
Commit c59a2d7

committed
Add complete detection suffix table with source and locality columns
Expanded the detection suffixes table in Stage 13 from a 2-column (Suffix/Meaning) to a 3-column (Suffix/Source/Local-Cloud) format covering all 8 suffixes including previously missing !atmn and !pz. Updated the Stage 14 suffix table with sig type sources and cross-reference link. Synced slides to match.
1 parent b0d1846 commit c59a2d7

3 files changed

Lines changed: 40 additions & 25 deletions

File tree

md/13_verdict_resolution.md

Lines changed: 10 additions & 9 deletions
@@ -278,15 +278,16 @@ Components:
278278

279279
### Detection Suffixes
280280

281-
| Suffix | Meaning |
282-
|--------|---------|
283-
| `!MTB` | Machine Learning / Tree-Based model — produced by SigTree decision tree ensemble. See [SigTree ML (SS14)](14_sigtree_ml_classification.md) |
284-
| `!ml` | Machine Learning detection — produced by SigTree classification. See [SS14](14_sigtree_ml_classification.md) |
285-
| `!dha` | Dynamic Heuristic Analysis |
286-
| `!pz` | Pattern-based heuristic |
287-
| `!rfn` | Real-time File Notification |
288-
| `!cl` | Cloud-delivered detection |
289-
| (none) | Traditional signature match |
281+
| Suffix | Source | Local/Cloud |
282+
|--------|--------|-------------|
283+
| `!MTB` | SIG_TREE 0x40 — PE boolean attribute decision trees. See [SigTree ML (SS14)](14_sigtree_ml_classification.md) | Local |
284+
| `!ml` | SIG_TREE_EXT 0x41 + SIG_TREE_BM 0xB3 — string-matching decision trees. See [SS14](14_sigtree_ml_classification.md) | Local |
285+
| `!atmn` | Original threat name suffix from VDM (not engine-generated) | Local (VDM) |
286+
| `!dha` | Dynamic Heuristic Analysis (PE emulation + Lua). See [Stage 5](05_pe_emulation.md), [Stage 10](10_lua_scripts.md) | Local |
287+
| `!pz` | Pattern-based heuristic | Local |
288+
| `!cl` | Cloud-delivered ML classification via MAPS. See [Stage 12](12_maps_cloud_lookup.md) | Cloud (MAPS) |
289+
| `!rfn` | Real-time File Notification (reputation) via MAPS. See [Stage 12](12_maps_cloud_lookup.md) | Cloud (MAPS) |
290+
| (none) | Traditional signature match (exact byte-pattern) | Local |
290291

291292
---
292293
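Review bot: the cross-reference links in the `!MTB` and `!ml` rows point at `14_sigtree_ml_classification.md`, but the Stage 14 file this same commit edits is `md/14_sigtree_ml_model.md`; confirm both files exist in the tree or retarget the links to the file that is actually there, otherwise the new "See [SS14]" references are dead. Two smaller points on the same table: the removed Meaning column told the reader that `!MTB` expands to "Machine Learning / Tree-Based model" and the replacement keeps only the signature type, so consider "SIG_TREE 0x40 (Machine Learning / Tree-Based model), PE boolean attribute decision trees" so the abbreviation is still explained somewhere; the `!atmn` row says where the suffix comes from but not what it denotes; and `!pz` is the only row left without a stage cross-reference. Note also that `!pz` was already present in the removed table (`| \`!pz\` | Pattern-based heuristic |`), so the commit message's claim that it was previously missing does not match this diff.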

md/14_sigtree_ml_model.md

Lines changed: 5 additions & 5 deletions
@@ -25,12 +25,12 @@ in the VDM (Virus Definition Module) signature databases. This is a critical det
2525

2626
### Detection Output
2727

28-
SIG_TREE evaluations produce detections with these suffixes (see Stage 13):
28+
SIG_TREE evaluations produce detections with these suffixes (see [Stage 13 — full suffix table](13_verdict_resolution.md#detection-suffixes)):
2929

30-
| Suffix | Full Name | Example |
31-
|--------|-----------|---------|
32-
| `!MTB` | Machine Learning / Tree-Based model | `Trojan:Win32/Emotet.RPX!MTB` |
33-
| `!ml` | Machine Learning detection | `Trojan:Win32/AgentTesla!ml` |
30+
| Suffix | Source | Example |
31+
|--------|--------|---------|
32+
| `!MTB` | SIG_TREE 0x40 — PE boolean attribute decision trees | `Trojan:Win32/Emotet.RPX!MTB` |
33+
| `!ml` | SIG_TREE_EXT 0x41 + SIG_TREE_BM 0xB3 — string-matching trees | `Trojan:Win32/AgentTesla!ml` |
3434

3535
---
3636
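Review bot: the lead sentence still says "SIG_TREE evaluations produce detections with these suffixes", but the new `!ml` row attributes that suffix to SIG_TREE_EXT 0x41 and SIG_TREE_BM 0xB3 rather than SIG_TREE 0x40, so either broaden the sentence to the SIG_TREE family of signature types or name the three types explicitly. The 0x40/0x41/0xB3 type IDs appear here and in Stage 13 as bare numbers; link them to the section of this file where those signature types are defined so a reader can check the mapping. The dropped "Full Name" column was the only place on this page that expanded `!MTB`, and Stage 13 now also shows only the source, so keep the expansion in one of the two tables. Minor: Stage 13 says "string-matching decision trees" for `!ml` and this table says "string-matching trees"; use one wording.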

slides/13_verdict_resolution_slides.html

Lines changed: 25 additions & 11 deletions
@@ -243,17 +243,31 @@ <h2 class="glow-cyan mb-1">Threat Name Anatomy</h2>
243243
</div>
244244
<div>
245245
<h3 style="color:var(--cyan)">Detection Suffixes</h3>
246-
<div style="display:grid;grid-template-columns:1fr 2fr;gap:6px;font-size:0.78rem;margin-top:12px">
247-
<div class="stat-card" style="transition-delay:0.3s;padding:10px"><span class="num" style="font-size:0.8rem;color:var(--cyan)">!MTB</span><span class="label">ML Tree-Based</span></div>
248-
<div class="stat-card" style="transition-delay:0.3s;padding:10px;text-align:left"><span class="label">Produced by SigTree decision tree ensemble. See SS14</span></div>
249-
<div class="stat-card" style="transition-delay:0.35s;padding:10px"><span class="num" style="font-size:0.8rem;color:var(--cyan)">!ml</span><span class="label">Machine Learning</span></div>
250-
<div class="stat-card" style="transition-delay:0.35s;padding:10px;text-align:left"><span class="label">Produced by SigTree ML classification. See SS14</span></div>
251-
<div class="stat-card" style="transition-delay:0.4s;padding:10px"><span class="num" style="font-size:0.8rem;color:var(--green)">!dha</span><span class="label">Dynamic Heuristic</span></div>
252-
<div class="stat-card" style="transition-delay:0.4s;padding:10px;text-align:left"><span class="label">Behavioral analysis result</span></div>
253-
<div class="stat-card" style="transition-delay:0.45s;padding:10px"><span class="num" style="font-size:0.8rem;color:var(--purple)">!rfn</span><span class="label">Real-time File</span></div>
254-
<div class="stat-card" style="transition-delay:0.45s;padding:10px;text-align:left"><span class="label">Real-time file notification</span></div>
255-
<div class="stat-card" style="transition-delay:0.5s;padding:10px"><span class="num" style="font-size:0.8rem;color:var(--orange)">!cl</span><span class="label">Cloud</span></div>
256-
<div class="stat-card" style="transition-delay:0.5s;padding:10px;text-align:left"><span class="label">Cloud-delivered FASTPATH</span></div>
246+
<div style="display:grid;grid-template-columns:auto 1fr auto;gap:6px;font-size:0.72rem;margin-top:12px">
247+
<div class="stat-card" style="transition-delay:0.3s;padding:8px"><span class="num" style="font-size:0.8rem;color:var(--cyan)">!MTB</span></div>
248+
<div class="stat-card" style="transition-delay:0.3s;padding:8px;text-align:left"><span class="label">SIG_TREE 0x40 — PE boolean attribute decision trees</span></div>
249+
<div class="stat-card" style="transition-delay:0.3s;padding:8px"><span class="label" style="color:var(--green)">Local</span></div>
250+
<div class="stat-card" style="transition-delay:0.35s;padding:8px"><span class="num" style="font-size:0.8rem;color:var(--cyan)">!ml</span></div>
251+
<div class="stat-card" style="transition-delay:0.35s;padding:8px;text-align:left"><span class="label">SIG_TREE_EXT 0x41 + SIG_TREE_BM 0xB3 — string-matching trees</span></div>
252+
<div class="stat-card" style="transition-delay:0.35s;padding:8px"><span class="label" style="color:var(--green)">Local</span></div>
253+
<div class="stat-card" style="transition-delay:0.38s;padding:8px"><span class="num" style="font-size:0.8rem;color:var(--yellow)">!atmn</span></div>
254+
<div class="stat-card" style="transition-delay:0.38s;padding:8px;text-align:left"><span class="label">Original threat name suffix from VDM (not engine-generated)</span></div>
255+
<div class="stat-card" style="transition-delay:0.38s;padding:8px"><span class="label" style="color:var(--green)">Local (VDM)</span></div>
256+
<div class="stat-card" style="transition-delay:0.4s;padding:8px"><span class="num" style="font-size:0.8rem;color:var(--green)">!dha</span></div>
257+
<div class="stat-card" style="transition-delay:0.4s;padding:8px;text-align:left"><span class="label">Dynamic Heuristic Analysis (PE emulation + Lua)</span></div>
258+
<div class="stat-card" style="transition-delay:0.4s;padding:8px"><span class="label" style="color:var(--green)">Local</span></div>
259+
<div class="stat-card" style="transition-delay:0.43s;padding:8px"><span class="num" style="font-size:0.8rem;color:var(--green)">!pz</span></div>
260+
<div class="stat-card" style="transition-delay:0.43s;padding:8px;text-align:left"><span class="label">Pattern-based heuristic</span></div>
261+
<div class="stat-card" style="transition-delay:0.43s;padding:8px"><span class="label" style="color:var(--green)">Local</span></div>
262+
<div class="stat-card" style="transition-delay:0.46s;padding:8px"><span class="num" style="font-size:0.8rem;color:var(--orange)">!cl</span></div>
263+
<div class="stat-card" style="transition-delay:0.46s;padding:8px;text-align:left"><span class="label">Cloud-delivered ML classification via MAPS</span></div>
264+
<div class="stat-card" style="transition-delay:0.46s;padding:8px"><span class="label" style="color:var(--purple)">Cloud (MAPS)</span></div>
265+
<div class="stat-card" style="transition-delay:0.49s;padding:8px"><span class="num" style="font-size:0.8rem;color:var(--purple)">!rfn</span></div>
266+
<div class="stat-card" style="transition-delay:0.49s;padding:8px;text-align:left"><span class="label">Real-time File Notification (reputation) via MAPS</span></div>
267+
<div class="stat-card" style="transition-delay:0.49s;padding:8px"><span class="label" style="color:var(--purple)">Cloud (MAPS)</span></div>
268+
<div class="stat-card" style="transition-delay:0.52s;padding:8px"><span class="num" style="font-size:0.8rem;color:var(--dim)">(none)</span></div>
269+
<div class="stat-card" style="transition-delay:0.52s;padding:8px;text-align:left"><span class="label">Traditional signature match (exact byte-pattern)</span></div>
270+
<div class="stat-card" style="transition-delay:0.52s;padding:8px"><span class="label" style="color:var(--green)">Local</span></div>
257271
</div>
258272
</div>
259273
</div>
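Review bot: the `!cl` card changes meaning, not just layout: the removed line called it "Cloud-delivered FASTPATH" and the replacement says "Cloud-delivered ML classification via MAPS", while the commit message only describes syncing the slides to the expanded table. If FASTPATH was wrong, say so in the commit message; if it is the mechanism Stage 12 documents, keep it in the description, because the two read as different things to a reader of the deck. The `!atmn` card uses `var(--yellow)`, which no other card in this slide uses; confirm the variable is defined in the deck's stylesheet, since an undefined custom property silently falls back to the inherited text color. The new grid is `auto 1fr auto` with 24 cards, which divides evenly into 8 rows, so the structure is consistent, but the font size dropped from 0.78rem to 0.72rem with eight rows in the panel; check the panel still fits on the slide at projection size.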
