-
- Files
- rest_ocsvm_gt.py: REST API for detection. It is called by Logstash.
- signature_detection.py: Signature-based detection program. It is called by rest_ocsvm_gt.py.
- machine_learning.py: Machine learning detection program. It is called by rest_ocsvm_gt.py.
- send_alert.py: Program for sending alert mail. It is called by rest_ocsvm_gt.py.
- ocsvm_gt_XXXX.pkl files: Model files. They are created by Goldenticket_One-class_SVM.ipynb
- data_dummies_XXXX.csv: One-Hot encoding dummy files. They are created by Goldenticket_One-class_SVM.ipynb
- Location: Deploy on Detection Server
- How to use: launch rest_ocsvm_gt.py
- Notes: REST API is running on Flask.
- Files
-
Configuration files for Logstash
- Files
- logstash_winlogbeat.conf: Configuration file of Logstash. Logs are sent through the pipline of Logstash. Logstash extract data for detection from logs and call the REST API "rest_ocsvm_gt.py".
This file should be located in Log Server where Logstash is running.
- logstash_winlogbeat.conf: Configuration file of Logstash. Logs are sent through the pipline of Logstash. Logstash extract data for detection from logs and call the REST API "rest_ocsvm_gt.py".
- Location: Deploy on Log Server
- How to use:
- Launch Logstash by specifing the conf file.
e.g.)logstash -f /etc/logstash/conf.d/logstash_winlogbeat.conf &
- Launch Logstash by specifing the conf file.
- Files
-
Configuration files for Winlogbeat
- Files
- winlogbeat.yml: Configuration file of Winlogbeat. This file should be located in Domain Controller where Winlogbeat is running.
- Location: Place in the install directory of Winlogbeat on Domain Controller
- How to use:
- Star Winlogbeat on Domain Controller
- Files
-
-
Files
- ADLogParserForML: Java programs to prepare for creating input for Goldenticket_One-class_SVM.ipynb. This programs extract data from Event Logs exported as CSV files.
We tested this program on Java 1.8 . - Goldenticket_One-class_SVM.ipynb : A Python program runnung on the Jupyter Notebook to create model and calculate detection rate.
- ADLogParserForML: Java programs to prepare for creating input for Goldenticket_One-class_SVM.ipynb. This programs extract data from Event Logs exported as CSV files.
-
Location: Deploy on Detection Server
-
How to use:
-
Export Domain Controller Event logs as CSV file format using built-in Windows function (Rigiht click Event Logs and save as csv file).
-
Execute ADLogParserForML using the above Event Logs as inputs. Then parsed csv file (eventlog.csv) will be created.
# cd ADLogParserForML/bin # java logparse/AuthLogParser /Users/Documents/tmp/input /Users/marikof/Documents/tmp/output /Users/Documents/tmp/input/command.txt /Users/marikof/Documents/tmp/input/adminlist.txt
-
Execute Goldenticket_One-class_SVM_create_model.ipynb.
You will get model files (ocsvm_gt_XXXX.pkl) and One-Hot encoding dummy files (data_dummies_XXXX.csv). Please move or copy these file to "detectionTools" directory. -
If you want to see detection result, please check X_train_result4674.csv and X_train_result4688.csv files.The rightmost column shows result, "1" means normal and "-1" means outlier.
-
-
(Optional) If you want to evaluate with logs generated by attack, please refer below to create dataset. However created model files don't work, they are used for just check the result.:
-
Export Domain Controller Event logs as CSV file format using built-in Windows function (Rigiht click Event Logs and save as csv file).
-
Execute ADLogParserForML using the above Event Logs as inputs. Then parsed csv file (eventlog.csv) will be created.
# cd ADLogParserForML/bin # java logparse/AuthLogParser /Users/Documents/tmp/input /Users/marikof/Documents/tmp/output /Users/Documents/tmp/input/command.txt /Users/marikof/Documents/tmp/input/adminlist.txt
-
Open eventlog.csv and organize the value of "target" column as follows.
- train
- test
- outlier
"train" data is training data and should be in normal states. Machine learning learns these data.
"test" data means normal data. Machine lerning doe's not learn these data, they are used only for evaluation. Please change some target value from "train" to "test".
"outlier" data means outlier data. Machine lerning doe's not learn these data, they are used only for evaluation. Please set target value "outlier" for logs of attack behavior. -
Execute One-class_SVM.ipynb. You should specify the file path of eventlog.csv.
You will get model files (ocsvm_gt_XXXX.pkl) and One-Hot encoding dummy files (data_dummies_XXXX.csv). -
If you want to see detection result, please check X_outliers_resultXXXX.csv, X_test_resultXXXX.csv and X_ourlier_resultXXXX.csv files.The rightmost column shows result, "1" means normal and "-1" means outlier.
-
-