Fixed issues:
- Corrected Welford's online algorithm for variance calculation
- Added NaN and infinity guards to prevent invalid calculations
- Added Serialize/Deserialize traits to AnomalyScore and ProcessProfile

Added functionality:
- Profile persistence with save_profiles() and load_profiles()
- Global baseline computation from all process profiles
- Profile cleanup method to remove stale profiles
- Additional utility methods for profile management
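
A worked example of the statistics pieces listed above: the corrected Welford update with the NaN/infinity guards, the global baseline computed from all process profiles, and the stale-profile cleanup. This is an added illustration and not the project's own code; the names RunningStats, ProcessProfile, the single `cpu` metric and `last_seen_secs` are assumptions. The baseline is built with the Chan et al. parallel merge, so it is exactly what one accumulator fed every sample would produce, without replaying the samples. Persistence is left out (that is where the serde derives would go).

```rust
/// Welford accumulator: count, running mean and the running sum of squared deviations.
#[derive(Debug, Clone, Default, PartialEq)]
pub struct RunningStats {
    pub count: u64,
    pub mean: f64,
    m2: f64,
}

impl RunningStats {
    /// Welford update. Rejects NaN/±inf (returns false, state untouched): one such sample
    /// would otherwise turn mean and m2 into NaN for the rest of the profile's lifetime.
    pub fn push(&mut self, x: f64) -> bool {
        if !x.is_finite() {
            return false;
        }
        self.count += 1;
        let delta = x - self.mean;
        self.mean += delta / self.count as f64;
        // The second factor must use the *updated* mean; using the old one is the
        // classic Welford mistake and yields a biased variance.
        self.m2 += delta * (x - self.mean);
        true
    }

    /// Unbiased sample variance; undefined below two samples.
    pub fn variance(&self) -> Option<f64> {
        (self.count >= 2).then(|| self.m2 / (self.count - 1) as f64)
    }

    /// Combine two accumulators exactly (Chan et al.), without the original samples.
    pub fn merge(&self, other: &Self) -> Self {
        if self.count == 0 { return other.clone(); }
        if other.count == 0 { return self.clone(); }
        let (na, nb) = (self.count as f64, other.count as f64);
        let delta = other.mean - self.mean;
        Self {
            count: self.count + other.count,
            mean: self.mean + delta * nb / (na + nb),
            m2: self.m2 + other.m2 + delta * delta * na * nb / (na + nb),
        }
    }

    /// z-score of `x` against this baseline; None when it cannot be scored
    /// (non-finite input, fewer than two samples, or zero spread).
    pub fn zscore(&self, x: f64) -> Option<f64> {
        if !x.is_finite() { return None; }
        let sd = self.variance()?.sqrt();
        (sd > 0.0).then(|| (x - self.mean) / sd)
    }
}

/// Per-process profile (assumed shape: one metric plus the time it was last updated).
#[derive(Debug, Clone, PartialEq)]
pub struct ProcessProfile {
    pub name: String,
    pub cpu: RunningStats,
    pub last_seen_secs: u64,
}

/// Global baseline: fold every process profile into one accumulator.
pub fn global_baseline(profiles: &[ProcessProfile]) -> RunningStats {
    profiles.iter().fold(RunningStats::default(), |acc, p| acc.merge(&p.cpu))
}

/// Drop profiles not updated within `max_age_secs`; returns how many were removed.
pub fn remove_stale(profiles: &mut Vec<ProcessProfile>, now_secs: u64, max_age_secs: u64) -> usize {
    let before = profiles.len();
    profiles.retain(|p| now_secs.saturating_sub(p.last_seen_secs) <= max_age_secs);
    before - profiles.len()
}

fn main() {
    // Constructed samples; the NaN is silently rejected rather than poisoning the profile.
    let mut s = RunningStats::default();
    for x in [2.0, 4.0, 4.0, 4.0, 5.0, 5.0, 7.0, 9.0, f64::NAN] { s.push(x); }
    println!("n={} mean={} var={:?} z(9)={:?}", s.count, s.mean, s.variance(), s.zscore(9.0));
}
```

The guard is not cosmetic: a single NaN (a 0/0 from a zero-length sampling interval is enough) makes every later mean and variance NaN, every comparison against them false, and the process silently disappears from the detector. Returning `Option` from `zscore` rather than 0.0 keeps "cannot score yet" distinguishable from "scored as normal".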
Added actual HTTP-based feed fetching for:
- AbuseIPDB - IP address blacklist with confidence scoring
- MalwareBazaar - Recent malware samples with SHA256 hashes
- AlienVault OTX - Threat pulses with multiple IOC types
Each feed properly parses JSON responses, extracts indicators of
compromise (IOCs), caches them with appropriate TTLs, and maps
threat levels. Feeds require API keys and can be enabled/disabled
individually. IOC cache supports multiple indicator types including
IPs, file hashes, and filenames.
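
The cache side of the feed integration, as an added example that is not the project's own code: per-type normalization of indicators, TTL expiry on an injected clock, and a mapping from AbuseIPDB's abuseConfidenceScore to a threat level. The HTTP fetch and JSON parsing are left out so the example runs offline; the level thresholds, the type and function names, and the sample indicators (a TEST-NET-3 address, the SHA-256 of empty input) are constructed for the example.

```rust
use std::collections::HashMap;
use std::net::IpAddr;

/// Indicator types the feeds above deliver; the cache key is (type, normalized value).
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum IocType { Ip, Sha256, FileName }

#[derive(Debug, Clone, Copy, PartialEq, Eq, PartialOrd, Ord)]
pub enum ThreatLevel { Low, Medium, High, Critical }

#[derive(Debug, Clone, PartialEq)]
pub struct Ioc {
    pub kind: IocType,
    pub value: String,
    pub level: ThreatLevel,
    pub source: &'static str,
    expires_at: u64, // seconds on the caller's clock, injected so expiry is testable offline
}

/// Canonicalize an indicator so a lookup matches however the feed spelled it. None means
/// the value cannot be the claimed type (malformed IP, non-hex or wrong-length hash).
pub fn normalize(kind: IocType, raw: &str) -> Option<String> {
    let v = raw.trim();
    match kind {
        IocType::Ip => v.parse::<IpAddr>().ok().map(|ip| ip.to_string()), // 2001:db8:0:0:0:0:0:1 -> 2001:db8::1
        IocType::Sha256 => (v.len() == 64 && v.bytes().all(|b| b.is_ascii_hexdigit())).then(|| v.to_ascii_lowercase()),
        IocType::FileName => (!v.is_empty()).then(|| v.to_ascii_lowercase()), // Windows file names are case-insensitive
    }
}

/// Map AbuseIPDB's abuseConfidenceScore (0-100) to a level. The thresholds are this
/// example's assumption, not the project's; reports under 25 are not cached at all.
pub fn level_from_abuse_confidence(score: u8) -> Option<ThreatLevel> {
    match score {
        0..=24 => None,
        25..=49 => Some(ThreatLevel::Low),
        50..=74 => Some(ThreatLevel::Medium),
        75..=89 => Some(ThreatLevel::High),
        _ => Some(ThreatLevel::Critical),
    }
}

#[derive(Default)]
pub struct IocCache {
    entries: HashMap<(IocType, String), Ioc>,
}

impl IocCache {
    /// Insert or refresh an indicator. Returns false if it failed normalization. A live
    /// entry is never downgraded: level and expiry keep whichever is higher.
    pub fn insert(&mut self, kind: IocType, raw: &str, level: ThreatLevel, source: &'static str, now: u64, ttl_secs: u64) -> bool {
        let value = match normalize(kind, raw) { Some(v) => v, None => return false };
        let expires_at = now.saturating_add(ttl_secs);
        let key = (kind, value.clone());
        let live = self.entries.get(&key).filter(|e| e.expires_at > now).cloned();
        let merged = match live {
            Some(mut e) => {
                if level > e.level { e.level = level; e.source = source; }
                e.expires_at = e.expires_at.max(expires_at);
                e
            }
            None => Ioc { kind, value, level, source, expires_at }, // new, or expired and replaced
        };
        self.entries.insert(key, merged);
        true
    }

    /// Lookup that treats an expired entry as absent (it is evicted lazily).
    pub fn lookup(&self, kind: IocType, raw: &str, now: u64) -> Option<&Ioc> {
        let value = normalize(kind, raw)?;
        self.entries.get(&(kind, value)).filter(|e| e.expires_at > now)
    }

    /// Drop everything past its TTL; returns the number evicted.
    pub fn evict_expired(&mut self, now: u64) -> usize {
        let before = self.entries.len();
        self.entries.retain(|_, e| e.expires_at > now);
        before - self.entries.len()
    }

    pub fn len(&self) -> usize { self.entries.len() }
}

fn main() {
    // Constructed sample: a TEST-NET-3 address as if reported by AbuseIPDB with confidence 92.
    let mut cache = IocCache::default();
    if let Some(level) = level_from_abuse_confidence(92) {
        cache.insert(IocType::Ip, "203.0.113.7", level, "abuseipdb", 0, 3_600);
    }
    println!("{:?}", cache.lookup(IocType::Ip, "203.0.113.7", 60));
}
```

Normalizing on both insert and lookup is the part worth copying: feeds emit hashes in either case and IPv6 in several spellings, and a string-equality miss there is a silent false negative. Refusing to downgrade a live entry matters when several feeds are enabled at once, since a low-confidence pulse from one source should not erase a high-confidence hit from another before its TTL runs out.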
Added comprehensive section-by-section PE comparison that reads the
executable from disk, parses PE sections, and compares them against
memory using SHA-256 hashing. Detects:
- Modified code sections (>5% difference from disk)
- Missing PE sections in memory
- Section hash mismatches
This catches sophisticated hollowing techniques that modify specific
code sections while preserving the PE header structure.
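
The section comparison described above, as an added example rather than the project's code: a bounds-checked parser for the PE section table, and a comparison of each code section's disk bytes with its in-memory copy that reports the three findings listed (missing section, hash mismatch, more than 5% of bytes modified). Assumptions: `read_memory` is a caller-supplied closure standing in for ReadProcessMemory at image base plus RVA; FNV-1a 64 stands in for the SHA-256 the project uses, because the standard library has no SHA-256; and `build_sample_pe` constructs a minimal PE image for the demo, with nothing read from a real process.

```rust
/// One parsed IMAGE_SECTION_HEADER (40 bytes each in the section table).
#[derive(Debug, Clone, PartialEq)]
pub struct Section {
    pub name: String,
    pub virtual_address: u32,
    pub virtual_size: u32,
    pub raw_offset: u32,
    pub raw_size: u32,
    pub characteristics: u32,
}
const IMAGE_SCN_CNT_CODE: u32 = 0x0000_0020;
const IMAGE_SCN_MEM_EXECUTE: u32 = 0x2000_0000;
pub const MODIFIED_THRESHOLD: f64 = 0.05; // share of differing bytes that makes a section "modified"
fn u16_at(b: &[u8], o: usize) -> Option<u16> { b.get(o..o + 2).map(|s| u16::from_le_bytes([s[0], s[1]])) }
fn u32_at(b: &[u8], o: usize) -> Option<u32> { b.get(o..o + 4).map(|s| u32::from_le_bytes([s[0], s[1], s[2], s[3]])) }

/// DOS header -> PE signature -> COFF header -> section table. Every read is bounds-checked,
/// so a truncated or malformed file yields None rather than a panic inside the scanner.
pub fn parse_sections(image: &[u8]) -> Option<Vec<Section>> {
    if image.get(0..2)? != b"MZ" { return None; }
    let e_lfanew = u32_at(image, 0x3c)? as usize;
    if image.get(e_lfanew..e_lfanew + 4)? != b"PE\0\0" { return None; }
    let coff = e_lfanew + 4;
    let nsections = u16_at(image, coff + 2)? as usize;
    let table = coff + 20 + u16_at(image, coff + 16)? as usize; // skip the optional header
    (0..nsections).map(|i| {
        let h = table + i * 40;
        Some(Section {
            name: String::from_utf8_lossy(image.get(h..h + 8)?).trim_end_matches('\0').to_string(),
            virtual_size: u32_at(image, h + 8)?,
            virtual_address: u32_at(image, h + 12)?,
            raw_size: u32_at(image, h + 16)?,
            raw_offset: u32_at(image, h + 20)?,
            characteristics: u32_at(image, h + 36)?,
        })
    }).collect()
}

#[derive(Debug, Clone, PartialEq)]
pub enum Finding {
    MissingSection(String),                          // code section not mapped in the process
    HashMismatch { name: String, diff_ratio: f64 },  // bytes differ, but 5% or fewer of them
    ModifiedCode { name: String, diff_ratio: f64 },  // more than 5% of the bytes differ
}
/// FNV-1a 64 stands in for the SHA-256 the project uses (std has no SHA-256). It detects
/// change well enough for a demo but is not collision-resistant against an adversary.
fn digest(bytes: &[u8]) -> u64 {
    bytes.iter().fold(0xcbf2_9ce4_8422_2325u64, |h, &b| (h ^ b as u64).wrapping_mul(0x0000_0100_0000_01b3))
}

/// Compare each code section's disk bytes with its in-memory copy. `read_memory(rva, len)`
/// is the caller's reader (ReadProcessMemory at image base + rva); None means unmapped.
pub fn compare_code_sections(
    disk: &[u8],
    sections: &[Section],
    read_memory: impl Fn(u32, usize) -> Option<Vec<u8>>,
) -> Vec<Finding> {
    let mut findings = Vec::new();
    for s in sections.iter().filter(|s| s.characteristics & (IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE) != 0) {
        // Only bytes present on disk are comparable; the loader zero-fills the rest of VirtualSize.
        let (start, len) = (s.raw_offset as usize, s.raw_size.min(s.virtual_size) as usize);
        let on_disk = match disk.get(start..start + len) { Some(b) => b, None => continue }; // header points outside the file
        let in_mem = match read_memory(s.virtual_address, len) {
            Some(b) => b,
            None => { findings.push(Finding::MissingSection(s.name.clone())); continue; }
        };
        if digest(on_disk) == digest(&in_mem) { continue; } // unchanged: the common case
        let differing = on_disk.iter().zip(&in_mem).filter(|(a, b)| a != b).count()
            + len.abs_diff(in_mem.len()); // a short read counts as difference, not as a match
        let diff_ratio = differing as f64 / len.max(1) as f64;
        findings.push(if diff_ratio > MODIFIED_THRESHOLD {
            Finding::ModifiedCode { name: s.name.clone(), diff_ratio }
        } else {
            Finding::HashMismatch { name: s.name.clone(), diff_ratio }
        });
    }
    findings
}

/// Constructed minimal PE for the demo: DOS stub, "PE\0\0", COFF header with an empty
/// optional header, a 64-byte executable .text and an 8-byte non-code .data section.
pub fn build_sample_pe(text: &[u8; 64], data: &[u8; 8]) -> Vec<u8> {
    let mut img = vec![0u8; 248];
    img[..2].copy_from_slice(b"MZ");
    img[0x3c..0x40].copy_from_slice(&0x40u32.to_le_bytes()); // e_lfanew
    img[0x40..0x44].copy_from_slice(b"PE\0\0");
    img[0x46..0x48].copy_from_slice(&2u16.to_le_bytes()); // NumberOfSections; SizeOfOptionalHeader stays 0
    let hdr = |img: &mut Vec<u8>, at: usize, name: &[u8], vsize: u32, va: u32, raw: u32, off: u32, flags: u32| {
        img[at..at + name.len()].copy_from_slice(name);
        for (k, v) in [(8, vsize), (12, va), (16, raw), (20, off), (36, flags)] {
            img[at + k..at + k + 4].copy_from_slice(&v.to_le_bytes());
        }
    };
    hdr(&mut img, 0x58, b".text", 64, 0x1000, 64, 0xB0, 0x6000_0020); // CODE | EXECUTE | READ
    hdr(&mut img, 0x80, b".data", 8, 0x2000, 8, 0xF0, 0xC000_0040); // INITIALIZED_DATA | READ | WRITE
    img[0xB0..0xF0].copy_from_slice(text);
    img[0xF0..0xF8].copy_from_slice(data);
    img
}
```

Two caveats before wiring this to real processes. First, a code section can legitimately differ from disk: if the image was loaded at an address other than its ImageBase, every absolute address in the section has been relocated (common for 32-bit images, rarer for RIP-relative x64 code), and user-mode security products routinely place inline hooks at the start of functions in ntdll.dll and kernel32.dll. Either apply the .reloc fix-ups to the disk copy before comparing, or mask the bytes those entries cover, and expect a small HashMismatch rate on system DLLs that is not hollowing. Second, the 5% threshold separates wholesale replacement from surgical patching, which is why the sub-threshold HashMismatch finding is kept rather than dropped: a single patched function in a large .text is well under 5% and is exactly what an attacker who preserves the header would do.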