Varunpv2005/ai-threat-hunting-platform
GitHub: Varunpv2005/ai-threat-hunting-platform
A full-stack AI threat hunting and incident response platform based on IsolationForest anomaly detection and SOAR automated response
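# AI Threat Hunting and Incident Response Platform
Full-stack cybersecurity platform: IsolationForest anomaly detection → threat classification → SOAR automated response, served by a FastAPI backend and a React SOC dashboard, all containerized with Docker Compose.
## Architecture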
```
Browser
   │
   ▼  :3000
frontend (nginx)
   │  static assets cached
   │  /api/* ──proxy──► backend:8000 (FastAPI + uvicorn)
   │                        │
   │                   IsolationForest
   │                   ThreatClassifier
   │                   SOAR RuleEngine
   │                        │
   │                   postgres:5432 (logs · threats · alerts)
   │                   redis:6379 (model cache · cooldowns)
   │                   [elasticsearch:9200 --profile elk]
   │                   [kibana:5601 --profile elk]
```
| Service | Image | Default port |
|-----------------|------------------------|--------------|
| `frontend` | nginx:1.25-alpine | **3000** |
| `backend` | python:3.11-slim | **8000** |
| `postgres` | postgres:16-alpine | 5432 |
| `redis` | redis:7-alpine | 6379 |
| `elasticsearch` | elasticsearch:8.12 | 9200 (elk) |
| `kibana` | kibana:8.12 | 5601 (elk) |
## Prerequisites
| Tool | Minimum version |
|------|----------------|
| Docker | 24.0 |
| Docker Compose v2 | bundled with Docker Desktop |
| RAM | 4 GB (8 GB with ELK) |
Verify: `docker compose version`
## Quick start
```
# Clone
git clone https://github.com/your-org/soc-platform.git
cd soc-platform
# Configure (the defaults work out of the box)
cp .env.example .env
# Build and start
docker compose up -d --build
# Follow the startup logs (model training takes about 30 seconds)
docker compose logs -f backend
# Wait for: INFO API ready.
# Open
open http://localhost:3000 # SOC Dashboard
open http://localhost:8000/docs # Swagger UI
```
## All commands
### Using Make (recommended)
```
make up # build + start full stack
make dev # hot-reload backend + local Vite frontend
make elk # add Elasticsearch + Kibana
make down # stop all containers
make logs # tail all logs
make logs-api # tail backend only
make ps # container status
make build # (re)build images
make rebuild # build with --no-cache
make clean # remove containers + images
make clean-vols # ⚠ remove all data volumes
make test # run test suite in container
make shell-api # bash shell in backend
make shell-db # psql in postgres
make simulate # fire a test brute-force attack
make health # ping all services
```
### Using docker compose directly
```
# Start the default stack
docker compose up -d --build
# Start with Elasticsearch + Kibana
docker compose --profile elk up -d --build
# Hot-reload development mode
docker compose --profile dev up -d
# View logs
docker compose logs -f
docker compose logs -f backend
# Stop
docker compose down
# Stop + delete volumes ⚠ destructive
docker compose down -v
# Rebuild one service
docker compose up -d --build backend
# Scale backend workers
docker compose up -d --scale backend=3
# Open a shell
docker compose exec backend bash
docker compose exec postgres psql -U socuser -d socdb
docker compose exec redis redis-cli -a redispass
# Run tests
docker compose exec backend python backend/tests/test_api.py
```
## API quick reference
```
# Health check
curl http://localhost:8000/
# Simulate an attack (brute force, high intensity)
curl -X POST http://localhost:8000/api/v1/simulate_attack \
  -H "Content-Type: application/json" \
  -d '{"attack_type":"brute_force","geo_country":"RU","intensity":"high"}'
# All attack types:
# brute_force | privilege_escalation | data_exfiltration
# suspicious_login | password_spray | automated_scanner
# Get threats
curl "http://localhost:8000/api/v1/threats?severity=CRITICAL&limit=10"
# Get open alerts
curl "http://localhost:8000/api/v1/alerts?status=open"
# Acknowledge an alert (set ALERT_ID to an id returned by the alerts endpoint)
curl -X POST "http://localhost:8000/api/v1/alerts/${ALERT_ID}/acknowledge" \
  -H "Content-Type: application/json" \
  -d '{"analyst":"alice"}'
# Ingest raw log events
curl -X POST http://localhost:8000/api/v1/ingest \
  -H "Content-Type: application/json" \
  -d '{"events":[{"event_type":"login_failed","user":"alice",
  "ip_address":"185.220.101.15","geo_country":"RU",
  "timestamp":"2024-01-15T03:22:00Z","bytes_read":0}]}'
# Dashboard statistics
curl http://localhost:8000/api/v1/stats
# Active response rules
curl http://localhost:8000/api/v1/rules
```
## Environment variables
| Variable | Default | Notes |
|----------|---------|-------|
| `APP_ENV` | `production` | `development` enables debugging |
| `SECRET_KEY` | *(change me)* | Run `openssl rand -hex 32` |
| `POSTGRES_DB` | `socdb` | |
| `POSTGRES_USER` | `socuser` | |
| `POSTGRES_PASSWORD` | `socpassword` | **Change in production** |
| `REDIS_PASSWORD` | `redispass` | **Change in production** |
| `TRAIN_ON_STARTUP` | `true` | Train the IsolationForest at startup |
| `N_TRAIN_EVENTS` | `5000` | Training set size |
| `WORKERS` | `2` | Number of Uvicorn worker processes |
| `BACKEND_PORT` | `8000` | Exposed host port |
| `FRONTEND_PORT` | `3000` | Exposed host port |
| `LOG_LEVEL` | `info` | `debug` / `info` / `warning` |
## Development workflow
```
# Start the infrastructure only
docker compose up -d postgres redis
# Run the backend locally with hot reload
pip install -r backend/requirements.txt
uvicorn backend.api.main:app --reload --port 8000
# Run the frontend locally with HMR
cd dashboard && npm install && npm run dev
# → http://localhost:5173 (Vite proxies /api → localhost:8000)
# Run tests
python backend/tests/test_api.py
```
## Project layout
```
.
├── backend/
│ ├── api/
│ │ ├── main.py FastAPI app + all routes
│ │ ├── store.py In-memory + PostgreSQL data store
│ │ └── schemas.py Request / response models
│ ├── ml/
│ │ ├── anomaly/ IsolationForest detector
│ │ └── classifier/ ThreatClassifier + feature pipeline
│ ├── incident_response/
│ │ ├── actions.py SOAR action implementations
│ │ └── rule_engine.py Declarative response rule engine
│ ├── log_simulator/ Attack scenario event generator
│ ├── tests/ Test suite (97 tests, all passing)
│ └── requirements.txt
├── dashboard/
│ ├── src/
│ │ ├── main.jsx
│ │ └── SOCDashboard.jsx Full React dashboard
│ ├── index.html
│ ├── package.json
│ └── vite.config.js
├── docker/
│ ├── backend.Dockerfile Two-stage Python build
│ ├── frontend.Dockerfile Node build + nginx serve
│ ├── nginx.conf SPA routing + /api proxy
│ └── postgres/
│ └── init.sql Schema + seed data
├── docker-compose.yml
├── .dockerignore
├── .env.example
├── Makefile
└── README.md
```
## Production checklist
```
# Rotate all secrets
SECRET_KEY=$(openssl rand -hex 32)
POSTGRES_PASSWORD=$(openssl rand -hex 16)
REDIS_PASSWORD=$(openssl rand -hex 16)
# Edit .env, then rebuild
docker compose up -d --build
# Add resource limits to each service in docker-compose.yml:
# deploy:
#   resources:
#     limits:
#       cpus: '2'
#       memory: 2G
# Enable HTTPS: add a certbot/Let's Encrypt sidecar and update nginx.conf
# Enable ES security: set xpack.security.enabled=true and provision certs
```
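The secret-rotation step of the checklist can be enforced as a pre-deploy gate. The script below is an added example, not part of the project: it flags `.env` values that still match the defaults in the environment table above or that are not the length the `openssl rand` commands produce. The function names `check_pair` and `audit_env` and the length thresholds are assumptions of this example.

```shell
#!/bin/sh
# Added example, not project code: audit a .env file against the defaults
# and the secret-generation commands documented in this README.

# check_pair KEY VALUE: print one finding for a weak value, nothing otherwise.
check_pair() {
  case $1 in
    POSTGRES_PASSWORD|REDIS_PASSWORD)
      case $2 in
        socpassword|redispass) echo "$1: still a published default" ;;
        *) [ "${#2}" -ge 32 ] || echo "$1: shorter than 'openssl rand -hex 16' output" ;;
      esac ;;
    SECRET_KEY)
      printf '%s' "$2" | grep -Eq '^[0-9a-f]{64}$' ||
        echo "$1: not the 64 hex chars 'openssl rand -hex 32' produces" ;;
    APP_ENV)
      [ "$2" != development ] || echo "$1: development enables debugging" ;;
  esac
}

# audit_env FILE: print findings; return 0 if clean, 1 if any, 2 if unreadable.
audit_env() {
  [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
  findings=$(
    seen=" "
    while IFS='=' read -r key value || [ -n "$key" ]; do
      case $key in (''|'#'*) continue ;; esac
      value=$(printf '%s' "$value" | tr -d '\r"')  # drop CR and double quotes
      seen="$seen$key "
      check_pair "$key" "$value"
    done < "$1"
    # A secret missing from the file is a finding too.
    for required in SECRET_KEY POSTGRES_PASSWORD REDIS_PASSWORD; do
      case $seen in
        (*" $required "*) ;;
        (*) echo "$required: not set in this file" ;;
      esac
    done
  )
  if [ -z "$findings" ]; then return 0; fi
  printf '%s\n' "$findings"
  return 1
}

# Demo on a constructed .env that keeps the README defaults.
demo=$(mktemp)
printf '%s\n' 'APP_ENV=production' 'SECRET_KEY=changeme' \
  'POSTGRES_PASSWORD=socpassword' 'REDIS_PASSWORD=redispass' > "$demo"
audit_env "$demo" || echo "rotate the values above before deploying"
rm -f "$demo"
```

Running `audit_env .env` before `docker compose up -d --build` stops a deployment that still uses the published credentials; the non-zero exit status makes it usable as a CI step.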