Update app.py

app.py

@@ -376,98 +376,157 @@ def detect_threats(logs, sensitivity):
     start_time = time.time()
     
     try:
-        if pipe is not None:
-            # Use GPT-OSS-20B for AI-powered detection
-            prompt = f"""Analyze these security logs for threats:
-
-{logs}
-
-Detection sensitivity: {sensitivity}
-
-Analysis:"""
-
-            response = pipe(
-                prompt,
-                max_new_tokens=200,
-                do_sample=True,
-                temperature=0.3,
-                pad_token_id=50256,
-                truncation=True
-            )
-            
-            ai_analysis = response[0]['generated_text'].split("Analysis:")[-1].strip()
-            
-        else:
-            # Fallback to pattern-based detection
-            ai_analysis = "AI model unavailable. Using pattern-based detection."
-        
-        # Enhanced pattern-based detection as backup/supplement
+        # Enhanced pattern-based detection with detailed analysis
         threats = []
         risk_score = 0
+        detailed_findings = []
         
-        # Authentication threats
-        failed_logins = len(re.findall(r'failed.*login|authentication.*failed', logs, re.IGNORECASE))
-        if failed_logins > 3:
-            threats.append(f"🚨 Brute Force Attack ({failed_logins} failed attempts)")
-            risk_score += 30
-        elif failed_logins > 0:
-            threats.append(f"⚠️ Failed Authentication ({failed_logins} attempts)")
-            risk_score += 15
+        # Authentication threats analysis
+        auth_failures = re.findall(r'failed.*login.*[\'"]([^\'"]*).*from\s+([\d\.]+)', logs, re.IGNORECASE)
+        if auth_failures:
+            usernames = [match[0] for match in auth_failures]
+            ips = list(set([match[1] for match in auth_failures]))
+            
+            if len(auth_failures) >= 3:
+                threats.append("🚨 CRITICAL: Brute Force Attack")
+                detailed_findings.append(f"Multiple failed login attempts detected:")
+                detailed_findings.append(f"  - {len(auth_failures)} failed attempts")
+                detailed_findings.append(f"  - Targeted accounts: {', '.join(set(usernames))}")
+                detailed_findings.append(f"  - Source IPs: {', '.join(ips)}")
+                risk_score += 35
+            else:
+                threats.append("⚠️ Authentication Failures")
+                risk_score += 15
         
-        # Malicious execution
-        if re.search(r'powershell.*-enc|cmd\.exe|eval\(|exec\(', logs, re.IGNORECASE):
-            threats.append("🚨 Malicious Script Execution")
-            risk_score += 35
+        # Malicious script execution
+        powershell_matches = re.findall(r'powershell.*-enc\s+([A-Za-z0-9+/=]+)', logs, re.IGNORECASE)
+        if powershell_matches:
+            threats.append("🚨 CRITICAL: Encoded PowerShell Execution")
+            detailed_findings.append("Suspicious PowerShell activity:")
+            detailed_findings.append("  - Encoded command execution detected")
+            detailed_findings.append("  - Potential command injection or malware")
+            detailed_findings.append("  - Hidden execution (-WindowStyle Hidden)")
+            risk_score += 40
         
-        # Network anomalies
-        if re.search(r'suspicious.*ip|unusual.*connection', logs, re.IGNORECASE):
-            threats.append("🚨 Suspicious Network Activity")
-            risk_score += 25
+        # Network connections analysis
+        network_matches = re.findall(r'connection to\s+([\d\.]+):(\d+)', logs, re.IGNORECASE)
+        if network_matches:
+            for ip, port in network_matches:
+                if re.search(r'suspicious.*connection', logs, re.IGNORECASE):
+                    threats.append("🚨 HIGH: Suspicious Network Activity")
+                    detailed_findings.append(f"Suspicious outbound connection:")
+                    detailed_findings.append(f"  - Destination: {ip}:{port}")
+                    detailed_findings.append(f"  - Potential C2 communication")
+                    risk_score += 30
         
