@panguard-ai/threat-cloud 0.1.0

package/dist/query-handlers.js

@@ -0,0 +1,211 @@
+/**
+ * Query Handlers for advanced analytics
+ * 進階分析查詢處理器
+ *
+ * Provides timeseries, geo distribution, trends, and MITRE heatmap queries.
+ *
+ * @module @panguard-ai/threat-cloud/query-handlers
+ */
+export class QueryHandlers {
+    db;
+    constructor(db) {
+        this.db = db;
+    }
+    /**
+     * Time-series query: event counts grouped by time bucket.
+     * 時間序列查詢：依時間桶分組的事件計數
+     */
+    getTimeSeries(granularity = 'day', since, attackType) {
+        const sinceDate = since ?? new Date(Date.now() - 30 * 24 * 60 * 60 * 1000).toISOString();
+        // Whitelist granularity → strftime format to prevent SQL injection
+        const GRANULARITY_FORMATS = {
+            hour: '%Y-%m-%dT%H:00:00Z',
+            week: '%Y-W%W',
+            day: '%Y-%m-%d',
+        };
+        const format = GRANULARITY_FORMATS[granularity] ?? GRANULARITY_FORMATS['day'];
+        const conditions = ['timestamp > ?'];
+        const params = [sinceDate];
+        if (attackType) {
+            conditions.push('attack_type = ?');
+            params.push(attackType);
+        }
+        const where = conditions.join(' AND ');
+        const rows = this.db
+            .prepare(`SELECT strftime('${format}', timestamp) as ts, COUNT(*) as count
+         FROM enriched_threats
+         WHERE ${where}
+         GROUP BY ts
+         ORDER BY ts ASC`)
+            .all(...params);
+        return rows.map((r) => ({ timestamp: r.ts, count: r.count }));
+    }
+    /**
+     * Geographic distribution query.
+     * 地理分佈查詢
+     */
+    getGeoDistribution(since) {
+        const sinceDate = since ?? new Date(Date.now() - 30 * 24 * 60 * 60 * 1000).toISOString();
+        const regionRows = this.db
+            .prepare(`SELECT region, COUNT(*) as count, COUNT(DISTINCT attack_source_ip) as unique_ips
+         FROM enriched_threats
+         WHERE timestamp > ?
+         GROUP BY region
+         ORDER BY count DESC`)
+            .all(sinceDate);
+        return regionRows.map((r) => {
+            const topTypes = this.db
+                .prepare(`SELECT attack_type as type, COUNT(*) as count
+           FROM enriched_threats
+           WHERE region = ? AND timestamp > ?
+           GROUP BY attack_type
+           ORDER BY count DESC
+           LIMIT 5`)
+                .all(r.region, sinceDate);
+            return {
+                region: r.region,
+                count: r.count,
+                topAttackTypes: topTypes,
+                uniqueIPs: r.unique_ips,
+            };
+        });
+    }
+    /**
+     * Trend analysis: compare current period with previous period.
+     * 趨勢分析：比較當前與前一期間
+     */
+    getTrends(periodDays = 7) {
+        const now = Date.now();
+        const currentStart = new Date(now - periodDays * 24 * 60 * 60 * 1000).toISOString();
+        const previousStart = new Date(now - periodDays * 2 * 24 * 60 * 60 * 1000).toISOString();
+        const currentCounts = this.db
+            .prepare(`SELECT attack_type, COUNT(*) as count
+         FROM enriched_threats
+         WHERE timestamp > ?
+         GROUP BY attack_type`)
+            .all(currentStart);
+        const previousCounts = this.db
+            .prepare(`SELECT attack_type, COUNT(*) as count
+         FROM enriched_threats
+         WHERE timestamp > ? AND timestamp <= ?
+         GROUP BY attack_type`)
+            .all(previousStart, currentStart);
+        const prevMap = new Map(previousCounts.map((r) => [r.attack_type, r.count]));
+        const allTypes = new Set([
+            ...currentCounts.map((r) => r.attack_type),
+            ...previousCounts.map((r) => r.attack_type),
+        ]);
+        const trends = [];
+        for (const attackType of allTypes) {
+            const currentCount = currentCounts.find((r) => r.attack_type === attackType)?.count ?? 0;
+            const previousCount = prevMap.get(attackType) ?? 0;
+            let changePercent = 0;
+            if (previousCount > 0) {
+                changePercent = Math.round(((currentCount - previousCount) / previousCount) * 100);
+            }
+            else if (currentCount > 0) {
+                changePercent = 100;
+            }
+            let direction = 'stable';
+            if (changePercent > 10)
+                direction = 'rising';
+            else if (changePercent < -10)
+                direction = 'falling';
+            trends.push({ attackType, currentCount, previousCount, changePercent, direction });
+        }
+        return trends.sort((a, b) => b.currentCount - a.currentCount);
+    }
+    /**
+     * MITRE ATT&CK technique heatmap.
