Update app.py

app.py

@@ -11,13 +11,13 @@ import torch # Necessário para SentenceTransformer, mesmo que não explícito
 from sentence_transformers import SentenceTransformer 
 
 # --- Configuração Inicial ---
-DB_NAME = "training_data_large.db" # Usaremos o DB pré-gerado
+# DB_NAME e TABLE_NAME são necessários para saber onde o DB pré-gerado está.
+DB_NAME = "training_data_large.db" 
 TABLE_NAME = "events" 
 
 MODEL_NAME = "markusbayer/CySecBERT" 
 
-# Parâmetros de Treinamento (mantidos para consistência, mas não usados para treinamento em tempo real)
-RANDOM_SEED = 42
+RANDOM_SEED = 42 
 RISK_THRESHOLD = 50.0
 
 # --- Configuração de Seed Global (para reprodutibilidade da inferência, se houver aleatoriedade) ---
@@ -28,12 +28,13 @@ if torch.cuda.is_available():
     torch.cuda.manual_seed_all(RANDOM_SEED)
 
 # --- Globais para Modelos e Ferramentas (serão carregadas UMA VEZ) ---
-# Usamos st.cache_resource para carregar estes modelos apenas uma vez na inicialização do app
+# Declaradas globalmente para serem acessíveis pelas funções de inferência.
 model_base = None
 mlp_regressor, scaler = None, None
 tfidf_vectorizer, tfidf_regressor = None, None
 
 # --- Vocabulário de Palavras-Chave para a Cabeça 3 (Regra Baseada) ---
+# Essas listas são necessárias para a lógica de "Gerar Evento Aleatório" e a análise de palavras-chave.
 HIGH_RISK_KEYWORDS = {
     'failed': 15, 'unauthorized': 20, 'invalid': 15, 'blocked': 25, 'mfa_failed': 30, 'brute_force': 40, 'attack': 40,
     'threat': 30, 'compromise': 30, 'malicious': 35, 'lockout': 25, 'critical': 20, 'urgent': 20, 'severe': 25,
@@ -50,12 +51,131 @@ LOW_RISK_KEYWORDS = {
     'backup completed': -20, 'schema migration successful': -15, 'network policy updated': -10
 }
 
