|
| 1 | +# **v0.7.1 — Heuristics Engine Expansion & Structural Analysis Improvements** |
| 2 | +**Released: 2026‑05‑??** |
| 3 | + |
| 4 | +v0.7.1 delivers a major upgrade to IOCX’s **PE heuristics engine**, **extractor correctness**, and **adversarial‑input resilience**. This release introduces six new structural heuristics, broad extractor hardening, and a significantly expanded adversarial test suite — including **full adversarial coverage for every IOC category**. |
| 5 | + |
| 6 | +--- |
| 7 | + |
| 8 | +# **Extractor Hardening** |
| 9 | + |
| 10 | +This release strengthens multiple IOC extractors with improved correctness, boundary handling, and adversarial‑text resilience. Updates span the **bare domain**, **strict URL**, **crypto**, and **hash** extractors, plus improved **URL normalisation**. |
| 11 | + |
| 12 | +## **Bare Domain Extractor** |
| 13 | + |
| 14 | +### **Improvements** |
| 15 | +- Expanded **TLD allow‑list** (e.g., `.ly`, `.gg`, `.sh`, `.app`, `.dev`, `.xyz`, `.online`) for broader real‑world coverage. |
| 16 | +- Strengthened **BAD_TLD deny‑list** to prevent file extensions, config keys, and log fields from being misclassified as domains. |
| 17 | +- Refined **boundary detection** to reduce false positives in noisy or punctuation‑heavy text. |
| 18 | +- Added **punycode + IDN homoglyph analysis**, including Unicode decoding, script classification, and confusable‑character detection. |
| 19 | +- Improved regex structure for **stability and predictable linear performance**, eliminating pathological backtracking cases. |
| 20 | + |
| 21 | +### **Impact** |
| 22 | +- Higher recall for legitimate domains across modern TLDs. |
| 23 | +- Significant reduction in false positives from filepaths, dotted identifiers, and structured logs. |
| 24 | +- Richer, homoglyph‑aware metadata for downstream analysis and phishing detection. |
| 25 | + |
| 26 | +--- |
| 27 | + |
| 28 | +## **Strict URL Extractor** |
| 29 | + |
| 30 | +### Improvements |
| 31 | +- Added support for `ftp`, `ftps`, and `sftp`. |
| 32 | +- RFC‑compliant **userinfo parsing** (`user:pass@host`). |
| 33 | +- Full **punycode** domain support. |
| 34 | +- Improved **IPv6** handling (including zone indices). |
| 35 | +- More robust host matching aligned with the updated domain extractor. |
| 36 | +- Cleaner separation of path/query/fragment parsing. |
| 37 | + |
| 38 | +### Impact |
| 39 | +- More complete URL extraction. |
| 40 | +- Fewer truncated or malformed URLs. |
| 41 | +- Better handling of obfuscated or credential‑embedded URLs. |
| 42 | + |
| 43 | +--- |
| 44 | + |
| 45 | +## **Crypto Extractor** |
| 46 | + |
| 47 | +### Improvements |
| 48 | +- Added **full Base58Check validation** for Bitcoin: |
| 49 | + - Double‑SHA256 checksum verification. |
| 50 | + - Version‑byte validation (`0x00`, `0x05`). |
| 51 | + - Rejects malformed Base58 sequences. |
| 52 | +- Preserved Bech32/Taproot and ETH detection. |
| 53 | + |
| 54 | +### Impact |
| 55 | +- Dramatic reduction in Base58 false positives. |
| 56 | +- Only cryptographically valid BTC addresses are extracted. |
| 57 | + |
| 58 | +--- |
| 59 | + |
| 60 | +## **Hash Extractor** |
| 61 | + |
| 62 | +### Improvements |
| 63 | +- Increased short‑hex minimum length from **8 → 10** characters. |
| 64 | +- Strict MD5/SHA1/SHA256/SHA512 detection unchanged. |
| 65 | + |
| 66 | +### Impact |
| 67 | +- Fewer false positives from small hex tokens. |
| 68 | +- Behaviour remains aligned with adversarial fixtures. |
