Data

Tools

Indexes

Applications

Experiments

Open Source Science

heifip

heiFIP: A tool to convert network traffic into images for ML use cases

https://github.com/stefandeveloper/heifip

Science Score: 49.0%

This score indicates how likely this project is to be science-related based on various indicators:

  • CITATION.cff file
  • codemeta.json file
    Found codemeta.json file
  • .zenodo.json file
    Found .zenodo.json file
  • DOI references
    Found 4 DOI reference(s) in README
  • Academic publication links
    Links to: zenodo.org
  • Academic email domains
  • Institutional organization owner
  • JOSS paper metadata
  • Scientific vocabulary similarity
    Low similarity (15.6%) to scientific vocabulary

Keywords

cybersecurity dataset-generation image-generator machine-learning netflow network-classification packet-analyser pcap pcap-parser python
Last synced: 6 months ago · JSON representation

Repository

heiFIP: A tool to convert network traffic into images for ML use cases

Basic Info
  • Host: GitHub
  • Owner: stefanDeveloper
  • License: eupl-1.2
  • Language: C++
  • Default Branch: main
  • Homepage:
  • Size: 32.1 MB
Statistics
  • Stars: 26
  • Watchers: 1
  • Forks: 4
  • Open Issues: 0
  • Releases: 3
Topics
cybersecurity dataset-generation image-generator machine-learning netflow network-classification packet-analyser pcap pcap-parser python
Created over 3 years ago · Last pushed 8 months ago
Metadata Files
Readme License Citation

README.md

heiFIP Logo

heiFIP stands for Heidelberg Flow Image Processor. It is a tool designed to extract essential parts of packets and convert them into images for deep learning purposes. heiFIP supports different formats and orientations. Currently, we only support offline network data analysis. However, we plan to adapt our library to support online network data too to enable live-probing of models.

Latest Release Version 1.0
Project License License
Citation Citation
Continuous Integration Linux WorkFlows MacOS WorkFlows

Table of Contents

Motivation

The idea to create heiFIP came from working with Deep Learning approaches to classify malware traffic on images. Many papers use image representation of network traffic, but reproducing their results was quite cumbersome. As a result, we found that there is currently no official library that supports reproducible images of network traffic. For this reason, we developed heiFIP to easily create images of network traffic and reproduce ML/DL results. Researchers can use this library as a baseline for their work to enable other researchers to easily recreate their findings.

Main Features

  • Different Images: Currently, we support plain packet to byte representation, and flow to byte representation with one channel each. An image is created with same width and height for a quadratic representation.
    • Flow Images converts a set of packets into an image. It supports the following modifications:
    • Max images dimension allows you to specify the maximum image dimension. If the packet is larger than the specified size, it will cut the remaining pixel.
    • Min image dimesion allows you to specify the minimum image dimension. If the packet is smaller than the specified size, it fills the remaining pixel with 0.
    • Remove duplicates allows you to automatically remove same traffic.
    • Append each flow to each other or write each packet to a new row.
    • Tiled each flow is tiled into a square image representation.
    • Min packets per flow allows you to specify the minimum number of packets per flow. If the total number of packets is too small, no image will be created.
    • Max packets per flow allows you to specify the maximum number of packets per flow. If the total number of packets is too great, the remaining images are discarded.
    • Packet Image converts a single packet into an image.
    • Markov Transition Matrix Image: converts a packet or a flow into a Markov representation.
  • Header processing allows you to customize header fields of different protocols. It aims to remove biasing fields.
  • Remove Payload options allows you to only work on header data.
  • Fast and flexible: The main image precessing is in raw bytes inside the image classes while for the header preprocessing is PcapPlusPlus is used.
  • Machine learning orientation: heiFIP aims to make Deep Learning approaches using network data as images reproducible and deployable. Using heiFIP as a common framework enables researches to test and verify their models.

