mohittchoudhary/Cyber-Incident-Response
GitHub: mohittchoudhary/Cyber-Incident-Response
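This project builds a reinforcement learning environment in which an AI agent simulates a SOC analyst, with the aim of training automated threat-response policies by handling security alerts.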
Stars: 0 | Forks: 1
```
title: Cyber Incident Response Agent
emoji: 🛡️
colorFrom: red
colorTo: blue
sdk: docker
app_port: 7860
pinned: true
```
# 🛡️ Cyber Incident Response — SOC Agent RL Environment
**Team: Dominex**
An AI agent acts as a SOC Analyst, processing security alerts from the Sentinel Risk Engine and deciding the most effective response to mitigate threats while maintaining operational business continuity.
| Action | Meaning |
|---------------|--------------------------------------------------------|
| `ignore` | False positive — noise correctly identified and suppressed. |
| `monitor` | Minor risk — continue tracking without active intervention. |
| `investigate` | Medium risk — anomaly requiring deeper technical triage. |
| `block` | High severity — active defense measures to halt the threat. |
| `escalate` | Critical threat — immediate handover to IR expert team. |
Rewards are based on a **3D Grader Matrix** (Severity, False Positive Status, and Action). The environment penalizes over-reaction (blocking innocent admins), neglect (ignoring critical breaches), and operational downtime.
## 📁 Project Structure
```
Cyber-Incident-Response/
├── Dockerfile # Containerized environment for hackathon submission
├── README.md # This file
├── pyproject.toml # Project metadata & dependencies
├── uv.lock # Pinned dependencies (uv)
├── openenv.yaml # OpenEnv environment specification (8Gi RAM)
├── models.py # Pydantic models: CIRObservation, CIRReward, etc.
├── inference.py # Local LLM-powered SOC Inference loop
├── client.py # Typed Python client for environment interaction
├── server/
│ ├── app.py # FastAPI Server + Interactive Sentinel Dashboard
│ ├── environment.py # Core SOC RL Logic & 3D Reward Engine
│ └── requirements.txt # Pinned production dependencies
└── tasks/
    ├── easy.json # 3 scenarios: Basic threat triage
    ├── medium.json # 5 scenarios: Nuanced role-based alerts
    └── hard.json # 7 scenarios: Advanced breaches & False Positives
```
## ⚡ Quick Start
### Prerequisites
- Python ≥ 3.10
- [uv](https://docs.astral.sh/uv/) (recommended)
- OpenAI / OpenRouter API Key (exported as `HF_TOKEN` for inference)
### 1. Clone & Install
```
# Replace <repo-url> with this repository's clone URL
git clone <repo-url> && cd Cyber-Incident-Response
# Install dependencies using uv
uv venv && uv pip install -e ".[dev]"
```
### 2. Set Environment Variables
```
export HF_TOKEN="your_api_key_here"
# Optional: Configure model infrastructure
export API_BASE_URL="https://openrouter.ai/api/v1"
export MODEL_NAME="google/gemini-2.0-flash-lite-001"
```
### 3. Launch Interactive Dashboard
```
uv run python server/app.py
```
Visit `http://localhost:7860` to access the **Interactive Sentinel Dashboard** with real-time Mission Progress tracking.
### 4. Run Inference Benchmark
```
# Run the local evaluation suite
uv run python inference.py
```
## 🧩 Environment Details
### Observation Schema (Sentinel Telemetry)
| Field | Type | Description |
|------------------|--------|-------------------------------------------------|
| `alert_type` | string | The nature of the threat (e.g. data_exfiltration)|
| `risk_score` | float | Normalized severity from `0.0` to `1.0` |
| `user_role` | string | Role of actor: `admin`, `system`, `user`, etc. |
| `location` | string | Origin of activity: `local` or `foreign` |
| `previous_flags` | int | Historical hygiene penalty count |
| `time_of_day` | string | Time window of activity (e.g. `midnight`) |
### Reward & Impact
The environment tracks **Operational Damage** and **Cumulative Downtime**. Blocking a high-value `system` or `admin` account without critical justification incurs severe operational penalties, modeling real-world business constraints.
### Task Tiers
| Tier | Scenarios | Max Steps | Description |
|--------|-----------|-----------|---------------------------------------|
| easy | 3 | 5 | Unambiguous triage cases |
| medium | 5 | 7 | Mixed alerts with operational sensitivity|
| hard | 7 | 10 | Complex breaches and noise patterns |
## 📡 Advanced Sentinel Tracking
Every `step()` includes an `info` packet containing **Sentinel Insights**:
- **Location Risk Factor**: 1.5x multiplier for foreign origins.
- **Role Impact Level**: 1.4x scaling for critical accounts.
- **Downtime Counter**: Cumulative minutes of infrastructure disruption.
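
The sketch below is an added example, not the project's `server/environment.py`. It shows how a grader over the three axes (severity, false-positive status, action) could apply the 1.5x and 1.4x factors listed above and accumulate downtime. The severity cut-offs, reward magnitudes, the 30-minute block downtime, the `info` key names and the reading of "critical accounts" as `admin`/`system` are all assumptions.

```python
# Added illustration, not the project's server/environment.py.
# Assumed: severity cut-offs, reward magnitudes, 30-minute block downtime.
ACTIONS = ["ignore", "monitor", "investigate", "block", "escalate"]
CRITICAL_ROLES = {"admin", "system"}  # assumed reading of "critical accounts"
IDEAL = {"low": "monitor", "medium": "investigate",
         "high": "block", "critical": "escalate"}


def severity(risk_score):
    """Bucket the normalized risk_score into a severity axis (assumed cut-offs)."""
    if risk_score < 0.3:
        return "low"
    if risk_score < 0.6:
        return "medium"
    return "high" if risk_score < 0.85 else "critical"


def grade(obs, is_false_positive, action):
    """Score one step on the three axes: severity, false-positive status, action."""
    ideal = "ignore" if is_false_positive else IDEAL[severity(obs["risk_score"])]
    gap = ACTIONS.index(action) - ACTIONS.index(ideal)  # >0 over-reaction, <0 neglect
    loc = 1.5 if obs["location"] == "foreign" else 1.0  # Location Risk Factor
    role = 1.4 if obs["user_role"] in CRITICAL_ROLES else 1.0  # Role Impact
    if gap == 0:
        reward = 1.0
    elif gap < 0:
        reward = -0.5 * -gap * loc   # neglect costs more for foreign origins
    else:
        reward = -0.3 * gap * role   # over-reaction costs more on critical accounts
    downtime = 30 if gap > 0 and action == "block" else 0
    info = {"location_risk_factor": loc, "role_impact": role,
            "downtime_minutes": downtime}
    return round(reward, 3), info


def run_episode(steps):
    """Sum reward and cumulative downtime over (obs, is_false_positive, action) steps."""
    total, downtime = 0.0, 0
    for obs, is_fp, action in steps:
        reward, info = grade(obs, is_fp, action)
        total += reward
        downtime += info["downtime_minutes"]
    return round(total, 3), downtime


# Constructed sample alerts using the observation fields from the schema above.
BREACH = {"alert_type": "data_exfiltration", "risk_score": 0.9, "user_role": "user",
          "location": "foreign", "previous_flags": 2, "time_of_day": "midnight"}
ADMIN_NOISE = {"alert_type": "data_exfiltration", "risk_score": 0.7, "user_role": "admin",
               "location": "local", "previous_flags": 0, "time_of_day": "midnight"}
```

Grading `ADMIN_NOISE` as a false positive that was blocked shows the over-reaction penalty and the downtime charge together, while ignoring `BREACH` shows the neglect penalty scaled by the foreign-origin factor.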
## 📄 License
Developed by **Team Dominex** for the Meta OpenEnv Hackathon 2026.