diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_evidence_entity_recognition.ipynb b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_evidence_entity_recognition.ipynb index ea2c905..fee36ab 100644 --- a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_evidence_entity_recognition.ipynb +++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/01_evidence_entity_recognition.ipynb @@ -33,7 +33,7 @@ "source": [ "# uncomment the commands to download libraries and files\n", "#!pip install python-dotenv\n", - "#!pip install dspy-ai\n", + "#!pip install dspy-ai == 2.4.17\n", "#!pip install graphviz\n", "# !wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt\n", "\n", @@ -51,7 +51,7 @@ "source": [ "### Step 2: Config DSPy with openAI \n", "- You `MUST` have an openAI api key\n", - "- load an openAI api key from `openai_api_key.txt` file\n", + "- Load an openAI api key from `openai_api_key.txt` file\n", "- or, hard code your open api key" ] }, @@ -80,6 +80,7 @@ "\n", "\n", "def set_dspy_hardcode_openai_key():\n", + " # \"tMq-fOFjuDB80LIjdPdmVibgoYZamwlfEjU635n37WWKjuNEsbX2WQML-Rns5BYwbrX0-qxLgrT3BlbkFJz2vo7FT9JAj_TPucTMpsdLq2QaNYuysLphE0Wg2ENUBOmWt6lMHjl1sq4_Oac-oh3yP0V4\"\n", " os.environ[\"OPENAI_API_KEY\"] = (\n", " \"sk-proj-yourapikeyhere\"\n", " )\n", @@ -90,7 +91,7 @@ "\n", "# provide `openai_api_key.txt` with your openAI api key\n", "turbo=set_dspy()\n", - "# optionally, hard code your openAI api key at line 21 \n", + "# optionally, hard code your openAI api key at line 21\n", "# turbo=set_dspy_hardcode_openai_key()" ] }, diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_evidence_knowledge_dot_generator.ipynb b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_evidence_knowledge_dot_generator.ipynb index 54768e3..855f69a 100644 
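Review bot: The pinned install `#!pip install dspy-ai == 2.4.17` will not work once uncommented, because the shell splits it into three arguments and pip rejects `==` as an invalid requirement; it needs to be `#!pip install dspy-ai==2.4.17`. The same spaced form is repeated in the corresponding install cells of notebooks 02–05 in this commit. Pinning the version is the right supply-chain instinct for a lab that must be reproducible; if that is the goal, a `requirements.txt` installed with `--require-hashes` would also lock the transitive dependencies rather than just the top-level package.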
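Review bot: The comment line added inside `set_dspy_hardcode_openai_key()` contains a long opaque token (`tMq-fOFj…yP0V4`) that, with its `T3BlbkFJ` segment, looks like the body of a real OpenAI project API key rather than a placeholder; it must not be committed even commented out. Delete the line, treat the key as compromised and rotate it in the OpenAI dashboard, and scrub it from git history (e.g. `git filter-repo`) since this commit already publishes it. A pre-commit secret scanner (gitleaks, detect-secrets) would have caught this, and the hard-coded-key helper itself invites the mistake: the notebook already installs python-dotenv, so reading the key from `openai_api_key.txt` or `.env` (both listed in `.gitignore`) should be the only documented path, with the helper reduced to a warning comment such as `# never paste a real key here; use openai_api_key.txt`.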
--- a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_evidence_knowledge_dot_generator.ipynb +++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/02_evidence_knowledge_dot_generator.ipynb @@ -33,7 +33,7 @@ "source": [ "# uncomment the commands to download libraries and files\n", "#!pip install python-dotenv\n", - "#!pip install dspy-ai\n", + "#!pip install dspy-ai == 2.4.17\n", "#!pip install graphviz\n", "# !wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt\n", "\n", @@ -182,7 +182,7 @@ "cell_type": "markdown", "metadata": {}, "source": [ - "### Step 4: Tell an LLM `WHAT` are the inputs/outputs by defining DSPy: Signature \n", + "### Step 4: Tell an LLM `WHAT` are the inputs/outputs by defining `dspy.Signature` \n", "\n", "- Goal\n", " - to generate a simple plaintext file, call `DOT`. In DOT, you define nodes and edges.\n", @@ -226,7 +226,7 @@ "- `output_file` (str): The file path where the identified evidence will be saved in DOT format.\n", "\n", "#### Notes:\n", - "- This function uses [`dspy.ChainOfThought`](https://arxiv.org/pdf/2201.11903) to process the conversation and create sknowledge graph\n", + "- This function uses [`dspy.ChainOfThought`](https://arxiv.org/pdf/2201.11903) to process the conversation and create a knowledge graph\n", "- Other options include \n", " - `dspy.ChainOfThoughtWithHint` : Provide hints for reasoning\n", " - `dspy.Retrieve`: Retrieves passages from a retriever module\n", diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_evidence_stix_zeroshot.ipynb b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_evidence_stix_zeroshot.ipynb index 8bcef74..54e7cd9 100644 --- a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_evidence_stix_zeroshot.ipynb 
+++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/03_evidence_stix_zeroshot.ipynb @@ -67,7 +67,7 @@ "source": [ "# uncomment the commands to download libraries and files\n", "#!pip install python-dotenv\n", - "#!pip install dspy-ai\n", + "#!pip install dspy-ai == 2.4.17\n", "#!pip install graphviz\n", "# !wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt\n", "\n", diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_evidence_stix_oneshot.ipynb b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_evidence_stix_oneshot.ipynb index 71e8d5c..a213e5d 100644 --- a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_evidence_stix_oneshot.ipynb +++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/04_evidence_stix_oneshot.ipynb @@ -9,10 +9,13 @@ "### Motivation\n", "- The generated evidence graph (consists of evidence and their relations) doesn't follow STIX. \n", "\n", - "### Solution: One-shot learning\n", + "### Solution: One-shot fine-tuning\n", "\n", "- Provide one training example to LLMs\n", "- LLMs often produce more accurate results by learning the example \n", + "- Fine-tuning is a productive way to leverage machine learning\n", + "\n", + "\n", "\n", "### Implementation\n", "- Add one-shot example as the `context` of answer (e.g., conversation)" @@ -35,7 +38,7 @@ "source": [ "# uncomment the commands to download libraries and files\n", "#!pip install python-dotenv\n", - "#!pip install dspy-ai\n", + "#!pip install dspy-ai == 2.4.17\n", "#!pip install graphviz\n", "# !wget https://raw.githubusercontent.com/frankwxu/digital-forensics-lab/main/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/conversation.txt\n", "\n", 
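Review bot: Renaming the section to `One-shot fine-tuning` and adding `Fine-tuning is a productive way to leverage machine learning` mislabel the technique: the Implementation bullet in the same cell says the example is added as the `context` of the prompt, which is in-context (one-shot) prompting, and no model weights are updated. Fine-tuning has a specific meaning (training on examples to produce a modified model), so a reader would be misled about what was done and what is reproducible. Suggest keeping the original heading as `### Solution: One-shot learning (in-context prompting)` and replacing the new bullet with `- No model is trained or modified; the example is supplied in the prompt at inference time`.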
diff --git a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_evidence_stix_dot_generator.ipynb b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_evidence_stix_dot_generator.ipynb index 038ef63..a81a9ce 100644 --- a/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_evidence_stix_dot_generator.ipynb +++ b/AI4Forensics/CKIM2024/PhishingAttack/PhishingAttackScenarioDemo/05_evidence_stix_dot_generator.ipynb @@ -4,34 +4,32 @@ "cell_type": "markdown", "metadata": {}, "source": [ - "## A tutorial to visualize one-shot learning results\n", - "\n", - "### Goal\n", - "- Compare one-shot learning with zero-shot learning\n", - "- To visualize the different\n", + "## A tutorial to visually compare zero-shot and one-shot learning results\n", "\n", "### Approach\n", - "- Directly generate a DOT file from one-shot learning example completed in previous tutorial" + "- Directly generate a DOT file from one-shot learning example completed in previous tutorial\n", + "- Load the image containing zero-shot graph\n", + "- Visually compare the difference " ] }, { "cell_type": "markdown", "metadata": {}, "source": [ - "### Step 1: Download libraries and files for the lab\n", + "### Step 1: Download libraries\n", "- Make use you download necessary library and files. \n", "- All downloaded and saved files can be located in the `content` folder if using google Colab" ] }, { "cell_type": "code", - "execution_count": 17, + "execution_count": 39, "metadata": {}, "outputs": [], "source": [ "# uncomment the commands to download libraries and files\n", "#!pip install python-dotenv\n", - "#!pip install dspy-ai\n", + "#!pip install dspy-ai == 2.4.17\n", "#!pip install graphviz\n", "\n", "import dspy\n", 
@@ -43,9 +41,19 @@ "from IPython.display import display" ] }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "### Step 2: Config DSPy with openAI \n", + "- You `MUST` have an openAI api key\n", + "- load an openAI api key from `openai_api_key.txt` file\n", + "- or, hard code your open api key" + ] + }, { "cell_type": "code", - "execution_count": 18, + "execution_count": 40, "metadata": {}, "outputs": [], "source": [ 
@@ -61,55 +69,38 @@ " # Set the API key as an environment variable\n", " os.environ[\"OPENAI_API_KEY\"] = openai_api_key\n", " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n", - " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0)\n", + " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", max_tokens=2000, temperature=0.5)\n", " dspy.settings.configure(lm=turbo)\n", " return turbo\n", " # ==============end of set openAI enviroment=========\n", "\n", "\n", "def set_dspy_hardcode_openai_key():\n", - " os.environ[\"OPENAI_API_KEY\"] = (\n", - " \"sk-proj-yourapikeyhere\"\n", - " )\n", + " os.environ[\"OPENAI_API_KEY\"] = \"sk-proj-yourapikeyhere\"\n", " openai.api_key = os.environ[\"OPENAI_API_KEY\"]\n", - " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n", + " turbo = dspy.OpenAI(model=\"gpt-3.5-turbo\", temperature=0, max_tokens=2000)\n", " dspy.settings.configure(lm=turbo)\n", " return turbo\n", "\n", - "turbo=set_dspy()\n", - "# comment out set_dspy() and use set_dspy_hardcode_openai_key is your option\n", + "\n", + "# provide `openai_api_key.txt` with your openAI api key\n", + "turbo = set_dspy()\n", + "# optionally, hard code your openAI api key at line 21\n", "# turbo=set_dspy_hardcode_openai_key()" ] }, { - "cell_type": "code", - "execution_count": 19, + "cell_type": "markdown", "metadata": {}, - "outputs": [], "source": [ - "def load_text_file(file_path):\n", - " \"\"\"\n", - " Load a text file and return its contents as a string.\n", + "### Step 3: Load the cyber incident repot (e.g., conversation)\n", "\n", - " Parameters:\n", - " file_path (str): The path to the text file.\n", - "\n", - " Returns:\n", - " str: The contents of the text file.\n", - " \"\"\"\n", - " try:\n", - " with open(file_path, \"r\") as file:\n", - " contents = file.read()\n", - " return contents\n", - " except FileNotFoundError:\n", - " return \"File not found.\"\n", - " except Exception as e:\n", - " return f\"An error occurred: 
{e}\"\n" + "- the same conversation as previous tutorial" ] }, { "cell_type": "code", - "execution_count": 20, + "execution_count": 41, "metadata": {}, "outputs": [ { @@ -208,13 +199,39 @@ } ], "source": [ + "def load_text_file(file_path):\n", + " \"\"\"\n", + " Load a text file and return its contents as a string.\n", + "\n", + " Parameters:\n", + " file_path (str): The path to the text file.\n", + "\n", + " Returns:\n", + " str: The contents of the text file.\n", + " \"\"\"\n", + " try:\n", + " with open(file_path, \"r\") as file:\n", + " contents = file.read()\n", + " return contents\n", + " except FileNotFoundError:\n", + " return \"File not found.\"\n", + " except Exception as e:\n", + " return f\"An error occurred: {e}\"\n", + "\n", "conversation = load_text_file(\"04_output_for_viz.json\")\n", "print(conversation)" ] }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "### Step 4: Tell an LLM `WHAT` are the inputs/outputs by defining `dspy.Signature`" + ] + }, { "cell_type": "code", - "execution_count": 21, + "execution_count": 42, "metadata": {}, "outputs": [], "source": [ 
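Review bot: `set_dspy()` now configures `gpt-3.5-turbo` with `temperature=0.5` while `set_dspy_hardcode_openai_key()` in the same hunk keeps `temperature=0`, so the two documented configuration paths no longer behave the same and the default path yields non-deterministic output. For a notebook whose stated goal is to compare this one-shot graph against a zero-shot result, and for forensic evidence extraction generally, run-to-run reproducibility matters; unless the change is intentional, revert to `temperature=0` or add a comment explaining why sampling is wanted here, e.g. `# temperature=0.5 deliberately trades determinism for variety; use 0 for reproducible runs`. `set_dspy()` begins before the start of this hunk, so the key-loading part of the function is not visible.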
@@ -226,13 +243,20 @@ " )\n", "\n", " answer: str = dspy.OutputField(\n", - " desc=\"a graph in a dot format. The nodes of the graph are evidence entities in STIX or Cyber Forensic Domain Objects and Cyber Forensic Observable Objects in DFKG and the edges of the graph are the relationships between evidence entities in STIX. A dot format is primarily associated with Graphviz, a graph visualization software. For example, a dot should looks like: digraph incident_name {...}. Don't include `````` \"\n", + " desc=\"a graph in a dot format. The nodes of the graph are evidence entities and the edges of the graph are the relationships between evidence entities in STIX. A dot format is primarily associated with Graphviz, a graph visualization software. For example, a dot should looks like: digraph incident_name {...}. Don't include `````` \"\n", " )" ] }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "### Step 5: Tell an LLM `HOW` to generate answer. The business logic is defined in the module `.dspy.Predict`" + ] + }, { "cell_type": "code", - "execution_count": 22, + "execution_count": 43, "metadata": {}, "outputs": [], "source": [ @@ -248,9 +272,16 @@ " print(f\"The evidence has been saved to the file {output_file}\")" ] }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "### Step 6: Actually call LLM to generate the graph in a `.DOT` file" + ] + }, { "cell_type": "code", - "execution_count": 23, + "execution_count": 44, "metadata": {}, "outputs": [ { 
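Review bot: `load_text_file` (moved into this cell) turns a missing or unreadable `04_output_for_viz.json` into the strings `"File not found."` / `"An error occurred: …"`, which the next line prints and the later cells then hand to the LLM as the `conversation`, so a failed load is silently converted into garbage model input instead of stopping the notebook. Let the exception propagate (drop the two `except` clauses) or re-raise with context, and open the file with an explicit encoding: `with open(file_path, "r", encoding="utf-8") as file:`. The docstring should then say `Raises: OSError if the file cannot be read` rather than promising a string in every case.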
@@ -258,23 +289,25 @@ "output_type": "stream", "text": [ "digraph phishing_attack {\n", - " \"OurCompany\" [label=\"OurCompany\\norganization\\ninfo@ourcompany.com\"]\n", - " \"hr-dept@ourcompany-security.com\" [label=\"hr-dept@ourcompany-security.com\"]\n", - " \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\" [label=\"email-message\\nUrgent Benefits Package Update\\nFrom: hr-dept@ourcompany-security.com\\nPlease click the link to review the changes to your benefits package.\"]\n", - " \"http://phishing-link.com/login\" [label=\"http://phishing-link.com/login\"]\n", - " \"Taylor\" [label=\"Taylor\\ntaylor@ourcompany.com\"]\n", + " \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\" [label=\"OurCompany\", shape=\"ellipse\"];\n", + " \"email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\" [label=\"hr-dept@ourcompany-security.com\", shape=\"ellipse\"];\n", + " \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\" [label=\"Urgent Benefits Package Update\", shape=\"box\"];\n", + " \"url--4c3b-4c4b-bb6c-ded6b2a4a567\" [label=\"http://phishing-link.com/login\", shape=\"ellipse\"];\n", + " \"user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\" [label=\"Taylor (taylor@ourcompany.com)\", shape=\"ellipse\"];\n", " \n", - " \"hr-dept@ourcompany-security.com\" -> \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\"\n", - " \"email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\" -> \"http://phishing-link.com/login\"\n", - " \"Taylor\" -> \"hr-dept@ourcompany-security.com\"\n", + " \"observable--001\" [label=\"hr-dept@ourcompany-security.com\", shape=\"ellipse\"];\n", + " \"observable--002\" [label=\"http://phishing-link.com/login\", shape=\"ellipse\"];\n", " \n", - " \"Phishing Email Indicator\" [label=\"Phishing Email Indicator\\nPattern: [email-message:subject = 'Urgent Benefits Package Update']\\nValid 
From: 2024-07-17T00:00:00Z\"]\n", - " \"Phishing Attack on OurCompany\" [label=\"Phishing Attack on OurCompany\\nDescription: A phishing attack where a suspicious email was sent to an employee of OurCompany.\\nFirst Seen: 2024-07-17T08:00:00Z\\nLast Seen: 2024-07-17T08:10:00Z\\nStatus: ongoing\"]\n", + " \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\" [label=\"Phishing Email Indicator\", shape=\"diamond\"];\n", " \n", - " \"Phishing Email Indicator\" -> \"Phishing Attack on OurCompany\"\n", - " \"OurCompany\" -> \"Phishing Attack on OurCompany\"\n", - " \"Phishing Attack on OurCompany\" -> \"Taylor\"\n", - " \"Phishing Attack on OurCompany\" -> \"http://phishing-link.com/login\"\n", + " \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\" [label=\"Phishing Attack on OurCompany\", shape=\"box\"];\n", + " \n", + " \"relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\" -> \"indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\";\n", + " \"relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\" -> \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\";\n", + " \"relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\" -> \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\";\n", + " \"relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\" -> \"identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\";\n", + " \"relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\" -> \"incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\";\n", + " \"relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\" -> \"url--4c3b-4c4b-bb6c-ded6b2a4a567\";\n", "}\n" ] } @@ -288,9 +321,16 @@ ")" ] }, + { + "cell_type": "markdown", + "metadata": {}, + "source": [ + "### Step 7: Visualize one-shot learning results from a `.DOT` file" + ] + }, { "cell_type": "code", - "execution_count": 29, + "execution_count": 45, "metadata": {}, "outputs": [ { 
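Review bot: The committed output of the one-shot run shows that the model's STIX identifiers cannot be trusted as-is: `identity--1cba2e3c-…` and `indicator--1cba2e3c-…` share the same UUID, `url--4c3b-4c4b-bb6c-ded6b2a4a567` is not a UUID at all, `observable--001`/`observable--002` duplicate the `email-addr` and `url` nodes, and the `relationship--…` objects are emitted as nodes with two outgoing edges rather than as labelled edges between the objects they relate. If these graphs feed any downstream evidence store, the generation code should assign identifiers itself (`uuid.uuid4()`) and validate node ids and relationship endpoints before writing the DOT file, rather than accepting whatever the LLM produced. At minimum the notebook text should warn readers that the ids in this output are model-generated and not stable across runs.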
@@ -309,115 +349,127 @@ "\n", "\n", - "\n", - "\n", + "\n", + "\n", "phishing_attack\n", - "\n", - "\n", + "\n", + "\n", "\n", - "OurCompany\n", - "\n", - "OurCompany\n", - "organization\n", - "info@ourcompany.com\n", + "identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\n", + "\n", + "OurCompany\n", "\n", - "\n", - "\n", - "Phishing Attack on OurCompany\n", - "\n", - "Phishing Attack on OurCompany\n", - "Description: A phishing attack where a suspicious email was sent to an employee of OurCompany.\n", - "First Seen: 2024-07-17T08:00:00Z\n", - "Last Seen: 2024-07-17T08:10:00Z\n", - "Status: ongoing\n", - "\n", - "\n", - "\n", - "OurCompany->Phishing Attack on OurCompany\n", - "\n", - "\n", - "\n", - "\n", + "\n", "\n", - "hr-dept@ourcompany-security.com\n", - "\n", - "hr-dept@ourcompany-security.com\n", + "email-addr--0c0d2094-df97-45a7-9e9c-223569a9e798\n", + "\n", + "hr-dept@ourcompany-security.com\n", "\n", "\n", "\n", "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\n", - "\n", - "email-message\n", - "Urgent Benefits Package Update\n", - "From: hr-dept@ourcompany-security.com\n", - "Please click the link to review the changes to your benefits package.\n", + "\n", + "Urgent Benefits Package Update\n", "\n", - "\n", - "\n", - "hr-dept@ourcompany-security.com->email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97\n", - "\n", - "\n", - "\n", - "\n", + "\n", "\n", - "http://phishing-link.com/login\n", - "\n", - "http://phishing-link.com/login\n", + "url--4c3b-4c4b-bb6c-ded6b2a4a567\n", + "\n", + "http://phishing-link.com/login\n", "\n", - "\n", - "\n", - "email-message--c79b6bde-4f4c-4b38-a8c8-fb82921d6b97->http://phishing-link.com/login\n", - "\n", - "\n", - "\n", - "\n", + "\n", "\n", - "Taylor\n", - "\n", - "Taylor\n", - "taylor@ourcompany.com\n", + "user-account--bd5631cf-2af6-4bba-bc92-37c60d020400\n", + "\n", + "Taylor (taylor@ourcompany.com)\n", "\n", - "\n", - "\n", - "Taylor->hr-dept@ourcompany-security.com\n", - "\n", - "\n", - "\n", - "\n", + "\n", "\n", - 
"Phishing Email Indicator\n", - "\n", - "Phishing Email Indicator\n", - "Pattern: [email-message:subject = 'Urgent Benefits Package Update']\n", - "Valid 
From: 2024-07-17T00:00:00Z\n", + "observable--001\n", + "\n", + "hr-dept@ourcompany-security.com\n", "\n", - "\n", + "\n", + "\n", + "observable--002\n", + "\n", + "http://phishing-link.com/login\n", + "\n", + "\n", + "\n", + "indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\n", + "\n", + "Phishing Email Indicator\n", + "\n", + "\n", + "\n", + "incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\n", + "\n", + "Phishing Attack on OurCompany\n", + "\n", + "\n", + "\n", + "relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\n", + "\n", + "relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d\n", + "\n", + "\n", + "\n", + "relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d->indicator--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\n", + "\n", + "\n", + "\n", + "\n", + "\n", + "relationship--3f1a8d8b-6a6e-4b5d-8e15-2d6d9a2b3f1d->incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\n", + "\n", + "\n", + "\n", + "\n", + "\n", + "relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\n", + "\n", + "relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed\n", + "\n", + "\n", "\n", - "Phishing Email Indicator->Phishing Attack on OurCompany\n", - "\n", - "\n", + "relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed->identity--1cba2e3c-4bdb-4d0b-a87b-2d504ad5923f\n", + "\n", + "\n", "\n", - "\n", - "\n", - "Phishing Attack on OurCompany->http://phishing-link.com/login\n", - "\n", - "\n", + "\n", + "\n", + "relationship--4b6e65f3-743d-40c2-9194-3b5e38b3efed->incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\n", + "\n", + "\n", "\n", - "\n", + "\n", + "\n", + "relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\n", + "\n", + "relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051\n", + "\n", + "\n", "\n", - "Phishing Attack on OurCompany->Taylor\n", - "\n", - "\n", + "relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051->url--4c3b-4c4b-bb6c-ded6b2a4a567\n", + "\n", + "\n", + "\n", + "\n", + "\n", + "relationship--5c9b6eaf-27a6-4b2b-9b17-49e3b00f6051->incident--7a2b252e-c3e5-4bc2-bc6f-cb917ecf7857\n", + "\n", + "\n", "\n", 
"\n", "\n" ], "text/plain": [ - "" + "" ] }, - "execution_count": 29, + "execution_count": 45, "metadata": {}, "output_type": "execute_result" } 
@@ -445,18 +497,189 @@ ] }, { - "cell_type": "code", - "execution_count": null, + "cell_type": "markdown", "metadata": {}, - "outputs": [], "source": [ - "from IPython.display import Image\n", + "### Step 8: Visualize zero-shot learning results from previous tutorial" + ] + }, + { + "cell_type": "code", + "execution_count": 46, + "metadata": {}, + "outputs": [ + { + "data": { + "image/svg+xml": [ + "\n", + "\n", + "G\n", + "\n", + "\n", + "\n", + "Email\n", + "\n", + "Email\n", + "sender: support@banksecure.com\n", + "subject: Urgent: Verify Your Account Now\n", + "\n", + "\n", + "\n", + "Headers\n", + "\n", + "Headers\n", + "IP_address: 192.168.10.45\n", + "domain: banksecure.com\n", + "registered_to: Russia\n", + "\n", + "\n", + "\n", + "Email->Headers\n", + "\n", + "\n", + "\n", + "\n", + "\n", + "Link_0\n", + "\n", + "Link\n", + "URL: http://banksecure-verification.com/login\n", + "timestamp: 10:15 AM\n", + "\n", + "\n", + "\n", + "Email->Link_0\n", + "\n", + "\n", + "\n", + "\n", + "\n", + "Link_1\n", + "\n", + "Link\n", + "URL: http://banksecure-verification.com/account-details\n", + "timestamp: 10:17 AM\n", + "\n", + "\n", + "\n", + "Email->Link_1\n", + "\n", + "\n", + "\n", + "\n", + "\n", + "Attachment_0\n", + "\n", + "Attachment\n", + "file_name: AccountDetails.exe\n", + "created_at: 10:20 AM\n", + "MD5_hash: e99a18c428cb38d5f260853678922e03\n", + "status: known_malware\n", + "\n", + "\n", + "\n", + "Email->Attachment_0\n", + "\n", + "\n", + "\n", + "\n", + "\n", + "Actions\n", + "\n", + "Actions Taken\n", + "\n", + "\n", + "\n", + "Action_0\n", + "\n", + "Clear browser history and cache\n", + "\n", + "\n", + "\n", + "Actions->Action_0\n", + "\n", + "\n", + "\n", + "\n", + "\n", + "Action_1\n", + "\n", + "Run full antivirus scan\n", + "\n", + "\n", + "\n", + "Actions->Action_1\n", + "\n", + "\n", + "\n", + "\n", + "\n", + "Action_2\n", + "\n", + "Provide browser history entries and cookies\n", + "\n", + "\n", + "\n", + "Actions->Action_2\n", + "\n", + 
"\n", + "\n", + "\n", + "\n", + "Action_3\n", + "\n", + "Quarantine suspicious file\n", + "\n", + "\n", + "\n", + "Actions->Action_3\n", + "\n", + "\n", + "\n", + "\n", + "\n", + "Action_4\n", + "\n", + "Check network connections\n", + "\n", + "\n", + "\n", + "Actions->Action_4\n", + "\n", + "\n", + "\n", + "\n", + "\n", + "Action_5\n", + "\n", + "Reset passwords and enable two-factor authentication\n", + "\n", + "\n", + "\n", + "Actions->Action_5\n", + "\n", + "\n", + "\n", + "\n", + "" + ], + "text/plain": [ + "" + ] + }, + "execution_count": 46, + "metadata": {}, + "output_type": "execute_result" + } + ], + "source": [ + "from IPython.display import SVG\n", "\n", - "# Path to the image file\n", - "image_path = \"path/to/your/image.png\"\n", + "# Path to the SVG file\n", + "image_path = \"05_output_stix_zeroshot.svg\"\n", "\n", - "# Display the image\n", - "Image(filename=image_path)" + "# Display the SVG image\n", + "SVG(filename=image_path)" ] }, { @@ -464,8 +687,11 @@ "metadata": {}, "source": [ "# Summary\n", - "\n", - ", e.g., [Digital Forensic Knowledge Graph (DFKG)](https://github.com/frankwxu/digital-forensics-lab/tree/main/STIX_for_digital_forensics). " + "- One-shot learning results make more sense when analyzing digital forensic evidence\n", + "- STIX mainly focus on cyber incident formalization, not forensic evidence\n", + " - although basic evidence types are included in its document\n", + "- [Digital Forensic Knowledge Graph (DFKG)](https://github.com/frankwxu/digital-forensics-lab/tree/main/STIX_for_digital_forensics) is an extension of STIX\n", + " - Cyber Forensic Domain Objects and Cyber Forensic Observable Objects" ] } ], diff --git a/README.md b/README.md index 5c650f9..23b86a1 100644 --- a/README.md +++ b/README.md 
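Review bot: Step 8 loads `05_output_stix_zeroshot.svg` to visually compare with the one-shot graph, but the embedded output describes a different incident (sender `support@banksecure.com`, `AccountDetails.exe`, IP `192.168.10.45`) than the one-shot DOT above (`hr-dept@ourcompany-security.com`, `http://phishing-link.com/login`), so the two images do not compare zero-shot and one-shot on the same conversation. Either regenerate the zero-shot SVG from the same `conversation.txt`, or state explicitly in the Step 8 markdown that the inputs differ, otherwise the Summary's claim that one-shot results "make more sense" is not supported by what is shown. The SVG file is not added by this diff as far as it is visible here; if it is not committed alongside, `SVG(filename=image_path)` raises FileNotFoundError on a fresh checkout, so a `Path(image_path).exists()` guard with a clear message would help.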
@@ -395,8 +395,10 @@ Here are some political insights based on the leaked email summaries obtained fr ## Contribution -- PI of the project +- PIs of the project - Dr. Frank Xu (Email: fxu at ubalt dot edu) + - Dr. Debra L. Stanley + - Dr. Lin Deng; Twoson University - Students: - Eric Xu: University of Maryland (LLM for Digital Forensics) - Sarfraz Shaikh: University of Baltimore (Echo Show)