netml is a network anomaly detection tool & library written in Python.
The library contains two primary submodules:
pparser: pcap parser\
Parse pcaps to produce flow features using Scapy.\
(Additional functionality to map pcaps to pandas DataFrames.)
ndm: novelty detection modeling\
Detect novelties / anomalies, via different models, such as OCSVM.
The tool's command-line interface is documented by its built-in help flags such as -h and --help:
netml --helpThe netml library is available on PyPI:
pip install netmlOr, from a repository clone:
pip install .The CLI tool is available as a distribution "extra":
pip install netml[cli]Or:
pip install .[cli]Shell tab-completion is provided by argcomplete (through argcmdr). Completion code appropriate to your shell may be generated by register-python-argcomplete, e.g.:
register-python-argcomplete --shell=bash netmlThe results of the above should be evaluated, e.g.:
eval "$(register-python-argcomplete --shell=bash netml)"Or, to ensure the above is evaluated for every session, e.g.:
register-python-argcomplete --shell=bash netml > ~/.bash_completionFor more information, refer to argcmdr: Shell completion.
from netml.pparser.parser import PCAP
pcap = PCAP('data/demo.pcap')
pcap.pcap2pandas()
pdf = pcap.dffrom netml.pparser.parser import PCAP
from netml.utils.tool import dump_data, load_data
pcap = PCAP('data/demo.pcap', flow_ptks_thres=2)
pcap.pcap2flows()
# Extract inter-arrival time features
pcap.flow2features('IAT', fft=False, header=False)
iat_features = pcap.featuresPossible features to pass to flows2features include:
IAT: A flow is represented as a timeseries of inter-arrival times between
packets, i.e., elapsed time in seconds between any two packets in the flow.
STATS: A flow is represented as a set of statistical quantities. We choose
12 of the most common such statistics in the literature: flow duration, number of
packets sent per second, number of bytes per second, and various statistics on
packet sizes within each flow: mean, standard deviation, inter-quartile range,
minimum, and maximum. Finally, the total number of packets and total number
of bytes for each flow.
SIZE: A flow is represented as a timeseries of packet sizes in bytes, with one
sample per packet.
SAMP_NUM: A flow is partitioned into small intervals of equal length πΏπ‘, and
the number of packets in each interval is recorded; thus, a flow is
represented as a timeseries of packet counts in small time intervals, with one
sample per time interval. Here, πΏπ‘ might be viewed as a choice of sampling
rate for the timeseries, hence the nomenclature.
SAMP_SIZE: A flow is partitioned into time intervals of equal length πΏπ‘, and
the total packet size (i.e., byte count) in each interval is recorded; thus, a
flow is represented as a timeseries of byte counts in small time intervals,
with one sample per time interval.
Having trained a model to your network traffic,
the identification of anomalous traffic is as simple as providing a packet capture (PCAP)
file to the netml classify command of the CLI:
netml classify --model=model.dat < unclassified.pcapUsing the Python library, the same might be accomplished, e.g.:
from netml.pparser.parser import PCAP
from netml.utils.tool import load_data
pcap = PCAP(
'unclassified.pcap',
flow_ptks_thres=2,
random_state=42,
verbose=10,
)
# extract flows from pcap
pcap.pcap2flows(q_interval=0.9)
# extract features from each flow given feat_type
pcap.flow2features('IAT', fft=False, header=False)
(model, train_history) = load_data('model.dat')
model.predict(pcap.features)A model may be trained for outlier detection as simply as providing a PCAP file to the netml learn command:
netml learn --pcap=traffic.pcap \
--output=model.dat(Note that for clarity and consistency with the classify command, the flags --output and --model are synonymous to the learn command.)
netml learn supports a great many additional options, documented by netml learn --help, --help-algorithm and --help-param, including:
--algorithm: selection of model-training algorithms, such as One-Class Support Vector Machine (OCSVM), Kernel Density Estimation (KDE), Isolation Forest (IF) and Autoencoder (AE)--param: customization of model hyperparameters via YAML/JSON--label, --pcap-normal & --pcap-abnormal: optional labeling of traffic to enable post-training testing of the modelIn the below examples, an OCSVM model is trained by demo traffic included in the library, and tested by labels in a CSV file, (both provided by the University of New Brunswick's Intrusion Detection Systems dataset).
