feat: HTTP/2 passive fingerprinting with individual SETTINGS fields

Complete implementation of HTTP/2 passive fingerprinting per thesis §2.5.3: mod-reqin-log (C module): - Replace connection-level filter with ap_hook_process_connection (APR_HOOK_FIRST) to capture H2 preface before mod_http2 takes over the connection - AP_MODE_SPECULATIVE read of 512 bytes from c->input_filters - Parse SETTINGS, WINDOW_UPDATE, PRIORITY flags, pseudo-header order - Output individual SETTINGS params as separate JSON fields (IDs 1-6, 8) - Read H2 notes from c1 (master connection) for mod_http2 secondary conns - Fix header_order_signature JSON length bug (26→strlen) ClickHouse schema: - Add 8 new columns to http_logs: h2_has_priority, h2_header_table_size, h2_enable_push, h2_max_concurrent_streams, h2_initial_window_size, h2_max_frame_size, h2_max_header_list_size, h2_enable_connect_protocol - Use Int32/Int64 with DEFAULT -1 to distinguish absent vs zero - Update mv_http_logs to extract individual fields via JSONHas/JSONExtractInt - Migration 04_http2_fields.sql updated for existing deployments Correlator: - Accept both timestamp_ns and timestamp field names (backward compat) Integration: - Enable HTTP/2 in Apache: Protocols h2 http/1.1 in httpd-integration.conf Validated end-to-end via Playwright: H2 curl traffic → mod-reqin-log → correlator → ClickHouse with all 12 H2 columns populated correctly. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
2026-04-11 02:33:45 +02:00
parent bd81331411
commit 85d3b95b7b
25 changed files with 649 additions and 160 deletions
--- a/services/dashboard/backend/templates/features.html
+++ b/services/dashboard/backend/templates/features.html
@ -26,12 +26,12 @@
            <div class="section-body"><div id="chart-radar" style="height:360px"></div></div>
        </div>
        <div class="section-card">
-            <div class="section-header"><span class="section-title">Importance des features (Variance)
+            <div class="section-header"><span class="section-title" id="importance-title">Importance des features (SHAP/ExIFFI)
                <span class="relative inline-block"><button onclick="docToggle(this)" class="doc-btn">ⓘ</button><div class="doc-panel">
                    <h4>Feature importance</h4>
-                    <p>Variance inter-classe (ISP vs datacenter) de chaque feature. Les features à haute variance discriminent le mieux bots et humains.</p>
-                    <p><strong>Usage :</strong> Les features en tête sont les plus utiles pour le modèle EIF. Celles à variance nulle sont élaguées automatiquement.</p>
-                    <p class="doc-source">Source : view_ai_features_1h</p>
+                    <p>Importance moyenne des features issue de SHAP (XGBoost) ou ExIFFI (EIF). Chaque barre représente la contribution absolue moyenne d'une feature aux décisions d'anomalie récentes.</p>
+                    <p><strong>Fallback :</strong> Si aucune donnée SHAP/ExIFFI n'est disponible, la variance inter-classe (proxy statistique) est affichée à la place.</p>
+                    <p class="doc-source">Source : ml_detected_anomalies.reason (SHAP/ExIFFI) ou view_ai_features_1h (variance)</p>
                </div></span>
            </span></div>
            <div class="section-body"><div id="chart-importance" style="height:360px"></div></div>
@ -158,8 +158,16 @@ async function loadAll() {
            }));
        }

-        // ── Feature Importance (horizontal bar) ──
-        const fi = (feat.feature_importance || []).sort((a,b) => a.variance - b.variance);
+        // ── Feature Importance (horizontal bar) — SHAP/ExIFFI si disponible, variance sinon ──
+        const shapData = feat.shap_importance || [];
+        const varianceData = (feat.feature_importance || []).sort((a,b) => a.variance - b.variance);
+        const useShap = shapData.length > 0;
+        const fi = useShap
+            ? shapData.slice().sort((a,b) => a.importance - b.importance)
+            : varianceData;
+        const impLabel = useShap ? 'SHAP/ExIFFI (|valeur| moyenne)' : 'Variance';
+        document.getElementById('importance-title').childNodes[0].textContent =
+            useShap ? 'Importance des features (SHAP/ExIFFI) ' : 'Importance des features (Variance) ';
        const impChart = initChart('chart-importance');
        if (impChart && fi.length) {
            impChart.setOption(ecBase({
@ -175,12 +183,13 @@ async function loadAll() {
                    type:'value',
                    splitLine:{lineStyle:{color:EC_GRID, type:'dashed'}},
                    axisLabel:{color:EC_TEXT},
-                    name:'Variance', nameTextStyle:{color:EC_TEXT},
+                    name: impLabel, nameTextStyle:{color:EC_TEXT},
                },
                series:[{
-                    type:'bar', data: fi.map(f => f.variance), barWidth:'60%',
+                    type:'bar', data: fi.map(f => useShap ? f.importance : f.variance), barWidth:'60%',
                    itemStyle:{color: new echarts.graphic.LinearGradient(0,0,1,0,[
-                        {offset:0, color:'#6366f1'}, {offset:1, color:'#8b5cf6'}
+                        {offset:0, color: useShap ? '#f59e0b' : '#6366f1'},
+                        {offset:1, color: useShap ? '#ef4444' : '#8b5cf6'}
                    ])},
                    label:{show:true, position:'right', color:EC_TEXT, fontSize:10, formatter:p => p.value.toFixed(4)},
                }]