

//! Attack path and anomaly types for incident analysis.
3use super::edge::ProvenanceEdge;
4use super::node::{NodeId, ProvenanceNode};
6/// Reconstructed attack/incident path
/// A reconstructed attack or incident path through the provenance graph.
///
/// `nodes` is ordered causally, from the suspected root cause to the
/// observed incident, and `edges` holds the provenance edges that link
/// them. Entries of `anomaly_indices` are positions in `nodes`; nothing in
/// this type checks that they are in range, so whoever builds a path is
/// expected to keep them valid.
#[derive(Debug)]
#[derive(Clone)]
pub struct AttackPath {
    /// Path nodes in causal order (root cause first, incident last).
    pub nodes: Vec<(NodeId, ProvenanceNode)>,
    /// Provenance edges connecting the nodes of the path.
    pub edges: Vec<ProvenanceEdge>,
    /// Time span of the incident, in nanoseconds.
    pub duration_ns: u64,
    /// Positions in `nodes` that were flagged as anomalous.
    pub anomaly_indices: Vec<usize>,
}
impl AttackPath {
    /// Returns the number of nodes on the path.
    pub fn len(&self) -> usize {
        let Self { nodes, .. } = self;
        nodes.len()
    }

    /// Returns `true` when the path holds no nodes at all.
    pub fn is_empty(&self) -> bool {
        self.nodes.first().is_none()
    }

    /// Returns `true` when at least one node position was flagged as
    /// anomalous. Only the presence of entries in `anomaly_indices` is
    /// checked; the indices themselves are not validated against `nodes`.
    pub fn has_anomalies(&self) -> bool {
        self.anomaly_indices.first().is_some()
    }
}
36/// Anomaly detected in provenance path
/// An anomaly detected at one node of a provenance path.
#[derive(Debug)]
#[derive(Clone)]
pub struct Anomaly {
    /// Identifier of the node at which the anomaly was detected.
    pub node_id: NodeId,
    /// Human-readable description of what was anomalous.
    pub description: String,
    /// Severity score, intended to lie in `0.0..=1.0`; the range is not
    /// enforced by this type, so consumers should clamp or validate it.
    pub severity: f32,
}