author | Luca Deri <deri@ntop.org> | 2019-12-09 00:11:32 +0100 |
committer | Luca Deri <deri@ntop.org> | 2019-12-09 00:11:32 +0100 |
commit | 23b0b8625d1f20596b2b20a149fb28c38046f4e1 (patch) | |
tree | 18fd529aa36a7fadf27fadc17a6d445a32b65043 | |
parent | 558983c99c274c122f0deb6f2e29d5eb0594a373 (diff) |
Minor changes to the IDS score calculation
-rw-r--r-- | example/Makefile.in | 2 | ||||
-rw-r--r-- | example/intrusion_detection.c | 833 | ||||
-rw-r--r-- | example/intrusion_detection.h | 42 | ||||
-rw-r--r-- | example/ndpiReader.c | 15 |
4 files changed, 472 insertions, 420 deletions
diff --git a/example/Makefile.in b/example/Makefile.in
index 2b3432591..225e5681c 100644
--- a/example/Makefile.in
+++ b/example/Makefile.in
@@ -3,7 +3,7 @@ CXX=@CXX@
 CFLAGS=-g -I../src/include @CFLAGS@
 LIBNDPI=../src/lib/libndpi.a
 LDFLAGS=$(LIBNDPI) @PCAP_LIB@ -lpthread -lm @LDFLAGS@
-OBJS=ndpiReader.o reader_util.o
+OBJS=ndpiReader.o reader_util.o intrusion_detection.o
 PREFIX?=@prefix@
 
 all: ndpiReader @DPDK_TARGET@
diff --git a/example/intrusion_detection.c b/example/intrusion_detection.c
index 216432e8f..5c83b5b8e 100644
--- a/example/intrusion_detection.c
+++ b/example/intrusion_detection.c
@@ -1,28 +1,51 @@ +/* + * intrusion_detection.c + * + * Copyright (C) 2011-19 - ntop.org + * + * This file is part of nDPI, an open source deep packet inspection + * library based on the OpenDPI and PACE technology by ipoque GmbH + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see <http://www.gnu.org/licenses/>. + * + */ + #include "intrusion_detection.h" double normalize(ndpi_norm_value* tresholds){ - if(tresholds->upper_bound != tresholds->lower_bound){ + if(tresholds->upper_bound != tresholds->lower_bound){ tresholds->norm_value = (tresholds->value - tresholds->lower_bound) / (tresholds->upper_bound - tresholds->lower_bound); + }else{ + if(tresholds->value > tresholds->upper_bound){ + tresholds->norm_value = 1 + (tresholds->value - tresholds->lower_bound) / tresholds->upper_bound; }else{ - if(tresholds->value > tresholds->upper_bound){ - tresholds->norm_value = 1 + (tresholds->value - tresholds->lower_bound) / tresholds->upper_bound; - }else{ - tresholds->norm_value = 1 - (tresholds->value - tresholds->lower_bound) / tresholds->upper_bound; - } - - } - if(tresholds->norm_value >= 0){ - return tresholds->norm_value * tresholds->weight; - } - else{ - return (1 - tresholds->norm_value) * tresholds->weight; + tresholds->norm_value = 1 - (tresholds->value - tresholds->lower_bound) / tresholds->upper_bound; } + + } + if(tresholds->norm_value >= 0){ + return tresholds->norm_value * tresholds->weight; + } + 
else{ + return (1 - tresholds->norm_value) * tresholds->weight; + } } double get_flow_score(ndpi_norm_value* scores, int n_metrics){ double flow_score = 0; for(int i=0; i<n_metrics; i++){ - flow_score += normalize(&scores[i]); + flow_score += normalize(&scores[i]); } return flow_score; } 
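Review bot: normalize() still divides by `tresholds->upper_bound` in the fallback taken when `upper_bound == lower_bound`, so a threshold whose bounds are both 0 yields inf or NaN, which get_flow_score() then sums straight into the flow score. None of the tables in this commit hit that case, but the function is declared in intrusion_detection.h for general use and nothing states the precondition; guarding the degenerate scale first, `if(tresholds->upper_bound == 0){ tresholds->norm_value = 0; return 0; }` (or whatever contribution the model intends for an unscalable metric), would keep NaN out of the sum. A header comment is also missing: norm_value is deliberately not clamped, a value beyond the bounds contributes more than its weight, and the `< 1` benign test in ndpiReader.c depends on that, so `/* Not clamped on purpose: a metric outside [lower_bound, upper_bound] pushes the flow score past 1, which callers treat as an attack indicator */` would stop the next reader from "fixing" it. The negative branch returning `(1 - norm_value) * weight` is the same idea for values below lower_bound and deserves the same sentence.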
@@ -30,416 +53,416 @@ double get_flow_score(ndpi_norm_value* scores, int n_metrics){ /* ********************************** */ double Ddos_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* pktlen_c_to_s_avg */ - int i = 0; - scores[i].lower_bound = 70.0; - scores[i].upper_bound = 263.4799999999999; - scores[i].weight = 0.21257330032661592; - scores[i].value = ndpi_data_average(flow->pktlen_c_to_s); - - /* pktlen_s_to_c_max */ - i++; - scores[i].lower_bound = 90.0; - scores[i].upper_bound = 2974.0; - scores[i].weight = 0.21073785073559176; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 72.7; - scores[i].upper_bound = 1130.4199999999996; - scores[i].weight = 0.21257330032661592; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_stddev */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 906.0; - scores[i].weight = 0.20990954527912953; - scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c); - - /* fin */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.07710300166602348; - scores[i].value = flow->fin_count; - - /* s_to_c_fin */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.07710300166602348; - scores[i].value = flow->dst2src_fin_count; - - // sum = 1.0 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; + double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; + int n_metrics = 6; + ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); + /* pktlen_c_to_s_avg */ + int i = 0; + scores[i].lower_bound = 70.0; + scores[i].upper_bound = 263.4799999999999; + scores[i].weight = 0.21257330032661592; + scores[i].value = 
ndpi_data_average(flow->pktlen_c_to_s); + + /* pktlen_s_to_c_max */ + i++; + scores[i].lower_bound = 90.0; + scores[i].upper_bound = 2974.0; + scores[i].weight = 0.21073785073559176; + scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); + + /* pktlen_s_to_c_avg */ + i++; + scores[i].lower_bound = 72.7; + scores[i].upper_bound = 1130.4199999999996; + scores[i].weight = 0.21257330032661592; + scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); + + /* pktlen_s_to_c_stddev */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 906.0; + scores[i].weight = 0.20990954527912953; + scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c); + + /* fin */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 2.0; + scores[i].weight = 0.07710300166602348; + scores[i].value = flow->fin_count; + + /* s_to_c_fin */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 2.0; + scores[i].weight = 0.07710300166602348; + scores[i].value = flow->dst2src_fin_count; + + // sum = 1.0 + double flow_score = get_flow_score(scores, n_metrics); + free(scores); + return flow_score; } double Dos_goldeneye_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* pktlen_s_to_c_max */ - int i = 0; - scores[i].lower_bound = 74.0; - scores[i].upper_bound = 3292.6699999999764; - scores[i].weight = 0.3123007140611667; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - /* pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 68.7; - scores[i].upper_bound = 1354.0569999999987; - scores[i].weight = 0.23802038891633356; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_stddev */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 959.4469999999993; - scores[i].weight = 0.3111779763775991; - scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c); - - /* syn */ - 
i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.0464364305923564; - scores[i].value = flow->syn_count; - - /* c_to_s_syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 1.0; - scores[i].weight = 0.04562805946018772; - scores[i].value = flow->src2dst_syn_count; - - /* s_to_c_syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.0464364305923564; - scores[i].value = flow->dst2src_syn_count; - - // sum = 0.9999999999999998 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; + double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; + int n_metrics = 6; + ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); + /* pktlen_s_to_c_max */ + int i = 0; + scores[i].lower_bound = 74.0; + scores[i].upper_bound = 3292.6699999999764; + scores[i].weight = 0.3123007140611667; + scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); + /* pktlen_s_to_c_avg */ + i++; + scores[i].lower_bound = 68.7; + scores[i].upper_bound = 1354.0569999999987; + scores[i].weight = 0.23802038891633356; + scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); + + /* pktlen_s_to_c_stddev */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 959.4469999999993; + scores[i].weight = 0.3111779763775991; + scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c); + + /* syn */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 2.0; + scores[i].weight = 0.0464364305923564; + scores[i].value = flow->syn_count; + + /* c_to_s_syn */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 1.0; + scores[i].weight = 0.04562805946018772; + scores[i].value = flow->src2dst_syn_count; + + /* s_to_c_syn */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 2.0; + scores[i].weight = 0.0464364305923564; + scores[i].value = flow->dst2src_syn_count; + + // sum = 0.9999999999999998 + double 
flow_score = get_flow_score(scores, n_metrics); + free(scores); + return flow_score; } double Dos_hulk_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* duration */ - int i = 0; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 539.40668006422; - scores[i].weight = 0.16666666666666666; - scores[i].value = (l - f); - - /* src2dst_packets */ - i++; - scores[i].lower_bound = 2.0; - scores[i].upper_bound = 41.0; - scores[i].weight = 0.16666666666666666; - scores[i].value = flow->src2dst_packets; - - /* dst2src_packets */ - i++; - scores[i].lower_bound = 2.0; - scores[i].upper_bound = 45.0; - scores[i].weight = 0.16666666666666666; - scores[i].value = flow->dst2src_packets; - - /* src2dst_bytes */ - i++; - scores[i].lower_bound = 146.0; - scores[i].upper_bound = 6306.300000000001; - scores[i].weight = 0.16666666666666666; - scores[i].value = flow->src2dst_bytes; - - /* ack */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 82.0; - scores[i].weight = 0.16666666666666666; - scores[i].value = flow->ack_count; - - /* syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.16666666666666666; - scores[i].value = flow->syn_count; - - // sum = 0.9999999999999999 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; + double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; + int n_metrics = 6; + ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); + /* duration */ + int i = 0; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 539.40668006422; + scores[i].weight = 0.16666666666666666; + scores[i].value = (l - f); + + /* src2dst_packets */ + i++; + scores[i].lower_bound = 2.0; + scores[i].upper_bound = 41.0; + scores[i].weight = 0.16666666666666666; + 
scores[i].value = flow->src2dst_packets; + + /* dst2src_packets */ + i++; + scores[i].lower_bound = 2.0; + scores[i].upper_bound = 45.0; + scores[i].weight = 0.16666666666666666; + scores[i].value = flow->dst2src_packets; + + /* src2dst_bytes */ + i++; + scores[i].lower_bound = 146.0; + scores[i].upper_bound = 6306.300000000001; + scores[i].weight = 0.16666666666666666; + scores[i].value = flow->src2dst_bytes; + + /* ack */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 82.0; + scores[i].weight = 0.16666666666666666; + scores[i].value = flow->ack_count; + + /* syn */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 2.0; + scores[i].weight = 0.16666666666666666; + scores[i].value = flow->syn_count; + + // sum = 0.9999999999999999 + double flow_score = get_flow_score(scores, n_metrics); + free(scores); + return flow_score; } double Dos_slow_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* pktlen_s_to_c_max */ - int i = 0; - scores[i].lower_bound = 90.0; - scores[i].upper_bound = 3135.0; - scores[i].weight = 0.1760747755022144; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 80.37100000000001; - scores[i].upper_bound = 1292.5900000000008; - scores[i].weight = 0.17600137023171597; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* dst2src_bytes */ - i++; - scores[i].lower_bound = 262.0; - scores[i].upper_bound = 53227.80000000002; - scores[i].weight = 0.16919914849886225; - scores[i].value = flow->dst2src_bytes; - - /* syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.168000195747388; - scores[i].value = flow->syn_count; - - /* c_to_s_syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 1.0; - scores[i].weight = 
0.14272431427243143; - scores[i].value = flow->src2dst_syn_count; - - /* s_to_c_syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.168000195747388; - scores[i].value = flow->dst2src_syn_count; - - // sum = 1.0 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; + double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; + int n_metrics = 6; + ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); + /* pktlen_s_to_c_max */ + int i = 0; + scores[i].lower_bound = 90.0; + scores[i].upper_bound = 3135.0; + scores[i].weight = 0.1760747755022144; + scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); + + /* pktlen_s_to_c_avg */ + i++; + scores[i].lower_bound = 80.37100000000001; + scores[i].upper_bound = 1292.5900000000008; + scores[i].weight = 0.17600137023171597; + scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); + + /* dst2src_bytes */ + i++; + scores[i].lower_bound = 262.0; + scores[i].upper_bound = 53227.80000000002; + scores[i].weight = 0.16919914849886225; + scores[i].value = flow->dst2src_bytes; + + /* syn */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 2.0; + scores[i].weight = 0.168000195747388; + scores[i].value = flow->syn_count; + + /* c_to_s_syn */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 1.0; + scores[i].weight = 0.14272431427243143; + scores[i].value = flow->src2dst_syn_count; + + /* s_to_c_syn */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 2.0; + scores[i].weight = 0.168000195747388; + scores[i].value = flow->dst2src_syn_count; + + // sum = 1.0 + double flow_score = get_flow_score(scores, n_metrics); + free(scores); + return flow_score; } double Ftp_patator_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * 
sizeof(ndpi_norm_value)); - /* iat_flow_min */ - int i = 0; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 24.0; - scores[i].weight = 0.002732919254658385; - scores[i].value = ndpi_data_min(flow->iat_flow); - - /* pktlen_s_to_c_max */ - i++; - scores[i].lower_bound = 90.0; - scores[i].upper_bound = 3393.0; - scores[i].weight = 0.007453416149068323; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 81.3; - scores[i].upper_bound = 1315.021; - scores[i].weight = 0.9833540372670807; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* dst2src_bytes */ - i++; - scores[i].lower_bound = 256.0; - scores[i].upper_bound = 56434.0; - scores[i].weight = 0.0034782608695652175; - scores[i].value = flow->dst2src_bytes; - - /* fin */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.0014906832298136647; - scores[i].value = flow->fin_count; - - /* rst */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.0014906832298136647; - scores[i].value = flow->rst_count; - - // sum = 1.0 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; + double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; + int n_metrics = 6; + ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); + /* iat_flow_min */ + int i = 0; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 24.0; + scores[i].weight = 0.002732919254658385; + scores[i].value = ndpi_data_min(flow->iat_flow); + + /* pktlen_s_to_c_max */ + i++; + scores[i].lower_bound = 90.0; + scores[i].upper_bound = 3393.0; + scores[i].weight = 0.007453416149068323; + scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); + + /* pktlen_s_to_c_avg */ + i++; + scores[i].lower_bound = 81.3; + scores[i].upper_bound = 1315.021; + scores[i].weight = 0.9833540372670807; + scores[i].value = 
ndpi_data_average(flow->pktlen_s_to_c); + + /* dst2src_bytes */ + i++; + scores[i].lower_bound = 256.0; + scores[i].upper_bound = 56434.0; + scores[i].weight = 0.0034782608695652175; + scores[i].value = flow->dst2src_bytes; + + /* fin */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 2.0; + scores[i].weight = 0.0014906832298136647; + scores[i].value = flow->fin_count; + + /* rst */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 2.0; + scores[i].weight = 0.0014906832298136647; + scores[i].value = flow->rst_count; + + // sum = 1.0 + double flow_score = get_flow_score(scores, n_metrics); + free(scores); + return flow_score; } double Hearthbleed_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* iat_flow_max */ - int i = 0; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 595213.3999999999; - scores[i].weight = 0.16666666666666666; - scores[i].value = ndpi_data_max(flow->iat_flow); - - /* iat_flow_stddev */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 245377.74799999973; - scores[i].weight = 0.16666666666666666; - scores[i].value = ndpi_data_stddev(flow->iat_flow); - - /* pktlen_s_to_c_max */ - i++; - scores[i].lower_bound = 74.0; - scores[i].upper_bound = 3380.0; - scores[i].weight = 0.16666666666666666; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 70.0; - scores[i].upper_bound = 1344.6399999999996; - scores[i].weight = 0.16666666666666666; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_stddev */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 944.6399999999996; - scores[i].weight = 0.16666666666666666; - scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c); - - /* duration */ - i++; - scores[i].lower_bound = 0.0; - 
scores[i].upper_bound = 711.6677598000391; - scores[i].weight = 0.16666666666666666; - scores[i].value = (l - f); - - // sum = 0.9999999999999999 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; + double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; + int n_metrics = 6; + ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); + /* iat_flow_max */ + int i = 0; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 595213.3999999999; + scores[i].weight = 0.16666666666666666; + scores[i].value = ndpi_data_max(flow->iat_flow); + + /* iat_flow_stddev */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 245377.74799999973; + scores[i].weight = 0.16666666666666666; + scores[i].value = ndpi_data_stddev(flow->iat_flow); + + /* pktlen_s_to_c_max */ + i++; + scores[i].lower_bound = 74.0; + scores[i].upper_bound = 3380.0; + scores[i].weight = 0.16666666666666666; + scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); + + /* pktlen_s_to_c_avg */ + i++; + scores[i].lower_bound = 70.0; + scores[i].upper_bound = 1344.6399999999996; + scores[i].weight = 0.16666666666666666; + scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); + + /* pktlen_s_to_c_stddev */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 944.6399999999996; + scores[i].weight = 0.16666666666666666; + scores[i].value = ndpi_data_stddev(flow->pktlen_s_to_c); + + /* duration */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 711.6677598000391; + scores[i].weight = 0.16666666666666666; + scores[i].value = (l - f); + + // sum = 0.9999999999999999 + double flow_score = get_flow_score(scores, n_metrics); + free(scores); + return flow_score; } double Infiltration_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* 
pktlen_c_to_s_max */ - int i = 0; - scores[i].lower_bound = 72.0; - scores[i].upper_bound = 1840.739999999998; - scores[i].weight = 0.11937557392102846; - scores[i].value = ndpi_data_max(flow->pktlen_c_to_s); - - /* pktlen_c_to_s_avg */ - i++; - scores[i].lower_bound = 70.0; - scores[i].upper_bound = 296.56599999999816; - scores[i].weight = 0.12526782981328435; - scores[i].value = ndpi_data_average(flow->pktlen_c_to_s); - - /* pktlen_s_to_c_max */ - i++; - scores[i].lower_bound = 90.0; - scores[i].upper_bound = 3496.1399999999776; - scores[i].weight = 0.13927150290786652; - scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); - - /* pktlen_s_to_c_avg */ - i++; - scores[i].lower_bound = 72.6; - scores[i].upper_bound = 1367.7959999999991; - scores[i].weight = 0.12182430364248545; - scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); - - /* src2dst_bytes */ - i++; - scores[i].lower_bound = 144.0; - scores[i].upper_bound = 7847.69999999999; - scores[i].weight = 0.12059993878175697; - scores[i].value = flow->src2dst_bytes; - - /* dst2src_bytes */ - i++; - scores[i].lower_bound = 236.0; - scores[i].upper_bound = 74486.7799999998; - scores[i].weight = 0.3736608509335782; - scores[i].value = flow->dst2src_bytes; - - // sum = 1.0 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; + double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; + int n_metrics = 6; + ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); + /* pktlen_c_to_s_max */ + int i = 0; + scores[i].lower_bound = 72.0; + scores[i].upper_bound = 1840.739999999998; + scores[i].weight = 0.11937557392102846; + scores[i].value = ndpi_data_max(flow->pktlen_c_to_s); + + /* pktlen_c_to_s_avg */ + i++; + scores[i].lower_bound = 70.0; + scores[i].upper_bound = 296.56599999999816; + scores[i].weight = 0.12526782981328435; + scores[i].value = ndpi_data_average(flow->pktlen_c_to_s); + + /* pktlen_s_to_c_max */ + i++; + 
scores[i].lower_bound = 90.0; + scores[i].upper_bound = 3496.1399999999776; + scores[i].weight = 0.13927150290786652; + scores[i].value = ndpi_data_max(flow->pktlen_s_to_c); + + /* pktlen_s_to_c_avg */ + i++; + scores[i].lower_bound = 72.6; + scores[i].upper_bound = 1367.7959999999991; + scores[i].weight = 0.12182430364248545; + scores[i].value = ndpi_data_average(flow->pktlen_s_to_c); + + /* src2dst_bytes */ + i++; + scores[i].lower_bound = 144.0; + scores[i].upper_bound = 7847.69999999999; + scores[i].weight = 0.12059993878175697; + scores[i].value = flow->src2dst_bytes; + + /* dst2src_bytes */ + i++; + scores[i].lower_bound = 236.0; + scores[i].upper_bound = 74486.7799999998; + scores[i].weight = 0.3736608509335782; + scores[i].value = flow->dst2src_bytes; + + // sum = 1.0 + double flow_score = get_flow_score(scores, n_metrics); + free(scores); + return flow_score; } double Ssh_patator_score(struct ndpi_flow_info* flow){ - double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; - int n_metrics = 6; - ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); - /* fin */ - int i = 0; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.0033738191632928477; - scores[i].value = flow->fin_count; - - /* psh */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 30.0; - scores[i].weight = 0.33076923076923076; - scores[i].value = flow->psh_count; - - /* c_to_s_syn */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 1.0; - scores[i].weight = 0.0004048582995951417; - scores[i].value = flow->src2dst_syn_count; - - /* c_to_s_psh */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 12.0; - scores[i].weight = 0.33130904183535764; - scores[i].value = flow->src2dst_psh_count; - - /* s_to_c_fin */ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 2.0; - scores[i].weight = 0.0033738191632928477; - scores[i].value = flow->dst2src_fin_count; - - /* s_to_c_psh 
*/ - i++; - scores[i].lower_bound = 0.0; - scores[i].upper_bound = 30.0; - scores[i].weight = 0.33076923076923076; - scores[i].value = flow->dst2src_psh_count; - - // sum = 1.0 - double flow_score = get_flow_score(scores, n_metrics); - free(scores); - return flow_score; + double f = (double)flow->first_seen/1000.0, l = (double)flow->last_seen/1000.0; + int n_metrics = 6; + ndpi_norm_value* scores = malloc(n_metrics * sizeof(ndpi_norm_value)); + /* fin */ + int i = 0; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 2.0; + scores[i].weight = 0.0033738191632928477; + scores[i].value = flow->fin_count; + + /* psh */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 30.0; + scores[i].weight = 0.33076923076923076; + scores[i].value = flow->psh_count; + + /* c_to_s_syn */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 1.0; + scores[i].weight = 0.0004048582995951417; + scores[i].value = flow->src2dst_syn_count; + + /* c_to_s_psh */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 12.0; + scores[i].weight = 0.33130904183535764; + scores[i].value = flow->src2dst_psh_count; + + /* s_to_c_fin */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 2.0; + scores[i].weight = 0.0033738191632928477; + scores[i].value = flow->dst2src_fin_count; + + /* s_to_c_psh */ + i++; + scores[i].lower_bound = 0.0; + scores[i].upper_bound = 30.0; + scores[i].weight = 0.33076923076923076; + scores[i].value = flow->dst2src_psh_count; + + // sum = 1.0 + double flow_score = get_flow_score(scores, n_metrics); + free(scores); + return flow_score; } diff --git a/example/intrusion_detection.h b/example/intrusion_detection.h index b31890c96..f78095e67 100644 --- a/example/intrusion_detection.h +++ b/example/intrusion_detection.h 
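Review bot: Every *_score function in this hunk, Ddos_score through Ssh_patator_score, writes `scores[i]` without checking the malloc() result, so an allocation failure is a NULL dereference rather than a reported error. Since n_metrics is the constant 6 in all eight, the heap allocation buys nothing: `ndpi_norm_value scores[6];` in place of the malloc line, with the matching `free(scores);` dropped, removes the failure path entirely while `get_flow_score(scores, n_metrics)` stays as is. The `f`/`l` locals computed on the first line of each function are only read by Dos_hulk_score and Hearthbleed_score (`(l - f)` for the duration metric); in the other six they are dead and will trip -Wunused-variable. The `// sum = 1.0` comments are the only statement of the weights' contract; a one-line header per function naming the metric set, where the bounds were fitted (presumably the CIC-IDS datasets cited in the header) and that the weights are expected to sum to 1 would make these constant tables reviewable.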
@@ -1,14 +1,44 @@ +/* + * intrusion_detection.h + * + * Copyright (C) 2011-19 - ntop.org + * + * This file is part of nDPI, an open source deep packet inspection + * library based on the OpenDPI and PACE technology by ipoque GmbH + * + * nDPI is free software: you can redistribute it and/or modify + * it under the terms of the GNU Lesser General Public License as published by + * the Free Software Foundation, either version 3 of the License, or + * (at your option) any later version. + * + * nDPI is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with nDPI. If not, see <http://www.gnu.org/licenses/>. + * + */ + +/* + Code to detect attacks reported in + + https://www.unb.ca/cic/datasets/ids-2017.html + https://www.unb.ca/cic/datasets/ids-2018.html +*/ + #include <stdio.h> #include <stdlib.h> #include "reader_util.h" #include "ndpi_api.h" typedef struct norm_values{ - double upper_bound; - double lower_bound; - double weight; - double value; - double norm_value; + double upper_bound; + double lower_bound; + double weight; + double value; + double norm_value; }ndpi_norm_value; double normalize(ndpi_norm_value* tresholds); @@ -31,4 +61,4 @@ double Hearthbleed_score(struct ndpi_flow_info* flow); double Infiltration_score(struct ndpi_flow_info* flow); -double Ssh_patator_score(struct ndpi_flow_info* flow);
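Review bot: intrusion_detection.h still has no include guard after the new license and description blocks; it is included by intrusion_detection.c and presumably by ndpiReader.c (which calls the *_score functions), and a second inclusion within one translation unit would redefine `struct norm_values`, a hard error. Wrap the declarations in `#ifndef INTRUSION_DETECTION_H` / `#define INTRUSION_DETECTION_H` ... `#endif`, without a leading underscore, which is reserved for the implementation. The description comment names the datasets but not what a score means; one line such as `/* Each *_score returns a weighted sum of normalized flow metrics; a result >= 1 means the flow falls outside the benign profile for that attack */` would document the contract ndpiReader.c's `< 1` test relies on. The parameter name `tresholds` and the public `Hearthbleed_score` are misspelt; the latter is part of the interface, so renaming it means touching ndpiReader.c as well.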
\ No newline at end of file +double Ssh_patator_score(struct ndpi_flow_info* flow); diff --git a/example/ndpiReader.c b/example/ndpiReader.c index bbc78bf02..0193f5ce3 100644 --- a/example/ndpiReader.c +++ b/example/ndpiReader.c @@ -242,7 +242,7 @@ static void reduceBDbits(uint32_t *bd, unsigned int len) { static void flowGetBDMeanandVariance(struct ndpi_flow_info* flow) { FILE *out = results_file ? results_file : stdout; - + const uint32_t *array = NULL; uint32_t tmp[256], i; unsigned int num_bytes; @@ -1008,8 +1008,7 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa ssh_patator_score = Ssh_patator_score(flow); inf_score = Infiltration_score(flow); - - + double benign_score = dos_ge_score < 1 && dos_slow_score < 1 && \ dos_hulk_score < 1 && ddos_score < 1 && hearthbleed_score < 1 && \ ftp_patator_score < 1 && ssh_patator_score < 1 && inf_score < 1 ? 1.1 : 0; @@ -1028,11 +1027,11 @@ static void printFlow(u_int16_t id, struct ndpi_flow_info *flow, u_int16_t threa ndpi_protocol2name(ndpi_thread_info[thread_id].workflow->ndpi_struct, flow->detected_protocol, buf, sizeof(buf))); - fprintf(csv_fp, "%.9lf,%.9lf,%.9lf,%.9lf,%.9lf,%.9lf,%.9lf,%.9lf,%9.lf,", \ - benign_score, dos_slow_score, dos_ge_score, dos_hulk_score, \ - ddos_score, hearthbleed_score, ftp_patator_score, \ - ssh_patator_score, inf_score); - + fprintf(csv_fp, "%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,%.4lf,", \ + benign_score, dos_slow_score, dos_ge_score, dos_hulk_score, \ + ddos_score, hearthbleed_score, ftp_patator_score, \ + ssh_patator_score, inf_score); + fprintf(csv_fp, "%u,%llu,%llu,", flow->src2dst_packets, (long long unsigned int) flow->src2dst_bytes, (long long unsigned int) flow->src2dst_goodput_bytes); fprintf(csv_fp, "%u,%llu,%llu,", flow->dst2src_packets, |
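Review bot: The rewritten fprintf in the third ndpiReader.c hunk keeps trailing backslash line continuations on its argument lines; outside a macro they are unnecessary, and any whitespace after one becomes a compile error, so the call should simply be split across plain lines. `%.4lf` can be written `%.4f`, the `l` length modifier being a no-op for floating conversions. Dropping the precision from 9 to 4 decimals is fine for the CSV, but the scores are unbounded and could be NaN if normalize() ever divides by a zero bound; `%.4f` then writes `nan` into the column while the `< 1` benign test above evaluates false for it, so such a flow is silently reported with benign_score 0. printFlow continues outside the hunk on both sides.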