upload, Report, Files) - [ ] Docker 沙箱 (gVisor + Cuckoo agent) - [ ] 动态分析 (network capture, process tree) - [ ] PyTorch 深度学习模型 (CNN on byte sequences) - [ ] VirusTotal API 集成 - [ ] 用户认证 (JWT) - [ ] IOC Explorer (D3.js network graph) - [ ] 威胁情报源摄取 - [ ] Kubernetes 部署清单 - [ ] Prometheus + Grafana 监控 - [ ] MITRE ATT&CK 技术映射 ## 安全说明 - 所有上传的文件均使用基于 UUID 的名称存储（无路径遍历风险） - 文件引爆在隔离的 Docker 容器中进行，默认无网络连接 - 在 NGINX 层面实施速率限制（API 30次/分钟，上传 10次/分钟） - Celery 任务以严格的超时时间运行（默认 5 分钟） - 密钥通过环境变量管理（绝不硬编码） ## 许可证 MIT License — 详情请参阅 LICENSE 文件。 为网络安全社区用 ❤️ 构建。

标签：ATT&CK映射, AV绕过, Cuckoo替代, DAST, FastAPI, IOC提取, IP 地址批量处理, Linux安全工具, Python安全工具, React, Syscalls, 二进制分析, 云安全监控, 云安全运维, 威胁情报, 安全沙箱, 密钥泄露防护, 开发者工具, 异常检测, 快速恶意软件分析, 恶意软件分析, 搜索引擎查询, 机器学习安全, 沙箱, 测试用例, 混合分析, 网络信息收集, 网络安全, 网络安全实验平台, 网络安全审计, 网络流量分析, 虚拟化, 行为检测, 请求拦截, 负责任AI, 逆向工具, 速率限制处理, 隐私保护, 静态分析