test(clustering): full-bound passes through production campaign clusterer
Runs the chained identity + campaign clustering pipeline against all seven fixtures via from_synthetic / from_synthetic_identity adapters and ratchets every YAML floor to 1.0 — the production clusterer (and the reference clusterers used in the per-fixture tests) all score perfectly across ARI / homogeneity / completeness / singleton_recall on each fixture. Three substrate fixes surfaced by the ratchet: - Tuning: shared_infra now Jaccards payload+C2 only; decky_set moved into cohort_weight to prevent fleet-scarcity false-merges (F1's shared_wordlist failure mode). Tier weight raised to 1.0 so shared payload+C2 alone crosses threshold (F5's intended pass). - Adapter: from_synthetic_identity now reads SyntheticSession started_at + duration_s for session_windows and per-decky timestamps (the production-row adapter still uses start_ts/end_ts when available). - Fixture data: paused_campaign.yaml's JA3 collided exactly with vpn_hopping.yaml's (same TLS extension list). The collision fused two unrelated campaigns under the chained identity layer in the noise_floor composite. Made paused's JA3 distinct. Also wires Campaign / CampaignsResponse into models/__init__.py's __all__ that was missed in the schema commit.
This commit is contained in:
@@ -275,36 +275,36 @@ def test_cohort_alone_below_threshold():
|
||||
assert combined_campaign_weight(a, b) < CAMPAIGN_EDGE_THRESHOLD
|
||||
|
||||
|
||||
def test_shared_infra_plus_temporal_overlap_crosses_threshold():
|
||||
"""The canonical co-op pattern: shared infra during the same window."""
|
||||
def test_shared_infra_alone_crosses_threshold():
|
||||
"""Shared payload + C2 alone is enough — F5's intended pass condition."""
|
||||
a = _features(
|
||||
"a",
|
||||
payload_hashes=frozenset({"h"}),
|
||||
c2_endpoints=frozenset({"c"}),
|
||||
decky_set=frozenset({"d1"}),
|
||||
session_windows=((0.0, 100.0),),
|
||||
)
|
||||
b = _features(
|
||||
"b",
|
||||
payload_hashes=frozenset({"h"}),
|
||||
c2_endpoints=frozenset({"c"}),
|
||||
decky_set=frozenset({"d1"}),
|
||||
session_windows=((0.0, 100.0),),
|
||||
)
|
||||
assert combined_campaign_weight(a, b) >= CAMPAIGN_EDGE_THRESHOLD
|
||||
|
||||
|
||||
def test_shared_infra_plus_cohort_below_threshold():
|
||||
"""F1 shared_wordlist: shared signals minus operational overlap is NOT co-op."""
|
||||
def test_decky_overlap_alone_below_threshold():
|
||||
"""F1's failure mode: shared targeting on a small fleet is NOT co-op.
|
||||
|
||||
Two campaigns hitting the same SSH deckies share no payload/C2,
|
||||
just the decky set. Cohort tier alone must not cross threshold.
|
||||
"""
|
||||
a = _features(
|
||||
"a",
|
||||
payload_hashes=frozenset({"h"}),
|
||||
decky_set=frozenset({"d1", "d2"}),
|
||||
asn_cohort=frozenset({64512}),
|
||||
)
|
||||
b = _features(
|
||||
"b",
|
||||
payload_hashes=frozenset({"h"}),
|
||||
asn_cohort=frozenset({64512}),
|
||||
decky_set=frozenset({"d1", "d2"}),
|
||||
asn_cohort=frozenset({64513}),
|
||||
)
|
||||
assert combined_campaign_weight(a, b) < CAMPAIGN_EDGE_THRESHOLD
|
||||
|
||||
|
||||
Reference in New Issue
Block a user