File: base64_strings_adversarial.full.bin
Layer: 3 — Adversarial
This adversarial fixture validates IOCX’s base64 extraction pipeline under noisy, misleading, and boundary‑challenging conditions. It ensures that the extractor:
- extracts only standalone, decodable, ASCII‑dominant base64 tokens
- rejects short, random, numeric‑only, or binary‑like decodes
- correctly handles URL‑safe and unpadded base64
- enforces strict token boundaries (no embedded matches)
- remains deterministic and resistant to false positives
The fixture confirms that IOCX’s base64 extractor is strict, predictable, and adversarially hardened.
This sample mixes valid base64, near‑misses, binary‑like decodes, and boundary edge cases to test the robustness of the detector.
The fixture includes base64 tokens that decode to human‑readable ASCII and appear with clear boundaries:
QmFzZTY0IGlzIG5vdCBqdXN0IGZvciBiaW5hcnk=ZXhhbXBsZS11cmwtc2FmZS1iYXNlNjQQUJDREVGRw==(short, but ASCII‑only → accepted)
These confirm that IOCX:
- decodes safely
- accepts ASCII‑dominant output
- preserves the original encoded value
- requires clear token boundaries
The fixture includes:
ZXhhbXBsZS11cmwtc2FmZS1iYXNlNjQ
This confirms that IOCX:
- accepts URL‑safe base64 (
-and_) - handles missing padding
- decodes using URL‑safe semantics
Examples:
QUJDREVGRw==-->"ABCDEFG"--> accepted (ASCII‑only)YWJjZA==-->"abcd"--> rejected (too short, low signal)
These confirm that IOCX:
- accepts short ASCII‑only decodes
- rejects short low‑signal decodes
- avoids over‑matching trivial noise
Examples:
/////w8PDw8PDw8PDw8PDw8PDw8PDw8PDw8=AAAAAAAA8P///wD////A////AP///wD///8=
These confirm that IOCX:
- rejects decodes dominated by non‑printable bytes
- avoids surfacing encrypted or random binary blobs
Example:
MTIzNDU2Nzg5MDA5ODc2NTQzMjEw-->123456789009876543210
This confirms that IOCX:
- rejects purely numeric decodes
- avoids meaningless or low‑entropy output
Example:
prefix-SGVsbG8sIFdvcmxkIQ==-suffixxxxxVXNlci1hZ2VudDogQmFzZTY0LXRlc3Q=yyyywrapped_token=xxxSGVsbG8sIFdvcmxkIQ==yyy
These confirm that IOCX:
- does not match base64 embedded inside larger tokens
- requires clear boundaries before and after the token
- avoids false positives in structured text
Example:
++++////++++////++++////
This confirms that IOCX:
- does not rely on regex alone
- requires successful decoding + text‑likeness
- rejects alphabet‑compatible noise
The fixture includes:
dXRmMTYtTEU6AEgAZQBsAGwAbwAhAA==
This confirms that IOCX:
- no longer treats UTF‑16LE as text
- requires ASCII‑dominant decodes
- avoids null‑byte‑heavy output
Under analysis_level = full, IOCX must:
QmFzZTY0IGlzIG5vdCBqdXN0IGZvciBiaW5hcnk=ZXhhbXBsZS11cmwtc2FmZS1iYXNlNjQQUJDREVGRw==
Each detection must include:
- the original encoded value as
value category = "base64"metadata.decodedcontaining the decoded ASCII text
- short low‑signal decodes (YWJjZA==)
- binary‑like decodes
- numeric‑only decodes
- embedded base64 inside larger tokens
- random alphabet‑compatible noise
- UTF‑16LE‑like decodes
- deterministic ordering
- strict boundary enforcement
- safe decoding
- zero false positives
"base64": [
"QmFzZTY0IGlzIG5vdCBqdXN0IGZvciBiaW5hcnk=",
"ZXhhbXBsZS11cmwtc2FmZS1iYXNlNjQ",
"QUJDREVGRw=="
]
No other IOC categories should produce matches.
This adversarial fixture confirms that IOCX’s base64 extractor is:
- strict and ASCII‑focused
- resistant to noise, binary blobs, and embedded tokens
- robust against misleading or borderline input
- deterministic and safe under adversarial conditions
It extracts only meaningful, standalone, text‑like base64 IOCs — fully aligned with the engine’s design goals.