update dspy version

Frank Xu
2024-10-14 11:53:27 -04:00
parent 75f6045f35
commit e3b19dccfd
6 changed files with 392 additions and 160 deletions

View File

@@ -33,7 +33,7 @@
"source": [
"# uncomment the commands to download libraries and files\n",
"#!pip install python-dotenv\n",
"#!pip install dspy-ai\n",
"#!pip install dspy-ai == 2.4.17\n",
"#!pip install graphviz\n",
"# !wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt\n",
"\n",
@@ -51,7 +51,7 @@
"source": [
"### Step 2: Config DSPy with openAI \n",
"- You `MUST` have an openAI api key\n",
"- load an openAI api key from `openai_api_key.txt` file\n",
"- Load an openAI api key from `openai_api_key.txt` file\n",
"- or, hard code your open api key"
]
},
@@ -80,6 +80,7 @@
"\n",
"\n",
"def set_dspy_hardcode_openai_key():\n",
" # \"tMq-fOFjuDB80LIjdPdmVibgoYZamwlfEjU635n37WWKjuNEsbX2WQML-Rns5BYwbrX0-qxLgrT3BlbkFJz2vo7FT9JAj_TPucTMpsdLq2QaNYuysLphE0Wg2ENUBOmWt6lMHjl1sq4_Oac-oh3yP0V4\"\n",
" os.environ[\"OPENAI_API_KEY\"] = (\n",
" \"sk-proj-yourapikeyhere\"\n",
" )\n",
@@ -90,7 +91,7 @@
"\n",
"# provide `openai_api_key.txt` with your openAI api key\n",
"turbo=set_dspy()\n",
"# optionally, hard code your openAI api key at line 21 \n",
"# optionally, hard code your openAI api key at line 21\n",
"# turbo=set_dspy_hardcode_openai_key()"
]
},
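Review bot: the comment `# optionally, hard code your openAI api key at line 21` points at a line number inside the cell, and the previous hunk in this file inserts a line inside `set_dspy_hardcode_openai_key()`, so the reference can drift. Refer to the function by name instead, and say in the same comment that a notebook with a real key filled in must not be committed.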

View File

@@ -33,7 +33,7 @@
"source": [
"# uncomment the commands to download libraries and files\n",
"#!pip install python-dotenv\n",
"#!pip install dspy-ai\n",
"#!pip install dspy-ai == 2.4.17\n",
"#!pip install graphviz\n",
"# !wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt\n",
"\n",
@@ -182,7 +182,7 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"### Step 4: Tell an LLM `WHAT` are the inputs/outputs by defining DSPy: Signature \n",
"### Step 4: Tell an LLM `WHAT` are the inputs/outputs by defining `dspy.Signature` \n",
"\n",
"- Goal\n",
" - to generate a simple plaintext file, call `DOT`. In DOT, you define nodes and edges.\n",
@@ -226,7 +226,7 @@
"- `output_file` (str): The file path where the identified evidence will be saved in DOT format.\n",
"\n",
"#### Notes:\n",
"- This function uses [`dspy.ChainOfThought`](https://arxiv.org/pdf/2201.11903) to process the conversation and create sknowledge graph\n",
"- This function uses [`dspy.ChainOfThought`](https://arxiv.org/pdf/2201.11903) to process the conversation and create a knowledge graph\n",
"- Other options include \n",
" - `dspy.ChainOfThoughtWithHint` : Provide hints for reasoning\n",
" - `dspy.Retrieve`: Retrieves passages from a retriever module\n",

View File

@@ -67,7 +67,7 @@
"source": [
"# uncomment the commands to download libraries and files\n",
"#!pip install python-dotenv\n",
"#!pip install dspy-ai\n",
"#!pip install dspy-ai == 2.4.17\n",
"#!pip install graphviz\n",
"# !wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt\n",
"\n",

View File

@@ -9,10 +9,13 @@
"### Motivation\n",
"- The generated evidence graph (consists of evidence and their relations) doesn't follow STIX. \n",
"\n",
"### Solution: One-shot learning\n",
"### Solution: One-shot fine-tuning\n",
"\n",
"- Provide one training example to LLMs\n",
"- LLMs often produce more accurate results by learning the example \n",
"- Fine-tuning is a productive way to leverage machine learning\n",
"\n",
"<img src=\"notes/productive_way_llm.webp\" width=\"550\">\n",
"\n",
"### Implementation\n",
"- Add one-shot example as the `context` of answer (e.g., conversation)"
@@ -35,7 +38,7 @@
"source": [
"# uncomment the commands to download libraries and files\n",
"#!pip install python-dotenv\n",
"#!pip install dspy-ai\n",
"#!pip install dspy-ai == 2.4.17\n",
"#!pip install graphviz\n",
"# !wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt\n",
"\n",

View File

@@ -4,34 +4,32 @@
"cell_type": "markdown",
"metadata": {},
"source": [
"## A tutorial to visualize one-shot learning results\n",
"\n",
"### Goal\n",
"- Compare one-shot learning with zero-shot learning\n",
"- To visualize the different\n",
"## A tutorial to visually compare zero-shot and one-shot learning results\n",
"\n",
"### Approach\n",
"- Directly generate a DOT file from one-shot learning example completed in previous tutorial"
"- Directly generate a DOT file from one-shot learning example completed in previous tutorial\n",
"- Load the image containing zero-shot graph\n",
"- Visually compare the difference "
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Step 1: Download libraries and files for the lab\n",
"### Step 1: Download libraries\n",
"- Make use you download necessary library and files. \n",
"- All downloaded and saved files can be located in the `content` folder if using google Colab"
]
},
{
"cell_type": "code",
"execution_count": 17,
"execution_count": 39,
"metadata": {},
"outputs": [],
"source": [
"# uncomment the commands to download libraries and files\n",
"#!pip install python-dotenv\n",
"#!pip install dspy-ai\n",
"#!pip install dspy-ai == 2.4.17\n",
"#!pip install graphviz\n",
"\n",
"import dspy\n",
@@ -43,9 +41,19 @@
"from IPython.display import display"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Step 2: Config DSPy with openAI \n",
"- You `MUST` have an openAI api key\n",
"- load an openAI api key from `openai_api_key.txt` file\n",
"- or, hard code your open api key"
]
},
{
"cell_type": "code",
"execution_count": 18,
"execution_count": 40,
"metadata": {},
"outputs": [],
"source": [
@@ -61,55 +69,38 @@
" # Set the API key as an environment variable\n",
" os.environ[\"OPENAI_API_KEY\"] = openai_api_key\n",
" openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0)\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0.5)\n",
" dspy.settings.configure(lm=turbo)\n",
" return turbo\n",
" # ==============end of set openAI enviroment=========\n",
"\n",
"\n",
"def set_dspy_hardcode_openai_key():\n",
" os.environ[\"OPENAI_API_KEY\"] = (\n",
" \"sk-proj-yourapikeyhere\"\n",
" )\n",
" os.environ[\"OPENAI_API_KEY\"] = \"sk-proj-yourapikeyhere\"\n",
" openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n",
" turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n",
" dspy.settings.configure(lm=turbo)\n",
" return turbo\n",
"\n",
"turbo=set_dspy()\n",
"# comment out set_dspy() and use set_dspy_hardcode_openai_key is your option\n",
"\n",
"# provide `openai_api_key.txt` with your openAI api key\n",
"turbo = set_dspy()\n",
"# optionally, hard code your openAI api key at line 21\n",
"# turbo=set_dspy_hardcode_openai_key()"
]
},
{
"cell_type": "code",
"execution_count": 19,
"cell_type": "markdown",
"metadata": {},
"outputs": [],
"source": [
"def load_text_file(file_path):\n",
" \"\"\"\n",
" Load a text file and return its contents as a string.\n",
"### Step 3: Load the cyber incident repot (e.g., conversation)\n",
"\n",
" Parameters:\n",
" file_path (str): The path to the text file.\n",
"\n",
" Returns:\n",
" str: The contents of the text file.\n",
" \"\"\"\n",
" try:\n",
" with open(file_path, \"r\") as file:\n",
" contents = file.read()\n",
" return contents\n",
" except FileNotFoundError:\n",
" return \"File not found.\"\n",
" except Exception as e:\n",
" return f\"An error occurred: {e}\"\n"
"- the same conversation as previous tutorial"
]
},
{
"cell_type": "code",
"execution_count": 20,
"execution_count": 41,
"metadata": {},
"outputs": [
{
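Review bot: `set_dspy()` now builds the model with `temperature=0.5` while `set_dspy_hardcode_openai_key()` a few lines below keeps `temperature=0`, so the two setup paths behave differently, and the commit message mentions only a version update. For an evidence graph that should be reproducible between runs, keep `temperature=0` in both functions, or state in the notebook why sampling is wanted. The new Step 3 heading also has a typo, "repot" for "report".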
@@ -208,13 +199,39 @@
}
],
"source": [
"def load_text_file(file_path):\n",
" \"\"\"\n",
" Load a text file and return its contents as a string.\n",
"\n",
" Parameters:\n",
" file_path (str): The path to the text file.\n",
"\n",
" Returns:\n",
" str: The contents of the text file.\n",
" \"\"\"\n",
" try:\n",
" with open(file_path, \"r\") as file:\n",
" contents = file.read()\n",
" return contents\n",
" except FileNotFoundError:\n",
" return \"File not found.\"\n",
" except Exception as e:\n",
" return f\"An error occurred: {e}\"\n",
"\n",
"conversation = load_text_file(\"04_output_for_viz.json\")\n",
"print(conversation)"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Step 4: Tell an LLM `WHAT` are the inputs/outputs by defining `dspy.Signature`"
]
},
{
"cell_type": "code",
"execution_count": 21,
"execution_count": 42,
"metadata": {},
"outputs": [],
"source": [
@@ -226,13 +243,20 @@
" )\n",
"\n",
" answer: str = dspy.OutputField(\n",
" desc=\"a graph in a dot format. The nodes of the graph are evidence entities in STIX or Cyber Forensic Domain Objects and Cyber Forensic Observable Objects in DFKG and the edges of the graph are the relationships between evidence entities in STIX. A dot format is primarily associated with Graphviz, a graph visualization software. For example, a dot should looks like: digraph incident_name {...}. Don't include `````` \"\n",
" desc=\"a graph in a dot format. The nodes of the graph are evidence entities and the edges of the graph are the relationships between evidence entities in STIX. A dot format is primarily associated with Graphviz, a graph visualization software. For example, a dot should looks like: digraph incident_name {...}. Don't include `````` \"\n",
" )"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Step 5: Tell an LLM `HOW` to generate answer. The business logic is defined in the module `.dspy.Predict`"
]
},
{
"cell_type": "code",
"execution_count": 22,
"execution_count": 43,
"metadata": {},
"outputs": [],
"source": [
@@ -248,9 +272,16 @@
" print(f\"The evidence has been saved to the file {output_file}\")"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Step 6: Actually call LLM to generate the graph in a `.DOT` file"
]
},
{
"cell_type": "code",
"execution_count": 23,
"execution_count": 44,
"metadata": {},
"outputs": [
{
@@ -258,23 +289,25 @@
"output_type": "stream",
"text": [
"digraph phishing_attack {\n",
" \"OurCompany\" [label=\"OurCompany\\norganization\\ninfo@ourcompany.com\"]\n",
" \"hr-dept@ourcompany-security.com\" [label=\"hr-dept@ourcompany-security.com\"]\n",
" \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\" [label=\"email-message\\nUrgent Benefits Package Update\\nFrom: hr-dept@ourcompany-security.com\\nPlease click the link to review the changes to your benefits package.\"]\n",
" \"http://phishing-link.com/login\" [label=\"http://phishing-link.com/login\"]\n",
" \"Taylor\" [label=\"Taylor\\ntaylor@ourcompany.com\"]\n",
" \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\" [label=\"OurCompany\", shape=\"ellipse\"];\n",
" \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\" [label=\"hr-dept@ourcompany-security.com\", shape=\"ellipse\"];\n",
" \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\" [label=\"Urgent Benefits Package Update\", shape=\"box\"];\n",
" \"url--4c3b-4c4b-bb6c-ded6b2a4a567\" [label=\"http://phishing-link.com/login\", shape=\"ellipse\"];\n",
" \"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\" [label=\"Taylor (taylor@ourcompany.com)\", shape=\"ellipse\"];\n",
" \n",
" \"hr-dept@ourcompany-security.com\" -> \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\"\n",
" \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\" -> \"http://phishing-link.com/login\"\n",
" \"Taylor\" -> \"hr-dept@ourcompany-security.com\"\n",
" \"observable--001\" [label=\"hr-dept@ourcompany-security.com\", shape=\"ellipse\"];\n",
" \"observable--002\" [label=\"http://phishing-link.com/login\", shape=\"ellipse\"];\n",
" \n",
" \"Phishing Email Indicator\" [label=\"Phishing Email Indicator\\nPattern: [email-message:subject = 'Urgent Benefits Package Update']\\nValid From: 2024-07-17T00:00:00Z\"]\n",
" \"Phishing Attack on OurCompany\" [label=\"Phishing Attack on OurCompany\\nDescription: A phishing attack where a suspicious email was sent to an employee of OurCompany.\\nFirst Seen: 2024-07-17T08:00:00Z\\nLast Seen: 2024-07-17T08:10:00Z\\nStatus: ongoing\"]\n",
" \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\" [label=\"Phishing Email Indicator\", shape=\"diamond\"];\n",
" \n",
" \"Phishing Email Indicator\" -> \"Phishing Attack on OurCompany\"\n",
" \"OurCompany\" -> \"Phishing Attack on OurCompany\"\n",
" \"Phishing Attack on OurCompany\" -> \"Taylor\"\n",
" \"Phishing Attack on OurCompany\" -> \"http://phishing-link.com/login\"\n",
" \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\" [label=\"Phishing Attack on OurCompany\", shape=\"box\"];\n",
" \n",
" \"relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\" -> \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\";\n",
" \"relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\" -> \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\";\n",
" \"relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\" -> \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\";\n",
" \"relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\" -> \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\";\n",
" \"relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\" -> \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\";\n",
" \"relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\" -> \"url--4c3b-4c4b-bb6c-ded6b2a4a567\";\n",
"}\n"
]
}
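Review bot: the regenerated output in this hunk is shown as the STIX-shaped result, but several node ids do not have the STIX `type--UUID` form. `url--4c3b-4c4b-bb6c-ded6b2a4a567` is one group short of a UUID, `observable--001` and `observable--002` are not UUIDs, and the `identity--` and `indicator--` nodes share the same UUID `1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f`. The edges also start from `relationship--` nodes that are never declared, so the rendered graph shows opaque ids where the relationship type should be, and the two `observable` nodes duplicate the labels of the `email-addr` and `url` nodes. Add a validation step on the generated DOT (id format, unique ids, every edge endpoint declared) before it is rendered and committed as the reference result, and either label the relationship nodes or turn them into labelled edges.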
@@ -288,9 +321,16 @@
")"
]
},
{
"cell_type": "markdown",
"metadata": {},
"source": [
"### Step 7: Visualize one-shot learning results from a `.DOT` file"
]
},
{
"cell_type": "code",
"execution_count": 29,
"execution_count": 45,
"metadata": {},
"outputs": [
{
@@ -309,115 +349,127 @@
"<!-- Generated by graphviz version 2.47.1 (20210417.1919)\n",
" -->\n",
"<!-- Title: phishing_attack Pages: 1 -->\n",
"<svg width=\"924pt\" height=\"602pt\"\n",
" viewBox=\"0.00 0.00 923.82 602.24\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n",
"<g id=\"graph0\" class=\"graph\" transform=\"scale(1 1) rotate(0) translate(4 598.24)\">\n",
"<svg width=\"2649pt\" height=\"116pt\"\n",
" viewBox=\"0.00 0.00 2649.32 116.00\" xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\">\n",
"<g id=\"graph0\" class=\"graph\" transform=\"scale(1 1) rotate(0) translate(4 112)\">\n",
"<title>phishing_attack</title>\n",
"<polygon fill=\"white\" stroke=\"transparent\" points=\"-4,4 -4,-598.24 919.82,-598.24 919.82,4 -4,4\"/>\n",
"<!-- OurCompany -->\n",
"<polygon fill=\"white\" stroke=\"transparent\" points=\"-4,4 -4,-112 2645.32,-112 2645.32,4 -4,4\"/>\n",
"<!-- identity&#45;&#45;1cba2e3c&#45;4bdb&#45;4d0b&#45;a87b&#45;2d504ad5923f -->\n",
"<g id=\"node1\" class=\"node\">\n",
"<title>OurCompany</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"198.22\" cy=\"-556.76\" rx=\"106.13\" ry=\"37.45\"/>\n",
"<text text-anchor=\"middle\" x=\"198.22\" y=\"-568.06\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">OurCompany</text>\n",
"<text text-anchor=\"middle\" x=\"198.22\" y=\"-553.06\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">organization</text>\n",
"<text text-anchor=\"middle\" x=\"198.22\" y=\"-538.06\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">info@ourcompany.com</text>\n",
"<title>identity&#45;&#45;1cba2e3c&#45;4bdb&#45;4d0b&#45;a87b&#45;2d504ad5923f</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"207.98\" cy=\"-18\" rx=\"60.39\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"207.98\" y=\"-14.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">OurCompany</text>\n",
"</g>\n",
"<!-- Phishing Attack on OurCompany -->\n",
"<g id=\"node7\" class=\"node\">\n",
"<title>Phishing Attack on OurCompany</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"400.22\" cy=\"-424.6\" rx=\"400.45\" ry=\"58.88\"/>\n",
"<text text-anchor=\"middle\" x=\"400.22\" y=\"-450.9\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Phishing Attack on OurCompany</text>\n",
"<text text-anchor=\"middle\" x=\"400.22\" y=\"-435.9\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Description: A phishing attack where a suspicious email was sent to an employee of OurCompany.</text>\n",
"<text text-anchor=\"middle\" x=\"400.22\" y=\"-420.9\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">First Seen: 2024&#45;07&#45;17T08:00:00Z</text>\n",
"<text text-anchor=\"middle\" x=\"400.22\" y=\"-405.9\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Last Seen: 2024&#45;07&#45;17T08:10:00Z</text>\n",
"<text text-anchor=\"middle\" x=\"400.22\" y=\"-390.9\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Status: ongoing</text>\n",
"</g>\n",
"<!-- OurCompany&#45;&gt;Phishing Attack on OurCompany -->\n",
"<g id=\"edge5\" class=\"edge\">\n",
"<title>OurCompany&#45;&gt;Phishing Attack on OurCompany</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M248.16,-523.59C265.15,-512.64 284.76,-500 304.14,-487.51\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"306.2,-490.35 312.71,-481.99 302.41,-484.46 306.2,-490.35\"/>\n",
"</g>\n",
"<!-- hr&#45;dept@ourcompany&#45;security.com -->\n",
"<!-- email&#45;addr&#45;&#45;0c0d2094&#45;df97&#45;45a7&#45;9e9c&#45;223569a9e798 -->\n",
"<g id=\"node2\" class=\"node\">\n",
"<title>hr&#45;dept@ourcompany&#45;security.com</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"568.22\" cy=\"-222.17\" rx=\"141.07\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"568.22\" y=\"-218.47\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">hr&#45;dept@ourcompany&#45;security.com</text>\n",
"<title>email&#45;addr&#45;&#45;0c0d2094&#45;df97&#45;45a7&#45;9e9c&#45;223569a9e798</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"1444.98\" cy=\"-90\" rx=\"141.07\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"1444.98\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">hr&#45;dept@ourcompany&#45;security.com</text>\n",
"</g>\n",
"<!-- email&#45;message&#45;&#45;c79b6bde&#45;4f4c&#45;4b38&#45;a8c8&#45;fb82921d6b97 -->\n",
"<g id=\"node3\" class=\"node\">\n",
"<title>email&#45;message&#45;&#45;c79b6bde&#45;4f4c&#45;4b38&#45;a8c8&#45;fb82921d6b97</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"637.22\" cy=\"-120.08\" rx=\"278.7\" ry=\"48.17\"/>\n",
"<text text-anchor=\"middle\" x=\"637.22\" y=\"-138.88\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">email&#45;message</text>\n",
"<text text-anchor=\"middle\" x=\"637.22\" y=\"-123.88\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Urgent Benefits Package Update</text>\n",
"<text text-anchor=\"middle\" x=\"637.22\" y=\"-108.88\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">From: hr&#45;dept@ourcompany&#45;security.com</text>\n",
"<text text-anchor=\"middle\" x=\"637.22\" y=\"-93.88\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Please click the link to review the changes to your benefits package.</text>\n",
"<polygon fill=\"none\" stroke=\"black\" points=\"1801.48,-108 1604.48,-108 1604.48,-72 1801.48,-72 1801.48,-108\"/>\n",
"<text text-anchor=\"middle\" x=\"1702.98\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Urgent Benefits Package Update</text>\n",
"</g>\n",
"<!-- hr&#45;dept@ourcompany&#45;security.com&#45;&gt;email&#45;message&#45;&#45;c79b6bde&#45;4f4c&#45;4b38&#45;a8c8&#45;fb82921d6b97 -->\n",
"<g id=\"edge1\" class=\"edge\">\n",
"<title>hr&#45;dept@ourcompany&#45;security.com&#45;&gt;email&#45;message&#45;&#45;c79b6bde&#45;4f4c&#45;4b38&#45;a8c8&#45;fb82921d6b97</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M579.93,-204.19C585.33,-196.35 592.09,-186.54 599.05,-176.45\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"602.13,-178.15 604.92,-167.93 596.36,-174.18 602.13,-178.15\"/>\n",
"</g>\n",
"<!-- http://phishing&#45;link.com/login -->\n",
"<!-- url&#45;&#45;4c3b&#45;4c4b&#45;bb6c&#45;ded6b2a4a567 -->\n",
"<g id=\"node4\" class=\"node\">\n",
"<title>http://phishing&#45;link.com/login</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"483.22\" cy=\"-18\" rx=\"116.18\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"483.22\" y=\"-14.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">http://phishing&#45;link.com/login</text>\n",
"<title>url&#45;&#45;4c3b&#45;4c4b&#45;bb6c&#45;ded6b2a4a567</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"1077.98\" cy=\"-18\" rx=\"116.18\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"1077.98\" y=\"-14.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">http://phishing&#45;link.com/login</text>\n",
"</g>\n",
"<!-- email&#45;message&#45;&#45;c79b6bde&#45;4f4c&#45;4b38&#45;a8c8&#45;fb82921d6b97&#45;&gt;http://phishing&#45;link.com/login -->\n",
"<g id=\"edge2\" class=\"edge\">\n",
"<title>email&#45;message&#45;&#45;c79b6bde&#45;4f4c&#45;4b38&#45;a8c8&#45;fb82921d6b97&#45;&gt;http://phishing&#45;link.com/login</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M566.98,-73.43C549.77,-62.25 532.1,-50.77 517.46,-41.25\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"519.06,-38.11 508.76,-35.6 515.24,-43.98 519.06,-38.11\"/>\n",
"</g>\n",
"<!-- Taylor -->\n",
"<!-- user&#45;account&#45;&#45;bd5631cf&#45;2af6&#45;4bba&#45;bc92&#45;37c60d020400 -->\n",
"<g id=\"node5\" class=\"node\">\n",
"<title>Taylor</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"519.22\" cy=\"-303.04\" rx=\"113.27\" ry=\"26.74\"/>\n",
"<text text-anchor=\"middle\" x=\"519.22\" y=\"-306.84\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Taylor</text>\n",
"<text text-anchor=\"middle\" x=\"519.22\" y=\"-291.84\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">taylor@ourcompany.com</text>\n",
"<title>user&#45;account&#45;&#45;bd5631cf&#45;2af6&#45;4bba&#45;bc92&#45;37c60d020400</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"1954.98\" cy=\"-90\" rx=\"135.68\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"1954.98\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Taylor (taylor@ourcompany.com)</text>\n",
"</g>\n",
"<!-- Taylor&#45;&gt;hr&#45;dept@ourcompany&#45;security.com -->\n",
"<g id=\"edge3\" class=\"edge\">\n",
"<title>Taylor&#45;&gt;hr&#45;dept@ourcompany&#45;security.com</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M535.27,-276.21C540.65,-267.54 546.66,-257.87 552.06,-249.19\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"555.1,-250.92 557.4,-240.58 549.15,-247.23 555.1,-250.92\"/>\n",
"</g>\n",
"<!-- Phishing Email Indicator -->\n",
"<!-- observable&#45;&#45;001 -->\n",
"<g id=\"node6\" class=\"node\">\n",
"<title>Phishing Email Indicator</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"603.22\" cy=\"-556.76\" rx=\"280.94\" ry=\"37.45\"/>\n",
"<text text-anchor=\"middle\" x=\"603.22\" y=\"-568.06\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Phishing Email Indicator</text>\n",
"<text text-anchor=\"middle\" x=\"603.22\" y=\"-553.06\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Pattern: [email&#45;message:subject = &#39;Urgent Benefits Package Update&#39;]</text>\n",
"<text text-anchor=\"middle\" x=\"603.22\" y=\"-538.06\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Valid From: 2024&#45;07&#45;17T00:00:00Z</text>\n",
"<title>observable&#45;&#45;001</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"2249.98\" cy=\"-90\" rx=\"141.07\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"2249.98\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">hr&#45;dept@ourcompany&#45;security.com</text>\n",
"</g>\n",
"<!-- Phishing Email Indicator&#45;&gt;Phishing Attack on OurCompany -->\n",
"<!-- observable&#45;&#45;002 -->\n",
"<g id=\"node7\" class=\"node\">\n",
"<title>observable&#45;&#45;002</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"2524.98\" cy=\"-90\" rx=\"116.18\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"2524.98\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">http://phishing&#45;link.com/login</text>\n",
"</g>\n",
"<!-- indicator&#45;&#45;1cba2e3c&#45;4bdb&#45;4d0b&#45;a87b&#45;2d504ad5923f -->\n",
"<g id=\"node8\" class=\"node\">\n",
"<title>indicator&#45;&#45;1cba2e3c&#45;4bdb&#45;4d0b&#45;a87b&#45;2d504ad5923f</title>\n",
"<polygon fill=\"none\" stroke=\"black\" points=\"725.98,-36 586.06,-18 725.98,0 865.91,-18 725.98,-36\"/>\n",
"<text text-anchor=\"middle\" x=\"725.98\" y=\"-14.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Phishing Email Indicator</text>\n",
"</g>\n",
"<!-- incident&#45;&#45;7a2b252e&#45;c3e5&#45;4bc2&#45;bc6f&#45;cb917ecf7857 -->\n",
"<g id=\"node9\" class=\"node\">\n",
"<title>incident&#45;&#45;7a2b252e&#45;c3e5&#45;4bc2&#45;bc6f&#45;cb917ecf7857</title>\n",
"<polygon fill=\"none\" stroke=\"black\" points=\"568.48,-36 365.48,-36 365.48,0 568.48,0 568.48,-36\"/>\n",
"<text text-anchor=\"middle\" x=\"466.98\" y=\"-14.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">Phishing Attack on OurCompany</text>\n",
"</g>\n",
"<!-- relationship&#45;&#45;3f1a8d8b&#45;6a6e&#45;4b5d&#45;8e15&#45;2d6d9a2b3f1d -->\n",
"<g id=\"node10\" class=\"node\">\n",
"<title>relationship&#45;&#45;3f1a8d8b&#45;6a6e&#45;4b5d&#45;8e15&#45;2d6d9a2b3f1d</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"642.98\" cy=\"-90\" rx=\"208.76\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"642.98\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">relationship&#45;&#45;3f1a8d8b&#45;6a6e&#45;4b5d&#45;8e15&#45;2d6d9a2b3f1d</text>\n",
"</g>\n",
"<!-- relationship&#45;&#45;3f1a8d8b&#45;6a6e&#45;4b5d&#45;8e15&#45;2d6d9a2b3f1d&#45;&gt;indicator&#45;&#45;1cba2e3c&#45;4bdb&#45;4d0b&#45;a87b&#45;2d504ad5923f -->\n",
"<g id=\"edge1\" class=\"edge\">\n",
"<title>relationship&#45;&#45;3f1a8d8b&#45;6a6e&#45;4b5d&#45;8e15&#45;2d6d9a2b3f1d&#45;&gt;indicator&#45;&#45;1cba2e3c&#45;4bdb&#45;4d0b&#45;a87b&#45;2d504ad5923f</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M663.07,-72.05C674.3,-62.59 688.4,-50.69 700.41,-40.56\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"702.94,-43.01 708.33,-33.89 698.43,-37.66 702.94,-43.01\"/>\n",
"</g>\n",
"<!-- relationship&#45;&#45;3f1a8d8b&#45;6a6e&#45;4b5d&#45;8e15&#45;2d6d9a2b3f1d&#45;&gt;incident&#45;&#45;7a2b252e&#45;c3e5&#45;4bc2&#45;bc6f&#45;cb917ecf7857 -->\n",
"<g id=\"edge2\" class=\"edge\">\n",
"<title>relationship&#45;&#45;3f1a8d8b&#45;6a6e&#45;4b5d&#45;8e15&#45;2d6d9a2b3f1d&#45;&gt;incident&#45;&#45;7a2b252e&#45;c3e5&#45;4bc2&#45;bc6f&#45;cb917ecf7857</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M600.83,-72.23C576.37,-62.51 545.36,-50.17 519.35,-39.83\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"520.6,-36.56 510.02,-36.12 518.02,-43.06 520.6,-36.56\"/>\n",
"</g>\n",
"<!-- relationship&#45;&#45;4b6e65f3&#45;743d&#45;40c2&#45;9194&#45;3b5e38b3efed -->\n",
"<g id=\"node11\" class=\"node\">\n",
"<title>relationship&#45;&#45;4b6e65f3&#45;743d&#45;40c2&#45;9194&#45;3b5e38b3efed</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"207.98\" cy=\"-90\" rx=\"207.96\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"207.98\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">relationship&#45;&#45;4b6e65f3&#45;743d&#45;40c2&#45;9194&#45;3b5e38b3efed</text>\n",
"</g>\n",
"<!-- relationship&#45;&#45;4b6e65f3&#45;743d&#45;40c2&#45;9194&#45;3b5e38b3efed&#45;&gt;identity&#45;&#45;1cba2e3c&#45;4bdb&#45;4d0b&#45;a87b&#45;2d504ad5923f -->\n",
"<g id=\"edge4\" class=\"edge\">\n",
"<title>Phishing Email Indicator&#45;&gt;Phishing Attack on OurCompany</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M547.48,-520.02C531.75,-509.93 514.16,-498.65 496.76,-487.5\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"498.55,-484.49 488.24,-482.04 494.77,-490.38 498.55,-484.49\"/>\n",
"<title>relationship&#45;&#45;4b6e65f3&#45;743d&#45;40c2&#45;9194&#45;3b5e38b3efed&#45;&gt;identity&#45;&#45;1cba2e3c&#45;4bdb&#45;4d0b&#45;a87b&#45;2d504ad5923f</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M207.98,-71.7C207.98,-63.98 207.98,-54.71 207.98,-46.11\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"211.48,-46.1 207.98,-36.1 204.48,-46.1 211.48,-46.1\"/>\n",
"</g>\n",
"<!-- Phishing Attack on OurCompany&#45;&gt;http://phishing&#45;link.com/login -->\n",
"<g id=\"edge7\" class=\"edge\">\n",
"<title>Phishing Attack on OurCompany&#45;&gt;http://phishing&#45;link.com/login</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M369.3,-365.8C334.13,-291.29 288.88,-160.75 349.22,-72 360.89,-54.84 379.06,-43.24 398.29,-35.39\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"399.66,-38.62 407.8,-31.83 397.2,-32.06 399.66,-38.62\"/>\n",
"<!-- relationship&#45;&#45;4b6e65f3&#45;743d&#45;40c2&#45;9194&#45;3b5e38b3efed&#45;&gt;incident&#45;&#45;7a2b252e&#45;c3e5&#45;4bc2&#45;bc6f&#45;cb917ecf7857 -->\n",
"<g id=\"edge3\" class=\"edge\">\n",
"<title>relationship&#45;&#45;4b6e65f3&#45;743d&#45;40c2&#45;9194&#45;3b5e38b3efed&#45;&gt;incident&#45;&#45;7a2b252e&#45;c3e5&#45;4bc2&#45;bc6f&#45;cb917ecf7857</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M268.05,-72.76C305.74,-62.58 354.57,-49.38 394.42,-38.61\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"395.34,-41.99 404.08,-36 393.51,-35.23 395.34,-41.99\"/>\n",
"</g>\n",
"<!-- Phishing Attack on OurCompany&#45;&gt;Taylor -->\n",
"<!-- relationship&#45;&#45;5c9b6eaf&#45;27a6&#45;4b2b&#45;9b17&#45;49e3b00f6051 -->\n",
"<g id=\"node12\" class=\"node\">\n",
"<title>relationship&#45;&#45;5c9b6eaf&#45;27a6&#45;4b2b&#45;9b17&#45;49e3b00f6051</title>\n",
"<ellipse fill=\"none\" stroke=\"black\" cx=\"1077.98\" cy=\"-90\" rx=\"207.96\" ry=\"18\"/>\n",
"<text text-anchor=\"middle\" x=\"1077.98\" y=\"-86.3\" font-family=\"Times New Roman,serif\" font-size=\"14.00\">relationship&#45;&#45;5c9b6eaf&#45;27a6&#45;4b2b&#45;9b17&#45;49e3b00f6051</text>\n",
"</g>\n",
"<!-- relationship&#45;&#45;5c9b6eaf&#45;27a6&#45;4b2b&#45;9b17&#45;49e3b00f6051&#45;&gt;url&#45;&#45;4c3b&#45;4c4b&#45;bb6c&#45;ded6b2a4a567 -->\n",
"<g id=\"edge6\" class=\"edge\">\n",
"<title>Phishing Attack on OurCompany&#45;&gt;Taylor</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M457.28,-366.27C467.45,-356.05 477.71,-345.74 486.88,-336.53\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"489.4,-338.96 493.97,-329.41 484.44,-334.02 489.4,-338.96\"/>\n",
"<title>relationship&#45;&#45;5c9b6eaf&#45;27a6&#45;4b2b&#45;9b17&#45;49e3b00f6051&#45;&gt;url&#45;&#45;4c3b&#45;4c4b&#45;bb6c&#45;ded6b2a4a567</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M1077.98,-71.7C1077.98,-63.98 1077.98,-54.71 1077.98,-46.11\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"1081.48,-46.1 1077.98,-36.1 1074.48,-46.1 1081.48,-46.1\"/>\n",
"</g>\n",
"<!-- relationship&#45;&#45;5c9b6eaf&#45;27a6&#45;4b2b&#45;9b17&#45;49e3b00f6051&#45;&gt;incident&#45;&#45;7a2b252e&#45;c3e5&#45;4bc2&#45;bc6f&#45;cb917ecf7857 -->\n",
"<g id=\"edge5\" class=\"edge\">\n",
"<title>relationship&#45;&#45;5c9b6eaf&#45;27a6&#45;4b2b&#45;9b17&#45;49e3b00f6051&#45;&gt;incident&#45;&#45;7a2b252e&#45;c3e5&#45;4bc2&#45;bc6f&#45;cb917ecf7857</title>\n",
"<path fill=\"none\" stroke=\"black\" d=\"M941.69,-76.36C843.38,-66.83 707.26,-52.76 578.59,-36.18\"/>\n",
"<polygon fill=\"black\" stroke=\"black\" points=\"578.91,-32.69 568.54,-34.88 578.01,-39.63 578.91,-32.69\"/>\n",
"</g>\n",
"</g>\n",
"</svg>\n"
],
"text/plain": [
"<graphviz.sources.Source at 0x1291bc087a0>"
"<graphviz.sources.Source at 0x1291ba3a540>"
]
},
"execution_count": 29,
"execution_count": 45,
"metadata": {},
"output_type": "execute_result"
}
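Review bot: nearly all of this hunk is a rendered SVG, the object address in `text/plain` and `execution_count` values, which change on every run and hide the handful of real edits in the diff. Clear cell outputs before committing, for example with `nbstripout` or `jupyter nbconvert --clear-output --inplace`, and keep the expected graph as a separate DOT or image file if readers need to see it. This also keeps model output and anything printed from local files out of the repository history.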
@@ -445,18 +497,189 @@
]
},
{
"cell_type": "code",
"execution_count": null,
"cell_type": "markdown",
"metadata": {},
"outputs": [],
"source": [
"from IPython.display import Image\n",
"### Step 8: Visualize zero-shot learning results from previous tutorial"
]
},
{
"cell_type": "code",
"execution_count": 46,
"metadata": {},
"outputs": [
{
"data": {
"image/svg+xml": [
"<svg xmlns=\"http://www.w3.org/2000/svg\" xmlns:xlink=\"http://www.w3.org/1999/xlink\" width=\"2500pt\" height=\"194pt\" viewBox=\"0.00 0.00 2500.29 194.40\">\n",
"<g id=\"graph0\" class=\"graph\" transform=\"scale(1 1) rotate(0) translate(4 190.4)\">\n",
"<title>G</title>\n",
"<polygon fill=\"#ffffff\" stroke=\"transparent\" points=\"-4,4 -4,-190.4 2496.2943,-190.4 2496.2943,4 -4,4\"/>\n",
"<!-- Email -->\n",
"<g id=\"node1\" class=\"node\">\n",
"<title>Email</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"613.4049,-186.6014 353.9079,-186.6014 353.9079,-127.7986 613.4049,-127.7986 613.4049,-186.6014\"/>\n",
"<text text-anchor=\"middle\" x=\"483.6564\" y=\"-169.8\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Email</text>\n",
"<text text-anchor=\"middle\" x=\"483.6564\" y=\"-153\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">sender: support@banksecure.com</text>\n",
"<text text-anchor=\"middle\" x=\"483.6564\" y=\"-136.2\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">subject: Urgent: Verify Your Account Now</text>\n",
"</g>\n",
"<!-- Headers -->\n",
"<g id=\"node2\" class=\"node\">\n",
"<title>Headers</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"165.4695,-83.7003 -.1567,-83.7003 -.1567,-8.2997 165.4695,-8.2997 165.4695,-83.7003\"/>\n",
"<text text-anchor=\"middle\" x=\"82.6564\" y=\"-67\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Headers</text>\n",
"<text text-anchor=\"middle\" x=\"82.6564\" y=\"-50.2\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">IP_address: 192.168.10.45</text>\n",
"<text text-anchor=\"middle\" x=\"82.6564\" y=\"-33.4\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">domain: banksecure.com</text>\n",
"<text text-anchor=\"middle\" x=\"82.6564\" y=\"-16.6\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">registered_to: Russia</text>\n",
"</g>\n",
"<!-- Email&#45;&gt;Headers -->\n",
"<g id=\"edge1\" class=\"edge\">\n",
"<title>Email-&gt;Headers</title>\n",
"<path fill=\"none\" stroke=\"#000000\" d=\"M353.775,-137.6786C297.4837,-127.2351 231.3854,-112.2695 173.6564,-92 169.8657,-90.669 166.0318,-89.2125 162.1924,-87.6631\"/>\n",
"<polygon fill=\"#000000\" stroke=\"#000000\" points=\"163.2322,-84.3031 152.6582,-83.6394 160.5104,-90.7523 163.2322,-84.3031\"/>\n",
"</g>\n",
"<!-- Link_0 -->\n",
"<g id=\"node3\" class=\"node\">\n",
"<title>Link_0</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"460.4245,-75.4014 182.8883,-75.4014 182.8883,-16.5986 460.4245,-16.5986 460.4245,-75.4014\"/>\n",
"<text text-anchor=\"middle\" x=\"321.6564\" y=\"-58.6\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Link</text>\n",
"<text text-anchor=\"middle\" x=\"321.6564\" y=\"-41.8\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">URL: http://banksecure-verification.com/login</text>\n",
"<text text-anchor=\"middle\" x=\"321.6564\" y=\"-25\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">timestamp: 10:15 AM</text>\n",
"</g>\n",
"<!-- Email&#45;&gt;Link_0 -->\n",
"<g id=\"edge2\" class=\"edge\">\n",
"<title>Email-&gt;Link_0</title>\n",
"<path fill=\"none\" stroke=\"#000000\" d=\"M441.0928,-127.9835C420.0619,-113.5475 394.5307,-96.0223 372.4805,-80.8867\"/>\n",
"<polygon fill=\"#000000\" stroke=\"#000000\" points=\"374.442,-77.9879 364.2167,-75.2142 370.4805,-83.7591 374.442,-77.9879\"/>\n",
"</g>\n",
"<!-- Link_1 -->\n",
"<g id=\"node4\" class=\"node\">\n",
"<title>Link_1</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"811.3839,-75.4014 477.9289,-75.4014 477.9289,-16.5986 811.3839,-16.5986 811.3839,-75.4014\"/>\n",
"<text text-anchor=\"middle\" x=\"644.6564\" y=\"-58.6\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Link</text>\n",
"<text text-anchor=\"middle\" x=\"644.6564\" y=\"-41.8\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">URL: http://banksecure-verification.com/account-details</text>\n",
"<text text-anchor=\"middle\" x=\"644.6564\" y=\"-25\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">timestamp: 10:17 AM</text>\n",
"</g>\n",
"<!-- Email&#45;&gt;Link_1 -->\n",
"<g id=\"edge3\" class=\"edge\">\n",
"<title>Email-&gt;Link_1</title>\n",
"<path fill=\"none\" stroke=\"#000000\" d=\"M525.9573,-127.9835C546.7663,-113.6111 572.0085,-96.1767 593.8562,-81.0869\"/>\n",
"<polygon fill=\"#000000\" stroke=\"#000000\" points=\"596.1197,-83.7772 602.3588,-75.2142 592.1416,-78.0175 596.1197,-83.7772\"/>\n",
"</g>\n",
"<!-- Attachment_0 -->\n",
"<g id=\"node5\" class=\"node\">\n",
"<title>Attachment_0</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"1132.4912,-92 828.8216,-92 828.8216,0 1132.4912,0 1132.4912,-92\"/>\n",
"<text text-anchor=\"middle\" x=\"980.6564\" y=\"-75.4\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Attachment</text>\n",
"<text text-anchor=\"middle\" x=\"980.6564\" y=\"-58.6\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">file_name: AccountDetails.exe</text>\n",
"<text text-anchor=\"middle\" x=\"980.6564\" y=\"-41.8\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">created_at: 10:20 AM</text>\n",
"<text text-anchor=\"middle\" x=\"980.6564\" y=\"-25\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">MD5_hash: e99a18c428cb38d5f260853678922e03</text>\n",
"<text text-anchor=\"middle\" x=\"980.6564\" y=\"-8.2\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">status: known_malware</text>\n",
"</g>\n",
"<!-- Email&#45;&gt;Attachment_0 -->\n",
"<g id=\"edge4\" class=\"edge\">\n",
"<title>Email-&gt;Attachment_0</title>\n",
"<path fill=\"none\" stroke=\"#000000\" d=\"M613.4582,-134.872C673.6142,-123.8466 746.1735,-109.5917 818.9279,-92.37\"/>\n",
"<polygon fill=\"#000000\" stroke=\"#000000\" points=\"819.8125,-95.7572 828.7275,-90.0324 818.1883,-88.9483 819.8125,-95.7572\"/>\n",
"</g>\n",
"<!-- Actions -->\n",
"<g id=\"node6\" class=\"node\">\n",
"<title>Actions</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"1820.6852,-175.2 1722.6276,-175.2 1722.6276,-139.2 1820.6852,-139.2 1820.6852,-175.2\"/>\n",
"<text text-anchor=\"middle\" x=\"1771.6564\" y=\"-153\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Actions Taken</text>\n",
"</g>\n",
"<!-- Action_0 -->\n",
"<g id=\"node7\" class=\"node\">\n",
"<title>Action_0</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"1347.0201,-64 1150.2927,-64 1150.2927,-28 1347.0201,-28 1347.0201,-64\"/>\n",
"<text text-anchor=\"middle\" x=\"1248.6564\" y=\"-41.8\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Clear browser history and cache</text>\n",
"</g>\n",
"<!-- Actions&#45;&gt;Action_0 -->\n",
"<g id=\"edge5\" class=\"edge\">\n",
"<title>Actions-&gt;Action_0</title>\n",
"<path fill=\"none\" stroke=\"#000000\" d=\"M1722.4388,-153.5006C1643.6934,-146.6934 1485.077,-129.3195 1355.6564,-92 1334.7144,-85.9612 1312.4383,-76.8526 1293.6643,-68.3299\"/>\n",
"<polygon fill=\"#000000\" stroke=\"#000000\" points=\"1295.0174,-65.0995 1284.4719,-64.078 1292.0786,-71.4528 1295.0174,-65.0995\"/>\n",
"</g>\n",
"<!-- Action_1 -->\n",
"<g id=\"node8\" class=\"node\">\n",
"<title>Action_1</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"1508.3003,-64 1365.0125,-64 1365.0125,-28 1508.3003,-28 1508.3003,-64\"/>\n",
"<text text-anchor=\"middle\" x=\"1436.6564\" y=\"-41.8\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Run full antivirus scan</text>\n",
"</g>\n",
"<!-- Actions&#45;&gt;Action_1 -->\n",
"<g id=\"edge6\" class=\"edge\">\n",
"<title>Actions-&gt;Action_1</title>\n",
"<path fill=\"none\" stroke=\"#000000\" d=\"M1722.4666,-148.7423C1670.1693,-138.8108 1585.6568,-120.0472 1516.6564,-92 1501.7032,-85.9218 1486.1289,-77.5031 1472.7385,-69.5275\"/>\n",
"<polygon fill=\"#000000\" stroke=\"#000000\" points=\"1474.2122,-66.3269 1463.8516,-64.111 1470.569,-72.3042 1474.2122,-66.3269\"/>\n",
"</g>\n",
"<!-- Action_2 -->\n",
"<g id=\"node9\" class=\"node\">\n",
"<title>Action_2</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"1787.473,-64 1525.8398,-64 1525.8398,-28 1787.473,-28 1787.473,-64\"/>\n",
"<text text-anchor=\"middle\" x=\"1656.6564\" y=\"-41.8\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Provide browser history entries and cookies</text>\n",
"</g>\n",
"<!-- Actions&#45;&gt;Action_2 -->\n",
"<g id=\"edge7\" class=\"edge\">\n",
"<title>Actions-&gt;Action_2</title>\n",
"<path fill=\"none\" stroke=\"#000000\" d=\"M1752.9237,-139.0863C1733.8777,-120.6697 1704.2098,-91.982 1682.8426,-71.3209\"/>\n",
"<polygon fill=\"#000000\" stroke=\"#000000\" points=\"1685.0029,-68.5412 1675.3811,-64.1059 1680.137,-73.5734 1685.0029,-68.5412\"/>\n",
"</g>\n",
"<!-- Action_3 -->\n",
"<g id=\"node10\" class=\"node\">\n",
"<title>Action_3</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"1967.8347,-64 1805.4781,-64 1805.4781,-28 1967.8347,-28 1967.8347,-64\"/>\n",
"<text text-anchor=\"middle\" x=\"1886.6564\" y=\"-41.8\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Quarantine suspicious file</text>\n",
"</g>\n",
"<!-- Actions&#45;&gt;Action_3 -->\n",
"<g id=\"edge8\" class=\"edge\">\n",
"<title>Actions-&gt;Action_3</title>\n",
"<path fill=\"none\" stroke=\"#000000\" d=\"M1790.3891,-139.0863C1809.4351,-120.6697 1839.103,-91.982 1860.4702,-71.3209\"/>\n",
"<polygon fill=\"#000000\" stroke=\"#000000\" points=\"1863.1758,-73.5734 1867.9317,-64.1059 1858.3099,-68.5412 1863.1758,-73.5734\"/>\n",
"</g>\n",
"<!-- Action_4 -->\n",
"<g id=\"node11\" class=\"node\">\n",
"<title>Action_4</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"2157.1649,-64 1986.1479,-64 1986.1479,-28 2157.1649,-28 2157.1649,-64\"/>\n",
"<text text-anchor=\"middle\" x=\"2071.6564\" y=\"-41.8\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Check network connections</text>\n",
"</g>\n",
"<!-- Actions&#45;&gt;Action_4 -->\n",
"<g id=\"edge9\" class=\"edge\">\n",
"<title>Actions-&gt;Action_4</title>\n",
"<path fill=\"none\" stroke=\"#000000\" d=\"M1820.8076,-143.7144C1862.7732,-131.6934 1924.447,-112.8189 1976.6564,-92 1993.8733,-85.1346 2012.3158,-76.5132 2028.3275,-68.5952\"/>\n",
"<polygon fill=\"#000000\" stroke=\"#000000\" points=\"2030.0692,-71.6375 2037.4465,-64.0331 2026.9372,-65.3773 2030.0692,-71.6375\"/>\n",
"</g>\n",
"<!-- Action_5 -->\n",
"<g id=\"node12\" class=\"node\">\n",
"<title>Action_5</title>\n",
"<polygon fill=\"none\" stroke=\"#000000\" points=\"2492.4323,-64 2174.8805,-64 2174.8805,-28 2492.4323,-28 2492.4323,-64\"/>\n",
"<text text-anchor=\"middle\" x=\"2333.6564\" y=\"-41.8\" font-family=\"Times,serif\" font-size=\"14.00\" fill=\"#000000\">Reset passwords and enable two-factor authentication</text>\n",
"</g>\n",
"<!-- Actions&#45;&gt;Action_5 -->\n",
"<g id=\"edge10\" class=\"edge\">\n",
"<title>Actions-&gt;Action_5</title>\n",
"<path fill=\"none\" stroke=\"#000000\" d=\"M1820.9286,-150.7657C1895.9867,-140.5822 2043.2728,-119.0973 2166.6564,-92 2198.9837,-84.9003 2234.3812,-75.4031 2264.2341,-66.882\"/>\n",
"<polygon fill=\"#000000\" stroke=\"#000000\" points=\"2265.4904,-70.1627 2274.1331,-64.0346 2263.5552,-63.4354 2265.4904,-70.1627\"/>\n",
"</g>\n",
"</g>\n",
"</svg>"
],
"text/plain": [
"<IPython.core.display.SVG object>"
]
},
"execution_count": 46,
"metadata": {},
"output_type": "execute_result"
}
],
"source": [
"from IPython.display import SVG\n",
"\n",
"# Path to the image file\n",
"image_path = \"path/to/your/image.png\"\n",
"# Path to the SVG file\n",
"image_path = \"05_output_stix_zeroshot.svg\"\n",
"\n",
"# Display the image\n",
"Image(filename=image_path)"
"# Display the SVG image\n",
"SVG(filename=image_path)"
]
},
{
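Review bot: The new cell loads `05_output_stix_zeroshot.svg` by a bare relative path, and the Step 8 heading only says the file comes from the "previous tutorial", so a reader who runs this notebook on its own gets a file-not-found error at `SVG(filename=image_path)` with no hint of how to produce the file. Name the notebook that writes this SVG in the Step 8 markdown, or fetch or check for the file before displaying it. The cell also commits roughly 150 lines of rendered SVG as output along with `"execution_count": 46`; if the rendered graph is meant to stay in the repository for readers, that is fine, but it should be a deliberate choice, since every re-run will rewrite those lines.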
@@ -464,8 +687,11 @@
"metadata": {},
"source": [
"# Summary\n",
"\n",
", e.g., [Digital Forensic Knowledge Graph (DFKG)](https://github.com/frankwxu/digital-forensics-lab/tree/main/STIX_for_digital_forensics). "
"- One-shot learning results make more sense when analyzing digital forensic evidence\n",
"- STIX mainly focus on cyber incident formalization, not forensic evidence\n",
" - although basic evidence types are included in its document\n",
"- [Digital Forensic Knowledge Graph (DFKG)](https://github.com/frankwxu/digital-forensics-lab/tree/main/STIX_for_digital_forensics) is an extension of STIX\n",
" - Cyber Forensic Domain Objects and Cyber Forensic Observable Objects"
]
}
],
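Review bot: The first Summary bullet, "One-shot learning results make more sense when analyzing digital forensic evidence", does not say what it is compared against or why. Since Step 8 exists to show the zero-shot graph next to this notebook's result, state the comparison explicitly (one-shot versus zero-shot) and name the concrete difference the reader should see in the two graphs. Minor wording in the same bullets: "STIX mainly focus" should be "focuses", and "its document" presumably means the STIX specification.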

View File

@@ -395,8 +395,10 @@ Here are some political insights based on the leaked email summaries obtained fr
## Contribution
- PI of the project
- PIs of the project
- Dr. Frank Xu (Email: fxu at ubalt dot edu)
- Dr. Debra L. Stanley
- Dr. Lin Deng; Twoson University
- Students:
- Eric Xu: University of Maryland (LLM for Digital Forensics)
- Sarfraz Shaikh: University of Baltimore (Echo Show)
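Review bot: In the added PI line "Dr. Lin Deng; Twoson University", "Twoson" looks like a misspelling of the institution name; please confirm and correct it. The affiliation format is also inconsistent within this list: the new PI entry uses a semicolon, the student entries use a colon ("Eric Xu: University of Maryland"), and "Dr. Debra L. Stanley" has no affiliation at all. Pick one format and apply it to all entries.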