Examples

| Image Type | Description | Example | |------------|-------------|---------| | Packet | Converts a single packet into a square image. Size depends on the total length | SMB Connection | | Flow | Converts a flow packet into a square image | SMB Connection | | Markov Transition Matrix Packet | Converts a packet into a Markov Transition Matrix. Size is fixed to 16x16. | SMB Connection | | Markov Transition Matrix Flow | Converts a flow into a Markov Transition Matrix. It squares the image based on the number of packets | SMB Connection |

Requirements

  • C++ Compiler: GCC 9.0, Clang 10, or MSVC 2019 with C++17 support.
  • CMake: Version 3.14
  • PcapPlusPlus: Installed systemwide or built locally. (https://github.com/seladb/PcapPlusPlus)
  • OpenSSL: For SHA256 hashing (libcrypto).
  • OpenCV: Version 4.0 for image handling and saving (e.g., cv::imwrite).
  • pthread: POSIX threads (Linux/macOS). Windows users require linking against -lws2_32 and -lIPHLPAPI.
  • libpcap: PCAP Support (Linux/macOS)

Optional:

  • getopt_long: For CLI parsing (provided by libc on Linux/macOS). Windows may need getopt replacement.

Building from source

```bash

Clone this repo

git clone https://github.com/yourusername/heiFIPCpp.git cd heiFIP/heiFIP/

Create build directory

mkdir build && cd build

cmake ..

We highly recommend that locating necessary dependencies is done manually since espically

Pcap Plus Plus is often not installed in standard locations. While we do use scripts to automatically detect

the necessary dependencies if those scripts fail you can specify the paths to the include directories of the header

files aswell as the paths to libaries manually like so. Also do not forget to specify all three of Pcap Plus Plus's

libaries libCommon++, libPacket++, libPcap++. For OpenCV doing this manually while possible, due to number of links

necessary, is very difficult. Since OpenCV is configured for Cmake anyway this is unnecessary anyway. When using macOS

you need to be very careful that the linked libraries are not Intel (x86_64) bottles, since if this happens the code

will still be compiled as ARM64 but dynamically linking against x86_64 .dylib. This forces macOS to convert

back to ARM64 at runtime using Rosetta 2 which encures significant overhead. So if possible use a Linux distribution

cmake .. \ -DCMAKEBUILDTYPE=Release \ -DUSEMANUALPCAPPLUSPLUS=ON \ -DPcapPlusPlusINCLUDEDIRS="/opt/homebrew/Cellar/pcapplusplus/25.05/include" \ -DPcapPlusPlusLIBRARIES="/opt/homebrew/Cellar/pcapplusplus/25.05/lib/libCommon++.a\;/opt/homebrew/Cellar/pcapplusplus/25.05/lib/libPacket++.a\;/opt/homebrew/Cellar/pcapplusplus/25.05/lib/libPcap++.a" \ -DUSEMANUALOPENSSL=ON \ -DOPENSSLINCLUDEDIR="/opt/homebrew/opt/openssl@3/include" \ -DOPENSSLCRYPTO_LIBRARY="/opt/homebrew/opt/openssl@3/lib/libcrypto.a"

Compile

make -j$(nproc)

or

cmake --build build

The executable 'heiFIPCpp' will be produced in build/

```

Getting Started

After installation the command line interface can be used to extract images from pcap files witht he following command bash ./heiFIPCpp \ --name HelloHeiFIP --input /path/to/capture.pcap \ --output /path/to/outdir \ --threads 4 \ --processor HEADER \ --mode FlowImageTiledAuto \ --dim 16 \ --apppend \ --fill 0 \ --min-dim 10 \ --max-dim 2000 \ --min-pkts 10 \ --max-pkts 100 \ --remove-dup