+     * MITRE ATT&CK 技術熱力圖
+     */
+    getMitreHeatmap(since) {
+        const sinceDate = since ?? new Date(Date.now() - 30 * 24 * 60 * 60 * 1000).toISOString();
+        const rows = this.db
+            .prepare(`SELECT mitre_techniques, severity
+         FROM enriched_threats
+         WHERE timestamp > ?`)
+            .all(sinceDate);
+        const techMap = new Map();
+        for (const row of rows) {
+            const techniques = JSON.parse(row.mitre_techniques);
+            for (const t of techniques) {
+                const entry = techMap.get(t) ?? { count: 0, severities: [] };
+                entry.count++;
+                entry.severities.push(row.severity);
+                techMap.set(t, entry);
+            }
+        }
+        const severityOrder = ['critical', 'high', 'medium', 'low'];
+        return [...techMap.entries()]
+            .map(([technique, data]) => {
+            const maxSeverity = severityOrder.find((s) => data.severities.includes(s)) ?? 'medium';
+            return { technique, count: data.count, severity: maxSeverity };
+        })
+            .sort((a, b) => b.count - a.count);
+    }
+    /**
+     * Enhanced stats combining all data sources.
+     * 增強統計：整合所有資料來源
+     */
+    getEnhancedStats() {
+        const totalThreats = this.db.prepare('SELECT COUNT(*) as count FROM threats').get().count;
+        const totalRules = this.db.prepare('SELECT COUNT(*) as count FROM rules').get().count;
+        const topAttackTypes = this.db
+            .prepare(`SELECT attack_type as type, COUNT(*) as count
+         FROM threats
+         GROUP BY attack_type
+         ORDER BY count DESC
+         LIMIT 10`)
+            .all();
+        const totalIoCs = this.db.prepare("SELECT COUNT(*) as count FROM iocs WHERE status = 'active'").get().count;
+        const iocsByTypeRows = this.db
+            .prepare(`SELECT type, COUNT(*) as count FROM iocs WHERE status = 'active' GROUP BY type`)
+            .all();
+        const iocsByType = {};
+        for (const row of iocsByTypeRows) {
+            iocsByType[row.type] = row.count;
+        }
+        const activeCampaigns = this.db.prepare("SELECT COUNT(*) as count FROM campaigns WHERE status = 'active'").get().count;
+        const autoGeneratedRules = this.db.prepare('SELECT COUNT(*) as count FROM generated_patterns').get().count;
+        const trapEventsCount = this.db
+            .prepare("SELECT COUNT(*) as count FROM enriched_threats WHERE source_type = 'trap'")
+            .get().count;
+        const guardEventsCount = this.db
+            .prepare("SELECT COUNT(*) as count FROM enriched_threats WHERE source_type = 'guard'")
+            .get().count;
+        const topRegions = this.db
+            .prepare(`SELECT region, COUNT(*) as count
+         FROM enriched_threats
+         GROUP BY region
+         ORDER BY count DESC
+         LIMIT 10`)
+            .all();
+        const topMitreTechniques = this.db
+            .prepare(`SELECT mitre_technique as technique, COUNT(*) as count
+         FROM threats
+         GROUP BY mitre_technique
+         ORDER BY count DESC
+         LIMIT 10`)
+            .all();
+        const last24h = new Date(Date.now() - 24 * 60 * 60 * 1000).toISOString();
+        const last24hThreats = this.db
+            .prepare('SELECT COUNT(*) as count FROM threats WHERE received_at > ?')
+            .get(last24h).count;
+        return {
+            totalThreats,
+            totalRules,
+            topAttackTypes,
+            topMitreTechniques,
+            last24hThreats,
+            totalIoCs,
+            iocsByType,
+            activeCampaigns,
+            autoGeneratedRules,
+            trapEventsCount,
+            guardEventsCount,
+            topRegions,
+        };
+    }
+}
