Domain Gap — VERITAS Signal Calibration

The Problem

Sysmon-trained signals have ~27% recall when applied to SIFT disk forensic tool output. Sysmon references Windows event fields invisible in disk forensics:

Sysmon signal:        EventID=8, GrantedAccess=0x1fffff, Host=WS01
SIFT disk output:     sekurlsa::logonpasswords | FLS: lsass.dmp

Same attack (T1003.001), zero token overlap. A model trained on Sysmon never learns to say “lsass.dmp”.

The Solution

Replaced the ASL training loop with corpus-calibrated log-odds weights derived from real malware samples:

Source Samples Labels
MalwareBazaar ~600 MITRE technique tags via SHA256 metadata
HybridAnalysis ~200 vx_family, submit_name, behavioral tags

Scoring model:

log_odds = log2( (p_malware + 0.05) / (p_benign + 0.05) )
weight   = normalize(log_odds) → [0, 1]

Cross-technique tokens (appearing in 4+ technique corpora) capped at 0.2. Confirmed case signals retain a floor weight of 0.5.

Training Data Provenance

Source Auditable?
MalwareBazaar Yes — public threat intel, SHA256 traceable
HybridAnalysis Yes — public sandbox, SHA256 traceable
Benign baseline Yes — curated Windows system string list in compute_weights.py

All signals are transparent substring matches. Each finding independently re-verified by auditor_agent.py.

Per-Technique Coverage

From data/calibrated_weights.json:

Technique Top Signals Weight
T1003.001 mimikatz, sekurlsa, hydrakatz 1.0
T1003.002 mimikatz, sekurlsa 1.0
T1059.001 powershell, invoke-expression 1.0
T1087.001 sharphound, hound, attack-tool 1.0
T1547.001 autorun 0.982
T1560.001 7zip 0.992
T1569.002 psexesvc, psexec, \admin$\ 0.877
T1071.001 cobalt, beacon, cobaltstrike 0.611
T1548.002 uacme, uacbypass 1.0

SANS FIND EVIL! Hackathon 2026  ·  Custom MCP Server + Multi-Agent Adversarial Pipeline  ·  MIT License