A simple library for detecting suspicious connections using TensorFlow.
This model is very simple and looks at features such as:
- Time of day (hour)
- General Long / Lat
- Country Code
NOTE: THE DEFAULT DATA-SETS ARE NOT STATISTICALLY SOUND
It is not meant to be perfect; it is meant to demonstrate how you might look at suspicious connections and build a VERY SIMPLE machine learning model around those features.
REFERENCES
- https://github.com/csirtgadgets/csirtg-ipsml-py (SKLearn based only)
- https://csirtgadgets.com/commits/2018/4/20/predicting-attacks-with-python-and-sklearn
- https://csirtgadgets.com/commits/2018/3/8/hunting-for-suspicious-domains-using-python-and-sklearn
- https://csirtgadgets.com/commits/2018/3/30/hunting-for-threats-like-a-quant
GETTING STARTED
```
$ sudo [apt-get|brew|yum] install geoipupdate  # ubuntu16 or later; use python3 if you can
$ sudo geoipupdate -v
$ pip install -r dev_requirements.txt
$ python setup.py develop
$ bash helpers/build.sh
$ csirtg-ipsml-tf -i 18.104.22.168,6   # indicator, hour-detected
0.50 - 22.214.171.124,6                # 50% probability
$ csirtg-ipsml-tf -i 126.96.36.199     # indicator (hour defaults to the current hour)
0.31 - 188.8.131.52                    # 31% probability
```
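The following is an added example, not code from this project, showing the pipeline the README describes end to end: turn an `ip,hour` indicator into the three feature groups listed above (hour, lat/lon, country), train a classifier on labelled connections, and print a probability in the same `0.50 - ip,hour` shape the CLI uses. To keep it dependency-free it uses a hand-written logistic regression in place of the project's TensorFlow model, and a small constructed table keyed by /24 prefix (RFC 5737 documentation addresses) stands in for the MaxMind GeoIP lookup that `geoipupdate` provisions. The training set is constructed and, like the project's default data, is not statistically sound.

```python
import math
from datetime import datetime, timezone

# Constructed stand-in for the GeoIP lookup (the real tool resolves
# country/lat/lon with the MaxMind database fetched by geoipupdate).
# Keyed by /24 prefix; addresses are RFC 5737 documentation ranges.
GEO_STUB = {
    "192.0.2": ("US", 37.75, -97.82),
    "198.51.100": ("NL", 52.38, 4.90),
    "203.0.113": ("AU", -33.87, 151.21),
}
COUNTRIES = ["US", "NL", "AU"]  # one-hot vocabulary; unknown country -> all zeros


def geo_lookup(ip):
    """Return (country, lat, lon) for an IPv4 string, or a null record."""
    return GEO_STUB.get(ip.rsplit(".", 1)[0], ("??", 0.0, 0.0))


def features(ip, hour):
    """Feature vector: bias, cyclic hour, scaled lat/lon, country one-hot."""
    country, lat, lon = geo_lookup(ip)
    angle = 2 * math.pi * (hour % 24) / 24.0  # sin/cos so hour 23 sits next to hour 0
    vec = [1.0, math.sin(angle), math.cos(angle), lat / 90.0, lon / 180.0]
    vec += [1.0 if country == c else 0.0 for c in COUNTRIES]
    return vec


def sigmoid(z):
    z = max(-60.0, min(60.0, z))  # clamp so math.exp cannot overflow
    return 1.0 / (1.0 + math.exp(-z))


def dot(w, x):
    return sum(wi * xi for wi, xi in zip(w, x))


def train(samples, epochs=1500, lr=0.5):
    """Batch gradient descent on log-loss; samples are (feature_vector, label)."""
    n = len(samples[0][0])
    w = [0.0] * n
    for _ in range(epochs):
        grad = [0.0] * n
        for x, y in samples:
            err = sigmoid(dot(w, x)) - y
            for i in range(n):
                grad[i] += err * x[i]
        for i in range(n):
            w[i] -= lr * grad[i] / len(samples)
    return w


def parse_indicator(arg):
    """'ip' or 'ip,hour' as on the CLI; hour defaults to the current UTC hour."""
    parts = arg.split(",")
    hour = int(parts[1]) if len(parts) > 1 else datetime.now(timezone.utc).hour
    return parts[0], hour


def score(w, arg):
    """Probability that the indicator is suspicious under model w."""
    ip, hour = parse_indicator(arg)
    return sigmoid(dot(w, features(ip, hour)))


# Constructed training set: (ip, hour, label), label 1 = suspicious.
# Pattern: the AU /24 at night is suspicious, the US /24 in business hours is benign,
# the NL /24 is decided by hour alone.
TRAINING = [
    ("203.0.113.5", 2, 1), ("203.0.113.9", 3, 1), ("203.0.113.77", 4, 1),
    ("203.0.113.12", 1, 1), ("198.51.100.3", 3, 1),
    ("192.0.2.10", 9, 0), ("192.0.2.44", 14, 0), ("192.0.2.201", 16, 0),
    ("192.0.2.8", 11, 0), ("198.51.100.60", 13, 0),
]


def build_model():
    return train([(features(ip, h), y) for ip, h, y in TRAINING])


if __name__ == "__main__":
    model = build_model()
    for arg in ("203.0.113.200,3", "192.0.2.99,10", "198.51.100.7,2"):
        print("%.2f - %s" % (score(model, arg), arg))  # same shape as the CLI output
```

The cyclic hour encoding is the one design choice worth copying into a real model: feeding the raw hour as an integer makes 23:00 and 00:00 look maximally different, which is exactly the window where "off-hours" logins cluster. Swapping `geo_lookup` for a real GeoIP reader and `train` for the TensorFlow model leaves the feature code unchanged.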
COPYRIGHT AND LICENSE
Copyright (C) 2018 the CSIRT Gadgets
Free use of this software is granted under the terms of the Mozilla Public License (MPLv2).