-        # File anomalies
-        if re.search(r'unusual.*file|suspicious.*access', logs, re.IGNORECASE):
-            threats.append("⚠️ File System Anomaly")
+        # File system anomalies
+        if re.search(r'unusual.*file.*access.*pattern', logs, re.IGNORECASE):
+            threats.append("⚠️ MEDIUM: File System Anomaly")
+            detailed_findings.append("Unusual file access patterns detected")
+            detailed_findings.append("  - Potential data exfiltration or reconnaissance")
             risk_score += 20
         
-        # Generate final result
-        if threats or pipe is not None:
-            severity = "CRITICAL" if risk_score > 50 else "HIGH" if risk_score > 30 else "MEDIUM"
-            confidence = min(95, 70 + len(threats) * 5)
-            
-            result = f"""🚨 THREAT ANALYSIS RESULTS
+        # Multiple connections from same source
+        if re.search(r'multiple.*connections.*same.*source', logs, re.IGNORECASE):
+            threats.append("⚠️ MEDIUM: Persistent Connection Attempts")
+            detailed_findings.append("Multiple connections from same source IP")
+            detailed_findings.append("  - Potential persistence mechanism")
+            risk_score += 15
+        
+        # AI Analysis if model available
+        ai_analysis = ""
+        if pipe is not None:
+            try:
+                prompt = f"""Security Log Analysis - Detect threats and provide detailed assessment:
 
-AI ANALYSIS:
-{ai_analysis}
+{logs}
 
-DETECTED PATTERNS:
-{chr(10).join(f"• {threat}" for threat in threats) if threats else "• No obvious threat patterns detected"}
+Sensitivity: {sensitivity}
+
+Identify all security threats, attack patterns, and provide risk assessment:"""
+
+                response = pipe(
+                    prompt,
+                    max_new_tokens=250,
+                    do_sample=True,
+                    temperature=0.3,
+                    pad_token_id=50256,
+                    truncation=True
+                )
+                
+                ai_analysis = response[0]['generated_text'].split("Identify all security threats")[-1].strip()
+            except:
+                ai_analysis = "AI analysis temporarily unavailable"
+        
+        # Severity calculation with sensitivity adjustment
+        sensitivity_multiplier = {"High": 1.3, "Medium": 1.0, "Low": 0.7}
+        adjusted_score = min(100, risk_score * sensitivity_multiplier.get(sensitivity, 1.0))
+        
+        if threats:
+            if adjusted_score >= 70:
+                severity = "CRITICAL"
+            elif adjusted_score >= 50:
+                severity = "HIGH"
+            elif adjusted_score >= 30:
+                severity = "MEDIUM"
+            else:
+                severity = "LOW"
+            
+            confidence = min(95, 75 + len(threats) * 5)
+            
+            result = f"""🚨 THREAT DETECTION RESULTS
 
 ASSESSMENT:
-• Risk Score: {risk_score}/100
-• Severity: {severity if threats else "LOW"}
+• Risk Score: {int(adjusted_score)}/100
+• Severity: {severity}
 • Confidence: {confidence}%
 • Model: {"GPT-OSS-20B" if pipe else "Pattern-based"}
 
+DETECTED THREATS:
+{chr(10).join(f"• {threat}" for threat in threats)}
+
+DETAILED FINDINGS:
+{chr(10).join(detailed_findings)}
+
+{f"AI ANALYSIS:{chr(10)}{ai_analysis}{chr(10)}" if ai_analysis and ai_analysis != "AI analysis temporarily unavailable" else ""}
+
 RECOMMENDATIONS:
-• {"Immediate containment required" if risk_score > 40 else "Continue monitoring"}
-• {"Escalate to L2 analyst" if risk_score > 30 else "Standard response"}
-• Preserve all evidence
-• Update threat intelligence"""
+• {"🔴 Immediate containment required" if adjusted_score >= 60 else "🟡 Enhanced monitoring recommended"}
+• {"🚨 Escalate to L2 analyst immediately" if adjusted_score >= 50 else "📋 Document and continue monitoring"}
+• 🛡️ Preserve all evidence and logs
+• 🔍 Begin threat hunting activities
+• 📊 Update threat intelligence feeds"""
             
