Key Features

AI-Powered Threat Analysis

• Automated Reporting — Generates professional, SOC-ready threat reports with severity-calibrated assessments, false-positive awareness, and structured analysis workflow (Characterize → Identify → Assess → Recommend).
• Local & Cloud LLM Support
  • Local Privacy: Fully compatible with LM Studio (Llama 3, Mistral, etc.) for air-gapped or privacy-sensitive environments.
  • Cloud Power: Supports any OpenAI-compatible API endpoint for leveraging larger models.
• Multi-Language Reports — 9 languages with region-specific terminology: English, Traditional Chinese (Taiwan), Simplified Chinese, Japanese, Korean, Italian, Spanish, French, German.
• MITRE ATT&CK Mapping — Automated mapping of detected behaviors and IOCs to ATT&CK techniques and Kill Chain phases.
• Attack Narrative Synthesis — Translates raw events into a coherent, actionable security story.

IOC Priority Scoring

• Tiered Signal Architecture — Dynamically ranks indicators as Critical, High, Medium, or Low using a three-tier model:
  • Tier 1 (Definitive): OSINT confirmations (VirusTotal, GreyNoise malicious) — any single Tier 1 hit sets a score floor.
  • Tier 2 (Behavioral): C2 beaconing, flow asymmetry, DNS tunneling, DGA domains.
  • Tier 3 (Contextual): AbuseIPDB, self-signed certs, expired certs, YARA matches.
• Tier 3 signals alone never exceed "medium"; corroboration from multiple tiers is required for "high" or "critical".

Cross-Indicator Correlation Engine

• Independence-complement formula — Uses 1 − Π(1 − wᵢsᵢ) (Bayesian independence model) instead of linear summation, producing diminishing returns while allowing multiple weak signals to compound meaningfully.
• Strong-signal floors — A confirmed VirusTotal detection automatically sets a minimum score regardless of other factors.
• Aggregates signals across all analysis modules (OSINT, beaconing, DNS, TLS, YARA, flow analysis).
• Produces composite threat scores per indicator with verdict classification (critical / high / medium / low).

Flow Analysis & Exfiltration Detection

• Data Exfiltration Detection — Identifies suspicious outbound:inbound byte ratios per src/dst pair (default threshold: 10:1, minimum 1 MB).
• Port Anomaly Detection — Flags non-standard port usage, C2 common ports (4444, 5555, 6666, etc.), and high port pairs.

Multi-PCAP Batch Processing

• Multi-File Upload — Upload and analyze multiple PCAP files simultaneously.
• Cross-File Correlation — Detects shared IPs, domains, and JA3 fingerprints across files.
• Merged Dashboard — Aggregated results with per-file detail cards and batch summary.
• Resource Limits — Configurable limits: 1 GB per file, 50 files max, 5 GB total.

Parallel Pipeline Execution

• PyShark + Zeek in parallel — The two heaviest stages run concurrently via ThreadPoolExecutor.
• HTTP Carving in parallel with DNS/TLS/Beaconing analysis.
• Tshark -c optimization — Packet limit enforced at the tshark level for zero-waste I/O.

Deep Packet Inspection & Flow Analysis

• Multi-Engine Pipeline: PyShark for granular inspection, Tshark for high-speed statistics.
• Protocol Parsing: Automatically extracts metadata for HTTP, DNS, TLS/SSL, and SMB protocols.

Zeek Integration

• Automated Zeek execution on uploaded PCAPs — no manual CLI required.
• Parses and correlates core Zeek logs: conn.log, dns.log, http.log, ssl.log.

Advanced DNS & TLS Forensics

• DGA Detection — Shannon entropy-based Domain Generation Algorithm identification.
• DNS Tunneling — Detects high-volume / anomalous DNS payloads.
• Fast Flux Detection — Identifies domains resolving to rapidly changing IP addresses.
• JA3/JA3S Fingerprinting — Matches TLS fingerprints against 90+ known malware signatures (Cobalt Strike, Trickbot, Emotet, QakBot, etc.).
• Certificate Analysis — Validates certificate chains; detects self-signed and expired certificates.