Options

| Flag | Description | | ------------------- | -------------------------------------------------------------- | | -i, --input | Input PCAP file path | | -o, --output | Output directory | | -t, --threads | Number of worker threads (default: 1) | | -p, --processor | Preprocessing: NONE or HEADER | | -m, --mode | Image type: PacketImage, FlowImage, FlowImageTiledFixed, | | | FlowImageTiledAuto, MarkovTransitionMatrixFlow, | | | MarkovTransitionMatrixPacket | | --dim | Base dimension for image (e.g. width/height in pixels) | | --fill | Fill or padding value (0255) | | --cols | Number of columns (for tiled/fixed or Markov flow) | | --auto-dim | Enable autodimension selection (bool) | | --append | Enable autodimension selection (bool) | | --min-dim | Minimum allowed image dimension | | --max-dim | Maximum allowed image dimension | | --min-pkts | Minimum packets per flow (for tiled/flow modes) | | --max-pkts | Maximum packets per flow | | --remove-dup | Remove duplicate flows/packets by hash | | --name | Filname of processed image | | -h, --help | Show this help message |

Extending

To add a new image type:

  1. Define a new ImageArgs struct in extractor.cpp.
  2. Extend the ImageType enum.
  3. Implement the conversion in PacketProcessor::createImageFromPacket().
  4. Update the CLI --mode parser to include your new type.

Publications that use heiFIP

  • S. Machmeier, M. Hoecker, V. Heuveline, "Explainable Artificial Intelligence for Improving a Session-Based Malware Traffic Classification with Deep Learning", in 2023 IEEE Symposium Series on Computational Intelligence (SSCI), Mexico-City, Mexico, 2023. https://doi.org/10.1109/SSCI52147.2023.10371980
  • S. Machmeier, M. Trageser, M. Buchwald, and V. Heuveline, "A generalizable approach for network flow image representation for deep learning", in 2023 7th Cyber Security in Networking Conference (CSNet), Montral, Canada, 2023. https://doi.org/10.1109/CSNet59123.2023.10339761

Authors

The following people contributed to heiFIP:

License

This project is licensed under the EUPL-1.2 License - see the License file for details

Owner

  • Name: Stefan Machmeier
  • Login: stefanDeveloper
  • Kind: user
  • Location: Germany

Doctoral Student at University Heidelberg

GitHub Events

Total
  • Watch event: 8
  • Member event: 1
  • Issue comment event: 3
  • Push event: 19
  • Pull request event: 4
  • Fork event: 1
  • Create event: 2
Last Year
  • Watch event: 8
  • Member event: 1
  • Issue comment event: 3
  • Push event: 19
  • Pull request event: 4
  • Fork event: 1
  • Create event: 2

Issues and Pull Requests

Last synced: 6 months ago

All Time
  • Total issues: 2
  • Total pull requests: 2
  • Average time to close issues: N/A
  • Average time to close pull requests: 10 days
  • Total issue authors: 2
  • Total pull request authors: 2
  • Average comments per issue: 1.5
  • Average comments per pull request: 0.5
  • Merged pull requests: 1
  • Bot issues: 0
  • Bot pull requests: 0
Past Year
  • Issues: 2
  • Pull requests: 1
  • Average time to close issues: N/A
  • Average time to close pull requests: 15 days
  • Issue authors: 2
  • Pull request authors: 1
  • Average comments per issue: 1.5
  • Average comments per pull request: 0.0
  • Merged pull requests: 0
  • Bot issues: 0
  • Bot pull requests: 0
View more stats
Top Authors
Issue Authors
  • stefanDeveloper (1)
  • Corgile (1)
Pull Request Authors
  • stefanDeveloper (3)
  • maxi99manuel99 (1)
Top Labels
Issue Labels
bug (1)
Pull Request Labels
enhancement (3)

Packages

  • Total packages: 1
  • Total downloads:
    • pypi 27 last-month
  • Total dependent packages: 0
  • Total dependent repositories: 0
  • Total versions: 4
  • Total maintainers: 1
pypi.org: heifip

A tool to convert network traffic into images for ML use cases.