+//# sourceMappingURL=query-handlers.js.map

package/dist/query-handlers.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"query-handlers.js","sourceRoot":"","sources":["../src/query-handlers.ts"],"names":[],"mappings":"AAAA;;;;;;;GAOG;AAWH,MAAM,OAAO,aAAa;IACK;IAA7B,YAA6B,EAAqB;QAArB,OAAE,GAAF,EAAE,CAAmB;IAAG,CAAC;IAEtD;;;OAGG;IACH,aAAa,CACX,cAAuC,KAAK,EAC5C,KAAc,EACd,UAAmB;QAEnB,MAAM,SAAS,GAAG,KAAK,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAEzF,mEAAmE;QACnE,MAAM,mBAAmB,GAA2B;YAClD,IAAI,EAAE,oBAAoB;YAC1B,IAAI,EAAE,QAAQ;YACd,GAAG,EAAE,UAAU;SAChB,CAAC;QACF,MAAM,MAAM,GAAG,mBAAmB,CAAC,WAAW,CAAC,IAAI,mBAAmB,CAAC,KAAK,CAAE,CAAC;QAE/E,MAAM,UAAU,GAAG,CAAC,eAAe,CAAC,CAAC;QACrC,MAAM,MAAM,GAAc,CAAC,SAAS,CAAC,CAAC;QAEtC,IAAI,UAAU,EAAE,CAAC;YACf,UAAU,CAAC,IAAI,CAAC,iBAAiB,CAAC,CAAC;YACnC,MAAM,CAAC,IAAI,CAAC,UAAU,CAAC,CAAC;QAC1B,CAAC;QAED,MAAM,KAAK,GAAG,UAAU,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;QAEvC,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CACN,oBAAoB,MAAM;;iBAEjB,KAAK;;yBAEG,CAClB;aACA,GAAG,CAAC,GAAG,MAAM,CAAyC,CAAC;QAE1D,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,EAAE,SAAS,EAAE,CAAC,CAAC,EAAE,EAAE,KAAK,EAAE,CAAC,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC;IAChE,CAAC;IAED;;;OAGG;IACH,kBAAkB,CAAC,KAAc;QAC/B,MAAM,SAAS,GAAG,KAAK,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAEzF,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE;aACvB,OAAO,CACN;;;;6BAIqB,CACtB;aACA,GAAG,CAAC,SAAS,CAAiE,CAAC;QAElF,OAAO,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE;YAC1B,MAAM,QAAQ,GAAG,IAAI,CAAC,EAAE;iBACrB,OAAO,CACN;;;;;mBAKS,CACV;iBACA,GAAG,CAAC,CAAC,CAAC,MAAM,EAAE,SAAS,CAA2C,CAAC;YAEtE,OAAO;gBACL,MAAM,EAAE,CAAC,CAAC,MAAM;gBAChB,KAAK,EAAE,CAAC,CAAC,KAAK;gBACd,cAAc,EAAE,QAAQ;gBACxB,SAAS,EAAE,CAAC,CAAC,UAAU;aACxB,CAAC;QACJ,CAAC,CAAC,CAAC;IACL,CAAC;IAED;;;OAGG;IACH,SAAS,CAAC,aAAqB,CAAC;QAC9B,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,YAAY,GAAG,IAAI,IAAI,CAAC,GAAG,GAAG,UAAU,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QACpF,MAAM,aAAa,GAAG,IAAI,IAAI,CAAC,GAAG,GAAG,UAAU,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAEzF,MAAM,aAAa,GAAG,IAAI,CAAC,EAAE;aAC1B,OAAO,CACN;;;8BAGsB,CACvB;aACA,GAAG,CAAC,YAAY,CAAkD,CAAC;QAEtE,MAAM,cAAc,GAAG,IAAI,CAAC,EAAE;aAC3B,OAAO,CACN;;;8BAGsB,CACvB;aACA,GAAG,CAAC,aAAa,EAAE,YAAY,CAAkD,CAAC;QAErF,MAAM,OAAO,GAAG,IAAI,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,WAAW,EAAE,CAAC,CAAC,KAAK,CAAC,CAAC,CAAC,CAAC;QAC7E,MAAM,QAAQ,GAAG,IAAI,GAAG,CAAC;YACvB,GAAG,aAAa,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;YAC1C,GAAG,cAAc,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,CAAC;SAC5C,CAAC,CAAC;QAEH,MAAM,MAAM,GAAiB,EAAE,CAAC;QAChC,KAAK,MAAM,UAAU,IAAI,QAAQ,EAAE,CAAC;YAClC,MAAM,YAAY,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,WAAW,KAAK,UAAU,CAAC,EAAE,KAAK,IAAI,CAAC,CAAC;YACzF,MAAM,aAAa,GAAG,OAAO,CAAC,GAAG,CAAC,UAAU,CAAC,IAAI,CAAC,CAAC;YAEnD,IAAI,aAAa,GAAG,CAAC,CAAC;YACtB,IAAI,aAAa,GAAG,CAAC,EAAE,CAAC;gBACtB,aAAa,GAAG,IAAI,CAAC,KAAK,CAAC,CAAC,CAAC,YAAY,GAAG,aAAa,CAAC,GAAG,aAAa,CAAC,GAAG,GAAG,CAAC,CAAC;YACrF,CAAC;iBAAM,IAAI,YAAY,GAAG,CAAC,EAAE,CAAC;gBAC5B,aAAa,GAAG,GAAG,CAAC;YACtB,CAAC;YAED,IAAI,SAAS,GAA4B,QAAQ,CAAC;YAClD,IAAI,aAAa,GAAG,EAAE;gBAAE,SAAS,GAAG,QAAQ,CAAC;iBACxC,IAAI,aAAa,GAAG,CAAC,EAAE;gBAAE,SAAS,GAAG,SAAS,CAAC;YAEpD,MAAM,CAAC,IAAI,CAAC,EAAE,UAAU,EAAE,YAAY,EAAE,aAAa,EAAE,aAAa,EAAE,SAAS,EAAE,CAAC,CAAC;QACrF,CAAC;QAED,OAAO,MAAM,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,YAAY,GAAG,CAAC,CAAC,YAAY,CAAC,CAAC;IAChE,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,KAAc;QAC5B,MAAM,SAAS,GAAG,KAAK,IAAI,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QAEzF,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CACN;;6BAEqB,CACtB;aACA,GAAG,CAAC,SAAS,CAA0D,CAAC;QAE3E,MAAM,OAAO,GAAG,IAAI,GAAG,EAAmD,CAAC