-            status = f"🚨 Analysis Complete - {len(threats)} threats found" if threats else "✅ Analysis Complete"
+            status = f"🚨 {len(threats)} THREATS - {severity}"
         else:
-            result = """✅ NO THREATS DETECTED
+            result = f"""✅ NO IMMEDIATE THREATS DETECTED
 
-Clean log analysis with no suspicious patterns identified.
-Continue standard monitoring procedures."""
-            status = "✅ CLEAN"
+ASSESSMENT:
+• Risk Score: {int(adjusted_score)}/100
+• Confidence: 85%
+• Status: Normal Operation
+• Model: {"GPT-OSS-20B" if pipe else "Pattern-based"}
+
+SUMMARY:
+No critical threat patterns identified in the provided logs.
+All activities appear within normal operational parameters.
+
+{f"AI ANALYSIS:{chr(10)}{ai_analysis}{chr(10)}" if ai_analysis and ai_analysis != "AI analysis temporarily unavailable" else ""}
+
+RECOMMENDATIONS:
+• ✅ Continue standard monitoring
+• 📊 Maintain current security posture
+• 🔄 Schedule routine security assessment
+• 📈 Keep detection rules updated"""
+            
+            status = "✅ CLEAN - No Threats"
         
-        time_taken = round(time.time() - start_time, 1)
+        time_taken = round(time.time() - start_time, 2)
         return result, f"{status} ({time_taken}s)"
         
     except Exception as e:
         logger.error(f"Detection error: {str(e)}")
-        return f"❌ Analysis failed: {str(e)}", "❌ ERROR"
+        return f"❌ Detection failed: {str(e)}", "❌ ERROR"
 
 @spaces.GPU
 def analyze_threat(threat, level):
@@ -480,93 +539,167 @@ def analyze_threat(threat, level):
     start_time = time.time()
     
     try:
+        # Extract IOCs and key indicators
+        indicators = {
+            'ips': re.findall(r'\b(?:\d{1,3}\.){3}\d{1,3}\b', threat),
+            'domains': re.findall(r'\b[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}\b', threat),
+            'files': re.findall(r'\b\w+\.(exe|dll|bat|ps1|sh|zip|rar)\b', threat, re.IGNORECASE),
+            'processes': re.findall(r'\b(powershell|cmd|bash|python|java)\.exe\b', threat, re.IGNORECASE)
+        }
+        
+        # AI Analysis if model available
+        ai_analysis = ""
         if pipe is not None:
-            # Use GPT-OSS-20B for AI analysis
-            prompt = f"""As a Level {level} SOC analyst, analyze this security threat:
+            try:
+                prompt = f"""As a Level {level} SOC analyst, analyze this security incident:
 
 {threat}
 
-Provide detailed analysis including:
-1. Threat assessment
-2. Recommended actions
-3. Priority level
-4. Next steps
-
-Analysis:"""
-
-            response = pipe(
-                prompt,
-                max_new_tokens=300,
-                do_sample=True,
-                temperature=0.4,
-                pad_token_id=50256,
-                truncation=True
-            )
-            
-            ai_analysis = response[0]['generated_text'].split("Analysis:")[-1].strip()
-            
-            result = f"""🤖 AI-POWERED {level} ANALYSIS
-
-THREAT ASSESSMENT:
-{ai_analysis}
-
-MODEL: GPT-OSS-20B
-ANALYST LEVEL: {level}
-STATUS: AI Analysis Complete"""
-            
-        else:
-            # Fallback analysis templates
-            templates = {
-                "L1": f"""🚨 L1 TRIAGE ANALYSIS
-                
-THREAT: {threat[:60]}...
-
-IMMEDIATE ACTIONS:
-• Assess severity
-• Isolate systems
-• Document evidence
-• Escalate if high severity
-
-DECISION: Escalate to L2
-PRIORITY: High""",
-
-                "L2": f"""🔍 L2 INVESTIGATION
-                
-INCIDENT: {threat[:60]}...
-
-INVESTIGATION PLAN:
-1. Evidence collection
-2. Timeline analysis  
-3. Scope assessment
-4. IOC identification
-5. Containment measures
-
-NEXT STEPS: Deploy monitoring""",
-
-                "L3": f"""🎯 L3 STRATEGIC ANALYSIS
+Analyst Level: {level}
+- L1: Initial triage and escalation decisions
+- L2: Detailed investigation and response coordination  
+- L3: Strategic response and executive-level analysis
+
+Provide comprehensive analysis including threat assessment, IOCs, recommended actions, and next steps:"""
+
+                response = pipe(
+                    prompt,
+                    max_new_tokens=350,
+                    do_sample=True,
+                    temperature=0.4,
+                    pad_token_id=50256,
+                    truncation=True
+                )
                 
