mirror of
https://github.com/BlackLight/Snort_AIPreproc.git
synced 2024-12-25 02:35:12 +01:00
Weighted neural and bayesian networks correlation
This commit is contained in:
parent
e17bbfd91e
commit
c095514f94
4 changed files with 63 additions and 5 deletions
19
bayesian.c
19
bayesian.c
|
@ -53,6 +53,20 @@ typedef struct {
|
|||
PRIVATE AI_bayesian_correlation *bayesian_cache = NULL;
|
||||
PRIVATE double k_exp_value = 0.0;
|
||||
|
||||
/**
|
||||
* \brief Get the current weight of the bayesian correlation index using a hyperbolic tangent function with a parameter expressed in function of the current number of alerts in the history file
|
||||
* \return The weight of the correlation index ( 0 <= weight < 1 )
|
||||
*/
|
||||
|
||||
double
|
||||
AI_bayesian_correlation_weight ()
|
||||
{
|
||||
double x = (double) AI_get_history_alert_number(),
|
||||
k = (double) config->alert_correlation_weight / HYPERBOLIC_TANGENT_SOLUTION;
|
||||
|
||||
return (( exp(x/k) - exp(-x/k) ) / ( exp(x/k) + exp(-x/k) ));
|
||||
} /* ----- end of function AI_bayesian_correlation_weight ----- */
|
||||
|
||||
/**
|
||||
* \brief Function used for computing the correlation probability A->B of two alerts (A,B) given their timestamps: f(ta, tb) = exp ( -(tb - ta)^2 / k )
|
||||
* \param ta Timestamp of A
|
||||
|
@ -142,8 +156,13 @@ AI_alert_bayesian_correlation ( const AI_snort_alert *a, const AI_snort_alert *b
|
|||
corr_count_a++;
|
||||
}
|
||||
|
||||
if ( !corr_count )
|
||||
{
|
||||
corr = 0.0;
|
||||
} else {
|
||||
corr /= (double) corr_count;
|
||||
corr -= ( events_a->count - corr_count_a ) / events_a->count;
|
||||
}
|
||||
|
||||
if ( found )
|
||||
{
|
||||
|
|
|
@ -1361,7 +1361,8 @@ AI_alert_correlation_thread ( void *arg )
|
|||
/* Use the correlation indexes for which we have a value */
|
||||
if ( bayesian_correlation != 0.0 && config->bayesianCorrelationInterval != 0 )
|
||||
{
|
||||
corr->correlation += bayesian_correlation;
|
||||
corr->correlation += AI_bayesian_correlation_weight() * bayesian_correlation;
|
||||
_dpd.logMsg ( "bayesian probability: %f\n", bayesian_correlation );
|
||||
n_correlations++;
|
||||
}
|
||||
|
||||
|
@ -1373,7 +1374,7 @@ AI_alert_correlation_thread ( void *arg )
|
|||
|
||||
if ( neural_correlation != 0.0 && config->neuralNetworkTrainingInterval != 0 )
|
||||
{
|
||||
corr->correlation += neural_correlation;
|
||||
corr->correlation += AI_neural_correlation_weight() * neural_correlation;
|
||||
n_correlations++;
|
||||
}
|
||||
|
||||
|
|
33
neural.c
33
neural.c
|
@ -53,6 +53,39 @@ PRIVATE time_t latest_serialization_time = ( time_t ) 0;
|
|||
PRIVATE som_network_t *net = NULL;
|
||||
PRIVATE pthread_mutex_t neural_mutex;
|
||||
|
||||
/**
|
||||
* \brief Get the current weight of the neural correlation index using a hyperbolic tangent function with a parameter expressed in function of the current number of alerts in the database
|
||||
* \return The weight of the correlation index ( 0 <= weight < 1 )
|
||||
*/
|
||||
|
||||
double
|
||||
AI_neural_correlation_weight ()
|
||||
{
|
||||
DB_result res;
|
||||
DB_row row;
|
||||
char query[1024] = { 0 };
|
||||
double x = 0,
|
||||
k = (double) config->alert_correlation_weight / HYPERBOLIC_TANGENT_SOLUTION;
|
||||
|
||||
snprintf ( query, sizeof ( query ), "SELECT count(*) FROM %s", outdb_config[ALERTS_TABLE] );
|
||||
|
||||
if ( !DB_out_init() )
|
||||
{
|
||||
AI_fatal_err ( "Unable to connect to the database specified in module configuration", __FILE__, __LINE__ );
|
||||
}
|
||||
|
||||
if ( !( res = (DB_result) DB_out_query ( query )))
|
||||
{
|
||||
AI_fatal_err ( "AIPreproc: Query error", __FILE__, __LINE__ );
|
||||
}
|
||||
|
||||
row = (DB_row) DB_fetch_row ( res );
|
||||
x = strtod ( row[0], NULL );
|
||||
DB_free_result ( res );
|
||||
|
||||
return (( exp(x/k) - exp(-x/k) ) / ( exp(x/k) + exp(-x/k) ));
|
||||
} /* ----- end of function AI_neural_correlation_weight ----- */
|
||||
|
||||
/**
|
||||
* \brief Convert an alert row fetched from db to a vector suitable for being elaborated by the SOM neural network
|
||||
* \param alert AI_som_alert_tuple object identifying the alert tuple
|
||||
|
|
5
spp_ai.h
5
spp_ai.h
|
@ -105,6 +105,9 @@
|
|||
/** Cutoff y value in the exponential decay for considering two alerts not correlated */
|
||||
#define CUTOFF_Y_VALUE 0.01
|
||||
|
||||
/** Approximated solution of the equation tanh(x) = 0.95 */
|
||||
#define HYPERBOLIC_TANGENT_SOLUTION 1.83178
|
||||
|
||||
/****************************/
|
||||
/* Database support */
|
||||
#ifdef HAVE_LIBMYSQLCLIENT
|
||||
|
@ -497,6 +500,8 @@ const AI_alert_event* AI_get_alert_events_by_key ( AI_alert_event_key );
|
|||
unsigned int AI_get_history_alert_number ();
|
||||
double AI_alert_bayesian_correlation ( const AI_snort_alert*, const AI_snort_alert* );
|
||||
double AI_alert_neural_som_correlation ( const AI_snort_alert*, const AI_snort_alert* );
|
||||
double AI_neural_correlation_weight ();
|
||||
double AI_bayesian_correlation_weight ();
|
||||
|
||||
void AI_outdb_mutex_initialize ();
|
||||
void* AI_store_alert_to_db_thread ( void* );
|
||||
|
|
Loading…
Reference in a new issue