+# Listas de vocabulário para o botão "Gerar Evento Aleatório" no app.py
+ADVERSARIAL_RISK_ACTORS = [
+    "Unsandboxed process", "Leaked API key", "Misconfigured service account", "Shadow IT application", 
+    "Dormant user account", "Ransomware payload", "Phishing attempt", "Insider threat", 
+    "Zero-day exploit", "Malicious actor", "Compromised credential", "Vulnerable third-party library",
+    "Compromised Kubernetes pod", "Malicious Docker container", "AWS IAM role escalation", 
+    "Azure AD privilege escalation", "GCP service account abuse", "Container escape attempt",
+    "Serverless function injection", "Cloud storage bucket enumeration", "API gateway bypass",
+    "Microservice lateral movement", "Container registry poisoning", "Cloud metadata exploitation",
+    "CI/CD pipeline compromise", "Git repository poisoning", "Build artifact tampering",
+    "Deployment script injection", "Infrastructure as Code attack", "Secret scanning bypass",
+    "Dependency confusion attack", "Supply chain compromise", "Code signing certificate theft",
+    "Pipeline privilege escalation", "Artifact repository poisoning", "Build environment escape",
+    "Compromised IoT device", "Edge computing exploit", "Industrial control system breach",
+    "SCADA system compromise", "Smart city infrastructure attack", "Medical device exploitation",
+    "Automotive system breach", "Home automation compromise", "Sensor data manipulation",
+    "Edge gateway exploitation", "Industrial protocol abuse", "IoT botnet recruitment",
+    "Mobile app sandbox escape", "iOS jailbreak exploitation", "Android rootkit installation",
+    "Mobile banking trojan", "Enterprise device compromise", "BYOD policy violation",
+    "Mobile device management bypass", "App store poisoning", "Mobile certificate pinning bypass",
+    "Endpoint detection evasion", "Mobile phishing campaign", "Device fingerprinting abuse",
+    "Network segmentation bypass", "Firewall rule manipulation", "VPN tunnel exploitation",
+    "DNS hijacking attempt", "BGP route hijacking", "Network protocol abuse",
+    "Wireless network compromise", "Bluetooth attack vector", "NFC exploitation",
+    "Network monitoring evasion", "Traffic analysis bypass", "Protocol fuzzing attack"
+]
+ADVERSARIAL_RISK_ACTIONS = [
+    "attempted lateral movement via", "initiated a DNS tunneling request to", 
+    "executed a living-off-the-land binary on", "was flagged for unusual API call patterns against", 
+    "triggered a data access anomaly in", "exfiltrated data from", "modified critical system files in", 
+    "gained unauthorized access to", "deployed malicious code on", "brute-forced login for", 
+    "injected SQL into", "exploited a vulnerability in",
+    "attempted container escape from", "escalated privileges in Kubernetes cluster", 
+    "abused IAM role permissions for", "enumerated cloud storage buckets through",
+    "bypassed API gateway authentication to", "injected malicious code into serverless function",
+    "compromised container registry access for", "exploited cloud metadata service to",
+    "performed lateral movement across microservices in", "poisoned container image in",
+    "abused cloud resource tagging for", "exploited cloud logging service to",
+    "compromised CI/CD pipeline to", "injected malicious code into build process for",
+    "poisoned dependency repository to", "tampered with build artifacts in",
+    "escalated privileges in deployment pipeline for", "bypassed security scanning in",
+    "abused infrastructure automation to", "compromised secret management system for",
+    "injected malicious code into deployment scripts for", "exploited build environment to",
+    "abused artifact signing process for", "compromised code repository access to",
+    "compromised IoT device firmware to", "exploited edge computing vulnerability in",
+    "breached industrial control system through", "manipulated sensor data from",
+    "exploited SCADA system vulnerability to", "compromised smart city infrastructure via",
+    "abused industrial protocol to", "exploited edge gateway vulnerability in",
+    "recruited device into botnet through", "compromised medical device firmware to",
+    "exploited automotive system vulnerability in", "breached home automation system via",
+    "escaped mobile app sandbox to", "exploited iOS jailbreak vulnerability in",
+    "installed rootkit on Android device to", "compromised enterprise mobile device through",
+    "bypassed mobile device management to", "poisoned mobile app store listing for",
+    "exploited mobile certificate pinning in", "compromised mobile banking app through",
+    "abused device fingerprinting to", "exploited mobile phishing vulnerability in",
+    "breached BYOD policy through", "compromised mobile endpoint security via",
+    "bypassed network segmentation to", "manipulated firewall rules for",
+    "exploited VPN tunnel vulnerability in", "hijacked DNS resolution for",
+    "abused BGP routing protocol to", "compromised wireless network through",
+    "exploited Bluetooth vulnerability in", "abused NFC communication to",
+    "evaded network monitoring through", "bypassed traffic analysis via",
+    "exploited network protocol vulnerability in", "compromised network infrastructure through"