-THREAT ASSESSMENT: {threat[:60]}...
-
-STRATEGIC RESPONSE:
-• Executive notification
-• Business impact review
-• Advanced forensics
-• Recovery planning
-• Security improvements
-
-RECOMMENDATION: Full IR activation"""
-            }
-            
-            result = templates.get(level, templates["L2"])
+                ai_analysis = response[0]['generated_text'].split("Provide comprehensive analysis")[-1].strip()
+            except:
+                ai_analysis = "AI analysis temporarily unavailable - using structured analysis"
+        
+        # Structured analysis based on analyst level
+        if level == "L1":
+            result = f"""🚨 LEVEL 1 TRIAGE ANALYSIS
+
+INCIDENT OVERVIEW:
+{threat[:150]}{'...' if len(threat) > 150 else ''}
+
+{f"AI ASSESSMENT:{chr(10)}{ai_analysis}{chr(10)}" if ai_analysis and "unavailable" not in ai_analysis else ""}
+
+EXTRACTED INDICATORS:
+• IP Addresses: {', '.join(indicators['ips']) if indicators['ips'] else 'None detected'}
+• Processes: {', '.join(indicators['processes']) if indicators['processes'] else 'None detected'}
+• Files: {', '.join(indicators['files']) if indicators['files'] else 'None detected'}
+
+IMMEDIATE TRIAGE ACTIONS:
+1. ✅ Validate threat indicators and scope
+2. 🔍 Assess immediate impact to business operations
+3. 🚨 Determine if systems need isolation
+4. 📋 Document all available evidence
+5. ⚡ Assess criticality and escalation needs
+6. 📞 Notify Level 2 analyst if high severity
+
+SEVERITY ASSESSMENT:
+• Initial Risk: {"HIGH" if any(indicators.values()) else "MEDIUM"}
+• Escalation Required: {"YES - Immediate" if len([v for v in indicators.values() if v]) > 2 else "YES - Standard"}
+• Business Impact: Under Assessment
+
+DECISION: ESCALATE TO L2
+PRIORITY: HIGH
+TIMELINE: Immediate (0-15 minutes)"""
+
+        elif level == "L2":
+            result = f"""🔍 LEVEL 2 INVESTIGATION
+
+INCIDENT CLASSIFICATION:
+{threat[:200]}{'...' if len(threat) > 200 else ''}
+
+{f"AI DETAILED ANALYSIS:{chr(10)}{ai_analysis}{chr(10)}" if ai_analysis and "unavailable" not in ai_analysis else ""}
+
+INDICATORS OF COMPROMISE (IOCs):
+• IP Addresses: {', '.join(indicators['ips']) if indicators['ips'] else 'None identified'}
+• Domains: {', '.join(indicators['domains']) if indicators['domains'] else 'None identified'}
+• Files/Hashes: {', '.join(indicators['files']) if indicators['files'] else 'None identified'}
+• Processes: {', '.join(indicators['processes']) if indicators['processes'] else 'None identified'}
+
+DETAILED INVESTIGATION PLAN:
+1. 📊 Comprehensive log analysis across all systems
+2. ⏰ Timeline reconstruction of attack sequence
+3. 🎯 Scope assessment - identify affected systems
+4. 🔍 IOC identification and threat hunting
+5. 🛡️ Implement immediate containment measures
+6. 🤝 Coordinate with IT for system isolation
+7. 🔎 Begin proactive threat hunting activities
+8. 📈 Update threat intelligence feeds and signatures
+
