Weighted neural and bayesian networks correlation
This commit is contained in:
parent
e17bbfd91e
commit
c095514f94
4 changed files with 63 additions and 5 deletions
23
bayesian.c
23
bayesian.c
|
@ -53,6 +53,20 @@ typedef struct {
|
||||||
PRIVATE AI_bayesian_correlation *bayesian_cache = NULL;
|
PRIVATE AI_bayesian_correlation *bayesian_cache = NULL;
|
||||||
PRIVATE double k_exp_value = 0.0;
|
PRIVATE double k_exp_value = 0.0;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Get the current weight of the bayesian correlation index using a hyperbolic tangent function with a parameter expressed in function of the current number of alerts in the history file
|
||||||
|
* \return The weight of the correlation index ( 0 <= weight < 1 )
|
||||||
|
*/
|
||||||
|
|
||||||
|
double
|
||||||
|
AI_bayesian_correlation_weight ()
|
||||||
|
{
|
||||||
|
double x = (double) AI_get_history_alert_number(),
|
||||||
|
k = (double) config->alert_correlation_weight / HYPERBOLIC_TANGENT_SOLUTION;
|
||||||
|
|
||||||
|
return (( exp(x/k) - exp(-x/k) ) / ( exp(x/k) + exp(-x/k) ));
|
||||||
|
} /* ----- end of function AI_bayesian_correlation_weight ----- */
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief Function used for computing the correlation probability A->B of two alerts (A,B) given their timestamps: f(ta, tb) = exp ( -(tb - ta)^2 / k )
|
* \brief Function used for computing the correlation probability A->B of two alerts (A,B) given their timestamps: f(ta, tb) = exp ( -(tb - ta)^2 / k )
|
||||||
* \param ta Timestamp of A
|
* \param ta Timestamp of A
|
||||||
|
@ -142,8 +156,13 @@ AI_alert_bayesian_correlation ( const AI_snort_alert *a, const AI_snort_alert *b
|
||||||
corr_count_a++;
|
corr_count_a++;
|
||||||
}
|
}
|
||||||
|
|
||||||
corr /= (double) corr_count;
|
if ( !corr_count )
|
||||||
corr -= ( events_a->count - corr_count_a ) / events_a->count;
|
{
|
||||||
|
corr = 0.0;
|
||||||
|
} else {
|
||||||
|
corr /= (double) corr_count;
|
||||||
|
corr -= ( events_a->count - corr_count_a ) / events_a->count;
|
||||||
|
}
|
||||||
|
|
||||||
if ( found )
|
if ( found )
|
||||||
{
|
{
|
||||||
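Review bot: The hand-rolled tanh in the new AI_bayesian_correlation_weight, `( exp(x/k) - exp(-x/k) ) / ( exp(x/k) + exp(-x/k) )`, overflows to inf once x/k exceeds roughly 709 and then evaluates to inf/inf = NaN; with k = config->alert_correlation_weight / HYPERBOLIC_TANGENT_SOLUTION that is reached after a few hundred history alerts per unit of alert_correlation_weight, and a zero alert_correlation_weight gives k = 0 and NaN immediately, which the `bayesian_correlation != 0.0` test in the AI_alert_correlation_thread hunk does not filter before the multiplication. libm's tanh() is the stable form: `return ( k > 0.0 ) ? tanh ( x / k ) : 0.0;` (or treat k <= 0 as a configuration error, whichever the module intends). The identical expression is duplicated in AI_neural_correlation_weight in neural.c and needs the same change. The definition should also read `AI_bayesian_correlation_weight ( void )` so that calls are type-checked.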
|
|
|
@ -1361,7 +1361,8 @@ AI_alert_correlation_thread ( void *arg )
|
||||||
/* Use the correlation indexes for which we have a value */
|
/* Use the correlation indexes for which we have a value */
|
||||||
if ( bayesian_correlation != 0.0 && config->bayesianCorrelationInterval != 0 )
|
if ( bayesian_correlation != 0.0 && config->bayesianCorrelationInterval != 0 )
|
||||||
{
|
{
|
||||||
corr->correlation += bayesian_correlation;
|
corr->correlation += AI_bayesian_correlation_weight() * bayesian_correlation;
|
||||||
|
_dpd.logMsg ( "bayesian probability: %f\n", bayesian_correlation );
|
||||||
n_correlations++;
|
n_correlations++;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -1373,7 +1374,7 @@ AI_alert_correlation_thread ( void *arg )
|
||||||
|
|
||||||
if ( neural_correlation != 0.0 && config->neuralNetworkTrainingInterval != 0 )
|
if ( neural_correlation != 0.0 && config->neuralNetworkTrainingInterval != 0 )
|
||||||
{
|
{
|
||||||
corr->correlation += neural_correlation;
|
corr->correlation += AI_neural_correlation_weight() * neural_correlation;
|
||||||
n_correlations++;
|
n_correlations++;
|
||||||
}
|
}
|
||||||
|
|
||||||
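Review bot: AI_bayesian_correlation_weight() and AI_neural_correlation_weight() are now evaluated at the point where each pair's correlation is accumulated, and the neural one issues a `SELECT count(*)` against the database on every call, so if these lines sit inside the per-pair loop (the enclosing loop and AI_alert_correlation_thread itself are outside the hunks) the weights are recomputed and the database queried once per alert pair although they depend only on global alert counts. Compute both once before the loop, `double bayes_w = AI_bayesian_correlation_weight (), neural_w = AI_neural_correlation_weight ();`, and multiply by those here and in the -1373 hunk. The added `_dpd.logMsg ( "bayesian probability: %f\n", bayesian_correlation );` also fires for every correlated pair at the normal log level and prints the unweighted value; if it is a debugging aid it should be guarded or log the weighted contribution. The file header for this section is not rendered on the page, so the file name is inferred from the hunk context only.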
|
|
35
neural.c
35
neural.c
|
@ -53,6 +53,39 @@ PRIVATE time_t latest_serialization_time = ( time_t ) 0;
|
||||||
PRIVATE som_network_t *net = NULL;
|
PRIVATE som_network_t *net = NULL;
|
||||||
PRIVATE pthread_mutex_t neural_mutex;
|
PRIVATE pthread_mutex_t neural_mutex;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \brief Get the current weight of the neural correlation index using a hyperbolic tangent function with a parameter expressed in function of the current number of alerts in the database
|
||||||
|
* \return The weight of the correlation index ( 0 <= weight < 1 )
|
||||||
|
*/
|
||||||
|
|
||||||
|
double
|
||||||
|
AI_neural_correlation_weight ()
|
||||||
|
{
|
||||||
|
DB_result res;
|
||||||
|
DB_row row;
|
||||||
|
char query[1024] = { 0 };
|
||||||
|
double x = 0,
|
||||||
|
k = (double) config->alert_correlation_weight / HYPERBOLIC_TANGENT_SOLUTION;
|
||||||
|
|
||||||
|
snprintf ( query, sizeof ( query ), "SELECT count(*) FROM %s", outdb_config[ALERTS_TABLE] );
|
||||||
|
|
||||||
|
if ( !DB_out_init() )
|
||||||
|
{
|
||||||
|
AI_fatal_err ( "Unable to connect to the database specified in module configuration", __FILE__, __LINE__ );
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( !( res = (DB_result) DB_out_query ( query )))
|
||||||
|
{
|
||||||
|
AI_fatal_err ( "AIPreproc: Query error", __FILE__, __LINE__ );
|
||||||
|
}
|
||||||
|
|
||||||
|
row = (DB_row) DB_fetch_row ( res );
|
||||||
|
x = strtod ( row[0], NULL );
|
||||||
|
DB_free_result ( res );
|
||||||
|
|
||||||
|
return (( exp(x/k) - exp(-x/k) ) / ( exp(x/k) + exp(-x/k) ));
|
||||||
|
} /* ----- end of function AI_neural_correlation_weight ----- */
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief Convert an alert row fetched from db to a vector suitable for being elaborated by the SOM neural network
|
* \brief Convert an alert row fetched from db to a vector suitable for being elaborated by the SOM neural network
|
||||||
* \param alert AI_som_alert_tuple object identifying the alert tuple
|
* \param alert AI_som_alert_tuple object identifying the alert tuple
|
||||||
|
@ -185,7 +218,7 @@ __AI_som_train ()
|
||||||
char query[1024] = { 0 };
|
char query[1024] = { 0 };
|
||||||
|
|
||||||
size_t i = 0,
|
size_t i = 0,
|
||||||
num_rows = 0;
|
num_rows = 0;
|
||||||
|
|
||||||
DB_result res;
|
DB_result res;
|
||||||
DB_row row;
|
DB_row row;
|
||||||
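Review bot: In the added AI_neural_correlation_weight the row returned by DB_fetch_row is dereferenced as `row[0]` and passed to strtod without checking that a row was returned or that the column is non-NULL, while the two preceding database calls are checked and routed to AI_fatal_err. Add the same guard before the strtod call, e.g. `if ( !row || !row[0] ) { DB_free_result ( res ); AI_fatal_err ( "AIPreproc: Query returned no rows", __FILE__, __LINE__ ); }`. The function also uses the output database without taking neural_mutex or the mutex that AI_outdb_mutex_initialize sets up; if the correlation thread can run concurrently with AI_store_alert_to_db_thread, this call needs the same locking the other database users have — confirm against those callers, which are outside the hunk. The return line repeats the exp-based tanh from bayesian.c and has the same overflow-to-NaN problem, for which `tanh ( x / k )` with a k > 0 check is the fix.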
|
|
5
spp_ai.h
5
spp_ai.h
|
@ -105,6 +105,9 @@
|
||||||
/** Cutoff y value in the exponential decay for considering two alerts not correlated */
|
/** Cutoff y value in the exponential decay for considering two alerts not correlated */
|
||||||
#define CUTOFF_Y_VALUE 0.01
|
#define CUTOFF_Y_VALUE 0.01
|
||||||
|
|
||||||
|
/** Approximated solution of the equation tanh(x) = 0.95 */
|
||||||
|
#define HYPERBOLIC_TANGENT_SOLUTION 1.83178
|
||||||
|
|
||||||
/****************************/
|
/****************************/
|
||||||
/* Database support */
|
/* Database support */
|
||||||
#ifdef HAVE_LIBMYSQLCLIENT
|
#ifdef HAVE_LIBMYSQLCLIENT
|
||||||
|
@ -497,6 +500,8 @@ const AI_alert_event* AI_get_alert_events_by_key ( AI_alert_event_key );
|
||||||
unsigned int AI_get_history_alert_number ();
|
unsigned int AI_get_history_alert_number ();
|
||||||
double AI_alert_bayesian_correlation ( const AI_snort_alert*, const AI_snort_alert* );
|
double AI_alert_bayesian_correlation ( const AI_snort_alert*, const AI_snort_alert* );
|
||||||
double AI_alert_neural_som_correlation ( const AI_snort_alert*, const AI_snort_alert* );
|
double AI_alert_neural_som_correlation ( const AI_snort_alert*, const AI_snort_alert* );
|
||||||
|
double AI_neural_correlation_weight ();
|
||||||
|
double AI_bayesian_correlation_weight ();
|
||||||
|
|
||||||
void AI_outdb_mutex_initialize ();
|
void AI_outdb_mutex_initialize ();
|
||||||
void* AI_store_alert_to_db_thread ( void* );
|
void* AI_store_alert_to_db_thread ( void* );
|
||||||
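Review bot: The comment on HYPERBOLIC_TANGENT_SOLUTION only says which equation it solves; since both weight functions divide the alert count by config->alert_correlation_weight / HYPERBOLIC_TANGENT_SOLUTION, the constant's practical meaning is that the weight reaches 0.95 exactly when the alert count equals alert_correlation_weight, which is what a reader tuning that option needs. Suggested comment: `/** Approximated solution of tanh(x) = 0.95: the correlation weight reaches 0.95 when the alert count equals config->alert_correlation_weight */`. The two new declarations `double AI_neural_correlation_weight ();` and `double AI_bayesian_correlation_weight ();` are non-prototype declarations in C11, so a call with arguments would not be diagnosed; `( void )` fixes that, although the neighbouring declarations follow the same style and it may be a project convention.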
|
|