+]
+ADVERSARIAL_RISK_TARGETS = [
+    "a code repository", "the CI/CD pipeline", "a cloud storage bucket", "the internal DNS server", 
+    "the virtual machine hypervisor", "sensitive customer data", "financial databases", 
+    "intellectual property servers", "critical infrastructure controls", "user authentication service", 
+    "production web server", "database backup storage",
+    "Kubernetes cluster control plane", "Docker container registry", "AWS S3 bucket with sensitive data",
+    "Azure Active Directory tenant", "GCP Cloud Storage bucket", "container orchestration system",
+    "serverless function environment", "cloud API gateway", "microservice mesh network",
+    "container security scanning service", "cloud logging and monitoring system", "infrastructure as code repository",
+    "Git repository with production secrets", "Jenkins build pipeline", "Docker image registry",
+    "artifact repository with signed packages", "infrastructure provisioning system", "secret management vault",
+    "code signing certificate store", "dependency management system", "deployment automation platform",
+    "build environment with elevated privileges", "CI/CD security scanning tools", "infrastructure monitoring system",
+    "industrial control system network", "SCADA system database", "IoT device management platform",
+    "edge computing gateway", "smart city infrastructure", "medical device network",
+    "automotive system bus", "home automation hub", "sensor data collection system",
+    "industrial protocol gateway", "edge security monitoring system", "IoT device firmware repository",
+    "enterprise mobile device fleet", "mobile app store backend", "mobile device management system",
+    "mobile banking infrastructure", "mobile certificate authority", "mobile security scanning service",
+    "BYOD policy enforcement system", "mobile endpoint detection system", "mobile app security testing platform",
+    "mobile device fingerprinting database", "mobile phishing detection system", "mobile app code signing service",
+    "network segmentation firewall", "VPN concentrator", "DNS authoritative server",
+    "BGP route reflector", "wireless access point controller", "network monitoring system",
+    "traffic analysis platform", "network security scanning tool", "protocol analysis system",
+    "network infrastructure management", "security information system", "network forensics platform"
+]
+ADVERSARIAL_RISK_OUTCOMES = [
+    "the action was obfuscated", "a low-and-slow data transfer was detected", 
+    "the process terminated abnormally after execution", "security controls were temporarily disabled", 
+    "alert thresholds were bypassed", "data integrity was compromised", "system uptime was impacted", 
+    "a backdoor was established", "a privilege escalation was achieved", "system resources were depleted", 
+    "data encryption initiated",
+    "container escape was successful", "Kubernetes RBAC was bypassed", "cloud IAM policies were circumvented",
+    "container registry was compromised", "serverless function was weaponized", "cloud logging was manipulated",
+    "microservice communication was intercepted", "container security scanning was evaded",
+    "cloud resource tagging was abused", "container orchestration was compromised",
+    "cloud metadata service was exploited", "container networking was hijacked",
+    "build pipeline was compromised", "dependency repository was poisoned", "artifact signing was bypassed",
+    "infrastructure automation was weaponized", "secret management was breached", "code repository was compromised",
+    "deployment process was hijacked", "build environment was escaped", "CI/CD security was bypassed",
+    "infrastructure monitoring was disabled", "artifact integrity was compromised", "deployment approval was bypassed",
+    "IoT device was recruited into botnet", "industrial control system was compromised", "edge gateway was breached",
+    "sensor data was manipulated", "SCADA system was taken offline", "smart city infrastructure was disrupted",
+    "medical device was compromised", "automotive system was hijacked", "home automation was breached",
+    "industrial protocol was abused", "edge security was bypassed", "IoT device firmware was modified",
+    "mobile device was rooted/jailbroken", "enterprise mobile security was bypassed", "mobile app was compromised",
+    "mobile device management was evaded", "mobile banking was breached", "mobile certificate pinning was bypassed",
+    "BYOD policy was violated", "mobile endpoint detection was evaded", "mobile app store was poisoned",
+    "mobile device fingerprinting was spoofed", "mobile phishing was successful", "mobile security scanning was bypassed",
+    "network segmentation was bypassed", "firewall rules were manipulated", "VPN tunnel was compromised",
+    "DNS resolution was hijacked", "BGP routing was manipulated", "wireless network was compromised",
+    "Bluetooth security was bypassed", "NFC communication was intercepted", "network monitoring was evaded",
+    "traffic analysis was bypassed", "network protocol was abused", "network infrastructure was compromised"
+]
+
+
 # --- Funções para Inferência ---
 