;QAE3E,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;YACvB,MAAM,UAAU,GAAG,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,gBAAgB,CAAa,CAAC;YAChE,KAAK,MAAM,CAAC,IAAI,UAAU,EAAE,CAAC;gBAC3B,MAAM,KAAK,GAAG,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,EAAE,KAAK,EAAE,CAAC,EAAE,UAAU,EAAE,EAAE,EAAE,CAAC;gBAC7D,KAAK,CAAC,KAAK,EAAE,CAAC;gBACd,KAAK,CAAC,UAAU,CAAC,IAAI,CAAC,GAAG,CAAC,QAAQ,CAAC,CAAC;gBACpC,OAAO,CAAC,GAAG,CAAC,CAAC,EAAE,KAAK,CAAC,CAAC;YACxB,CAAC;QACH,CAAC;QAED,MAAM,aAAa,GAAG,CAAC,UAAU,EAAE,MAAM,EAAE,QAAQ,EAAE,KAAK,CAAC,CAAC;QAE5D,OAAO,CAAC,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC;aAC1B,GAAG,CAAC,CAAC,CAAC,SAAS,EAAE,IAAI,CAAC,EAAE,EAAE;YACzB,MAAM,WAAW,GAAG,aAAa,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC,UAAU,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC,IAAI,QAAQ,CAAC;YACvF,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,IAAI,CAAC,KAAK,EAAE,QAAQ,EAAE,WAAW,EAAE,CAAC;QACjE,CAAC,CAAC;aACD,IAAI,CAAC,CAAC,CAAC,EAAE,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,GAAG,CAAC,CAAC,KAAK,CAAC,CAAC;IACvC,CAAC;IAED;;;OAGG;IACH,gBAAgB;QACd,MAAM,YAAY,GAChB,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,uCAAuC,CAAC,CAAC,GAAG,EAC7D,CAAC,KAAK,CAAC;QAER,MAAM,UAAU,GACd,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,qCAAqC,CAAC,CAAC,GAAG,EAC3D,CAAC,KAAK,CAAC;QAER,MAAM,cAAc,GAAG,IAAI,CAAC,EAAE;aAC3B,OAAO,CACN;;;;kBAIU,CACX;aACA,GAAG,EAA4C,CAAC;QAEnD,MAAM,SAAS,GACb,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,4DAA4D,CAAC,CAAC,GAAG,EAGlF,CAAC,KAAK,CAAC;QAER,MAAM,cAAc,GAAG,IAAI,CAAC,EAAE;aAC3B,OAAO,CAAC,gFAAgF,CAAC;aACzF,GAAG,EAA4C,CAAC;QAEnD,MAAM,UAAU,GAA2B,EAAE,CAAC;QAC9C,KAAK,MAAM,GAAG,IAAI,cAAc,EAAE,CAAC;YACjC,UAAU,CAAC,GAAG,CAAC,IAAI,CAAC,GAAG,GAAG,CAAC,KAAK,CAAC;QACnC,CAAC;QAED,MAAM,eAAe,GACnB,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,iEAAiE,CAAC,CAAC,GAAG,EAGvF,CAAC,KAAK,CAAC;QAER,MAAM,kBAAkB,GACtB,IAAI,CAAC,EAAE,CAAC,OAAO,CAAC,kDAAkD,CAAC,CAAC,GAAG,EAGxE,CAAC,KAAK,CAAC;QAER,MAAM,eAAe,GACnB,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,2EAA2E,CAAC;aACpF,GAAG,EACP,CAAC,KAAK,CAAC;QAER,MAAM,gBAAgB,GACpB,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,4EAA4E,CAAC;aACrF,GAAG,EACP,CAAC,KAAK,CAAC;QAER,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE;aACvB,OAAO,CACN;;;;kBAIU,CACX;aACA,GAAG,EAA8C,CAAC;QAErD,MAAM,kBAAkB,GAAG,IAAI,CAAC,EAAE;aAC/B,OAAO,CACN;;;;kBAIU,CACX;aACA,GAAG,EAAiD,CAAC;QAExD,MAAM,OAAO,GAAG,IAAI,IAAI,CAAC,IAAI,CAAC,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,GAAG,IAAI,CAAC,CAAC,WAAW,EAAE,CAAC;QACzE,MAAM,cAAc,GAClB,IAAI,CAAC,EAAE;aACJ,OAAO,CAAC,6DAA6D,CAAC;aACtE,GAAG,CAAC,OAAO,CAGf,CAAC,KAAK,CAAC;QAER,OAAO;YACL,YAAY;YACZ,UAAU;YACV,cAAc;YACd,kBAAkB;YAClB,cAAc;YACd,SAAS;YACT,UAAU;YACV,eAAe;YACf,kBAAkB;YAClB,eAAe;YACf,gBAAgB;YAChB,UAAU;SACX,CAAC;IACJ,CAAC;CACF"}

package/dist/reputation-engine.d.ts

@@ -0,0 +1,44 @@
+/**
+ * IoC Reputation Scoring Engine
+ * IoC 信譽評分引擎
+ *
+ * Calculates reputation scores using a weighted formula:
+ *   sighting frequency, severity, recency (time-decay), source diversity, confidence.
+ *
+ * @module @panguard-ai/threat-cloud/reputation-engine
+ */
+import type Database from 'better-sqlite3';
+import type { ReputationConfig } from './types.js';
+export declare class ReputationEngine {
+    private readonly db;
+    private readonly config;
+    constructor(db: Database.Database, config?: Partial<ReputationConfig>);
+    /**
+     * Recalculate reputation scores for all active IoCs.
+     * 重新計算所有活躍 IoC 的信譽分數
+     */
+    recalculateAll(): {
+        updated: number;
+        duration: number;
+    };
+    /**
+     * Calculate reputation for a single IoC by ID.
+     * 計算單一 IoC 的信譽分數
+     */
+    calculateForIoC(iocId: number): number;
+    /**
+     * Core scoring algorithm.