  • Homepage: https://github.com/stefanDeveloper/heiFIP
  • Documentation: https://heifip.readthedocs.io/
  • License: EUROPEAN UNION PUBLIC LICENCE v. 1.2 EUPL © the European Union 2007, 2016 This European Union Public Licence (the ‘EUPL’) applies to the Work (as defined below) which is provided under the terms of this Licence. Any use of the Work, other than as authorised under this Licence is prohibited (to the extent such use is covered by a right of the copyright holder of the Work). The Work is provided under the terms of this Licence when the Licensor (as defined below) has placed the following notice immediately following the copyright notice for the Work: Licensed under the EUPL or has expressed by any other means his willingness to license under the EUPL. 1.Definitions In this Licence, the following terms have the following meaning: — ‘The Licence’:this Licence. — ‘The Original Work’:the work or software distributed or communicated by the Licensor under this Licence, available as Source Code and also as Executable Code as the case may be. — ‘Derivative Works’:the works or software that could be created by the Licensee, based upon the Original Work or modifications thereof. This Licence does not define the extent of modification or dependence on the Original Work required in order to classify a work as a Derivative Work; this extent is determined by copyright law applicable in the country mentioned in Article 15. — ‘The Work’:the Original Work or its Derivative Works. — ‘The Source Code’:the human-readable form of the Work which is the most convenient for people to study and modify. — ‘The Executable Code’:any code which has generally been compiled and which is meant to be interpreted by a computer as a program. — ‘The Licensor’:the natural or legal person that distributes or communicates the Work under the Licence. — ‘Contributor(s)’:any natural or legal person who modifies the Work under the Licence, or otherwise contributes to the creation of a Derivative Work. — ‘The Licensee’ or ‘You’:any natural or legal person who makes any usage of the Work under the terms of the Licence. — ‘Distribution’ or ‘Communication’:any act of selling, giving, lending, renting, distributing, communicating, transmitting, or otherwise making available, online or offline, copies of the Work or providing access to its essential functionalities at the disposal of any other natural or legal person. 2.Scope of the rights granted by the Licence The Licensor hereby grants You a worldwide, royalty-free, non-exclusive, sublicensable licence to do the following, for the duration of copyright vested in the Original Work: — use the Work in any circumstance and for all usage, — reproduce the Work, — modify the Work, and make Derivative Works based upon the Work, — communicate to the public, including the right to make available or display the Work or copies thereof to the public and perform publicly, as the case may be, the Work, — distribute the Work or copies thereof, — lend and rent the Work or copies thereof, — sublicense rights in the Work or copies thereof. Those rights can be exercised on any media, supports and formats, whether now known or later invented, as far as the applicable law permits so. In the countries where moral rights apply, the Licensor waives his right to exercise his moral right to the extent allowed by law in order to make effective the licence of the economic rights here above listed. The Licensor grants to the Licensee royalty-free, non-exclusive usage rights to any patents held by the Licensor, to the extent necessary to make use of the rights granted on the Work under this Licence. 3.Communication of the Source Code The Licensor may provide the Work either in its Source Code form, or as Executable Code. If the Work is provided as Executable Code, the Licensor provides in addition a machine-readable copy of the Source Code of the Work along with each copy of the Work that the Licensor distributes or indicates, in a notice following the copyright notice attached to the Work, a repository where the Source Code is easily and freely accessible for as long as the Licensor continues to distribute or communicate the Work. 4.Limitations on copyright Nothing in this Licence is intended to deprive the Licensee of the benefits from any exception or limitation to the exclusive rights of the rights owners in the Work, of the exhaustion of those rights or of other applicable limitations thereto. 