 # Decorator para cachear o carregamento de recursos pesados, como modelos.
 # Isso garante que o modelo seja carregado apenas uma vez, mesmo após interações na UI.
 @st.cache_resource
-def load_all_models():
+def load_all_models_and_tokenizer():
     """
     Carrega todos os modelos pré-treinados e o SentenceTransformer.
     Esta função é cacheada pelo Streamlit para ser executada apenas uma vez.
@@ -137,25 +257,30 @@ st.sidebar.info("Desenvolvido para demonstração no Hugging Face Spaces.")
 # Este bloco de `st.empty()` e `st.spinner` permite que as mensagens de carregamento sejam temporárias
 loading_message_placeholder = st.empty()
 with loading_message_placeholder.container():
-    with st.spinner("Carregando modelos... isso pode levar um momento na primeira vez."):
-        model_base, mlp_regressor, scaler, tfidf_vectorizer, tfidf_regressor = load_all_models()
+    model_base, mlp_regressor, scaler, tfidf_vectorizer, tfidf_regressor = load_all_models_and_tokenizer()
 loading_message_placeholder.empty() # Remove a mensagem de carregamento após a conclusão
 
 st.subheader("Insira o Evento de Segurança para Análise:")
+# Use st.session_state para manter o texto da área de texto após a geração aleatória
+if 'event_text_input' not in st.session_state:
+    st.session_state.event_text_input = "Audit log: Unsandboxed process attempted lateral movement via a code repository. Status: the action was obfuscated."
+
 event_text = st.text_area(
     "Descrição do Evento", 
     height=200,
-    value="Audit log: Unsandboxed process attempted lateral movement via a code repository. Status: the action was obfuscated."
+    value=st.session_state.event_text_input,
+    key="event_text_input" # Atribui uma chave para o widget
 )
 
-# Adicione um botão para "Gerar Evento Aleatório" para facilitar a demonstração
+# Botão para "Gerar Evento Aleatório (Risco)"
 if st.button("Gerar Evento Aleatório (Risco)", help="Gera um exemplo de evento de alto risco para demonstração."):
-    actor = random.choice([a for a in ADVERSARIAL_RISK_ACTORS]) # Usar listas do script de treino
-    action = random.choice([a for a in ADVERSARIAL_RISK_ACTIONS])
-    target = random.choice([t for t in ADVERSARIAL_RISK_TARGETS])
-    outcome = random.choice([o for o in ADVERSARIAL_RISK_OUTCOMES])
-    event_text = f"Audit log: {actor} {action} {target}. Status: {outcome}."
-    st.session_state.event_text = event_text # Atualiza o estado da sessão para manter o texto
+    actor = random.choice(ADVERSARIAL_RISK_ACTORS)
+    action = random.choice(ADVERSARIAL_RISK_ACTIONS)
+    target = random.choice(ADVERSARIAL_RISK_TARGETS)
+    outcome = random.choice(ADVERSARIAL_RISK_OUTCOMES)
+    random_event_text = f"Audit log: {actor} {action} {target}. Status: {outcome}."
+    st.session_state.event_text_input = random_event_text # Atualiza o texto na sessão
+    st.experimental_rerun() # Força o Streamlit a re-executar para atualizar a text_area
 
 if st.button("Analisar Risco", type="primary"):
     if not event_text.strip():
@@ -209,126 +334,4 @@ if st.button("Analisar Risco", type="primary"):
                 plt.close(fig) # Fecha a figura para liberar memória
 
