bhumeshtiruveedhula1/AEGIS

GitHub: bhumeshtiruveedhula1/AEGIS

面向关键国家基础设施的 AI 驱动网络弹性平台,结合无监督异常检测、攻击图谱推理与 LLM 研判,实现实时威胁发现与人工审核的自主事件响应。

Stars: 0 | Forks: 0

# CyberShield — AI 驱动的网络弹性平台 ## 关键国家基础设施保护 [![CI](https://github.com/your-org/cybershield/actions/workflows/ci.yml/badge.svg)](https://github.com/your-org/cybershield/actions) [![Python](https://img.shields.io/badge/python-3.11%2B-blue)](https://python.org) [![代码风格: ruff](https://img.shields.io/badge/code%20style-ruff-000000.svg)](https://github.com/astral-sh/ruff) [![Mypy](https://img.shields.io/badge/mypy-strict-blue)](https://mypy.readthedocs.io) ## 概述 **CyberShield Autonomous Response (CAR)** 是一个用于关键国家基础设施(CNI)保护的实时异常检测与自主事件响应平台。 它结合了: - **无监督 ML**(Isolation Forest)—— 无需标注数据即可检测零日攻击 - **攻击图谱推理**(NetworkX + MITRE ATT&CK)—— 映射威胁链 - **LLM 分析**(Anthropic Claude)—— 用通俗易懂的语言解释威胁 - **人工审核的响应** —— SOC 分析师批准所有自主操作 ## 架构 ``` Log Collection → Normalisation → Feature Engineering → Isolation Forest → SHAP Explainability → MITRE ATT&CK Mapping → Attack Graph → LLM Reasoning (Claude) → Response Orchestrator → Human Approval Gate → Action Execution → Audit Log → Dashboard ``` 有关完整的技术图表,请参阅 [docs/architecture.md](docs/architecture.md)。 ## 快速开始 ### 前置条件 - Python 3.11+ - Docker & Docker Compose - Git ### 1. 克隆与设置 ``` git clone https://github.com/your-org/cybershield.git cd cybershield chmod +x scripts/setup_dev.sh ./scripts/setup_dev.sh ``` ### 2. 配置环境 ``` # 使用你的设置编辑 .env nano .env # 至少设置: # SECRET_KEY= # ANTHROPIC_API_KEY= (Week 3+ 需要) ``` ### 3. 运行开发服务器 ``` # 激活虚拟环境 source .venv/bin/activate # 启动 server(hot-reload) make run ``` API 现已可在以下地址访问: - **API:** http://localhost:8000 - **健康检查:** http://localhost:8000/health - **文档:** http://localhost:8000/docs ### 4. 运行测试 ``` make test # full suite with coverage make test-fast # fast, no coverage make test-unit # unit tests only ``` ### 5. 运行 Linting ``` make lint # ruff + mypy ``` ## 项目结构 ``` cybershield/ ├── backend/ │ ├── core/ # Config, logging, exceptions, health checks │ ├── shared/ # Types, base models, utilities │ ├── ingestion/ # [Week 1] Log collection │ ├── normalization/ # [Week 1] Log parsing & normalisation │ ├── features/ # [Week 1] Feature engineering │ ├── detection/ # [Week 2] Isolation Forest │ ├── explainability/ # [Week 2] SHAP explanations │ ├── mitre/ # [Week 2] MITRE ATT&CK mapping │ ├── graph/ # [Week 2] Attack graph reasoning │ ├── llm/ # [Week 3] Claude enrichment │ ├── response/ # [Week 3] Response orchestration │ ├── audit/ # [Week 3] Audit logging │ ├── dashboard/ # [Week 4] Metrics API │ └── api/ # FastAPI application layer ├── tests/ │ ├── unit/ # Fast, isolated unit tests │ └── integration/ # End-to-end HTTP tests ├── data/ # Data artifacts (gitignored) ├── models/ # Trained model files (gitignored) ├── docker/ # Dockerfiles and compose ├── scripts/ # Developer tooling ├── docs/ # Architecture and developer docs └── reports/ # Generated reports (gitignored) ``` ## 开发工作流 | 命令 | 描述 | |---------|-------------| | `make install` | 设置开发环境 | | `make run` | 启动带有热重载的开发服务器 | | `make test` | 运行完整测试套件 | | `make test-fast` | 运行测试(不包含覆盖率) | | `make lint` | 运行 ruff + mypy | | `make docker-up` | 通过 Docker 启动服务 | | `make clean` | 删除生成的构建产物 | | `make help` | 显示所有可用目标 | ## 技术栈 | 层级 | 技术 | |-------|-----------| | 语言 | Python 3.11+ | | Web 框架 | FastAPI | | ML | scikit-learn (Isolation Forest) | | 可解释性 | SHAP | | 图谱 | NetworkX | | LLM | Anthropic Claude | | 日志 | structlog (JSON) | | 配置 | Pydantic Settings | | 数据库 | SQLite (开发) → PostgreSQL (生产) | | 容器 | Docker | | 测试 | pytest + pytest-cov | | Linting | ruff + mypy | ## 文档 | 文档 | 描述 | |----------|-------------| | [docs/architecture.md](docs/architecture.md) | 完整的系统架构 | | [docs/developer_guide.md](docs/developer_guide.md) | 贡献指南 | | [docs/module_contracts.md](docs/module_contracts.md) | 模块接口 | | [docs/adr/](docs/adr/) | 架构决策记录 | ## 实施时间表 | 周 | 模块 | 状态 | |------|--------|--------| | 0 | 学习 + 研究 | ✅ 已完成 | | **1** | **1.1 代码仓库基础** | ✅ **本 PR** | | 1 | 1.2–1.4 日志流水线 + 特征 | ⏳ 下一步 | | 2 | 2.x ML + 图谱引擎 | ⏳ 已规划 | | 3 | 3.x LLM + 响应 | ⏳ 已规划 | | 4 | 4.x 完善与演示 | ⏳ 已规划 | ## 许可证 专有软件 —— CyberShield 团队。保留所有权利。
标签:Cloudflare, DLL 劫持, IP 地址批量处理, MITRE ATT&CK, 图人工智能, 大语言模型, 安全规则引擎, 安全防护, 异常检测, 无监督学习, 特权检测, 自主事件响应, 请求拦截, 逆向工具