5.Obligations of the Licensee The grant of the rights mentioned above is subject to some restrictions and obligations imposed on the Licensee. Those obligations are the following: Attribution right: The Licensee shall keep intact all copyright, patent or trademarks notices and all notices that refer to the Licence and to the disclaimer of warranties. The Licensee must include a copy of such notices and a copy of the Licence with every copy of the Work he/she distributes or communicates. The Licensee must cause any Derivative Work to carry prominent notices stating that the Work has been modified and the date of modification. Copyleft clause: If the Licensee distributes or communicates copies of the Original Works or Derivative Works, this Distribution or Communication will be done under the terms of this Licence or of a later version of this Licence unless the Original Work is expressly distributed only under this version of the Licence — for example by communicating ‘EUPL v. 1.2 only’. The Licensee (becoming Licensor) cannot offer or impose any additional terms or conditions on the Work or Derivative Work that alter or restrict the terms of the Licence. Compatibility clause: If the Licensee Distributes or Communicates Derivative Works or copies thereof based upon both the Work and another work licensed under a Compatible Licence, this Distribution or Communication can be done under the terms of this Compatible Licence. For the sake of this clause, ‘Compatible Licence’ refers to the licences listed in the appendix attached to this Licence. Should the Licensee's obligations under the Compatible Licence conflict with his/her obligations under this Licence, the obligations of the Compatible Licence shall prevail. Provision of Source Code: When distributing or communicating copies of the Work, the Licensee will provide a machine-readable copy of the Source Code or indicate a repository where this Source will be easily and freely available for as long as the Licensee continues to distribute or communicate the Work. Legal Protection: This Licence does not grant permission to use the trade names, trademarks, service marks, or names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the copyright notice. 6.Chain of Authorship The original Licensor warrants that the copyright in the Original Work granted hereunder is owned by him/her or licensed to him/her and that he/she has the power and authority to grant the Licence. Each Contributor warrants that the copyright in the modifications he/she brings to the Work are owned by him/her or licensed to him/her and that he/she has the power and authority to grant the Licence. Each time You accept the Licence, the original Licensor and subsequent Contributors grant You a licence to their contributions to the Work, under the terms of this Licence. 7.Disclaimer of Warranty The Work is a work in progress, which is continuously improved by numerous Contributors. It is not a finished work and may therefore contain defects or ‘bugs’ inherent to this type of development. For the above reason, the Work is provided under the Licence on an ‘as is’ basis and without warranties of any kind concerning the Work, including without limitation merchantability, fitness for a particular purpose, absence of defects or errors, accuracy, non-infringement of intellectual property rights other than copyright as stated in Article 6 of this Licence. This disclaimer of warranty is an essential part of the Licence and a condition for the grant of any rights to the Work. 8.Disclaimer of Liability Except in the cases of wilful misconduct or damages directly caused to natural persons, the Licensor will in no event be liable for any direct or indirect, material or moral, damages of any kind, arising out of the Licence or of the use of the Work, including without limitation, damages for loss of goodwill, work stoppage, computer failure or malfunction, loss of data or any commercial damage, even if the Licensor has been advised of the possibility of such damage. However, the Licensor will be liable under statutory product liability laws as far such laws apply to the Work. 9.Additional agreements While distributing the Work, You may choose to conclude an additional agreement, defining obligations or services consistent with this Licence. However, if accepting obligations, You may act only on your own behalf and on your sole responsibility, not on behalf of the original Licensor or any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against such Contributor by the fact You have accepted any warranty or additional liability. 10.Acceptance of the Licence The provisions of this Licence can be accepted by clicking on an icon ‘I agree’ placed under the bottom of a window displaying the text of this Licence or by affirming consent in any other similar way, in accordance with the rules of applicable law. Clicking on that icon indicates your clear and irrevocable acceptance of this Licence and all of its terms and conditions. Similarly, you irrevocably accept this Licence and all of its terms and conditions by exercising any rights granted to You by Article 2 of this Licence, such as the use of the Work, the creation by You of a Derivative Work or the Distribution or Communication by You of the Work or copies thereof. 