feat(clustering): combined edge weight + medium-tier wiring

The clusterer now drops a single high-tier function call in favor of a tier-weighted sum. Tier multipliers (high=1.0, medium=0.6, low=0.2, very_low=0.05) are tuned so the threshold (1.0) admits high-tier agreement alone while leaving every weaker tier — and every combination of weaker tiers — under threshold. Per-tier discipline tested: - high alone clusters - medium alone does NOT cluster (supporting signal only) - low alone does NOT cluster (fixture 1's failure mode) - very-low alone does NOT cluster (fixture 2's failure mode) - all three weak tiers stacked still don't reach threshold - high + medium clusters (high already saturates) The combination is forward-compatible: low + very-low contributions are computed today but always project to 0.0 because the production adapter doesn't populate credentials / ASN-edge inputs into the fixture path yet. Their contribution becomes load-bearing in commit 7 when the low-tier landing tightens the F1 / F2 bounds. Fixture 4 (paused_campaign) ratchet added: high-tier signal carries the multi-day-silence campaign into one identity. Time-agnostic invariant — silence is irrelevant to the edge weight.
2026-04-26 08:22:10 -04:00
parent de2f4c3a62
commit f7da33726c
4 changed files with 159 additions and 9 deletions
--- a/tests/clustering/test_connected_components.py
+++ b/tests/clustering/test_connected_components.py
@@ -287,6 +287,36 @@ def test_shared_wordlist_passes_with_production_clusterer():
    )


+def test_paused_campaign_passes_with_production_clusterer():
+    """Fixture 4: one campaign split across two operational windows by
+    a multi-day silence. Both halves share JA3 + HASSH + payload + C2;
+    the production clusterer must fold them into one identity. Time-
+    agnostic invariant: the silence window is irrelevant to clustering."""
+    from tests.clustering.fixture_harness import assert_fixture_bounds
+    from tests.factories.campaign_factory import generate, load_yaml
+
+    corpus = generate(load_yaml(FIXTURE_DIR / "paused_campaign.yaml"), seed=0)
+    assert_fixture_bounds(
+        corpus, _production_clusterer_predict,
+        FIXTURE_DIR / "paused_campaign.expected.yaml",
+    )
+
+
+def test_cluster_observations_medium_alone_does_not_fuse():
+    """Two observations sharing only command-sequence (medium-tier)
+    must stay in distinct clusters — medium is a supporting signal."""
+    a = Observation(
+        observation_id="a",
+        commands_by_phase={"discovery": ("ls", "id", "uname")},
+    )
+    b = Observation(
+        observation_id="b",
+        commands_by_phase={"discovery": ("ls", "id", "uname")},
+    )
+    labels = cluster_observations([a, b])
+    assert labels["a"] != labels["b"]
+
+
 def test_vpn_hopping_passes_at_identity_level_with_production_clusterer():
    """Fixture 2: one rotating actor with stable JA3 + HASSH across
    5 ASNs. The production clusterer must fold all 5 observations into
--- a/tests/clustering/test_similarity.py
+++ b/tests/clustering/test_similarity.py
@@ -10,7 +10,9 @@ from __future__ import annotations
 import pytest

 from decnet.clustering.impl.similarity import (
+    EDGE_THRESHOLD,
    Observation,
+    combined_edge_weight,
    from_synthetic,
    high_weight_edge,
    low_weight_edge,
@@ -179,6 +181,70 @@ def test_observations_carry_no_timestamps():
 # ─── from_synthetic adapter ────────────────────────────────────────────────


+# ─── combined_edge_weight tier discipline ─────────────────────────────────
+
+
+def test_combined_high_alone_crosses_threshold():
+    a = _obs(ja3="ja3-shared")
+    b = _obs(ja3="ja3-shared")
+    assert combined_edge_weight(a, b) >= EDGE_THRESHOLD
+
+
+def test_combined_medium_alone_below_threshold():
+    """Single medium-tier match must NOT cluster — medium is a
+    supporting signal, never a clustering driver on its own."""
+    a = _obs(commands_by_phase={"discovery": ("ls", "id", "uname")})
+    b = _obs(commands_by_phase={"discovery": ("ls", "id", "uname")})
+    weight = combined_edge_weight(a, b)
+    assert 0 < weight < EDGE_THRESHOLD
+
+
+def test_combined_low_alone_below_threshold():
+    """Credential-only overlap must NOT cluster — fixture 1's failure mode."""
+    a = _obs(credentials=frozenset({("root", "toor"), ("admin", "admin")}))
+    b = _obs(credentials=frozenset({("root", "toor"), ("admin", "admin")}))
+    weight = combined_edge_weight(a, b)
+    assert 0 < weight < EDGE_THRESHOLD
+
+
+def test_combined_very_low_alone_below_threshold():
+    """ASN-only overlap must NOT cluster — fixture 2's failure mode."""
+    a = _obs(asn=64500)
+    b = _obs(asn=64500)
+    weight = combined_edge_weight(a, b)
+    assert 0 < weight < EDGE_THRESHOLD
+
+
+def test_combined_all_weak_tiers_still_below_threshold():
+    """Even all three weaker tiers stacked don't reach threshold —
+    only a high-tier signal does."""
+    a = _obs(
+        asn=64500,
+        credentials=frozenset({("root", "toor")}),
+        commands_by_phase={"discovery": ("ls",)},
+    )
+    b = _obs(
+        asn=64500,
+        credentials=frozenset({("root", "toor")}),
+        commands_by_phase={"discovery": ("ls",)},
+    )
+    # 0.6*1.0 (medium) + 0.2*1.0 (low) + 0.05*1.0 (very_low) = 0.85
+    weight = combined_edge_weight(a, b)
+    assert weight < EDGE_THRESHOLD
+
+
+def test_combined_high_plus_medium_clusters():
+    a = _obs(ja3="ja3-x", commands_by_phase={"discovery": ("ls",)})
+    b = _obs(ja3="ja3-x", commands_by_phase={"discovery": ("ls",)})
+    assert combined_edge_weight(a, b) >= EDGE_THRESHOLD
+
+
+def test_combined_no_signal_returns_zero():
+    a = _obs()
+    b = _obs()
+    assert combined_edge_weight(a, b) == 0.0
+
+
 def test_from_synthetic_round_trip():
    """The adapter projects a SyntheticAttacker into an Observation
    that the edge functions can score over."""