+     * 核心評分演算法
+     */
+    private calculateScore;
+    /** Compute weighted severity score / 計算加權嚴重度分數 */
+    private computeSeverityScore;
+    /** Compute recency score with exponential decay / 計算時間衰減分數 */
+    private computeRecencyScore;
+    /**
+     * Get associated threat data for an IoC.
+     * 取得 IoC 的關聯威脅資料
+     */
+    private getAssociatedThreats;
+}
+//# sourceMappingURL=reputation-engine.d.ts.map

package/dist/reputation-engine.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"reputation-engine.d.ts","sourceRoot":"","sources":["../src/reputation-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAEH,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,gBAAgB,EAAE,MAAM,YAAY,CAAC;AA+BnD,qBAAa,gBAAgB;IAIzB,OAAO,CAAC,QAAQ,CAAC,EAAE;IAHrB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAmB;gBAGvB,EAAE,EAAE,QAAQ,CAAC,QAAQ,EACtC,MAAM,CAAC,EAAE,OAAO,CAAC,gBAAgB,CAAC;IAQpC;;;OAGG;IACH,cAAc,IAAI;QAAE,OAAO,EAAE,MAAM,CAAC;QAAC,QAAQ,EAAE,MAAM,CAAA;KAAE;IA+BvD;;;OAGG;IACH,eAAe,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM;IAoBtC;;;OAGG;IACH,OAAO,CAAC,cAAc;IAkCtB,kDAAkD;IAClD,OAAO,CAAC,oBAAoB;IAa5B,8DAA8D;IAC9D,OAAO,CAAC,mBAAmB;IAQ3B;;;OAGG;IACH,OAAO,CAAC,oBAAoB;CA6D7B"}

package/dist/reputation-engine.js

@@ -0,0 +1,169 @@
+/**
+ * IoC Reputation Scoring Engine
+ * IoC 信譽評分引擎
+ *
+ * Calculates reputation scores using a weighted formula:
+ *   sighting frequency, severity, recency (time-decay), source diversity, confidence.
+ *
+ * @module @panguard-ai/threat-cloud/reputation-engine
+ */
+/** Severity numeric mapping / 嚴重度數值對映 */
+const SEVERITY_MAP = {
+    critical: 100,
+    high: 75,
+    medium: 50,
+    low: 25,
+};
+/** Default config / 預設配置 */
+const DEFAULT_CONFIG = {
+    halfLifeDays: 30,
+    weights: {
+        sighting: 0.3,
+        severity: 0.25,
+        recency: 0.2,
+        diversity: 0.15,
+        confidence: 0.1,
+    },
+};
+export class ReputationEngine {
+    db;
+    config;
+    constructor(db, config) {
+        this.db = db;
+        this.config = { ...DEFAULT_CONFIG, ...config };
+        if (config?.weights) {
+            this.config.weights = { ...DEFAULT_CONFIG.weights, ...config.weights };
+        }
+    }
+    /**
+     * Recalculate reputation scores for all active IoCs.
+     * 重新計算所有活躍 IoC 的信譽分數
+     */
+    recalculateAll() {
+        const startTime = Date.now();
+        const iocs = this.db
+            .prepare("SELECT id, sightings, confidence, last_seen FROM iocs WHERE status = 'active'")
+            .all();
+        const updateStmt = this.db.prepare("UPDATE iocs SET reputation_score = ?, updated_at = datetime('now') WHERE id = ?");
+        const updateAll = this.db.transaction(() => {
+            for (const ioc of iocs) {
+                const score = this.calculateScore(ioc);
+                updateStmt.run(score, ioc.id);
+            }
+        });
+        updateAll();
+        return {
+            updated: iocs.length,
+            duration: Date.now() - startTime,
+        };
+    }
+    /**
+     * Calculate reputation for a single IoC by ID.
+     * 計算單一 IoC 的信譽分數
+     */
+    calculateForIoC(iocId) {
+        const ioc = this.db
+            .prepare('SELECT id, sightings, confidence, last_seen, type, normalized_value FROM iocs WHERE id = ?')
+            .get(iocId);
+        if (!ioc)
+            return 0;
+        return this.calculateScore(ioc);
+    }
+    /**
+     * Core scoring algorithm.
+     * 核心評分演算法
+     */
+    calculateScore(ioc) {
+        const summary = this.getAssociatedThreats(ioc.id);
+        const w = this.config.weights;
+        // Sighting score: each sighting adds 5 pts, capped at 100
+        const sightingScore = Math.min(100, ioc.sightings * 5);
+        // Severity score: weighted average of associated threats
+        const severityScore = this.computeSeverityScore(summary.severityCounts, summary.totalThreats);
+        // Recency score: exponential decay with configurable half-life
+        const recencyScore = this.computeRecencyScore(ioc.last_seen);
+        // Diversity score: each unique source adds 25 pts, capped at 100
+        const diversityScore = Math.min(100, summary.uniqueSources * 25);
+        // Confidence score: max confidence across sightings
+        const confidenceScore = Math.max(ioc.confidence, summary.maxConfidence);
+        const rawScore = sightingScore * w.sighting +
+            severityScore * w.severity +
+            recencyScore * w.recency +
+            diversityScore * w.diversity +
+            confidenceScore * w.confidence;
+        return Math.max(0, Math.min(100, Math.round(rawScore)));
+    }
+    /** Compute weighted severity score / 計算加權嚴重度分數 */
+    computeSeverityScore(severityCounts, totalThreats) {
+        if (totalThreats === 0)
+            return 0;
+        let weightedSum = 0;
+        for (const [severity, count] of Object.entries(severityCounts)) {
+            weightedSum += (SEVERITY_MAP[severity] ?? 50) * count;
+        }
+        return weightedSum / totalThreats;
+    }
+    /** Compute recency score with exponential decay / 計算時間衰減分數 */
+    computeRecencyScore(lastSeen) {
+        const now = Date.now();
+        const lastSeenMs = new Date(lastSeen).getTime();
+        const daysSince = Math.max(0, (now - lastSeenMs) / (1000 * 60 * 60 * 24));
+        const lambda = Math.LN2 / this.config.halfLifeDays;
+        return 100 * Math.exp(-lambda * daysSince);
+    }
+    /**
+     * Get associated threat data for an IoC.
