From 5bd4d884bdc6e86a4e3486ceddaf5ae307f2bf03 Mon Sep 17 00:00:00 2001 From: Wu Tingfeng Date: Wed, 2 Aug 2023 22:18:24 +0800 Subject: [PATCH 1/3] Run markdownlint and fix grammar/spelling. --- README.md | 58 +++++++++++++++++++++++++++++-------------------------- 1 file changed, 31 insertions(+), 27 deletions(-) diff --git a/README.md b/README.md index bf51e7d..ba2e6d6 100644 --- a/README.md +++ b/README.md @@ -3,25 +3,24 @@ Unsupervised Machine Learning web attacks detection. - -

+

Image source:https://unsplash.com/photos/i4Y9hr5dxKc (Mathew Schwartz)

## About -Webhawk/Catch helps automatically finding web attack traces in HTTP logs and abnormal OS processes without using any preset rules. Based on the usage of Unsupervised Machine Learning, Catch groups log lines into clusters, and detects the outliers that it considers as potentially attack traces. +Webhawk/Catch helps you to automatically find web attack traces in HTTP logs and abnormal OS processes without using any preset rules. Based on the usage of Unsupervised Machine Learning, Catch groups log lines into clusters, and detect the outliers that it considers as potential attack traces. -The tool is able to parse both raw HTTP log files (Apache, Nginx, ...) and files including OS statistics (generated by top command). The tool takes these files as input and returns a report with a list of findings. +The tool is able to parse both raw HTTP log files (Apache, Nginx, ...) and files including OS statistics (generated by `top` command). The tool takes these files as input and returns a report with a list of findings. -Catch uses PCA (Principal Component Analysis) technique to select the most relevant features (Example: user-agent, IP address, number of transmitted parameters, etc.. ). Then, it runs DBSCAN (Density-Based Spatial Clustering of Applications with Noise) algorithm to get all the possible log line clusters and anomalous points (potential attack traces). +Catch uses PCA (Principal Component Analysis) technique to select the most relevant features (Example: user-agent, IP address, number of transmitted parameters, etc.. ). Then, it runs DBSCAN (Density-Based Spatial Clustering of Applications with Noise) algorithm to get all the possible log line clusters and anomalous points (potential attack traces). -Advanced users can fine tune Catch based on a set of options that help optimising the clustering algorithm (Example: minimum number of points by cluster, or the maximum distance between two points within the same cluster). +Advanced users can fine tune Catch based on a set of options that help to optimise the clustering algorithm (Example: minimum number of points by cluster, or the maximum distance between two points within the same cluster). The current version of Webhawk/Catch generates an easy-to-read HTML report which includes all the findings, and the severity of each one. -Webhawk/Catch is an open-source tool. Catch is the unsupervised version of Webhawk which is a supervised machine learning based cyber-attack detection tool. In contrary to the supervised Webhawk, Catch can be used without manually pertaining a model, the thing that makes it a lightweight and flexible solution to easily identify potential attack traces. Catch is available as an independent repository in Github, it is also included as part of Webhawk which is starred 125 times and forked 68 times. +Webhawk/Catch is an open-source tool. Catch is the unsupervised version of Webhawk which is a supervised machine learning based cyber-attack detection tool. In contrary to the supervised Webhawk, Catch can be used without manually pre-training a model, which makes it a lightweight and flexible solution for identifying potential attack traces easily. Catch is available as an independent repository in Github, it is also included as part of Webhawk which has been starred 125 times and forked 68 times. ## Setup @@ -36,7 +35,7 @@ pip install -r requirements.txt ### Create a settings.conf file -Copy settings_template.conf file to settings.conf and fill it with the required parameters as the following. +Copy **settings_template.conf** file to **settings.conf** and fill it with the required parameters as the following. ```shell [FEATURES] @@ -57,7 +56,7 @@ attributes:['status', 'num_ctx_switches', 'memory_full_info', 'connections', 'cm ### Catch.py script ```shell -python catch.py -h +python catch.py -h usage: catch.py [-h] [-b] -l LOG_FILE -t LOG_TYPE [-e EPS] [-s MIN_SAMPLES] [-j LOG_LINES_LIMIT] [-p] [-o] [-r] [-z] [-y OPT_LAMDA] options: @@ -82,65 +81,70 @@ options: ``` - ### Example with HTTP logs Encoding is automatic for the unsupervised mode. You just need to run the catch.py script. Get inspired from this example: ```shell -python catch.py -l ../HTTP_LOGS_DTATSETS/SECREPO_LOGS/access.log.2021-10-22 --log_type apache --show_plots --standardize_data --report +python catch.py -l ./SAMPLE_DATA/RAW_APACHE_LOGS/access.log.2021-10-22 --log_type apache --show_plots --standardize_data --report ``` The output of this command is: -

