
Commit ebcb25f

Add SigTree ML classification docs and update slides with cross-references
New documentation and slide deck for the SIG_TREE on-device ML decision tree system (33,428 trees across 3 signature types). Updates existing markdown and slide decks (00, 03, 08, 09, 13) with SigTree cross-references, updated SIGTREE engine descriptions, and !MTB/!ml suffix documentation.
1 parent 21eb14f commit ebcb25f

13 files changed

Lines changed: 1325 additions & 23 deletions

md/00_overview.md

Lines changed: 11 additions & 0 deletions
Original file line number | Diff line number | Diff line change
@@ -210,6 +210,16 @@ File/Buffer Input
210210
211211
212212
┌──────────────────────────────────────────────────────────────────┐
213+
│ CROSS-CUTTING: SigTree ML Classification (§14) │
214+
│ 33,428 decision trees evaluate sigattr boolean features. │
215+
│ JIT-compiled into native x86 for speed. Produces !ml/!MTB. │
216+
│ String: "sigtree" @ 0x109C80B0 │
217+
│ "SIGNATURE_TYPE_SIGTREE" @ 0x10986C88 │
218+
│ "sigattr_head" @ 0x1097D710 │
219+
└────────┬─────────────────────────────────────────────────────────┘
220+
221+
222+
┌──────────────────────────────────────────────────────────────────┐
213223
│ STAGE 12: MAPS Cloud Lookup (§12) │
214224
│ Lowfi match → Bond serialize → HTTPS POST → parse response. │
215225
│ Delivers FASTPATH dynamic signatures (SDN, TDN, DATA). │
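Review bot: the new box's bottom border ends in a `┬` connector at line 219, but the added lines 220 and 221 are blank, so the connector points at nothing before the STAGE 12 box opens at line 222; either close the box with a plain `└─ ... ─┘` border or carry a `│` / `▼` down to the next box like the other stage transitions in this diagram. The section reference is also written `(§14)` here while the other files in this commit write `(SS14)`; pick one form (the `§` form matches `(§12)` in the STAGE 12 box).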
@@ -249,6 +259,7 @@ File/Buffer Input
249259
| Virtual files | 144 | VDM VFILE entries |
250260
| DBVARs (config entries) | 547 | VDM DBVAR entries |
251261
| FOP behavioral rules | 4,601 | VDM FOP entries |
262+
| SIG_TREE ML trees | 33,428 | VDM SIG_TREE + EXT + BM |
252263
| Threat name prefixes | 504 | VDM prefix table |
253264
| TLV entries | 9.3M | Across 4 VDM files |
254265
| Signature types | 158+ | TLV type constants |
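Review bot: the new row names the type `SIG_TREE`, while the constants used elsewhere in this commit are `SIGNATURE_TYPE_SIGTREE`, `SIGTREE_EXT` and `SIGTREE_BM`; use the same spelling so the row can be searched against the rest of the docs, e.g. `| SIGTREE ML trees | 33,428 | VDM SIGTREE + SIGTREE_EXT + SIGTREE_BM |`, and consider linking the row to the §14 document as the diagram box above does.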

md/03_static_engine_cascade.md

Lines changed: 3 additions & 3 deletions
@@ -60,9 +60,9 @@ of the primary engines rather than standalone stages:
6060
| **NID** | `SIGNATURE_TYPE_NID` | `0x10986AD0` | Network Inspection Detection |
6161
| **NID64** | `SIGNATURE_TYPE_NID64` | `0x10987174` | 64-bit NID variant |
6262
| **BM_INFO** | `SIGNATURE_TYPE_BM_INFO` | `0x10986C58` | Behavioral monitoring info records |
63-
| **SIGTREE** | `SIGNATURE_TYPE_SIGTREE` | `0x10986C88` | Hierarchical signature tree |
64-
| **SIGTREE_EXT** | `SIGNATURE_TYPE_SIGTREE_EXT` | `0x10987008` | Extended signature tree |
65-
| **SIGTREE_BM** | `SIGNATURE_TYPE_SIGTREE_BM` | `0x109871D4` | BM-specific signature tree |
63+
| **SIGTREE** | `SIGNATURE_TYPE_SIGTREE` | `0x10986C88` | ML decision tree classifier (~14,926 trees). See [SigTree ML (SS14)](14_sigtree_ml_classification.md) |
64+
| **SIGTREE_EXT** | `SIGNATURE_TYPE_SIGTREE_EXT` | `0x10987008` | Extended ML decision tree (~3,771 trees). See [SS14](14_sigtree_ml_classification.md) |
65+
| **SIGTREE_BM** | `SIGNATURE_TYPE_SIGTREE_BM` | `0x109871D4` | Behavioral monitoring ML trees (~14,731 trees). See [SS14](14_sigtree_ml_classification.md) |
6666

6767
---
6868

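Review bot: the three per-type counts carry a `~`, yet they sum exactly to the 33,428 total stated in the commit message and in 00_overview.md (14,926 + 3,771 + 14,731 = 33,428), so either drop the tildes or state in the §14 document which VDM build the counts were taken from. The link text `SS14` in all three rows looks like a mis-rendered `§14`; use `§14` as 00_overview.md does.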
md/08_script_deobfuscation.md

Lines changed: 3 additions & 2 deletions
@@ -200,8 +200,9 @@ JavaScript interpreter evaluates expressions to resolve obfuscation.
200200
## JScript Feature Attributes
201201

202202
The engine extracts detailed structural features from JavaScript content for
203-
ML-based classification. These attributes are set during parsing and made
204-
available to Lua scripts and BRUTE matching:
203+
ML-based classification. These boolean attributes are deposited into the sigattr log
204+
and evaluated by the [SigTree ML decision tree ensemble (SS14)](14_sigtree_ml_classification.md)
205+
to produce `!ml` and `!MTB` detections. They are also available to Lua scripts and BRUTE matching:
205206

206207
| Attribute | Address | Purpose |
207208
|-----------|---------|---------|
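Review bot: the rewritten sentence drops the removed text's statement that the attributes are set during parsing, which told the reader when the features become available; keep it, e.g. "These boolean attributes are set during parsing, deposited into the sigattr log and evaluated by the SigTree ML decision tree ensemble (§14) ...". The `(SS14)` label should read `(§14)` to match 00_overview.md.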

md/09_brute_matching.md

Lines changed: 1 addition & 1 deletion
@@ -622,7 +622,7 @@ BRUTE-deposited attributes participate in AAGG boolean expressions:
622622
BRUTE complements the static engines by providing:
623623
- Raw-data matching that static engines skip
624624
- Post-transformation matching
625-
- Feature extraction for ML classification
625+
- Feature extraction for ML classification (BRUTE:*:Feature:* attributes feed into SigTree decision trees — see [SigTree ML (SS14)](14_sigtree_ml_classification.md))
626626

627627
---
628628

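Review bot: `BRUTE:*:Feature:*` sits in plain text where the two asterisks may be interpreted as Markdown emphasis and swallowed from the rendered output; wrap the pattern in backticks. The parenthetical also turns the bullet into one long line; a short sub-bullet such as `- Feeds SigTree decision trees (§14)` would read better, and `SS14` should be `§14` as in 00_overview.md.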
md/13_verdict_resolution.md

Lines changed: 2 additions & 2 deletions
@@ -280,8 +280,8 @@ Components:
280280

281281
| Suffix | Meaning |
282282
|--------|---------|
283-
| `!MTB` | Machine Learning / Tree-Based model |
284-
| `!ml` | Machine Learning detection |
283+
| `!MTB` | Machine Learning / Tree-Based model — produced by SigTree decision tree ensemble. See [SigTree ML (SS14)](14_sigtree_ml_classification.md) |
284+
| `!ml` | Machine Learning detection — produced by SigTree classification. See [SS14](14_sigtree_ml_classification.md) |
285285
| `!dha` | Dynamic Heuristic Analysis |
286286
| `!pz` | Pattern-based heuristic |
287287
| `!rfn` | Real-time File Notification |
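Review bot: both rows are now attributed to the same SigTree source, and the table still does not say what distinguishes a `!MTB` verdict from a `!ml` one; add the distinguishing criterion to each row, or point each row to the specific subsection of the §14 document that states it, so a reader triaging a detection name can tell the two apart. `SS14` should read `§14` to match 00_overview.md.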
