zeek_anomaly_detector

A completely automated anomaly detector for Zeek network flow files (conn.log).

https://github.com/stratosphereips/zeek_anomaly_detector

Science Score: 44.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
    Found CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
  • Academic publication links
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (7.0%) to scientific vocabulary

Keywords

anomaly-detection ids intrusion-detection network-security python zeek zeek-analysis zeek-ids
Last synced: 6 months ago

Repository

A completely automated anomaly detector for Zeek network flow files (conn.log).

Basic Info
  • Host: GitHub
  • Owner: stratosphereips
  • License: gpl-2.0
  • Language: Python
  • Default Branch: main
  • Homepage:
  • Size: 1.29 MB
Statistics
  • Stars: 83
  • Watchers: 5
  • Forks: 33
  • Open Issues: 6
  • Releases: 2
Topics
anomaly-detection ids intrusion-detection network-security python zeek zeek-analysis zeek-ids
Created over 6 years ago · Last pushed 7 months ago
Metadata Files
Readme Contributing License Citation

README.md

zeek_anomaly_detector

An anomaly detector for conn.log files produced by Zeek (formerly Bro). It uses the Zeek Analysis Tools (ZAT) to load the file and PyOD models to score the flows. It is completely automated: give it the file and it will output the anomalous flows. By default it uses the PCA model.

Performance

Using the PCA model the zeek_anomaly_detector.py is capable of training and testing 6.3 million flow lines in 11 minutes.

Usage

```bash
$ time ./zeek_anomaly_detector.py -a 20 -f dataset/001-zeek-scenario-malicious/conn.log
Simple Anomaly Detector for Zeek conn.log files. Version: 0.2
Author: Sebastian Garcia (eldraco@gmail.com), Veronica Valeros (vero.valeros@gmail.com)

Flows of the top anomalies
       id.orig_h      id.orig_p  id.resp_h       id.resp_p  proto  service  duration         orig_bytes  resp_bytes  orig_pkts  orig_ip_bytes  resp_pkts  resp_ip_bytes  durationsec  score
24482  192.168.1.125  53510      87.236.19.168   80         tcp    http     00:05:33.102728  108         2455407     593        23852          1686       2524319        333.102728   3.091147e+07
109    192.168.1.125  49188      201.232.32.124  443        tcp    ssl      00:02:08.617586  79809       2544        78         84351          55         4828           128.617586   2.377891e+07
35031  192.168.1.125  62788      192.157.238.15  447        tcp    ssl      00:01:06.384740  522         611151      295        16506          444        655203         66.384740    8.334937e+06
28096  192.168.1.125  56689      5.172.34.138    447        tcp    ssl      00:02:45.920620  506         608558      336        16309          446        639202         165.920620   8.262826e+06
28460  192.168.1.125  57002      5.172.34.138    447        tcp    ssl      00:02:23.709549  469         608336      328        16359          436        631468         143.709549   8.180498e+06
26385  192.168.1.125  55173      217.31.111.153  447        tcp    ssl      00:01:08.363216  783         630568      239        11475          442        648260         68.363216    8.095119e+06
29848  192.168.1.125  58222      91.219.28.14    447        tcp    ssl      00:01:05.301758  506         611151      152        6598           437        628643         65.301758    7.728219e+06
33329  192.168.1.125  61298      151.80.84.3     447        tcp    ssl      00:01:05.182020  506         611151      135        5918           428        628283         65.182020    7.658844e+06
31604  192.168.1.125  59773      151.80.84.3     447        tcp    ssl      00:01:05.181878  506         611151      128        5638           428        628283         65.181878    7.652506e+06
819    192.168.1.125  49417      84.42.159.138   443        tcp    ssl      00:01:57.329889  24618       4215        45         26454          31         5691           117.329889   7.261139e+06
1307   192.168.1.125  49574      200.116.206.58  443        tcp    ssl      00:02:05.574474  24618       4199        43         26350          42         5891           125.574474   7.252795e+06
318    192.168.1.125  49258      36.66.107.162   443        tcp    ssl      00:02:09.694961  24602       4199        42         26294          51         6251           129.694961   7.248093e+06
563    192.168.1.125  49336      200.116.206.58  443        tcp    ssl      00:01:58.684675  24597       4162        40         26209          38         5694           118.684675   7.229915e+06
1058   192.168.1.125  49496      203.92.62.46    443        tcp    ssl      00:01:58.581551  24565       4162        40         26177          39         5734           118.581551   7.220959e+06
57     192.168.1.125  49170      190.138.249.45  443        tcp    ssl      00:02:12.193263  23903       73195       62         26391          93         76923          132.193263   7.217059e+06
24688  192.168.1.125  53673      217.31.111.153  447        tcp    ssl      00:01:08.831043  783         553108      197        9131           389        570140         68.831043    7.058567e+06
2591   192.168.1.125  50637      203.92.62.46    447        tcp    ssl      00:01:14.004751  751         548447      184        8639           385        563859         74.004751    6.971375e+06
9436   192.168.1.125  56618      203.92.62.46    447        tcp    ssl      00:01:10.099220  751         553092      151        6803           389        568664         70.099220    6.969540e+06
7799   192.168.1.125  55150      203.92.62.46    447        tcp    ssl      00:01:12.834688  751         548447      182        8439           385        563859         72.834688    6.963647e+06
4557   192.168.1.125  52200      203.92.62.46    447        tcp    ssl      00:01:12.101060  751         548447      167        7875           385        563859         72.101060    6.942839e+06

real 0m4.972s
user 0m3.540s
sys  0m0.581s
```
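The README describes the pipeline (load conn.log, build a numeric feature vector per flow, score with a PCA model, print the top anomalies) but does not show it. The following is an added, self-contained example written for this page, not code from the zeek_anomaly_detector project: it parses a constructed Zeek conn.log using only the standard library, extracts the same numeric columns that appear in the output table above, and ranks flows by a ridge-regularised Mahalanobis distance, which is the PCA anomaly score taken over all components (squared projections weighted by the inverse eigenvalues). The stand-ins for ZAT and PyOD, the feature list, and the sample flows (uids `ANOMALY` and `UNSET`) are all assumptions of this example.

```python
"""Minimal Zeek conn.log anomaly scorer (standard library only).

Added example, not the project's code. It replaces the ZAT loader with a
small conn.log parser and the PyOD PCA model with a Mahalanobis score
(equivalent to PCA reconstruction weighted by 1/eigenvalue over all components).
"""
import random

# Numeric conn.log columns used as the feature vector (assumption of this
# example; they are the numeric columns shown in the README's output table).
FEATURES = ["duration", "orig_bytes", "resp_bytes", "orig_pkts",
            "orig_ip_bytes", "resp_pkts", "resp_ip_bytes"]

# Zeek ASCII log header: '#separator \x09' is written literally, later
# header lines are tab-separated, '-' marks an unset field.
ZEEK_HEADER = (
    "#separator \\x09\n#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n"
    "#path\tconn\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\t"
    "duration\torig_bytes\tresp_bytes\tconn_state\tmissed_bytes\thistory\torig_pkts\t"
    "orig_ip_bytes\tresp_pkts\tresp_ip_bytes\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tenum\tstring\tinterval\tcount\t"
    "count\tstring\tcount\tstring\tcount\tcount\tcount\tcount\n"
)


def make_sample_conn_log(n_normal=40, seed=7):
    """Constructed conn.log text: n_normal short HTTPS flows, one long
    high-volume flow (uid ANOMALY) and one half-open flow with unset fields (uid UNSET)."""
    rng = random.Random(seed)
    rows = []
    for i in range(n_normal):
        dur = round(rng.uniform(0.05, 2.0), 6)
        op, rp = rng.randint(5, 30), rng.randint(5, 40)
        ob, rb = rng.randint(300, 3000), rng.randint(1000, 20000)
        rows.append(f"{1600000000 + i}\tC{i:04d}\t192.168.1.125\t{49152 + i}\t"
                    f"203.0.113.{rng.randint(1, 200)}\t443\ttcp\tssl\t{dur}\t{ob}\t{rb}\t"
                    f"SF\t0\tShADadFf\t{op}\t{ob + 52 * op + rng.randint(0, 40)}\t"
                    f"{rp}\t{rb + 52 * rp + rng.randint(0, 40)}")
    rows.append("1600000100\tANOMALY\t192.168.1.125\t53510\t198.51.100.7\t447\ttcp\tssl\t"
                "333.102728\t506\t611151\tSF\t0\tShADadFf\t295\t16506\t444\t655203")
    rows.append("1600000101\tUNSET\t192.168.1.125\t53511\t198.51.100.8\t447\ttcp\t-\t"
                "-\t-\t-\tS0\t0\tS\t1\t52\t0\t0")
    return ZEEK_HEADER + "\n".join(rows) + "\n"


def parse_conn_log(text):
    """Parse Zeek's ASCII conn.log: '#fields' names the columns, other '#'
    lines are metadata, '-' is an unset value (returned as None)."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            values = line.split("\t")
            if fields is None or len(values) != len(fields):
                continue  # skip malformed rows instead of misaligning columns
            records.append({k: (None if v == "-" else v) for k, v in zip(fields, values)})
    return records


def feature_vector(rec):
    """Numeric features; unset fields count as 0.0 (a choice made in this example)."""
    return [float(rec[f]) if rec.get(f) is not None else 0.0 for f in FEATURES]


def _invert(m, ridge=1e-6):
    """Gauss-Jordan inverse with a small ridge on the diagonal so that
    near-collinear features (ip_bytes vs bytes+pkts) do not blow up."""
    n = len(m)
    a = [[m[i][j] + (ridge if i == j else 0.0) for j in range(n)]
         + [1.0 if i == j else 0.0 for j in range(n)] for i in range(n)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(a[r][col]))
        a[col], a[pivot] = a[pivot], a[col]
        p = a[col][col]
        a[col] = [x / p for x in a[col]]
        for r in range(n):
            if r != col and a[r][col] != 0.0:
                f = a[r][col]
                a[r] = [x - f * y for x, y in zip(a[r], a[col])]
    return [row[n:] for row in a]


def score_flows(records):
    """Standardise the features, then rank flows by squared Mahalanobis
    distance from the bulk. Returns [(uid, score)] sorted descending."""
    X = [feature_vector(r) for r in records]
    n, p = len(X), len(FEATURES)
    means = [sum(row[j] for row in X) / n for j in range(p)]
    stds = [max((sum((row[j] - means[j]) ** 2 for row in X) / n) ** 0.5, 1e-12)
            for j in range(p)]
    Z = [[(row[j] - means[j]) / stds[j] for j in range(p)] for row in X]
    cov = [[sum(z[i] * z[j] for z in Z) / (n - 1) for j in range(p)] for i in range(p)]
    inv = _invert(cov)
    scored = [(rec["uid"], sum(z[i] * inv[i][j] * z[j] for i in range(p) for j in range(p)))
              for rec, z in zip(records, Z)]
    return sorted(scored, key=lambda t: t[1], reverse=True)


def top_anomalies(text, top_n=5):
    """Equivalent of '-a N': parse the log and return the N highest-scoring flows."""
    return score_flows(parse_conn_log(text))[:top_n]


if __name__ == "__main__":
    for uid, score in top_anomalies(make_sample_conn_log(), top_n=5):
        print(f"{uid:<10} {score:10.3f}")
```

As in the real tool, the model is fitted on the same file it scores, so a single gross outlier inflates the variance along its own direction; the Mahalanobis score still ranks it first because it weights each direction by the inverse variance, but on a file where most flows are malicious (the scenario in the README's output) the "normal" bulk is itself the attack traffic, which is why such results should be read per file rather than as absolute scores.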

Installation

Docker

The zeek_anomaly_detector has a public Docker image with the latest version:

```bash
docker run --rm -it stratosphereips/zeek_anomaly_detector:latest python3 zeek_anomaly_detector.py -f dataset/001-zeek-scenario-malicious/conn.log
```

Mount the local datasets into the container to run the zeek_anomaly_detector on them:

```bash
docker run -v /full/path/to/logs/:/zeek_anomaly_detector/dataset --rm -it stratosphereips/zeek_anomaly_detector:latest python3 zeek_anomaly_detector.py -f dataset/001-zeek-scenario-malicious/conn.log
```

Source

Clone the repository with the submodules:

```bash
git clone --recurse-submodules --remote-submodules https://github.com/stratosphereips/zeek_anomaly_detector
```

Please install the following dependencies:

- pyod: PyOD is a comprehensive and scalable Python toolkit for detecting outlying objects in multivariate data.

Install with pip:

```bash
pip install pyod
```

Contribute

Create an issue or PR and we will process it.

Authors

This project was created by Sebastian Garcia and Veronica Valeros at the Stratosphere Research Laboratory, AIC, FEE, Czech Technical University in Prague.

Owner

  • Name: Stratosphere IPS
  • Login: stratosphereips
  • Kind: organization
  • Location: Prague

Cybersecurity Research Laboratory at the Czech Technical University in Prague. Creators of Slips, a free software machine learning-based behavioral IDS/IPS.

Citation (CITATION.cff)

cff-version: 1.2.0
title: >-
  Domain Analyzer: Analyze the security of any domain by finding all the information possible.
message: 'If you use this software, please cite it as below.'
type: software
authors:
  - given-names: Sebastian
    family-names: Garcia
    email: sebastian.garcia@agents.fel.cvut.cz
    affiliation: >-
      Stratosphere Laboratory, AIC, FEL, Czech
      Technical University in Prague
    orcid: 'https://orcid.org/0000-0001-6238-9910'
  - given-names: Veronica
    family-names: Valeros
    email: valerver@fel.cvut.cz
    affiliation: >-
      Stratosphere Laboratory, AIC, FEL, Czech
      Technical University in Prague
    orcid: 'https://orcid.org/0000-0003-2554-3231'

GitHub Events

Total
  • Watch event: 10
  • Issue comment event: 2
  • Push event: 1
  • Fork event: 1
  • Create event: 2
Last Year
  • Watch event: 10
  • Issue comment event: 2
  • Push event: 1
  • Fork event: 1
  • Create event: 2

Dependencies

.github/workflows/docker-image.yml actions
  • 8398a7/action-slack v3 composite
  • actions/checkout v2 composite
  • docker/build-push-action v2 composite
  • docker/login-action v1 composite
  • docker/metadata-action v4 composite
Dockerfile docker
  • python 3.9-slim build
requirements.txt pypi
  • pyod *
  • zat *
.github/workflows/autotag.yml actions
  • actions/checkout v2 composite
  • anothrNick/github-tag-action 1.36.0 composite
.github/workflows/python-checks.yml actions
  • actions/checkout v3 composite
  • actions/setup-python v4 composite