# msticpy - Polling Detection

When analysing network traffic on a host to identify unusual activity, the volume of traffic is often large. Much of this traffic is automatically generated and highly periodic.[1] Filtering out this highly periodic polling traffic leaves the analyst with less traffic to review, and what remains is more likely to have been generated by humans.

It is this human-generated traffic that is likely to contain any unusual behaviour of interest to an analyst. This notebook demonstrates a method of detecting events that occur with a strong periodicity, *e.g. an email client contacting an SMTP server every 60 seconds to check for new mail*. In this example there would be a strong periodicity at around 60 seconds.

This model requires the **scipy** library, which can be installed with:

`%python -m pip install --upgrade msticpy[ml]`

Alternatively, if you only plan to use the polling detection submodule from the analysis module, you can install just scipy:

`%python -m pip install scipy`

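In [117]:

```python
import matplotlib.pyplot as plt
import numpy as np
import pandas as pd

from datetime import datetime
from msticpy.analysis.polling_detection import PeriodogramPollingDetector
```

In [11]:

```python
# Load the sample Azure network flow data, parsing the flow end time as a datetime
df = pd.read_csv(
    "data/az_net_flows.csv",
    parse_dates=["FlowEndTime"]
)
```

In [132]:

```python
# Count the number of flows in each 5-minute window
# ("5min" replaces the "5T" alias, which is deprecated in recent pandas releases)
five_min_counts = (
    df[["TenantId", "FlowEndTime"]].set_index("FlowEndTime")
        .resample("5min")
        .count()
        .rename({"TenantId": "count"}, axis=1)
        .reset_index()
)
```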

In [149]:

```python
ax.get_xticks()
```

```
array([0.        , 0.78539816, 1.57079633, 2.35619449, 3.14159265,
       3.92699082, 4.71238898, 5.49778714])
```

In [47]:

```python
plt.polar(five_min_counts_time_only.index, five_min_counts_time_only["count"])
```

```
AttributeError: 'Index' object has no attribute 'timestamp'
```
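
One way to detect the strong periodicity described in the introduction, as an added example that is not part of the original notebook and is not msticpy's `PeriodogramPollingDetector` code: it bins one flow's event times, computes a periodogram using only the standard library, and scores the largest peak with Fisher's g statistic and a union-bound p-value (a test chosen for this example). The function names, the 5-second bins, the one-hour window and both sample flows are assumptions constructed for the example.

```python
import cmath
import math
import random


def periodogram(counts):
    """Power of the mean-centred series at Fourier frequencies k/N, k = 1..(N-1)//2."""
    n = len(counts)
    mean = sum(counts) / n
    centred = [c - mean for c in counts]
    power = []
    for k in range(1, (n - 1) // 2 + 1):
        step = -2j * math.pi * k / n
        coeff = sum(x * cmath.exp(step * t) for t, x in enumerate(centred))
        power.append(abs(coeff) ** 2 / n)
    return power


def g_test_pvalue(power):
    """Upper bound on P(largest peak >= observed) when no periodic component exists."""
    m, total = len(power), sum(power)
    if total == 0:  # empty or constant series: no evidence of periodicity
        return 1.0
    g = max(power) / total  # Fisher's g: share of total power in the largest peak
    return min(1.0, m * (1 - g) ** (m - 1))  # first term of Fisher's exact series


def detect_polling(event_times, window_seconds=3600, bin_seconds=5):
    """Return (dominant period in seconds, p-value) for one flow's event times."""
    n_bins = window_seconds // bin_seconds
    counts = [0] * n_bins
    for t in event_times:
        if 0 <= t < window_seconds:  # ignore events outside the observation window
            counts[int(t // bin_seconds)] += 1
    power = periodogram(counts)
    k_peak = power.index(max(power)) + 1  # power[0] holds frequency index k = 1
    return n_bins * bin_seconds / k_peak, g_test_pvalue(power)


# Constructed sample data: one hour of event offsets (seconds) for two flows.
rng = random.Random(7)
polling_flow = [30 + 60 * i + rng.gauss(0, 5) for i in range(60)]  # ~60 s polling, jittered
human_flow = [rng.uniform(0, 3600) for _ in range(60)]  # irregular activity

if __name__ == "__main__":
    for name, flow in (("polling", polling_flow), ("human", human_flow)):
        period, p_value = detect_polling(flow)
        print(f"{name:8s} peak period {period:6.1f} s, p-value {p_value:.3g}")
```

A small p-value marks a flow as polling traffic that can be filtered out before review; because the union bound never understates the p-value, sparse flows with only a handful of events are not flagged by numerical accident.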

## References

[1] Heard, N. A., Rubin-Delanchy, P. T. G. and Lawson, D. J. (2014). Filtering automated polling traffic in computer network flow data. In Proceedings of the IEEE Joint Intelligence and Security Informatics Conference 2014.