+     * 取得 IoC 的關聯威脅資料
+     */
+    getAssociatedThreats(iocId) {
+        // Get the IoC's normalized value for matching
+        const ioc = this.db
+            .prepare('SELECT type, normalized_value FROM iocs WHERE id = ?')
+            .get(iocId);
+        if (!ioc) {
+            return {
+                totalThreats: 0,
+                severityCounts: {},
+                uniqueSources: 0,
+                maxConfidence: 0,
+                latestTimestamp: '',
+            };
+        }
+        // For IP-type IoCs, match against enriched_threats.attack_source_ip
+        if (ioc.type === 'ip') {
+            const rows = this.db
+                .prepare(`SELECT severity, source_type, confidence, timestamp
+           FROM enriched_threats
+           WHERE attack_source_ip = ?`)
+                .all(ioc.normalized_value);
+            const severityCounts = {};
+            const sources = new Set();
+            let maxConfidence = 0;
+            let latestTimestamp = '';
+            for (const row of rows) {
+                severityCounts[row.severity] = (severityCounts[row.severity] ?? 0) + 1;
+                sources.add(row.source_type);
+                if (row.confidence > maxConfidence)
+                    maxConfidence = row.confidence;
+                if (row.timestamp > latestTimestamp)
+                    latestTimestamp = row.timestamp;
+            }
+            return {
+                totalThreats: rows.length,
+                severityCounts,
+                uniqueSources: sources.size,
+                maxConfidence,
+                latestTimestamp,
+            };
+        }
+        // For non-IP types, no associated threats (future: match by metadata)
+        return {
+            totalThreats: 0,
+            severityCounts: {},
+            uniqueSources: 0,
+            maxConfidence: 0,
+            latestTimestamp: '',
+        };
+    }
+}
+//# sourceMappingURL=reputation-engine.js.map

package/dist/reputation-engine.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"reputation-engine.js","sourceRoot":"","sources":["../src/reputation-engine.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAKH,yCAAyC;AACzC,MAAM,YAAY,GAA2B;IAC3C,QAAQ,EAAE,GAAG;IACb,IAAI,EAAE,EAAE;IACR,MAAM,EAAE,EAAE;IACV,GAAG,EAAE,EAAE;CACR,CAAC;AAEF,4BAA4B;AAC5B,MAAM,cAAc,GAAqB;IACvC,YAAY,EAAE,EAAE;IAChB,OAAO,EAAE;QACP,QAAQ,EAAE,GAAG;QACb,QAAQ,EAAE,IAAI;QACd,OAAO,EAAE,GAAG;QACZ,SAAS,EAAE,IAAI;QACf,UAAU,EAAE,GAAG;KAChB;CACF,CAAC;AAWF,MAAM,OAAO,gBAAgB;IAIR;IAHF,MAAM,CAAmB;IAE1C,YACmB,EAAqB,EACtC,MAAkC;QADjB,OAAE,GAAF,EAAE,CAAmB;QAGtC,IAAI,CAAC,MAAM,GAAG,EAAE,GAAG,cAAc,EAAE,GAAG,MAAM,EAAE,CAAC;QAC/C,IAAI,MAAM,EAAE,OAAO,EAAE,CAAC;YACpB,IAAI,CAAC,MAAM,CAAC,OAAO,GAAG,EAAE,GAAG,cAAc,CAAC,OAAO,EAAE,GAAG,MAAM,CAAC,OAAO,EAAE,CAAC;QACzE,CAAC;IACH,CAAC;IAED;;;OAGG;IACH,cAAc;QACZ,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QAE7B,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;aACjB,OAAO,CAAC,+EAA+E,CAAC;aACxF,GAAG,EAKJ,CAAC;QAEH,MAAM,UAAU,GAAG,IAAI,CAAC,EAAE,CAAC,OAAO,CAChC,iFAAiF,CAClF,CAAC;QAEF,MAAM,SAAS,GAAG,IAAI,CAAC,EAAE,CAAC,WAAW,CAAC,GAAG,EAAE;YACzC,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,MAAM,KAAK,GAAG,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;gBACvC,UAAU,CAAC,GAAG,CAAC,KAAK,EAAE,GAAG,CAAC,EAAE,CAAC,CAAC;YAChC,CAAC;QACH,CAAC,CAAC,CAAC;QAEH,SAAS,EAAE,CAAC;QAEZ,OAAO;YACL,OAAO,EAAE,IAAI,CAAC,MAAM;YACpB,QAAQ,EAAE,IAAI,CAAC,GAAG,EAAE,GAAG,SAAS;SACjC,CAAC;IACJ,CAAC;IAED;;;OAGG;IACH,eAAe,CAAC,KAAa;QAC3B,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CACN,4FAA4F,CAC7F;aACA,GAAG,CAAC,KAAK,CASC,CAAC;QAEd,IAAI,CAAC,GAAG;YAAE,OAAO,CAAC,CAAC;QACnB,OAAO,IAAI,CAAC,cAAc,CAAC,GAAG,CAAC,CAAC;IAClC,CAAC;IAED;;;OAGG;IACK,cAAc,CAAC,GAKtB;QACC,MAAM,OAAO,GAAG,IAAI,CAAC,oBAAoB,CAAC,GAAG,CAAC,EAAE,CAAC,CAAC;QAClD,MAAM,CAAC,GAAG,IAAI,CAAC,MAAM,CAAC,OAAO,CAAC;QAE9B,0DAA0D;QAC1D,MAAM,aAAa,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,CAAC,SAAS,GAAG,CAAC,CAAC,CAAC;QAEvD,yDAAyD;QACzD,MAAM,aAAa,GAAG,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,cAAc,EAAE,OAAO,CAAC,YAAY,CAAC,CAAC;QAE9F,+DAA+D;QAC/D,MAAM,YAAY,GAAG,IAAI,CAAC,mBAAmB,CAAC,GAAG,CAAC,SAAS,CAAC,CAAC;QAE7D,iEAAiE;QACjE,MAAM,cAAc,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,OAAO,CAAC,aAAa,GAAG,EAAE,CAAC,CAAC;QAEjE,oDAAoD;QACpD,MAAM,eAAe,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,CAAC,UAAU,EAAE,OAAO,CAAC,aAAa,CAAC,CAAC;QAExE,MAAM,QAAQ,GACZ,aAAa,GAAG,CAAC,CAAC,QAAQ;YAC1B,aAAa,GAAG,CAAC,CAAC,QAAQ;YAC1B,YAAY,GAAG,CAAC,CAAC,OAAO;YACxB,cAAc,GAAG,CAAC,CAAC,SAAS;YAC5B,eAAe,GAAG,CAAC,CAAC,UAAU,CAAC;QAEjC,OAAO,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,IAAI,CAAC,GAAG,CAAC,GAAG,EAAE,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;IAC1D,CAAC;IAED,kDAAkD;IAC1C,oBAAoB,CAC1B,cAAsC,EACtC,YAAoB;QAEpB,IAAI,YAAY,KAAK,CAAC;YAAE,OAAO,CAAC,CAAC;QAEjC,IAAI,WAAW,GAAG,CAAC,CAAC;QACpB,KAAK,MAAM,CAAC,QAAQ,EAAE,KAAK,CAAC,IAAI,MAAM,CAAC,OAAO,CAAC,cAAc,CAAC,EAAE,CAAC;YAC/D,WAAW,IAAI,CAAC,YAAY,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC,GAAG,KAAK,CAAC;QACxD,CAAC;QACD,OAAO,WAAW,GAAG,YAAY,CAAC;IACpC,CAAC;IAED,8DAA8D;IACtD,mBAAmB,CAAC,QAAgB;QAC1C,MAAM,GAAG,GAAG,IAAI,CAAC,GAAG,EAAE,CAAC;QACvB,MAAM,UAAU,GAAG,IAAI,IAAI,CAAC,QAAQ,CAAC,CAAC,OAAO,EAAE,CAAC;QAChD,MAAM,SAAS,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,EAAE,CAAC,GAAG,GAAG,UAAU,CAAC,GAAG,CAAC,IAAI,GAAG,EAAE,GAAG,EAAE,GAAG,EAAE,CAAC,CAAC,CAAC;QAC1E,MAAM,MAAM,GAAG,IAAI,CAAC,GAAG,GAAG,IAAI,CAAC,MAAM,CAAC,YAAY,CAAC;QACnD,OAAO,GAAG,GAAG,IAAI,CAAC,GAAG,CAAC,CAAC,MAAM,GAAG,SAAS,CAAC,CAAC;IAC7C,CAAC;IAED;;;OAGG;IACK,oBAAoB,CAAC,KAAa;QACxC,8CAA8C;QAC9C,MAAM,GAAG,GAAG,IAAI,CAAC,EAAE;aAChB,OAAO,CAAC,sDAAsD,CAAC;aAC/D,GAAG,CAAC,KAAK,CAA2D,CAAC;QAExE,IAAI,CAAC,GAAG,EAAE,CAAC;YACT,OAAO;gBACL,YAAY,EAAE,CAAC;gBACf,cAAc,EAAE,EAAE;gBAClB,aAAa,EAAE,CAAC;gBAChB,aAAa,EAAE,CAAC;gBAChB,eAAe,EAAE,EAAE;aACpB,CAAC;QACJ,CAAC;QAED,oEAAoE;QACpE,IAAI,GAAG,CAAC,IAAI,KAAK,IAAI,EAAE,CAAC;YACtB,MAAM,IAAI,GAAG,IAAI,CAAC,EAAE;iBACjB,OAAO,CACN;;sCAE4B,CAC7B;iBACA,GAAG,CAAC,GAAG,CAAC,gBAAgB,CAKzB,CAAC;YAEH,MAAM,cAAc,GAA2B,EAAE,CAAC;YAClD,MAAM,OAAO,GAAG,IAAI,GAAG,EAAU,CAAC;YAClC,IAAI,aAAa,GAAG,CAAC,CAAC;YACtB,IAAI,eAAe,GAAG,EAAE,CAAC;YAEzB,KAAK,MAAM,GAAG,IAAI,IAAI,EAAE,CAAC;gBACvB,