fix: P0 audit bugs — bot-detector + dashboard + SQL

Bot-detector:
- B1.1: campaign_id and raw_anomaly_score now inserted into ml_detected_anomalies
- B1.4/B1.5: log_decision argument order fixed (cycle_id, name)
- B1.7: AE broadcast error — model now returns features list, scoring
  uses model's features instead of current cycle's (prevents dim mismatch)
- B1.8: Anubis ALLOW bots now get bot_name from anubis_bot_name

Dashboard:
- C1.1: XSS in ip_detail.html — {{ ip | tojson }} instead of raw string
- C1.2: Stored XSS via innerHTML — added escapeHtml() helper, all user-facing
  formatters (fmtIP, fmtASN, fmtCountry, fmtJA4, fmtBotName, fmtLabel) sanitized
- C2.1: status filter now correctly filters http_version column
- C2.2: heatmap toDayOfWeek() - 1 for 0-indexed JS days

SQL:
- B1.3: view_ip_recurrence worst_score uses max() not min() (0=normal, 1=anomal)
- B1.6: view_resource_cascade_1h joined into view_thesis_features_1h (§5.4)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
This commit is contained in:
toto
2026-04-08 23:33:00 +02:00
parent b66d41a200
commit db306fb9da
6 changed files with 45 additions and 25 deletions


@ -135,8 +135,8 @@ SELECT
count() AS recurrence,
min(detected_at) AS first_seen,
max(detected_at) AS last_seen,
min(anomaly_score) AS worst_score,
argMin(threat_level, anomaly_score) AS worst_threat_level
max(anomaly_score) AS worst_score,
argMax(threat_level, anomaly_score) AS worst_threat_level
FROM ja4_processing.ml_detected_anomalies
-- Filtre temporel aligné sur le TTL de la table (30 jours)
-- Évite de scanner les partitions expirées non encore supprimées par le TTL
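Review bot: the reason min() became max() (anomaly_score runs 0 = normal, 1 = anomalous, per the commit message) is not visible in the view itself; add a one-line comment above `max(anomaly_score) AS worst_score` stating the score direction so the next edit does not flip it back. Also confirm that the column aggregated here is the normalised anomaly_score and not the raw_anomaly_score that B1.1 now also writes into ml_detected_anomalies, since `argMax(threat_level, anomaly_score)` is only meaningful if a higher score means worse.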


@ -419,6 +419,7 @@ cross_domain_features AS (
-- ── Jointure finale : features §5.1/§5.3 par (window, ip, ja4, host)
-- enrichies des features §5.5/§5.8 par (window, ip)
-- et des features §5.4 Resource Cascade par (window, ip, ja4, host)
SELECT
p.window_start,
p.src_ip,
@ -434,6 +435,11 @@ SELECT
c.lag1_autocorrelation,
c.benford_deviation,
c.cadence_request_count,
-- §5.4 Resource Dependency Tree
coalesce(rc.doc_count, 0) AS doc_count,
coalesce(rc.asset_count, 0) AS asset_count,
coalesce(rc.root_to_first_asset_delay, -1.0) AS root_to_first_asset_delay,
coalesce(rc.asset_load_stddev, -1.0) AS asset_load_stddev,
-- §5.5 Intra-Session JA4 Drift
d.ja4_drift_ratio,
d.ja4_distinct_in_session,
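Review bot: the four new §5.4 columns use two different no-match sentinels (0 for doc_count/asset_count, -1.0 for root_to_first_asset_delay/asset_load_stddev) without documenting them; add a comment saying that -1.0 means no cascade was observed for that key, because these columns now feed view_thesis_features_1h and a -1.0 delay will be scaled by the autoencoder as if it were a real measurement. Widening the feature vector also means any model trained before this commit depends on the stored features list from B1.7 to keep scoring, and a retrain is required before the §5.4 features have any effect.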
@ -449,7 +455,12 @@ LEFT JOIN cadence_features c
AND p.host = c.host
LEFT JOIN cross_domain_features d
ON p.window_start = d.window_start
AND p.src_ip = d.src_ip;
AND p.src_ip = d.src_ip
LEFT JOIN ja4_processing.view_resource_cascade_1h rc
ON p.window_start = rc.window_start
AND p.src_ip = rc.src_ip
AND p.ja4 = rc.ja4
AND p.host = rc.host;
-- =============================================================================
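Review bot: the LEFT JOIN on view_resource_cascade_1h assumes exactly one row per (window_start, src_ip, ja4, host); if that view can emit several rows for the same key, every row of p is duplicated and the per-window feature counts are inflated. Either confirm that the view aggregates to that grain or make the intent explicit with `ANY LEFT JOIN` so a duplicate upstream cannot silently multiply rows.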