feat: implement thesis §5 advanced detection techniques as ClickHouse MVs
New aggregation tables + materialized views:
- agg_path_sequences_1h + MV (§5.1 Path Sequence Entropy)
- agg_request_timing_1h + MV (§5.3 Request Cadence Fingerprint)
- agg_ip_behavior_1h + MV (§5.5 JA4 Drift + §5.8 Cross-Domain)
- agg_resource_cascade_1h + MV (§5.4 Resource Dependency Tree)
New analytical views:
- view_thesis_features_1h: unified view exposing all computable features
(path_transition_entropy, cadence_cv, burst_ratio, pause_ratio,
ja4_drift_ratio, host_diversity, host_sweep_speed,
host_coverage_uniformity)
- view_resource_cascade_1h: root_to_first_asset_delay, asset_load_stddev
Documented future techniques (not feasible as MV):
- §5.2 Bipartite Fleet Graph (needs Python networkx)
- §5.6 DNS Shadow Analysis (needs sentinel UDP/53 extension)
- §5.7 Compression Ratio Invariant (needs mod_reqin_log extension)
Updated: deploy_schema.sh, verify_mvs.py (sections 8-10)
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
6d02f21c1e