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,GAAG,CAAC,cAAc,CAAC,GAAG,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,GAAG,CAAC,CAAC;gBACvE,OAAO,CAAC,GAAG,CAAC,GAAG,CAAC,WAAW,CAAC,CAAC;gBAC7B,IAAI,GAAG,CAAC,UAAU,GAAG,aAAa;oBAAE,aAAa,GAAG,GAAG,CAAC,UAAU,CAAC;gBACnE,IAAI,GAAG,CAAC,SAAS,GAAG,eAAe;oBAAE,eAAe,GAAG,GAAG,CAAC,SAAS,CAAC;YACvE,CAAC;YAED,OAAO;gBACL,YAAY,EAAE,IAAI,CAAC,MAAM;gBACzB,cAAc;gBACd,aAAa,EAAE,OAAO,CAAC,IAAI;gBAC3B,aAAa;gBACb,eAAe;aAChB,CAAC;QACJ,CAAC;QAED,sEAAsE;QACtE,OAAO;YACL,YAAY,EAAE,CAAC;YACf,cAAc,EAAE,EAAE;YAClB,aAAa,EAAE,CAAC;YAChB,aAAa,EAAE,CAAC;YAChB,eAAe,EAAE,EAAE;SACpB,CAAC;IACJ,CAAC;CACF"}

package/dist/rule-generator.d.ts

@@ -0,0 +1,47 @@
+/**
+ * Automatic Sigma Rule Generator
+ * 自動 Sigma 規則產生器
+ *
+ * Analyzes enriched threat events, detects recurring patterns,
+ * and generates Sigma detection rules automatically.
+ *
+ * @module @panguard-ai/threat-cloud/rule-generator
+ */
+import type Database from 'better-sqlite3';
+import type { DetectedPattern, RuleGenerationResult, RuleGeneratorConfig } from './types.js';
+export declare class RuleGenerator {
+    private readonly db;
+    private readonly config;
+    constructor(db: Database.Database, config?: Partial<RuleGeneratorConfig>);
+    /**
+     * Analyze recent events and generate rules for recurring patterns.
+     * 分析近期事件並為反覆出現的模式產生規則
+     */
+    generateRules(): RuleGenerationResult;
+    /**
+     * Detect recurring patterns in enriched threat events.
+     * 偵測豐富化威脅事件中的反覆模式
+     */
+    detectPatterns(): DetectedPattern[];
+    /**
+     * Get all generated patterns.
+     * 取得所有已產生的模式
+     */
+    getGeneratedPatterns(): Array<{
+        patternHash: string;
+        attackType: string;
+        mitreTechniques: string[];
+        ruleId: string;
+        occurrences: number;
+        distinctIPs: number;
+    }>;
+    /** Create a new rule from a detected pattern */
+    private createRuleFromPattern;
+    /** Update an existing pattern's statistics */
+    private updatePattern;
+    /** Generate Sigma YAML rule content */
+    private generateSigmaYaml;
+    /** Pick highest severity from counts */
+    private pickMaxSeverity;
+}
+//# sourceMappingURL=rule-generator.d.ts.map

package/dist/rule-generator.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"rule-generator.d.ts","sourceRoot":"","sources":["../src/rule-generator.ts"],"names":[],"mappings":"AAAA;;;;;;;;GAQG;AAGH,OAAO,KAAK,QAAQ,MAAM,gBAAgB,CAAC;AAC3C,OAAO,KAAK,EAAE,eAAe,EAAE,oBAAoB,EAAE,mBAAmB,EAAE,MAAM,YAAY,CAAC;AAqC7F,qBAAa,aAAa;IAItB,OAAO,CAAC,QAAQ,CAAC,EAAE;IAHrB,OAAO,CAAC,QAAQ,CAAC,MAAM,CAAsB;gBAG1B,EAAE,EAAE,QAAQ,CAAC,QAAQ,EACtC,MAAM,CAAC,EAAE,OAAO,CAAC,mBAAmB,CAAC;IAKvC;;;OAGG;IACH,aAAa,IAAI,oBAAoB;IA+BrC;;;OAGG;IACH,cAAc,IAAI,eAAe,EAAE;IA2FnC;;;OAGG;IACH,oBAAoB,IAAI,KAAK,CAAC;QAC5B,WAAW,EAAE,MAAM,CAAC;QACpB,UAAU,EAAE,MAAM,CAAC;QACnB,eAAe,EAAE,MAAM,EAAE,CAAC;QAC1B,MAAM,EAAE,MAAM,CAAC;QACf,WAAW,EAAE,MAAM,CAAC;QACpB,WAAW,EAAE,MAAM,CAAC;KACrB,CAAC;IA8BF,gDAAgD;IAChD,OAAO,CAAC,qBAAqB;IAoC7B,8CAA8C;IAC9C,OAAO,CAAC,aAAa;IAyBrB,uCAAuC;IACvC,OAAO,CAAC,iBAAiB;IA0BzB,wCAAwC;IACxC,OAAO,CAAC,eAAe;CAMxB"}