Bug Description
In netsecgame/game/global_defender.py, BlockIP has a default detection probability and a TW ratio threshold, but stochastic_with_threshold only runs detection logic for action types listed in _TW_CONSECUTIVE_TYPE_THRESHOLD or _EPISODE_REPEATED_ACTION_THRESHOLD. BlockIP is in neither list, so the function always falls through to return False for BlockIP. This lets any agent repeatedly issue BlockIP actions (including attackers) with zero chance of detection, effectively disabling the GlobalDefender for a high‑impact action.
Steps to Reproduce
Steps to Reproduce:
- Open
netsecgame/game/global_defender.py and note ActionType.BlockIP is present in _DEFAULT_DETECTION_PROBS and _TW_TYPE_RATIOS_THRESHOLD but missing from _TW_CONSECUTIVE_TYPE_THRESHOLD and _EPISODE_REPEATED_ACTION_THRESHOLD.
- Run the following in a Python REPL from the repo root:
from netsecgame.game.global_defender import GlobalDefender
from netsecgame.game_components import Action, ActionType, IP
defender = GlobalDefender()
action = Action(ActionType.BlockIP, {
"source_host": IP("10.0.0.1"),
"target_host": IP("10.0.0.1"),
"blocked_host": IP("10.0.0.2"),
})
episode_actions = [action.as_dict] * 10
print(defender.stochastic_with_threshold(action, episode_actions, tw_size=5))
Expected Behavior
Expected Behavior:
BlockIP should trigger stochastic detection when its TW ratio (and/or a defined threshold for repeated/consecutive actions) is exceeded, similar to other action types. At minimum, BlockIP should not be hard‑coded to “never detect” when it already has configured detection probabilities and thresholds.
Version
Version: 1.1
Installation / Deployment Method
Running locally from source
Bug Description
In
netsecgame/game/global_defender.py, BlockIP has a default detection probability and a TW ratio threshold, butstochastic_with_thresholdonly runs detection logic for action types listed in_TW_CONSECUTIVE_TYPE_THRESHOLDor_EPISODE_REPEATED_ACTION_THRESHOLD. BlockIP is in neither list, so the function always falls through toreturn Falsefor BlockIP. This lets any agent repeatedly issue BlockIP actions (including attackers) with zero chance of detection, effectively disabling the GlobalDefender for a high‑impact action.Steps to Reproduce
Steps to Reproduce:
netsecgame/game/global_defender.pyand note ActionType.BlockIP is present in_DEFAULT_DETECTION_PROBSand_TW_TYPE_RATIOS_THRESHOLDbut missing from_TW_CONSECUTIVE_TYPE_THRESHOLDand_EPISODE_REPEATED_ACTION_THRESHOLD.Expected Behavior
Expected Behavior:
BlockIP should trigger stochastic detection when its TW ratio (and/or a defined threshold for repeated/consecutive actions) is exceeded, similar to other action types. At minimum, BlockIP should not be hard‑coded to “never detect” when it already has configured detection probabilities and thresholds.
Version
Version: 1.1
Installation / Deployment Method
Running locally from source