| 69 | + |
| 70 | +--- |
| 71 | + |
| 72 | +## **URL Normalisation** |
| 73 | + |
| 74 | +- `normalise_url()` now wraps `urlparse()` in safe error handling. |
| 75 | +- Malformed URLs return `None` instead of raising. |
| 76 | + |
| 77 | +### Impact |
| 78 | +- More robust behaviour on adversarial URL input. |
| 79 | +- Prevents crashes during bulk extraction. |
| 80 | + |
| 81 | +--- |
| 82 | + |
| 83 | +# **Heuristics Engine Expansion (PE Structural Analysis)** |
| 84 | + |
| 85 | +To support the expanded adversarial PE corpus, v0.7.1 introduces **six new deterministic heuristics** for detecting malformed or inconsistent PE structures: |
| 86 | + |
| 87 | +- **Section overlap detection** |
| 88 | + `_analyse_section_overlap` |
| 89 | +- **Section alignment validation** |
| 90 | + `_analyse_section_alignment` |
| 91 | +- **Optional‑header consistency checks** |
| 92 | + `_analyse_optional_header_consistency` |
| 93 | +- **Entrypoint → section mapping validation** |
| 94 | + `_analyse_entrypoint_mapping` |
| 95 | +- **Data‑directory anomaly detection** |
| 96 | + `_analyse_data_directory_anomalies` |
| 97 | +- **Import‑directory validity checks** |
| 98 | + `_analyse_import_directory_validity` |
| 99 | + |
| 100 | +### Impact |
| 101 | +- Clearer, reason‑coded anomaly reporting. |
| 102 | +- No false positives on benign binaries. |
| 103 | +- Deterministic behaviour across malformed PE structures. |
| 104 | + |
| 105 | +--- |
| 106 | + |
| 107 | +# **Added** |
| 108 | + |
| 109 | +### **1. Full adversarial fixtures for *all* IOC categories** |
| 110 | +New adversarial string corpora added for: |
| 111 | + |
| 112 | +- **crypto wallets** (BTC/ETH, reversed, embedded, noisy, base58‑adjacent) |
| 113 | +- **domains** (Unicode homoglyphs, mixed‑script lookalikes) |
| 114 | +- **URLs** (broken schemes, nested encodings, truncated fragments) |
| 115 | +- **IPs** (malformed IPv4/IPv6, concatenated segments, invalid scopes) |
| 116 | +- **filepaths** (MAX_PATH‑breaking Windows paths, malformed UNC prefixes) |
| 117 | +- **hashes** (near‑miss hex sequences, truncated digests) |
| 118 | +- **base64** (invalid padding, embedded noise, extremely long runs) |
| 119 | +- **emails** (Unicode variants, malformed local parts) |
| 120 | + |
| 121 | +Each fixture includes a deterministic snapshot. |
| 122 | + |
| 123 | +### **2. Expanded adversarial PE corpus** |
| 124 | +Fixtures include: |
| 125 | + |
| 126 | +- broken RVAs |
| 127 | +- overlapping/misaligned sections |
| 128 | +- corrupted data directories |
| 129 | +- malformed import tables |
| 130 | +- invalid optional headers (PE32 & PE32+) |
| 131 | +- truncated Rich headers |
| 132 | +- packed‑lookalike binaries |
| 133 | +- franken‑PE hybrids |
| 134 | + |
| 135 | +### **3. Heuristics engine upgrades** |
| 136 | +- New structural heuristics (see above) |
| 137 | +- Unified internal analysis structure (`sections` + `data_directories`) |
| 138 | +- Deterministic, JSON‑safe anomaly reporting |
| 139 | + |
| 140 | +--- |
| 141 | + |
| 142 | +# **Fixed** |
| 143 | + |
| 144 | +- Improved stability when parsing malformed or adversarial PE files. |
| 145 | +- More robust handling of malformed URLs during normalisation. |
| 146 | + |
| 147 | +--- |
| 148 | + |
| 149 | +# **Notes** |
| 150 | + |
| 151 | +- Updated snapshot for `heuristic_rich.full.exe` to reflect new heuristics. |
| 152 | +- Previous snapshot predated directory‑range and RVA‑validation logic. |
| 153 | + |
| 154 | +--- |
0 commit comments