                 st.markdown("---")
-                st.markdown("Para uma nova análise, modifique o texto do evento acima ou gere um aleatório e clique em 'Analisar Risco' novamente.")
-
-# --- As listas de vocabulário extensas foram movidas para `train_and_save_models.py` para reduzir o tamanho do `app.py` ---
-# Se você quiser usar a funcionalidade de "Gerar Evento Aleatório", você precisará incluir essas listas aqui também.
-# Para evitar repetição e manter o app.py mais leve, o "Gerar Evento Aleatório" do app.py irá usar variáveis fixas ou uma versão reduzida.
-# Para manter a funcionalidade do "Gerar Evento Aleatório" no app.py, as listas completas precisam estar presentes.
-# Vamos adicioná-las aqui para que o botão de "Gerar Evento Aleatório" funcione no app.py também.
-ADVERSARIAL_RISK_ACTORS = [
-    "Unsandboxed process", "Leaked API key", "Misconfigured service account", "Shadow IT application", 
-    "Dormant user account", "Ransomware payload", "Phishing attempt", "Insider threat", 
-    "Zero-day exploit", "Malicious actor", "Compromised credential", "Vulnerable third-party library",
-    "Compromised Kubernetes pod", "Malicious Docker container", "AWS IAM role escalation", 
-    "Azure AD privilege escalation", "GCP service account abuse", "Container escape attempt",
-    "Serverless function injection", "Cloud storage bucket enumeration", "API gateway bypass",
-    "Microservice lateral movement", "Container registry poisoning", "Cloud metadata exploitation",
-    "CI/CD pipeline compromise", "Git repository poisoning", "Build artifact tampering",
-    "Deployment script injection", "Infrastructure as Code attack", "Secret scanning bypass",
-    "Dependency confusion attack", "Supply chain compromise", "Code signing certificate theft",
-    "Pipeline privilege escalation", "Artifact repository poisoning", "Build environment escape",
-    "Compromised IoT device", "Edge computing exploit", "Industrial control system breach",
-    "SCADA system compromise", "Smart city infrastructure attack", "Medical device exploitation",
-    "Automotive system breach", "Home automation compromise", "Sensor data manipulation",
-    "Edge gateway exploitation", "Industrial protocol abuse", "IoT botnet recruitment",
-    "Mobile app sandbox escape", "iOS jailbreak exploitation", "Android rootkit installation",
-    "Mobile banking trojan", "Enterprise device compromise", "BYOD policy violation",
-    "Mobile device management bypass", "App store poisoning", "Mobile certificate pinning bypass",
-    "Endpoint detection evasion", "Mobile phishing campaign", "Device fingerprinting abuse",
-    "Network segmentation bypass", "Firewall rule manipulation", "VPN tunnel exploitation",
-    "DNS hijacking attempt", "BGP route hijacking", "Network protocol abuse",
-    "Wireless network compromise", "Bluetooth attack vector", "NFC exploitation",
-    "Network monitoring evasion", "Traffic analysis bypass", "Protocol fuzzing attack"
-]
-ADVERSARIAL_RISK_ACTIONS = [
-    "attempted lateral movement via", "initiated a DNS tunneling request to", 
-    "executed a living-off-the-land binary on", "was flagged for unusual API call patterns against", 
-    "triggered a data access anomaly in", "exfiltrated data from", "modified critical system files in", 
-    "gained unauthorized access to", "deployed malicious code on", "brute-forced login for", 
-    "injected SQL into", "exploited a vulnerability in",
-    "attempted container escape from", "escalated privileges in Kubernetes cluster", 
-    "abused IAM role permissions for", "enumerated cloud storage buckets through",
-    "bypassed API gateway authentication to", "injected malicious code into serverless function",
-    "compromised container registry access for", "exploited cloud metadata service to",
-    "performed lateral movement across microservices in", "poisoned container image in",
-    "abused cloud resource tagging for", "exploited cloud logging service to",
-    "compromised CI/CD pipeline to", "injected malicious code into build process for",
-    "poisoned dependency repository to", "tampered with build artifacts in",
-    "escalated privileges in deployment pipeline for", "bypassed security scanning in",
-    "abused infrastructure automation to", "compromised secret management system for",
-    "injected malicious code into deployment scripts for", "exploited build environment to",
-    "abused artifact signing process for", "compromised code repository access to",
-    "compromised IoT device firmware to", "exploited edge computing vulnerability in",
-    "breached industrial control system through", "manipulated sensor data from",
-    "exploited SCADA system vulnerability to", "compromised smart city infrastructure via",
-    "abused industrial protocol to", "exploited edge gateway vulnerability in",
-    "recruited device into botnet through", "compromised medical device firmware to",
-    "exploited automotive system vulnerability in", "breached home automation system via",
-    "escaped mobile app sandbox to", "exploited iOS jailbreak vulnerability in",
-    "installed rootkit on Android device to", "compromised enterprise mobile device through",
-    "bypassed mobile device management to", "poisoned mobile app store listing for",
-    "exploited mobile certificate pinning in", "compromised mobile banking app through",
-    "abused device fingerprinting to", "exploited mobile phishing vulnerability in",
-    "breached BYOD policy through", "compromised mobile endpoint security via",
-    "bypassed network segmentation to", "manipulated firewall rules for",
-    "exploited VPN tunnel vulnerability in", "hijacked DNS resolution for",
