
beacon-hunter: open source detector for phi-structured C2 beacons that evade RITA
Built a companion to RITA that detects phi-structured C2 beacons — Fibonacci-scheduled connections that evade regularity-based detection.
Standard beacon detectors flag regular or near-regular intervals. An adversary using Fibonacci-spaced connections (each interval growing by a factor of phi) defeats coefficient-of-variation (CV) and regularity checks entirely, but leaves a mathematical fingerprint: the ratios of consecutive inter-connection intervals (ICIs) converge toward phi (1.618...).
Two-gate detection:
- Ratio convergence test — ICI ratios cluster near phi with low scatter
- Fibonacci recurrence residual — ICIs satisfy ICI[n+2] ≈ ICI[n+1] + ICI[n]
Results on real network captures:
- Zero false Fibonacci flags across three 1-hour Windows network captures (~12,000 flows)
- Confirmed true positive on lab-generated ground-truth capture (score 88%, recurrence residual = 0.000)
- Synthetic validation 3/3
Looking for anyone with captures containing known irregular C2 scheduling to validate against real malware. That's the open gap.
AGPL-3.0, Python, no dependencies beyond numpy/scipy/dpkt.