LAYER 01
Input & Recon Sources
Fluent Bit
fluent_bit.conf · honeypot_fluent_bit.conf
S1
Collect Logs — Gathers raw logs from servers, K8s nodes, and firewalls. No AI analysis at this stage.
S2
Tag with Routing Keys — Automatically labels logs by source, then publishes to RabbitMQ.
Routing Keys →
log.network
log.endpoint
log.identity
honeypot.*
Intelligence Crawler
intelligence_crawler.py · Scheduled standalone script
S0
Scheduled Patrol — Hourly crawl of NVD, AlienVault, ISAC, and dark web to harvest the latest 0-days and malicious IP/Domain IOCs.
S1
Package as Standard JSON — Formats intel, tags it as top secret, and publishes to RabbitMQ.
S2
Commander AI Receives — Stores in the OpenSearch knowledge base + triggers CVE matching + proactively blocks malicious IPs.
Routing Keys →
intel.external
alert.ioc
Manual Input
app_ui.py · Human upload interface
S1
IT Staff Upload — Manually uploads logs or STIX threat reports via the Dashboard UI.
S2
Tag & Queue — Does NOT call the LLM directly. Publishes to RabbitMQ. 100 concurrent uploads won't crash the system.
S3
Highest Priority Processing — Commander AI gives manual reports the highest priority queue slot.
Routing Keys →
alert.manual_upload
All Raw Data → RabbitMQ Message Hub
Routed by key · unified internal queue
LAYER 02
Message Broker & Dispatch Hub
RABBITMQ · MESSAGE BROKER HUB
📥 Incoming Channels
log.network: Network firewall logs
log.endpoint: Windows endpoint events
log.identity: Identity behavior logs
honeypot.*: Honeypot interaction traffic
intel.external: External IOC intelligence
alert.ioc: Latest vulnerability alerts
alert.manual: Manual case upload
⟶
RabbitMQ
AMQP · Priority Queue
Zero-loss · Dead Letter Queue
⟶
📤 AI Agent Workers (Edge Filter) · ai_worker.py
log.network → 🚦 Network AI Worker
log.endpoint → 💻 Endpoint AI Worker
log.identity → 🔑 Identity AI Worker
📤 Commander AI (Direct)
alert.critical → 🧠 Commander AI
intel.external → 🧠 Commander AI
alert.manual → 🧠 Commander AI
AI Worker Edge-Filter Logic: Each Worker uses a lightweight AI model for sub-second noise filtering. Normal traffic → Drop (brain is never disturbed). Anomalous traffic → packaged as alert.critical and re-queued to RabbitMQ for Commander AI deep analysis.
alert.critical / intel.external / alert.manual → Commander AI
Only high-risk cases wake the most powerful LLM
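The Layer 02 dispatch above, written out as an added example (not the project's own code): it applies AMQP topic-matching rules to the routing keys on this page and traces a message through the edge-filter hop. It assumes a topic exchange whose bindings are exactly the ones drawn in the diagram; the queue names and the sample key `honeypot.ssh` are hypothetical.

```python
# Added example. Bindings are copied from the Layer 02 diagram; the real broker
# configuration is an assumption. "honeypot.ssh" is a constructed sample key.
BINDINGS = {
    "log.network": "network_ai_worker",
    "log.endpoint": "endpoint_ai_worker",
    "log.identity": "identity_ai_worker",
    "alert.critical": "commander_ai",
    "intel.external": "commander_ai",
    "alert.manual": "commander_ai",
}
WORKERS = {"network_ai_worker", "endpoint_ai_worker", "identity_ai_worker"}
# Keys the Layer 01 producers are shown publishing.
PUBLISHED = ["log.network", "log.endpoint", "log.identity", "honeypot.ssh",
             "intel.external", "alert.ioc", "alert.manual_upload"]


def topic_match(pattern, key):
    """AMQP topic semantics: '*' is exactly one word, '#' is zero or more words."""
    def walk(p, k):
        if not p:
            return not k
        if p[0] == "#":
            return any(walk(p[1:], k[i:]) for i in range(len(k) + 1))
        return bool(k) and p[0] in ("*", k[0]) and walk(p[1:], k[1:])
    return walk(pattern.split("."), key.split("."))


def route(key):
    """Queues whose binding pattern matches this routing key."""
    return sorted({q for pat, q in BINDINGS.items() if topic_match(pat, key)})


def unrouted(keys):
    """Published keys that no binding would deliver anywhere."""
    return [k for k in keys if not route(k)]


def trace(key, anomalous):
    """Follow one message: a worker drops normal traffic and re-publishes
    anomalous traffic as alert.critical, which is bound to Commander AI."""
    path = []
    for queue in route(key):
        path.append(queue)
        if queue in WORKERS:
            path += route("alert.critical") if anomalous else ["DROP"]
    return path or ["UNROUTABLE"]


if __name__ == "__main__":
    print(unrouted(PUBLISHED))
    print(trace("log.network", anomalous=True))
```

With these bindings `alert.manual_upload` (the key shown for Manual Input) does not match the `alert.manual` binding, and `honeypot.*` and `alert.ioc` have no consumer drawn. RabbitMQ discards unroutable messages unless the publisher sets `mandatory` or the exchange has an alternate exchange, so a key audit like this belongs next to the broker configuration.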
LAYER 03
Commander AI · 5-Phase Defense Lifecycle
CORE LLM PIPELINE · run_pipeline.py · llm_client.py
Commander AI
Monitors 3 high-risk channels · Activates the most powerful LLM for multi-dimensional analysis · Issues 5-phase defense commands
alert.critical
intel.external
alert.manual_upload
PH.1 PREDICT
Prediction & Risk Scoring
1
PII De-identification — pii_masker.py uses regex to mask Email/IP/phone. GDPR compliant.
2
Knowledge Enrichment — cve_enrichment.py cross-references the vulnerability DB; cmdb_mock.py checks asset criticality.
3
Lateral Movement Prediction — adversarial_engine.py + topology_graph.py simulate the attacker's next move.
4
Multi-dimensional Risk Score — LLM outputs a 0–100 risk score to determine which Phases to trigger.
pii_masker.py · cve_enrichment.py · cmdb_mock.py · adversarial_engine.py · topology_graph.py · llm_client.py
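As an added illustration of step 1 (not the project's pii_masker.py), this example goes one step beyond plain masking: it replaces each e-mail, IPv4 address and phone number with a keyed token, so log lines sent to the LLM can still be correlated by repeated value. The regexes, the accepted phone formats and the per-incident key are assumptions; the log lines are constructed.

```python
import hashlib
import hmac
import re

# Added example. Patterns are assumptions: IPv4 only, and phone numbers in
# E.164 (+digits) or 09xx-xxx-xxx form. Order matters: e-mail before IPv4.
PATTERNS = [
    ("EMAIL", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("IP", re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}"
                      r"(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")),
    ("PHONE", re.compile(r"(?<!\w)(?:\+\d{8,15}|09\d{2}-?\d{3}-?\d{3})(?!\w)")),
]

# Constructed sample log lines (documentation address ranges and domains).
SAMPLE = [
    "2024-05-01 10:22:31 sshd: Failed password for alice@example.com from 203.0.113.7",
    "2024-05-01 10:22:35 sshd: Accepted password for bob@example.com from 203.0.113.7",
    "2024-05-01 10:23:02 helpdesk: callback requested to +886912345678",
]


def mask(text, key):
    """Replace each match with <KIND:token>. The token is a truncated HMAC, so one
    value always maps to one token under the same key, and tokens from different
    keys cannot be joined."""
    def token(kind, value):
        mac = hmac.new(key, value.lower().encode(), hashlib.sha256)
        return f"<{kind}:{mac.hexdigest()[:8]}>"

    for kind, rx in PATTERNS:
        text = rx.sub(lambda m, k=kind: token(k, m.group()), text)
    return text


def mask_lines(lines, key):
    """Mask every line with the same key so repeated values stay correlatable."""
    return [mask(line, key) for line in lines]


if __name__ == "__main__":
    for line in mask_lines(SAMPLE, b"per-incident-key"):
        print(line)
```

Timestamps pass through untouched because the phone pattern is anchored to a leading `+` or `09`; a looser digit-run pattern would mask dates as phone numbers.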
PH.2 DECEIVE
Dynamic Deception & Data Poisoning
1
Tactical Decoy Design — decoy_manager.py selects the most enticing template for the attacker (e.g. fake MySQL).
2
Next-Gen Data Poisoning — Generates fake_secrets.json / poisoned_db.sql to induce hallucinations in attacker AIs (WormGPT).
3
Rapid Container Deployment — Docker Python SDK spins up decoy containers within seconds.
4
Trap Telemetry — honeypot_fluent_bit.conf returns clean attacker behavior to profile their fingerprint precisely.
decoy_manager.py · data_poisoning.py · decoy_templates.py · fake_secrets.json · poisoned_db.sql
✦ Innovation: Poisoned data is engineered to cause hallucinations and logic collapse in automated attacker AIs.
PH.3 MUTATE
Moving Target Defense (MTD)
1
Mutation Strategy — mtd_controller.py decides between "light obfuscation" or "full migration".
2
Comm Layer Obfuscation — obfuscation_engine.py modifies mtd_nginx.conf, dynamically rotating URLs, headers, and encryption.
3
Digital Twin Impact Check — Cyber Digital Twin simulates traffic to confirm Zero Downtime before executing.
4
Blue-Green Redeploy — migration_engine.py launches a clean container, swaps traffic, then destroys the old environment.
mtd_controller.py · digital_twin.py · obfuscation_engine.py · mtd_nginx.conf · migration_engine.py
✦ Cyber Digital Twin guarantees every large-scale MTD mutation is simulation-validated for zero business disruption.
PH.4 CONTAIN
Automated Containment & Isolation
1
Playbook Generation — to_stix.py outputs threat intel; LLM authors soar_playbook.json counter-attack commands.
2
Hardware-level API Block — mock_soar.py + firewall_mock.py issue REJECT to the firewall, blocking the attacker's IP within seconds.
3
IaC Self-Healing — AI analyzes Terraform/Nginx vulnerabilities, auto-writes a Patch → PR → CI/CD redeploys patched infrastructure.
4
Immutable Audit Log — audit_logger.py writes to the OpenSearch audit index with timestamped signatures for forensic and compliance evidence.
contain_engine.py · to_stix.py · soar_playbook.json · mock_soar.py · firewall_mock.py · audit_logger.py
✦ Self-Healing IaC: AI auto-writes the Patch, submits a PR, and triggers CI/CD — zero human intervention required.
PH.5 ADAPT
Brain Self-Evolution
1
Intel Quality Control — validate_stix.py ensures STIX 2.1 compliance for sharing with external security alliances.
2
Long-term Knowledge Write — setup_knowledge_base.py stores attacker TTPs in OpenSearch KNN vector DB for instant semantic recall.
3
Reinforcement Feedback — feedback_loop.py auto-adjusts Commander AI Prompt weights based on defense outcomes. AI Brain Growth achieved.
4
Executive Report — to_pdf.py extracts Phase 1–4 data, generates a polished PDF Executive Report, and pushes it to the Dashboard.
adapt_engine.py · validate_stix.py · setup_knowledge_base.py · feedback_loop.py · to_pdf.py
Phase 5 Complete → Output to Dashboard & Reports
PDF push · OpenSearch query · live situation update
LAYER 04
Output & Reporting Layer
DASHBOARD · REPORTING · app_ui.py · to_pdf.py
Live Operations Dashboard
app_ui.py · setup_dashboards.py · OpenSearch live query
Threat Map
Real-time display of attacker source IPs and geographic origins.
Predictive Map
Visualizes the lateral movement paths predicted by the Phase 1 AI engine.
MTD Status Panel
Shows which services are currently mutating and which honeypots have been triggered.
Live Alert Stream
Pulls the latest analysis results from OpenSearch Hot Tier in real time.
Manual Report Portal
The interface for IT staff to upload Logs or STIX threat reports.
Containment Ops (Phase 4)
Phase 4 firewall blocks, SOAR playbook viewer, IaC self-healing patch status.
Adaptation & Learning (Phase 5)
Phase 5 KB growth, RLHF feedback metrics, incident timelines, PDF report downloads.
Auto-Generated PDF Report
to_pdf.py · to_stix.py · Triggered by Phase 5 ADAPT
Trigger Condition
Fires after Phase 5 ADAPT completes and a full attack Incident lifecycle is detected as closed.
Auto-Correlation
Chains Phase 1–4 into a complete timeline: Detect → Deceive → Mutate → Contain.
STIX 2.1 Standard Output
Meets international standards for sharing intelligence with external security alliances.
Executive Summary
Polished PDF automatically pushed to the Dashboard for executive download.
Digital Forensics Annex
Includes the immutable audit trail from audit_logger for legal and forensic use.