Test a threshold of 0

Make sure we get near-perfect recall (ATM-light) and bad precision.
Don't hard-code the score cutoff
2026-05-16 04:09:27 +02:00 · 2022-01-04 16:41:21 -08:00 · 2022-01-04 15:48:38 -08:00 · 2022-01-04 15:46:17 -08:00 · 2022-01-04 15:41:51 -08:00
2 changed files with 5 additions and 11 deletions
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/ATMConfig.qll
@@ -105,8 +105,8 @@ abstract class ATMConfig extends string {
   *
   * Specifies the default cut-off value that controls how many alerts are produced.
   * The cut-off value must be in the range [0,1].
-   * A cut-off value of 0 only produces alerts that are likely true-positives.
-   * A cut-off value of 1 produces all alerts including those that are likely false-positives.
+   * A cut-off value of >~0.5 only produces alerts that are likely true-positives.
+   * A cut-off value of 0 produces all alerts including those that are likely false-positives.
   */
-  float getScoreCutoff() { result = 0.0 }
+  float getScoreCutoff() { result = 0. }
 }
--- a/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointScoring.qll
+++ b/javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/EndpointScoring.qll
@@ -205,14 +205,8 @@ class EndpointScoringResults extends ScoringResults {
        exists(float sinkScore |
          ModelScoring::endpointScores(sink, getCfg().getASinkEndpointType().getEncoding(),
            sinkScore) and
-          // Include the endpoint if (a) the query endpoint type scores higher than all other
-          // endpoint types, or (b) the query endpoint type scores at least
-          // 0.5 - (getCfg().getScoreCutoff() / 2).
-          sinkScore >=
-            [
-              max(float s | ModelScoring::endpointScores(sink, _, s)),
-              0.5 - getCfg().getScoreCutoff() / 2
-            ]
+          // Include the endpoint if the query endpoint type scores higher than a fixed threshold
+          sinkScore >= getCfg().getScoreCutoff()
        )
      )
  }
Author	SHA1	Message	Date
Tiferet Gazit	869846b306	Test a threshold of 0 Make sure we get near-perfect recall (ATM-light) and bad precision.	2022-01-04 16:41:21 -08:00
Tiferet Gazit	6d9a8fad34	Don't hard-code the score cutoff	2022-01-04 15:48:38 -08:00
Tiferet Gazit	e41b9e8776	Experiment with a threshold of 0.65	2022-01-04 15:46:17 -08:00
Tiferet Gazit	dc8711b28f	Experiment with a fixed threshold of 0.65	2022-01-04 15:41:51 -08:00