C2 Beaconing Detection

• Statistical algorithm scoring flows based on:
  • Periodicity — Regularity of communication intervals (CV + entropy scoring).
  • Jitter — Modal interval analysis with ±20% tolerance for detecting randomized C2.
  • Volume — Packet count and payload size consistency.
• False-Positive Reduction — Multi-layered penalties to prevent benign traffic from triggering alerts:
  • Infrastructure allowlist (DNS resolvers: 1.1.1.1, 8.8.8.8, etc.)
  • Protocol awareness (ICMP, NTP, mDNS, SSDP, IGMP are inherently periodic)
  • Service port penalties (HTTPS, IMAPS, Apple Push, MQTT, SIP)
  • High-volume large-payload filtering (streaming/downloads vs. C2)

Payload Carving & YARA Scanning

• HTTP Payload Extraction via tshark with automatic SHA256 hashing.
• YARA Scanner — Scan carved files with custom/community YARA rules.
• Safe Storage — Quarantined directory with path traversal and symlink protection.

Interactive Dashboard & World Map

• Threat Summary Panel — At-a-glance risk level (Critical/High/Medium/Low) with corroboration-based escalation, alert count, beacon candidates, YARA hits, and certificate issues.
• World Map — Threat-level coloring, connectivity arcs with volume-based thickness, configurable home location.
• Cross-Filtering — Unified drill-down across Map, Protocol Pie Chart, and Flow Timeline.
• Persistent View Options — "Exclude Private IPs" toggle persists during interactive exploration.
• TopN Charts — Top IPs, Ports, Protocols, Domains with aggregated bar charts, metrics, and reverse DNS hostnames.
• Dashboard Detections — Beaconing candidates, YARA matches, and TLS certificate risks surfaced directly on the dashboard.
• Network Communication Graph — Force-directed graph with threat-colored nodes and equal-aspect-ratio rendering.

OSINT Enrichment

Integrates with leading threat intelligence providers:

• VirusTotal — File hash and IP/Domain reputation.
• AbuseIPDB — Crowdsourced IP abuse reports.
• GreyNoise — Internet background noise and scanner identification.
• OTX (AlienVault) — Open Threat Exchange pulses and indicators.
• Shodan — Internet-facing device details and open ports.
• Smart Caching — SQLite-backed caching with configurable TTL to preserve API quotas.
• Bulk Reverse DNS — Parallel rDNS resolution for all public IPs with 7-day SQLite cache. Hostnames displayed throughout the dashboard.

Case Management System

• Create, track, and close investigation cases.
• Store IOCs (IP, Domain, Hash, JA3, URL) with severity and context.
• Investigation notes, tag-based organization, and search.

Professional PDF Export

• Multi-page PDF reports with executive summary, key findings, technical analysis, and recommendations.
• Chart/visualization embedding via WeasyPrint.
• Configurable TLP classification.

Export Formats

• CSV / JSON — Export any data table with CSV injection protection.
• STIX 2.0/2.1 — Export indicators in standard STIX format.
• ATT&CK Navigator — Export technique mappings for MITRE ATT&CK Navigator.

Architecture

app/
├── analysis/        # Correlation engine, flow analysis, IOC scorer, narrator
├── database/        # Case management (SQLite)
├── llm/             # LLM client & multi-language report generation
├── pipeline/        # 10-stage analysis pipeline
│   ├── beacon.py    # C2 beaconing detection
│   ├── carve.py     # HTTP payload carving
│   ├── dns_analysis.py  # DGA, tunneling, fast flux
│   ├── geoip.py     # GeoIP resolution
│   ├── ja3.py       # JA3/JA3S fingerprinting
│   ├── batch.py     # Multi-PCAP batch processing & correlation
│   ├── osint.py     # OSINT provider queries (parallel)
│   ├── osint_cache.py   # SQLite OSINT caching layer
│   ├── rdns_cache.py    # SQLite reverse-DNS caching layer
│   ├── tls_certs.py # Certificate validation
│   └── yara_scan.py # YARA rule scanning
├── reports/         # PDF report generation
├── security/        # OPSEC hardening & data sanitization
├── threat_intel/    # MITRE ATT&CK mapping
├── ui/              # Streamlit interface (8 tabs)
├── utils/           # Export, GeoIP, config, binary discovery, network utils
├── config.py        # Application defaults
└── main.py          # Streamlit entry point

Analysis Pipeline (10 Stages)

1. Packet Counting — Fast preliminary count via tshark
2. Packet Parsing — Deep inspection up to 200,000 packets (configurable)
3. **Ze