detection

package
Published: Jan 31, 2026 License: MIT Imports: 6 Imported by: 0

Documentation

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

func ComputeTopologySimilarity

func ComputeTopologySimilarity(topo *topology.FunctionTopology, sig Signature) float64

func ExtractStringPatterns

func ExtractStringPatterns(literals []string) []string

func GenerateTopologyHash

func GenerateTopologyHash(topo *topology.FunctionTopology) string

func HasReconnectLogic

func HasReconnectLogic(topo *topology.FunctionTopology) bool

func MatchCalls

func MatchCalls(topo *topology.FunctionTopology, required []string) (score float64, matched, missing []string)

func MatchStrings

func MatchStrings(topo *topology.FunctionTopology, patterns []string) (score float64, matched []string)

Types

type ControlFlowHints

type ControlFlowHints struct {
	// Whether an infinite-loop pattern was observed; omitted from JSON when false.
	HasInfiniteLoop   bool `json:"has_infinite_loop,omitempty"`
	// Whether reconnect logic was observed (cf. the package-level HasReconnectLogic
	// function); omitted from JSON when false.
	HasReconnectLogic bool `json:"has_reconnect_logic,omitempty"`
}

ControlFlowHints captures control-flow patterns observed in a function.

type IdentifyingFeatures

type IdentifyingFeatures struct {
	// Calls the function is expected to make; presumably the `required` argument
	// passed to MatchCalls, which reports which were matched and which are missing.
	RequiredCalls  []string          `json:"required_calls,omitempty"`
	// Calls that are not mandatory for a match. How (or whether) they affect the
	// score is not visible on this page — confirm against MatchSignature.
	OptionalCalls  []string          `json:"optional_calls,omitempty"`
	// String patterns to look for; MatchStrings takes a `patterns` slice of this
	// shape, and ExtractStringPatterns derives such patterns from literals.
	StringPatterns []string          `json:"string_patterns,omitempty"`
	// Optional control-flow hints; nil means none, and the key is dropped from JSON.
	ControlFlow    *ControlFlowHints `json:"control_flow,omitempty"`
}

IdentifyingFeatures captures behavioral markers for detection.

type MatchDetails

type MatchDetails struct {
	// Whether the topology criterion was satisfied.
	TopologyMatch      bool     `json:"topology_match"`
	// Whether the entropy criterion was satisfied.
	EntropyMatch       bool     `json:"entropy_match"`
	// Required calls that were found; MatchCalls returns a `matched` slice.
	CallsMatched       []string `json:"calls_matched"`
	// Required calls that were not found; MatchCalls returns a `missing` slice.
	CallsMissing       []string `json:"calls_missing"`
	// String patterns that were found; MatchStrings returns a `matched` slice.
	StringsMatched     []string `json:"strings_matched"`
	// Score of the kind produced by ComputeTopologySimilarity. Its range is not
	// stated on this page — do not assume 0..1 without checking.
	TopologySimilarity float64  `json:"topology_similarity"`
	// Distance between observed and signature entropy; presumably what is compared
	// against the entropy tolerance — confirm in MatchSignature.
	EntropyDistance    float64  `json:"entropy_distance"`
}

MatchDetails provides granular information about the match.

type ScanResult

type ScanResult struct {
	// Presumably copied from the matched Signature's ID, Name and Severity — verify
	// in MatchSignature.
	SignatureID     string       `json:"signature_id"`
	SignatureName   string       `json:"signature_name"`
	Severity        string       `json:"severity"`
	// The analyzed function; presumably the funcName argument of MatchSignature.
	MatchedFunction string       `json:"matched_function"`
	// Overall match confidence.
	Confidence      float64      `json:"confidence"` // 0.0 to 1.0
	// Per-criterion breakdown backing Confidence.
	MatchDetails    MatchDetails `json:"match_details"`
}

ScanResult represents a match between analyzed code and a signature.

func MatchSignature

func MatchSignature(topo *topology.FunctionTopology, funcName string, sig Signature, entropyTolerance float64) ScanResult

MatchSignature checks a single function topology against one signature and reports the outcome as a ScanResult.

type Signature

type Signature struct {
	// Identity and triage fields. IndexFunction populates Name, Description,
	// Severity and Category from its string arguments.
	ID                  string              `json:"id"`
	Name                string              `json:"name"`
	Description         string              `json:"description"`
	Severity            string              `json:"severity"`
	Category            string              `json:"category"`
	// Exact topology hash, of the kind returned by GenerateTopologyHash.
	TopologyHash        string              `json:"topology_hash"`
	// Optional fuzzy hash; omitted from JSON when empty.
	FuzzyHash           string              `json:"fuzzy_hash,omitempty"`
	// Reference entropy and the tolerance around it.
	// NOTE(review): MatchSignature also takes an entropyTolerance parameter; which
	// of the two governs the comparison is not visible here — confirm.
	EntropyScore        float64             `json:"entropy_score"`
	EntropyTolerance    float64             `json:"entropy_tolerance"`
	// Structural size markers of the reference topology.
	NodeCount           int                 `json:"node_count"`
	LoopDepth           int                 `json:"loop_depth"`
	// Behavioral markers (calls, strings, control flow) used by the match.
	IdentifyingFeatures IdentifyingFeatures `json:"identifying_features"`
	// Provenance of the signature entry.
	Metadata            SignatureMetadata   `json:"metadata"`
}

Signature represents a single malware signature entry.

func IndexFunction

func IndexFunction(topo *topology.FunctionTopology, name, description, severity, category string) Signature

type SignatureDatabase

type SignatureDatabase struct {
	// Database version string; its format is not specified on this page.
	Version     string      `json:"version"`
	Description string      `json:"description"`
	// All signature entries in the database.
	// NOTE(review): no integrity field (checksum or signature over the whole
	// database) is declared here. If the database is loaded from a location the
	// process does not control, verify it out of band — confirm how it is loaded.
	Signatures  []Signature `json:"signatures"`
}

SignatureDatabase represents the malware signature database.

type SignatureMetadata

type SignatureMetadata struct {
	// Who authored the signature entry.
	Author     string   `json:"author"`
	// Creation date as a string; the expected format is not specified on this page.
	Created    string   `json:"created"`
	// Supporting references; omitted from JSON when empty.
	References []string `json:"references,omitempty"`
}

SignatureMetadata contains provenance information.
