bhumeshtiruveedhula1/AEGIS
GitHub: bhumeshtiruveedhula1/AEGIS
面向关键国家基础设施的 AI 驱动网络弹性平台,结合无监督异常检测、攻击图谱推理与 LLM 研判,实现实时威胁发现与人工审核的自主事件响应。
Stars: 0 | Forks: 0
# CyberShield — AI 驱动的网络弹性平台
## 关键国家基础设施保护
[](https://github.com/your-org/cybershield/actions)
[](https://python.org)
[](https://github.com/astral-sh/ruff)
[](https://mypy.readthedocs.io)
## 概述
**CyberShield Autonomous Response (CAR)** 是一个用于关键国家基础设施(CNI)保护的实时异常检测与自主事件响应平台。
它结合了:
- **无监督 ML**(Isolation Forest)—— 无需标注数据即可检测零日攻击
- **攻击图谱推理**(NetworkX + MITRE ATT&CK)—— 映射威胁链
- **LLM 分析**(Anthropic Claude)—— 用通俗易懂的语言解释威胁
- **人工审核的响应** —— SOC 分析师批准所有自主操作
## 架构
```
Log Collection → Normalisation → Feature Engineering → Isolation Forest
→ SHAP Explainability → MITRE ATT&CK Mapping → Attack Graph
→ LLM Reasoning (Claude) → Response Orchestrator
→ Human Approval Gate → Action Execution → Audit Log → Dashboard
```
有关完整的技术图表,请参阅 [docs/architecture.md](docs/architecture.md)。
## 快速开始
### 前置条件
- Python 3.11+
- Docker & Docker Compose
- Git
### 1. 克隆与设置
```
git clone https://github.com/your-org/cybershield.git
cd cybershield
chmod +x scripts/setup_dev.sh
./scripts/setup_dev.sh
```
### 2. 配置环境
```
# 使用你的设置编辑 .env
nano .env
# 至少设置:
# SECRET_KEY=
# ANTHROPIC_API_KEY= (Week 3+ 需要)
```
### 3. 运行开发服务器
```
# 激活虚拟环境
source .venv/bin/activate
# 启动 server(hot-reload)
make run
```
API 现已可在以下地址访问:
- **API:** http://localhost:8000
- **健康检查:** http://localhost:8000/health
- **文档:** http://localhost:8000/docs
### 4. 运行测试
```
make test # full suite with coverage
make test-fast # fast, no coverage
make test-unit # unit tests only
```
### 5. 运行 Linting
```
make lint # ruff + mypy
```
## 项目结构
```
cybershield/
├── backend/
│ ├── core/ # Config, logging, exceptions, health checks
│ ├── shared/ # Types, base models, utilities
│ ├── ingestion/ # [Week 1] Log collection
│ ├── normalization/ # [Week 1] Log parsing & normalisation
│ ├── features/ # [Week 1] Feature engineering
│ ├── detection/ # [Week 2] Isolation Forest
│ ├── explainability/ # [Week 2] SHAP explanations
│ ├── mitre/ # [Week 2] MITRE ATT&CK mapping
│ ├── graph/ # [Week 2] Attack graph reasoning
│ ├── llm/ # [Week 3] Claude enrichment
│ ├── response/ # [Week 3] Response orchestration
│ ├── audit/ # [Week 3] Audit logging
│ ├── dashboard/ # [Week 4] Metrics API
│ └── api/ # FastAPI application layer
├── tests/
│ ├── unit/ # Fast, isolated unit tests
│ └── integration/ # End-to-end HTTP tests
├── data/ # Data artifacts (gitignored)
├── models/ # Trained model files (gitignored)
├── docker/ # Dockerfiles and compose
├── scripts/ # Developer tooling
├── docs/ # Architecture and developer docs
└── reports/ # Generated reports (gitignored)
```
## 开发工作流
| 命令 | 描述 |
|---------|-------------|
| `make install` | 设置开发环境 |
| `make run` | 启动带有热重载的开发服务器 |
| `make test` | 运行完整测试套件 |
| `make test-fast` | 运行测试(不包含覆盖率) |
| `make lint` | 运行 ruff + mypy |
| `make docker-up` | 通过 Docker 启动服务 |
| `make clean` | 删除生成的构建产物 |
| `make help` | 显示所有可用目标 |
## 技术栈
| 层级 | 技术 |
|-------|-----------|
| 语言 | Python 3.11+ |
| Web 框架 | FastAPI |
| ML | scikit-learn (Isolation Forest) |
| 可解释性 | SHAP |
| 图谱 | NetworkX |
| LLM | Anthropic Claude |
| 日志 | structlog (JSON) |
| 配置 | Pydantic Settings |
| 数据库 | SQLite (开发) → PostgreSQL (生产) |
| 容器 | Docker |
| 测试 | pytest + pytest-cov |
| Linting | ruff + mypy |
## 文档
| 文档 | 描述 |
|----------|-------------|
| [docs/architecture.md](docs/architecture.md) | 完整的系统架构 |
| [docs/developer_guide.md](docs/developer_guide.md) | 贡献指南 |
| [docs/module_contracts.md](docs/module_contracts.md) | 模块接口 |
| [docs/adr/](docs/adr/) | 架构决策记录 |
## 实施时间表
| 周 | 模块 | 状态 |
|------|--------|--------|
| 0 | 学习 + 研究 | ✅ 已完成 |
| **1** | **1.1 代码仓库基础** | ✅ **本 PR** |
| 1 | 1.2–1.4 日志流水线 + 特征 | ⏳ 下一步 |
| 2 | 2.x ML + 图谱引擎 | ⏳ 已规划 |
| 3 | 3.x LLM + 响应 | ⏳ 已规划 |
| 4 | 4.x 完善与演示 | ⏳ 已规划 |
## 许可证
专有软件 —— CyberShield 团队。保留所有权利。
标签:Cloudflare, DLL 劫持, IP 地址批量处理, MITRE ATT&CK, 图人工智能, 大语言模型, 安全规则引擎, 安全防护, 异常检测, 无监督学习, 特权检测, 自主事件响应, 请求拦截, 逆向工具