-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathconfig.yaml
More file actions
94 lines (83 loc) · 5.6 KB
/
Copy pathconfig.yaml
File metadata and controls
94 lines (83 loc) · 5.6 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
# Number of concurrent Celery worker containers
# Total possible simultaneous competitor containers = num_workers * defense.evaluation.batch_size
worker:
num_workers: 2
# All settings related to defense submissions
defense:
# Docker resource limits applied to each competitor's running defense container
container:
mem_limit: "1g" # Docker memory limit for each competitor container
nano_cpus: 1000000000 # CPU quota in nanocpus; 1000000000 = 1 full CPU core
pids_limit: 100 # max processes/threads inside the competitor container
container_timeout: 30 # seconds before the container is force-killed
max_uncompressed_size_mb: 1024 # max allowed uncompressed submission size in MB
# Controls how attack files are batched and sent to the defense container during evaluation
evaluation:
requests_timeout_seconds: 5 # per-request HTTP timeout when sending samples to the defense container
batch_size: 2 # number of attack files sent to the defense container per request
max_empty_polls: 3 # consecutive empty queue polls before the evaluation worker shuts down
defense_max_ram: 1024 # MB - soft RAM threshold; sample marked evaded and container restarted if exceeded
defense_max_time: 5000 # ms - per-sample time limit; exceeded = evaded
defense_max_timeout: 20000 # ms - forced restart threshold (must be >= defense_max_time)
defense_max_restarts: 3 # max container restarts before error state
stats_sampling_rate: 25 # samples evaluated between container stats checks (has a large impact on total evaluation time)
# Heuristic pre-acceptance checks run against a defense before it enters the leaderboard
validation:
enabled: false # run validation against uploaded sample sets before accepting a defense
malware_fpr_minimum: 0.0 # minimum acceptable false-positive rate on malware samples
malware_tpr_minimum: 0.30 # minimum acceptable true-positive rate on malware samples
goodware_fpr_minimum: 0.0 # minimum acceptable false-positive rate on goodware samples
goodware_tpr_minimum: 0.30 # minimum acceptable true-positive rate on goodware samples
reject_failures: false # if true, submissions that fail thresholds are rejected outright
# Building a defense Docker image from a submitted ZIP or GitHub repository
build:
max_zip_size_mb: 512
max_uncompressed_zip_size_mb: 2048
max_build_time_seconds: 300
build_mem_limit: "2g"
temp_build_dir: "/tmp/mlsec-builds" # inside container only - NOT mounted from host
# Security settings for build isolation
use_buildkit: true # enable Docker BuildKit security features
network_disabled: false # allow network access during builds (needed for pip install)
no_cache: true # prevent cache poisoning
build_cpu_quota: 100000 # limit CPU usage to 1 core (100000 = 1 core)
max_dockerfile_size_kb: 100 # limit Dockerfile size
# Cleanup settings
cleanup_built_images: true # remove built images after evaluation (ZIP/GitHub sources)
cleanup_pulled_images: true # remove pulled images after evaluation (Docker Hub sources)
# All settings related to attack submissions
attack:
skip_seeding: true # true = skip template seeding and all behavioral checks
check_similarity: false # false = skip evaluation, accept all validated attacks
reject_dissimilar_attacks: false # only applies when check_similarity=true
# true = reject if score < minimum_attack_similarity
# false = log score but accept regardless
minimum_attack_similarity: 65 # 0-100 threshold (used when check_similarity=true)
max_zip_size_mb: 100
sandbox_backend: "virustotal" # "virustotal" | "cape"
cape_sandbox_name: "win10"
behavior_sample_rate: 1.0 # fraction of attack files to behaviorally check (0.0-1.0)
deny_duplicate_attacks: true # reject attack submissions whose file hashes match another competitor's validated submission
cache_persistence_duration: 300 # seconds of inactivity before clearing the sample cache
cache_max_size_gb: 10 # maximum size of local sample cache before pruning
# MinIO object storage (credentials come from environment variables)
storage:
bucket_name: "mlsec-submissions"
# Platform-wide application settings
application:
join_code: 'ABC' # required code users must enter at registration; omit or leave blank to disable
defense_submission_cooldown: 30 # seconds between defense submissions per user; 0 = no cooldown
attack_submission_cooldown: 30 # seconds between attack submissions per user; 0 = no cooldown
# Email and MFA settings (SMTP credentials live in .env)
email:
mfa_enabled: false # require email verification on every login
delivery: log # "log" (print code to server logs) or "smtp" (send real email)
code_ttl_minutes: 10 # how long a login code remains valid
max_attempts: 5 # failed attempts before the code is invalidated
base_url: mlsec2.com # platform URL included in the email body
from_address: "MLSEC Platform <mlsec2.noreply@gmail.com>" # email From header
subject: "Your MLSEC verification code" # email Subject header
smtp_host: smtp.gmail.com # SMTP server hostname
smtp_port: 587 # SMTP server port
smtp_use_tls: true # use STARTTLS (recommended for port 587)
smtp_use_ssl: false # use implicit SSL (for port 465)