-    "abused BGP routing protocol to", "compromised wireless network through",
-    "exploited Bluetooth vulnerability in", "abused NFC communication to",
-    "evaded network monitoring through", "bypassed traffic analysis via",
-    "exploited network protocol vulnerability in", "compromised network infrastructure through"
-]
-ADVERSARIAL_RISK_TARGETS = [
-    "a code repository", "the CI/CD pipeline", "a cloud storage bucket", "the internal DNS server", 
-    "the virtual machine hypervisor", "sensitive customer data", "financial databases", 
-    "intellectual property servers", "critical infrastructure controls", "user authentication service", 
-    "production web server", "database backup storage",
-    "Kubernetes cluster control plane", "Docker container registry", "AWS S3 bucket with sensitive data",
-    "Azure Active Directory tenant", "GCP Cloud Storage bucket", "container orchestration system",
-    "serverless function environment", "cloud API gateway", "microservice mesh network",
-    "container security scanning service", "cloud logging and monitoring system", "infrastructure as code repository",
-    "Git repository with production secrets", "Jenkins build pipeline", "Docker image registry",
-    "artifact repository with signed packages", "infrastructure provisioning system", "secret management vault",
-    "code signing certificate store", "dependency management system", "deployment automation platform",
-    "build environment with elevated privileges", "CI/CD security scanning tools", "infrastructure monitoring system",
-    "industrial control system network", "SCADA system database", "IoT device management platform",
-    "edge computing gateway", "smart city infrastructure", "medical device network",
-    "automotive system bus", "home automation hub", "sensor data collection system",
-    "industrial protocol gateway", "edge security monitoring system", "IoT device firmware repository",
-    "enterprise mobile device fleet", "mobile app store backend", "mobile device management system",
-    "mobile banking infrastructure", "mobile certificate authority", "mobile security scanning service",
-    "BYOD policy enforcement system", "mobile endpoint detection system", "mobile app security testing platform",
-    "mobile device fingerprinting database", "mobile phishing detection system", "mobile app code signing service",
-    "network segmentation firewall", "VPN concentrator", "DNS authoritative server",
-    "BGP route reflector", "wireless access point controller", "network monitoring system",
-    "traffic analysis platform", "network security scanning tool", "protocol analysis system",
-    "network infrastructure management", "security information system", "network forensics platform"
-]
-ADVERSARIAL_RISK_OUTCOMES = [
-    "the action was obfuscated", "a low-and-slow data transfer was detected", 
-    "the process terminated abnormally after execution", "security controls were temporarily disabled", 
-    "alert thresholds were bypassed", "data integrity was compromised", "system uptime was impacted", 
-    "a backdoor was established", "a privilege escalation was achieved", "system resources were depleted", 
-    "data encryption initiated",
-    "container escape was successful", "Kubernetes RBAC was bypassed", "cloud IAM policies were circumvented",
-    "container registry was compromised", "serverless function was weaponized", "cloud logging was manipulated",
-    "microservice communication was intercepted", "container security scanning was evaded",
-    "cloud resource tagging was abused", "container orchestration was compromised",
-    "cloud metadata service was exploited", "container networking was hijacked",
-    "build pipeline was compromised", "dependency repository was poisoned", "artifact signing was bypassed",
-    "infrastructure automation was weaponized", "secret management was breached", "code repository was compromised",
-    "deployment process was hijacked", "build environment was escaped", "CI/CD security was bypassed",
-    "infrastructure monitoring was disabled", "artifact integrity was compromised", "deployment approval was bypassed",
-    "IoT device was recruited into botnet", "industrial control system was compromised", "edge gateway was breached",
-    "sensor data was manipulated", "SCADA system was taken offline", "smart city infrastructure was disrupted",
-    "medical device was compromised", "automotive system was hijacked", "home automation was breached",
-    "industrial protocol was abused", "edge security was bypassed", "IoT device firmware was modified",
-    "mobile device was rooted/jailbroken", "enterprise mobile security was bypassed", "mobile app was compromised",
-    "mobile device management was evaded", "mobile banking was breached", "mobile certificate pinning was bypassed",
-    "BYOD policy was violated", "mobile endpoint detection was evaded", "mobile app store was poisoned",
-    "mobile device fingerprinting was spoofed", "mobile phishing was successful", "mobile security scanning was bypassed",
-    "network segmentation was bypassed", "firewall rules were manipulated", "VPN tunnel was compromised",
-    "DNS resolution was hijacked", "BGP routing was manipulated", "wireless network was compromised",
-    "Bluetooth security was bypassed", "NFC communication was intercepted", "network monitoring was evaded",
-    "traffic analysis was bypassed", "network protocol was abused", "network infrastructure was compromised"
-]
+                st.markdown("Para uma nova análise, modifique o texto do evento acima ou gere um aleatório e clique em 'Analisar Risco' novamente.")