ids_example
Martin Grimmer edited this page Apr 27, 2023 · 5 revisions
- See file https://github.com/LID-DS/LID-DS/blob/master/algorithms/example_main.py
- Here we walk through this file and explain it step by step.

At first, some imports we need here:

```python
from pprint import pprint
from datetime import datetime
from algorithms.decision_engines.stide import Stide
from algorithms.features.impl.stream_sum import StreamSum
from algorithms.features.impl.max_score_threshold import MaxScoreThreshold
from algorithms.features.impl.int_embedding import IntEmbedding
from algorithms.features.impl.ngram import Ngram
from algorithms.ids import IDS
from dataloader.dataloader_factory import dataloader_factory
from dataloader.direction import Direction  # needed for Direction.CLOSE below
```
Now some code to help us load the CVE-2017-7529 scenario of LID-DS-2021:

```python
if __name__ == '__main__':
    # TODO: change this to your base path
    lid_ds_base_path = "/path/to/your/data"
    lid_ds_version = "LID-DS-2021"
    scenario_name = "CVE-2017-7529"
    scenario_path = f"{lid_ds_base_path}/{lid_ds_version}/{scenario_name}"
    # only load the closing system calls (Direction.CLOSE) for this example
    dataloader = dataloader_factory(scenario_path, direction=Direction.CLOSE)
```
Now the features and algorithms we want to use:
- We want to build 7-grams of system call names
- Then we want to use the STIDE algorithm for intrusion detection
The following code continues inside the `if __name__ == '__main__':` block:

```python
    ### Features (for more information see the paper "Improving Host-based Intrusion Detection
    ### Using Thread Information", International Symposium on Emerging Information Security
    ### and Applications (EISA), 2021)
    thread_aware = False
    window_length = 100
    ngram_length = 7

    ### Building blocks
    # First: map each system call name to an integer
    int_embedding = IntEmbedding()
    # Now build n-grams (here: 7-grams) from these integers
    ngram = Ngram([int_embedding], thread_aware, ngram_length)
    # Finally apply the STIDE algorithm to these n-grams
    stide = Stide(ngram)
    # Sum the STIDE scores over a sliding window of window_length (100) values
    stream_sum = StreamSum(stide, False, window_length, True)
    # Define the MaxScoreThreshold decider
    my_decider = MaxScoreThreshold(stream_sum)
```
Now we create an IDS object and tell it to do the intrusion detection:

```python
    ### The IDS
    ids = IDS(data_loader=dataloader,
              resulting_building_block=my_decider,
              create_alarms=False,
              plot_switch=False)

    print("at evaluation:")
    # Determine the threshold on the validation data
    ids.determine_threshold()
    # Run the detection on the test data
    ids.detect()
```
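To make the chain of building blocks concrete, here is an added, self-contained toy re-implementation of the idea behind IntEmbedding, Ngram, Stide, StreamSum and MaxScoreThreshold (this is not the LID-DS code and does not reproduce its exact behaviour); it runs on constructed traces of system call names rather than on a LID-DS scenario.

```python
from collections import deque

class MiniPipeline:
    # Toy stand-in for IntEmbedding -> Ngram -> Stide -> StreamSum -> MaxScoreThreshold
    def __init__(self, ngram_length=7, window_length=100):
        self.n = ngram_length
        self.w = window_length
        self.embedding = {}         # IntEmbedding: system call name -> integer
        self.normal_ngrams = set()  # Stide: n-grams observed in training data
        self.threshold = 0          # MaxScoreThreshold: max score on validation data

    def _embed(self, name):
        # unseen names simply get a fresh id (assumption, not LID-DS behaviour)
        return self.embedding.setdefault(name, len(self.embedding) + 1)

    def _ngrams(self, trace):
        ints = [self._embed(s) for s in trace]
        return [tuple(ints[i:i + self.n]) for i in range(len(ints) - self.n + 1)]

    def train(self, trace):
        # Stide training: remember every n-gram of normal behaviour
        self.normal_ngrams.update(self._ngrams(trace))

    def _scores(self, trace):
        # Stide: 1 for an unknown n-gram, 0 for a known one;
        # StreamSum: sum of the last window_length values, emitted only once the window is full
        window = deque(maxlen=self.w)
        scores = []
        for g in self._ngrams(trace):
            window.append(0 if g in self.normal_ngrams else 1)
            if len(window) == self.w:
                scores.append(sum(window))
        return scores

    def determine_threshold(self, trace):
        # MaxScoreThreshold: the highest score seen on attack-free validation data
        self.threshold = max(self.threshold, max(self._scores(trace), default=0))

    def detect(self, trace):
        # alarm if any windowed score exceeds the learned threshold
        return max(self._scores(trace), default=0) > self.threshold

def demo():
    # constructed traces: a repeating benign pattern, and the same pattern with three
    # injected calls that produce n-grams never seen during training
    normal = ["open", "read", "write", "close"] * 10
    attack = normal[:20] + ["execve", "socket", "connect"] + normal[20:]
    ids = MiniPipeline(ngram_length=3, window_length=5)
    ids.train(normal)
    ids.determine_threshold(normal)
    return ids.detect(normal), ids.detect(attack)  # -> (False, True)
```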
The intrusion detection is done; now we can print the results:

```python
    ### Print results and plot the anomaly scores
    results = ids.performance.get_result()
    pprint(results)
```
Using the above configuration should lead to the following result (consecutive alarms, CFA, are also described in the paper "Improving Host-based Intrusion Detection Using Thread Information", International Symposium on Emerging Information Security and Applications (EISA), 2021):

```python
{'consecutive_false_positives_exploits': 0,     # number of CFA from files with exploits
 'consecutive_false_positives_normal': 5,       # number of CFA from files without exploits
 'correct_alarm_count': 119,                    # number of files with exploit and marked as intrusion
 'detection_rate': 1.0,
 'exploit_count': 119,
 'f1_cfa': 0.9794238683127572,                  # f1 score based on consecutive alarms
 'false_negatives': 13746,
 'false_positives': 466,
 'precision_with_cfa': 0.9596774193548387,      # precision using consecutive alarms
 'precision_with_syscalls': 0.20341880341880342, # precision using system calls
 'recall': 1.0,
 'true_negatives': 847527,
 'true_positives': 201535}
```