All of the below may be wrapped up into a single command via the CLI:
netml learn --pcap=data/demo.pcap \
--label=data/demo.csv \
--output=out/OCSVM-results.datTo only extract features via the CLI:
netml learn extract \
--pcap=data/demo.pcap \
--label=data/demo.csv \
--feature=out/IAT-features.datOr in Python:
from netml.pparser.parser import PCAP
from netml.utils.tool import dump_data
pcap = PCAP(
'data/demo.pcap',
flow_ptks_thres=2,
random_state=42,
verbose=10,
)
# extract flows from pcap
pcap.pcap2flows(q_interval=0.9)
# label each flow (optional)
pcap.label_flows(label_file='data/demo.csv')
# extract features from each flow via IAT
pcap.flow2features('IAT', fft=False, header=False)
# dump data to disk
dump_data((pcap.features, pcap.labels), out_file='out/IAT-features.dat')
# stats
print(pcap.features.shape, pcap.pcap2flows.tot_time, pcap.flow2features.tot_time)To train from already-extracted features via the CLI:
netml learn train \
--feature=out/IAT-features.dat \
--output=out/OCSVM-results.datOr in Python:
from sklearn.model_selection import train_test_split
from netml.ndm.model import MODEL
from netml.ndm.ocsvm import OCSVM
from netml.utils.tool import dump_data, load_data
RANDOM_STATE = 42
# load data
(features, labels) = load_data('out/IAT-features.dat')
# split train and test sets
(
features_train,
features_test,
labels_train,
labels_test,
) = train_test_split(features, labels, test_size=0.33, random_state=RANDOM_STATE)
# create detection model
ocsvm = OCSVM(kernel='rbf', nu=0.5, random_state=RANDOM_STATE)
ocsvm.name = 'OCSVM'
ndm = MODEL(ocsvm, score_metric='auc', verbose=10, random_state=RANDOM_STATE)
# train the model from the train set
ndm.train(features_train)
# evaluate the trained model
ndm.test(features_test, labels_test)
# dump data to disk
dump_data((ocsvm, ndm.history), out_file='out/OCSVM-results.dat')
# stats
print(ndm.train.tot_time, ndm.test.tot_time, ndm.score)For more examples, see the examples/ directory in the source repository.
examples/\
example code and datasetssrc/netml/ndm/\
detection models (such as OCSVM)src/netml/pparser/\
pcap processing (feature extraction) src/netml/utils/\
common functions (such as load_data and dump_data)tests/\
test casesLICENSE.txtmanage.py\
library development & management moduleREADME.mdsetup.cfgsetup.pytox.iniFurther work includes:
pparser performance on different pcapsWe welcome any comments to make this tool more robust and easier to use!
Development dependencies may be installed via the dev extras (below assuming a source checkout):
pip install --editable .[dev](Note: the installation flag --editable is also used above to instruct pip to place the source checkout directory itself onto the Python path, to ensure that any changes to the source are reflected in Python imports.)
Development tasks are then managed via argcmdr sub-commands of manage β¦, (as defined by the repository module manage.py), e.g.:
manage version patch -m "initial release of netml" \
--build \
--releasenetml is based on the initial work of the "Outlier Detection" library odet π
This work was authored by Kun Yang under the direction of Professor Samory Kpotufe at Columbia University.
@article{yang2020comparative,
title={A Comparative Study of Network Traffic Representations for Novelty Detection},
author={Kun Yang and Samory Kpotufe and Nick Feamster},
year={2020},
eprint={2006.16993},
archivePrefix={arXiv},
primaryClass={cs.NI}
}