+CONTAINMENT MEASURES:
+• Network segmentation of affected systems
+• Account disabling if compromise suspected
+• Memory/disk imaging for forensic analysis
+• Traffic monitoring and filtering
+
+NEXT STEPS:
+• Deploy advanced monitoring on critical assets
+• Coordinate with threat intelligence team
+• Prepare incident report for management
+• Consider L3 escalation for strategic response
+
+INVESTIGATION STATUS: ACTIVE
+ESTIMATED COMPLETION: 1-4 hours"""
+
+        else:  # L3
+            result = f"""🎯 LEVEL 3 STRATEGIC ANALYSIS
+
+EXECUTIVE THREAT ASSESSMENT:
+{threat[:250]}{'...' if len(threat) > 250 else ''}
+
+{f"STRATEGIC AI ANALYSIS:{chr(10)}{ai_analysis}{chr(10)}" if ai_analysis and "unavailable" not in ai_analysis else ""}
+
+STRATEGIC INDICATORS:
+• Network IOCs: {len(indicators['ips'])} IP addresses identified
+• Process IOCs: {len(indicators['processes'])} suspicious processes
+• File IOCs: {len(indicators['files'])} potential malicious files
+• Domain IOCs: {len(indicators['domains'])} suspicious domains
+
+STRATEGIC RESPONSE FRAMEWORK:
+1. 🏢 Executive notification and stakeholder briefing
+2. 💼 Business impact assessment and risk quantification
+3. 🔬 Advanced forensic analysis coordination
+4. 🌐 External agency coordination (if required)
+5. 📋 Recovery and remediation planning
+6. 📚 Security policy and procedure updates
+7. 🔄 Post-incident review and lessons learned
+8. 🛡️ Strategic security improvements implementation
+
+BUSINESS IMPACT ANALYSIS:
+• Operational Disruption: Under Assessment
+• Data Integrity: Evaluation in Progress
+• Regulatory Implications: Under Review
+• Reputation Risk: Monitoring Required
+
+RECOVERY PLANNING:
+• System restoration priorities identified
+• Communication strategy established
+• Legal and compliance review initiated
+• Customer/partner notification prepared
+
+STRATEGIC RECOMMENDATIONS:
+• Full incident response activation recommended
+• Consider engaging external forensic experts
+• Implement enhanced monitoring capabilities
+• Review and update incident response procedures
+
+EXECUTIVE DECISION: FULL IR ACTIVATION
+PRIORITY: CRITICAL
+OVERSIGHT: C-Level Involvement Required
+TIMELINE: 4-24 hours for full resolution"""
         
-        time_taken = round(time.time() - start_time, 1)
-        return result, f"✅ {level} Complete ({time_taken}s)"
+        time_taken = round(time.time() - start_time, 2)
+        return result, f"✅ {level} Analysis Complete ({time_taken}s)"
         
     except Exception as e:
         logger.error(f"Analysis error: {str(e)}")
         return f"❌ Analysis failed: {str(e)}", "❌ ERROR"
 
-# Sample data
+# Sample data - matches the scenario in the screenshot
 SAMPLE_LOGS = """2025-08-11 14:30:15 [AUTH] Failed login: 'admin' from 192.168.1.100
 2025-08-11 14:30:18 [AUTH] Failed login: 'administrator' from 192.168.1.100  
 2025-08-11 14:30:45 [PROC] powershell.exe -WindowStyle Hidden -enc ZXhlYyBjYWxjLmV4ZQ==