Reduce numeric-identifier noise in threat actor similarity report by adulau · Pull Request #1172 · MISP/misp-galaxy

adulau · 2026-04-12T09:06:57Z

Threat-actor names frequently reuse a textual stem with different numeric identifiers (e.g., apt 28 vs apt 29), which creates noisy high-similarity matches; the change aims to reduce these false positives while keeping comparisons focused on non-numeric content.

Add strip_numeric_tokens() to remove digit sequences from normalized names and numeric_tokens() to extract numeric token sequences.
Update find_similar_name_pairs() to skip candidate pairs when both names contain numeric tokens, share the same non-numeric stem, but have different numeric sequences.
Document the numeric-variant filtering behavior in the function docstring and keep all other similarity logic (length pre-filter, SequenceMatcher) unchanged.
No changes to the CLI or output formats were made; markdown and JSON outputs remain the same.

Ran python3 -m py_compile tools/threat_actor_similarity_report.py which succeeded.
Ran python3 tools/threat_actor_similarity_report.py --help | head -n 20 to validate CLI help which printed successfully.
Executed python3 tools/threat_actor_similarity_report.py --max-results 5 --markdown-output /tmp/threat_report.md --json-output /tmp/threat_report.json which produced a report and JSON file, printing analysis summary (reports written) with no errors.

Reduce false matches for numeric threat actor variants

ade4272

adulau added the codex label Apr 12, 2026 — with ChatGPT Codex Connector

adulau merged commit 30e4b8c into main Apr 12, 2026
3 checks passed

Provide feedback