11.Information to the public In case of any Distribution or Communication of the Work by means of electronic communication by You (for example, by offering to download the Work from a remote location) the distribution channel or media (for example, a website) must at least provide to the public the information requested by the applicable law regarding the Licensor, the Licence and the way it may be accessible, concluded, stored and reproduced by the Licensee. 12.Termination of the Licence The Licence and the rights granted hereunder will terminate automatically upon any breach by the Licensee of the terms of the Licence. Such a termination will not terminate the licences of any person who has received the Work from the Licensee under the Licence, provided such persons remain in full compliance with the Licence. 13.Miscellaneous Without prejudice of Article 9 above, the Licence represents the complete agreement between the Parties as to the Work. If any provision of the Licence is invalid or unenforceable under applicable law, this will not affect the validity or enforceability of the Licence as a whole. Such provision will be construed or reformed so as necessary to make it valid and enforceable. The European Commission may publish other linguistic versions or new versions of this Licence or updated versions of the Appendix, so far this is required and reasonable, without reducing the scope of the rights granted by the Licence. New versions of the Licence will be published with a unique version number. All linguistic versions of this Licence, approved by the European Commission, have identical value. Parties can take advantage of the linguistic version of their choice. 14.Jurisdiction Without prejudice to specific agreement between parties, — any litigation resulting from the interpretation of this License, arising between the European Union institutions, bodies, offices or agencies, as a Licensor, and any Licensee, will be subject to the jurisdiction of the Court of Justice of the European Union, as laid down in article 272 of the Treaty on the Functioning of the European Union, — any litigation arising between other parties and resulting from the interpretation of this License, will be subject to the exclusive jurisdiction of the competent court where the Licensor resides or conducts its primary business. 15.Applicable Law Without prejudice to specific agreement between parties, — this Licence shall be governed by the law of the European Union Member State where the Licensor has his seat, resides or has his registered office, — this licence shall be governed by Belgian law if the Licensor has no seat, residence or registered office inside a European Union Member State. Appendix ‘Compatible Licences’ according to Article 5 EUPL are: — GNU General Public License (GPL) v. 2, v. 3 — GNU Affero General Public License (AGPL) v. 3 — Open Software License (OSL) v. 2.1, v. 3.0 — Eclipse Public License (EPL) v. 1.0 — CeCILL v. 2.0, v. 2.1 — Mozilla Public Licence (MPL) v. 2 — GNU Lesser General Public Licence (LGPL) v. 2.1, v. 3 — Creative Commons Attribution-ShareAlike v. 3.0 Unported (CC BY-SA 3.0) for works other than software — European Union Public Licence (EUPL) v. 1.1, v. 1.2 — Québec Free and Open-Source Licence — Reciprocity (LiLiQ-R) or Strong Reciprocity (LiLiQ-R+). The European Commission may update this Appendix to later versions of the above licences without producing a new version of the EUPL, as long as they provide the rights granted in Article 2 of this Licence and protect the covered Source Code from exclusive appropriation. All other changes or additions to this Appendix require the production of a new EUPL version.
  • Latest release: 1.1.1
    published over 2 years ago
  • Versions: 4
  • Dependent Packages: 0
  • Dependent Repositories: 0
  • Downloads: 27 Last month
Rankings
Dependent packages count: 7.0%
Forks count: 23.3%
Average: 25.1%
Dependent repos count: 30.5%
Stargazers count: 39.5%
Maintainers (1)
mrx8
Last synced: 6 months ago

Dependencies

requirements.txt pypi
  • image ==1.5.33
  • numpy ==1.23.1
  • pandas ==1.4.3
  • scapy ==2.4.5
.github/workflows/build_test_linux.yml actions
  • actions/cache v3 composite
  • actions/checkout v3 composite
  • actions/setup-python v4 composite
.github/workflows/build_test_macos.yml actions
  • actions/cache v3 composite
  • actions/checkout v3 composite
  • actions/setup-python v4 composite
.github/workflows/build_test_windows.yml actions
  • actions/checkout v3 composite
  • actions/setup-python v4 composite
  • msys2/setup-msys2 v2 composite
.github/workflows/build_wheel_publish.yml actions
  • actions/checkout v3 composite
  • actions/setup-python v3 composite
  • pypa/gh-action-pypi-publish 27b31702a0e7fc50959f5ad993c78deac1bdfc29 composite
pyproject.toml pypi