Filter Anomaly
Hugo Soszynski edited this page Sep 18, 2019 · 20 revisions
This filter applies anomaly-detection algorithms to connection data and reports the anomalies it finds in that data.

Filter code: 0x414D4C59

Dependencies:
- armadillo 9.400 or above
- mlpack 3.0.1 or above
Example of darwin configuration for this filter:

```json
{
  "anomaly_1": {
    "exec_path": "/root/darwin/build/darwin_anomaly",
    "config_file": "",
    "output": "LOG",
    "next_filter": "",
    "nb_thread": 1,
    "log_level": "DEBUG",
    "cache_size": 0
  }
}
```

No config file needed.
The request body is a JSON array of clusters; each cluster is an array of rows with the following layout (one source IP followed by five counters):

```
[
  [
    ["<net_src_ip>",<nb_dst_port_udp>,<nb_host_udp>,<nb_dst_port_tcp>,<nb_host_tcp>,<nb_host_icmp>],
    [..]
  ],
  [..]
]
```

Each array provided needs at least 10 lines of data.
Here is an example of a body:
```json
[
  [
    ["223.186.196.122",0,0,1,1,0],
    ["217.253.70.51",0,0,1,1,0],
    ["217.180.33.37",0,0,1,1,0],
    ["217.146.29.75",0,0,1,1,0],
    ["217.138.51.66",0,0,1,1,0],
    ["217.138.44.116",0,0,1,1,0],
    ["217.122.13.56",0,0,1,1,0],
    ["217.89.109.174",0,0,1,1,0],
    ["217.67.225.176",0,0,1,1,0],
    ["217.43.251.0",0,0,1,1,0],
    ["217.41.34.46",0,0,1,1,0],
    ["217.35.214.195",0,0,1,1,0],
    ["217.33.223.186",0,0,1,1,0]
  ],
  [
    ["188.200.17.185",0,0,1,1,0],
    ["188.154.16.134",0,0,1,1,0],
    ["188.92.238.131",0,0,1,1,0],
    ["188.88.0.111",0,0,1,1,0],
    ["188.39.86.226",0,0,1,1,0],
    ["188.29.165.239",0,0,1,1,0],
    ["188.29.164.121",0,0,1,1,0],
    ["188.29.164.1",0,0,1,1,0],
    ["185.253.37.234",0,0,1,1,0],
    ["185.244.25.86",0,0,1,1,0],
    ["185.222.209.42",0,0,1,1,0],
    ["185.189.23.100",0,0,1,1,0]
  ]
]
```

The filter sends back one certitude per cluster, either 0 or 100: 100 when an anomaly is found in that data cluster, 0 otherwise.
For example, the reply for the body shown above could be [0, 100].

If the LOG output is set in the darwin configuration, the body sent by the filter will look like this:
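The following Python snippet is an added example, not code from the Darwin project: it builds a request body in the layout documented above, checks it against the documented constraints (each cluster at least 10 rows, each row an IP followed by five non-negative integer counters) before it is handed to the filter, and maps the reply (one certitude of 0 or 100 per cluster) back onto the clusters that were sent. The `make_cluster` helper, the field names and the sample addresses are constructed for illustration; the only page-given facts are the column order, the 10-row minimum and the 0/100 certitude values.

```python
import json
import ipaddress

# Column layout of one row in the request body, as documented on the page:
# ["<net_src_ip>", nb_dst_port_udp, nb_host_udp, nb_dst_port_tcp, nb_host_tcp, nb_host_icmp]
FIELD_NAMES = ("net_src_ip", "nb_dst_port_udp", "nb_host_udp",
               "nb_dst_port_tcp", "nb_host_tcp", "nb_host_icmp")
MIN_ROWS = 10  # each cluster needs at least 10 lines of data


def validate_row(row):
    """Return None if the row matches the documented layout, else an error string."""
    if not isinstance(row, list) or len(row) != len(FIELD_NAMES):
        return f"expected {len(FIELD_NAMES)} fields, got {row!r}"
    ip, *counters = row
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return f"invalid IP address {ip!r}"
    for name, value in zip(FIELD_NAMES[1:], counters):
        # bool is a subclass of int in Python, so reject it explicitly
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            return f"{name} must be a non-negative integer, got {value!r}"
    return None


def validate_body(body):
    """Validate a whole request body: a list of clusters, each a list of >= MIN_ROWS rows.

    Returns a list of error strings; an empty list means the body is acceptable.
    """
    if not isinstance(body, list) or not body:
        return ["body must be a non-empty list of clusters"]
    errors = []
    for ci, cluster in enumerate(body):
        if not isinstance(cluster, list):
            errors.append(f"cluster {ci}: not a list")
            continue
        if len(cluster) < MIN_ROWS:
            errors.append(f"cluster {ci}: only {len(cluster)} rows, need at least {MIN_ROWS}")
        for ri, row in enumerate(cluster):
            err = validate_row(row)
            if err:
                errors.append(f"cluster {ci} row {ri}: {err}")
    return errors


def interpret_certitudes(body, certitudes):
    """Map the filter's reply (one certitude per cluster, 0 or 100) onto the sent clusters.

    Returns the indices of the clusters flagged as anomalous (certitude 100).
    """
    if len(certitudes) != len(body):
        raise ValueError(f"got {len(certitudes)} certitudes for {len(body)} clusters")
    flagged = []
    for ci, c in enumerate(certitudes):
        if c not in (0, 100):
            raise ValueError(f"cluster {ci}: unexpected certitude {c!r}")
        if c == 100:
            flagged.append(ci)
    return flagged


def make_cluster(prefix, n, counters=(0, 0, 1, 1, 0)):
    """Constructed helper (not part of Darwin): n rows of synthetic addresses under prefix."""
    return [[f"{prefix}.{i // 256}.{i % 256}", *counters] for i in range(n)]


# Constructed sample body: a quiet cluster and one containing a host that reached
# many TCP hosts (counters in body order: udp_port=2, udp_host=16, tcp_port=4, tcp_host=520, icmp=0).
SAMPLE_BODY = [
    make_cluster("10.1", 12),
    make_cluster("10.2", 11) + [["10.2.9.9", 2, 16, 4, 520, 0]],
]

if __name__ == "__main__":
    print(json.dumps(SAMPLE_BODY)[:80] + "...")
    print("errors:", validate_body(SAMPLE_BODY))
    # Reply shape from the page: one certitude per cluster, e.g. [0, 100]
    print("flagged clusters:", interpret_certitudes(SAMPLE_BODY, [0, 100]))
```

Run the check before sending a body: a cluster with fewer than 10 rows or a malformed row is reported with its cluster and row index, which is easier to act on than a rejected request from the filter.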
```json
{
  "evt_id": "<header's_evt_id>",
  "time": "2019-07-31UTC12:54:15+0000",
  "anomaly": {
    "ip": "10.5.22.144",
    "udp_nb_host": 16.000000,
    "udp_nb_port": 2.000000,
    "tcp_nb_host": 520.000000,
    "tcp_nb_port": 4.000000,
    "icmp_nb_host": 0.000000,
    "distance": 624.351380
  }
}
```