CSIRTG IP Machine Learning Framework using TensorFlow
csirtg_ipsml_tf
data
helpers
test
.coveragerc
.gitattributes
.gitignore
.travis.yml
LICENSE
MANIFEST.in
README.md
Vagrantfile
dev_requirements.txt
requirements.txt
setup.cfg
setup.py
versioneer.py


csirtg-ipsml-tf

A simple library for detecting suspicious connections using TensorFlow.

This model is very simple and looks at features such as:

  • Time of day (hour)
  • General Long / Lat
  • TimeZone
  • Country Code
  • ASN

NOTE: THE DEFAULT DATA-SETS ARE NOT STATISTICALLY SOUND

While not meant to be perfect, it is meant to demonstrate how you might look at suspicious connections and build a VERY SIMPLE machine learning model around those features.
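To make the feature list above concrete, here is an added example (not csirtg-ipsml-tf's own code) that encodes the five listed attributes for an (indicator, hour-detected) pair and fits a tiny logistic-regression scorer in pure Python. The GeoIP/ASN lookup is replaced by a constructed table of TEST-NET addresses with made-up attributes, and the training labels are constructed, so the numbers it produces illustrate the encoding and scoring only.

```python
import math, zlib

# Constructed lookup table (TEST-NET addresses, made-up attributes); a real
# deployment would query the MaxMind databases fetched by geoipupdate.
GEO = {
    "192.0.2.10":   {"lat": 37.0, "lon": -122.0, "tz": "America/Los_Angeles", "cc": "US", "asn": 64500},
    "198.51.100.7": {"lat": 55.7, "lon": 37.6, "tz": "Europe/Moscow", "cc": "RU", "asn": 64501},
    "203.0.113.9":  {"lat": 1.3, "lon": 103.8, "tz": "Asia/Singapore", "cc": "SG", "asn": 64502},
}
HASH_BUCKETS = 16  # feature-hashing width for each categorical attribute

def encode(ip, hour):
    """Fixed-length numeric feature vector for (indicator, hour-detected)."""
    g = GEO[ip]
    angle = 2 * math.pi * hour / 24
    vec = [1.0,                                # bias term
           math.sin(angle), math.cos(angle),   # cyclic hour: 23h sits next to 0h
           g["lat"] / 90.0, g["lon"] / 180.0]  # coordinates scaled to [-1, 1]
    # Hash each categorical value into a one-hot block; crc32 is stable across
    # processes, unlike Python's per-process salted hash() on str.
    for key in ("tz", "cc", "asn"):
        block = [0.0] * HASH_BUCKETS
        block[zlib.crc32(str(g[key]).encode()) % HASH_BUCKETS] = 1.0
        vec.extend(block)
    return vec

def predict(w, x):
    return 1 / (1 + math.exp(-sum(wi * xi for wi, xi in zip(w, x))))

def train(samples, epochs=500, lr=0.5):
    """Batch gradient descent for logistic regression on (ip, hour, label)."""
    rows = [(encode(ip, h), y) for ip, h, y in samples]
    w = [0.0] * len(rows[0][0])
    for _ in range(epochs):
        grad = [0.0] * len(w)
        for x, y in rows:
            err = predict(w, x) - y
            grad = [g + err * xi for g, xi in zip(grad, x)]
        w = [wi - lr * gi / len(rows) for wi, gi in zip(w, grad)]
    return w

def score(w, ip, hour):
    """Probability the connection is suspicious, like the CLI's 0.50 output."""
    return predict(w, encode(ip, hour))

# Constructed labels (1 = suspicious, 0 = benign): far too few rows to be
# statistically sound, which is exactly the README's warning about its data.
TRAIN = [("198.51.100.7", 3, 1), ("198.51.100.7", 4, 1), ("203.0.113.9", 2, 1),
         ("192.0.2.10", 10, 0), ("192.0.2.10", 14, 0), ("203.0.113.9", 15, 0)]
MODEL = train(TRAIN)
```

The same address scores differently at 02:00 and 15:00 because the hour is a feature, which is why the CLI takes the detection hour alongside the indicator.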

See also:

  • https://github.com/csirtgadgets/csirtg-ipsml-py (SKLearn based only)
  • https://csirtgadgets.com/commits/2018/4/20/predicting-attacks-with-python-and-sklearn
  • https://csirtgadgets.com/commits/2018/3/8/hunting-for-suspicious-domains-using-python-and-sklearn
  • https://csirtgadgets.com/commits/2018/3/30/hunting-for-threats-like-a-quant

$ sudo [apt-get|brew|yum] install geoipupdate  # ubuntu16 or later; use python3 if you can
$ sudo geoipupdate -v
$ pip install -r dev_requirements.txt
$ python setup.py develop
$ bash helpers/build.sh

$ csirtg-ipsml-tf -i 122.2.223.242,6  # indicator, hour-detected
0.50 - 122.2.223.242,6 # 50% probability

$ csirtg-ipsml-tf -i 141.142.164.33  # indicator only, no hour given
0.31 - 141.142.164.33 # 31% probability

COPYRIGHT AND LICENSE

Copyright (C) 2018 the CSIRT Gadgets

Free use of this software is granted under the terms of the Mozilla Public License (MPLv2).