forked from oreilly-mlsec/book-resources
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
2 changed files
with
72 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| import time | ||
|
|
||
| # duration over which to look for anomalies | ||
| anomaly_window_seconds = 3600 | ||
|
|
||
| # threshold for simple anomaly detection | ||
| query_threshold = 10 | ||
|
|
||
| # global variable to store each user's recent history | ||
| recent_history = {} | ||
|
|
||
| def process_event(user, recent_history): | ||
| '''call this function to update history when an event occurs''' | ||
| cur_time = int(time.time()) | ||
| if user not in recent_history: | ||
| recent_history[user] = [] | ||
|
|
||
| recent_history[user].append(cur_time) | ||
| recent_history[user] = [x for x in recent_history[user] if cur_time - x < anomaly_window_seconds] | ||
| return recent_history | ||
|
|
||
| def is_anomaly(user, recent_history): | ||
| '''call this function whenever an event occurs for which you want | ||
| to detect anomalies''' | ||
| if user not in recent_history: | ||
| return False | ||
| if len(recent_history[user]) > query_threshold: | ||
| return True | ||
| else: | ||
| return False | ||
|
|
||
| if __name__ == '__main__': | ||
| '''testing code''' | ||
| for i in range(12): | ||
| process_event('a', recent_history) | ||
| for i in range(6): | ||
| process_event('b', recent_history) | ||
| for i in range(3): | ||
| process_event('c', recent_history) | ||
| process_event('d', recent_history) | ||
| from ids_heuristics_b import * | ||
|
|
||
| print(hourly_threshold_update(recent_history)) | ||
| print(day_history) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,28 @@ | ||
| import time | ||
| import collections | ||
|
|
||
| # duration over which to look for anomalies | ||
| anomaly_window_seconds = 3600 | ||
|
|
||
| # threshold for simple anomaly detection | ||
| query_threshold = 10 | ||
|
|
||
| # multiplier to determine how many times the average to set the threshold | ||
| avg_multiplier = 5 | ||
|
|
||
| # global variable to keep the average number of user queries in each hour | ||
| day_history = collections.deque(24*[query_threshold / avg_multiplier], 24) | ||
|
|
||
| def hourly_threshold_update(recent_history): | ||
| '''set the threshold for anomaly detection to be a multiple of the average queries per user in recent history''' | ||
| cur_time = int(time.time()) | ||
| total_num_queries = 0 | ||
| if not recent_history: | ||
| return query_threshold | ||
|
|
||
| total_num_queries = sum([len(x) for x in recent_history.values()]) | ||
| avg_queries_this_hour = float(total_num_queries) / len(recent_history) | ||
| day_history.appendleft(avg_queries_this_hour) | ||
|
|
||
| avg_hourly_avg = float(sum(day_history)) / len(day_history) | ||
| return int(avg_multiplier * avg_hourly_avg) |