+

-

+

-

+

### Example with OS processes -Before running the catch.py, you need to generate a .txt file containing the OS process statistics by taking advantage of top command: + +Before running the catch.py, you need to generate a .txt file containing the OS process statistics by taking advantage of `top` command: + ```shell top > PATH/os_processes.txt ``` -You can then run the catch.py to detect potential abnormal OS processes: +You can then run the catch.py to detect potentially abnormal OS processes: + ```shell python catch.py -l PATH/os_processes.txt --log_type os_processes --show_plots --standardize_data --report ``` ## Used sample data -The data you will find in SAMPLE_DATA folder comes from
-https://www.secrepo.com. +The data located in the **SAMPLE_DATA** folder comes from +. ## Interesting data samples -https://www.kaggle.com/datasets/eliasdabbas/web-server-access-logs -https://dataverse.harvard.edu/dataset.xhtml?persistentId=doi:10.7910/DVN/3QBYB5 - + + ## TODO + Nothing for now. ## Reference -Silhouette Effeciency -
https://bioinformatics-training.github.io/intro-machine-learning-2017/clustering.html +Silhouette Efficiency + + + +Optimal Value of Epsilon + + -
Optimal Value of Epsilon -
https://towardsdatascience.com/machine-learning-clustering-dbscan-determine-the-optimal-value-for-epsilon-eps-python-example-3100091cfbc +Max curvature point -
Max curvature point -
https://towardsdatascience.com/detecting-knee-elbow-points-in-a-graph-d13fc517a63c + ## Contribution From 34be74b6d1264d5924431b096d0cd2a36b8000da Mon Sep 17 00:00:00 2001 From: Wu Tingfeng Date: Wed, 2 Aug 2023 22:19:52 +0800 Subject: [PATCH 2/3] Add settings_template.conf --- settings_template.conf | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 settings_template.conf diff --git a/settings_template.conf b/settings_template.conf new file mode 100644 index 0000000..8b74e32 --- /dev/null +++ b/settings_template.conf @@ -0,0 +1,11 @@ +[FEATURES] +features:length,params_number,return_code,size,upper_cases,lower_cases,special_chars,url_depth,user_agent,http_query,ip + +[LOG] +apache:([(\d\.)]+) - - \[(.*?)\] "(.*?)" (\d+) (.+) "(.*?)" "(.*?)" +nginx:([(\d\.)]+) - - \[(.*?)\] "(.*?)" (\d+) (\d+) (.+) "(.*?)" "(.*?)" +apache_error: +nginx_error: + +[PROCESS_DETAILS] +attributes:['status', 'num_ctx_switches', 'memory_full_info', 'connections', 'cmdline', 'create_time', 'num_fds', 'cpu_percent', 'terminal', 'ppid', 'cwd', 'nice', 'username', 'cpu_times', 'memory_info', 'threads', 'open_files', 'name', 'num_threads', 'exe', 'uids', 'gids', 'memory_percent', 'environ'] From 1cb4ea4a74c8c21201c79bbf32290c2c7ca1df90 Mon Sep 17 00:00:00 2001 From: Wu Tingfeng Date: Wed, 2 Aug 2023 22:55:08 +0800 Subject: [PATCH 3/3] grammar --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index ba2e6d6..500da9f 100644 --- a/README.md +++ b/README.md @@ -118,7 +118,7 @@ You can then run the catch.py to detect potentially abnormal OS processes: python catch.py -l PATH/os_processes.txt --log_type os_processes --show_plots --standardize_data --report ``` -## Used sample data +## Using sample data The data located in the **SAMPLE_DATA** folder comes from .