From 9f0f12ed28357ae167cb9aab3a614da0f8cd4bab Mon Sep 17 00:00:00 2001 
From: 姜萍 Date: Sun, 29 May 2022 17:59:26 +0800 Subject: init --- .DS_Store | Bin 0 -> 8196 bytes Facetime.pcap | Bin 0 -> 3992 bytes README.md | 43 + model/.DS_Store | Bin 0 -> 8196 bytes model/DBhelper.py | 163 + model/DT.model | Bin 0 -> 1943 bytes model/GNB.model | Bin 0 -> 1005 bytes model/KN.model | Bin 0 -> 63821136 bytes model/LR.model | Bin 0 -> 940 bytes model/LightGBM.model | Bin 0 -> 116204 bytes model/RF.model | Bin 0 -> 21554 bytes model/SVM.model | Bin 0 -> 1553 bytes model/__pycache__/DBhelper.cpython-36.pyc | Bin 0 -> 5127 bytes .../benign_packetpredict.cpython-36.pyc | Bin 0 -> 6172 bytes model/__pycache__/packet_predict.cpython-36.pyc | Bin 0 -> 9435 bytes model/__pycache__/packetpredict.cpython-36.pyc | Bin 0 -> 11150 bytes model/__pycache__/packetpredict_db.cpython-36.pyc | Bin 0 -> 11921 bytes model/benign_packetpredict.py | 75 + model/feature_dict.npy | Bin 0 -> 1144 bytes model/lgbm_packetin_model.pkl | Bin 0 -> 72567 bytes model/lstm_packetpre.h5 | Bin 0 -> 1801632 bytes model/mlp_packetin_model.h5 | Bin 0 -> 790096 bytes model/packet_predict.py | 138 + model/packetpredict.py | 161 + ms_topo_4s.py | 108 + product.py | 19 + ryu_predict.py | 249 + sdnData/.DS_Store | Bin 0 -> 8196 bytes sdnData/.idea/deployment.xml | 21 + .../.idea/inspectionProfiles/profiles_settings.xml | 6 + sdnData/.idea/misc.xml | 7 + sdnData/.idea/modules.xml | 8 + sdnData/.idea/sdnData.iml | 30 + sdnData/.idea/workspace.xml | 199 + sdnData/__pycache__/manage.cpython-36.pyc | Bin 0 -> 771 bytes sdnData/db.sqlite3 | 0 sdnData/empty_queue.py | 20 + sdnData/fronted/index.html | 1 + .../css/app.07c67668b64ebb23ee45e7d43f702599.css | 2 + .../app.07c67668b64ebb23ee45e7d43f702599.css.map | 1 + .../css/app.4815b7c3a4f80bf42f96fd467ffc24d9.css | 2 + .../app.4815b7c3a4f80bf42f96fd467ffc24d9.css.map | 1 + .../static/fonts/element-icons.535877f.woff | Bin 0 -> 28200 bytes .../fronted/static/fonts/element-icons.732389d.ttf | Bin 0 -> 55956 bytes 
.../fronted/static/js/app.26466f4f0100f3982b23.js | 2 + .../static/js/app.26466f4f0100f3982b23.js.map | 1 + .../fronted/static/js/app.89c23420525650863e47.js | 2 + .../static/js/app.89c23420525650863e47.js.map | 1 + .../fronted/static/js/app.8ffe780b02f10627a5a9.js | 2 + .../static/js/app.8ffe780b02f10627a5a9.js.map | 1 + .../fronted/static/js/app.a8ce80b9fd33490a6759.js | 2 + .../static/js/app.a8ce80b9fd33490a6759.js.map | 1 + .../fronted/static/js/app.abf98c9558435dd46930.js | 2 + .../static/js/app.abf98c9558435dd46930.js.map | 1 + .../fronted/static/js/app.af1183b3ee472f11f7b4.js | 2 + .../static/js/app.af1183b3ee472f11f7b4.js.map | 1 + .../fronted/static/js/app.b4b72dfc32782ea363c1.js | 2 + .../static/js/app.b4b72dfc32782ea363c1.js.map | 1 + .../static/js/manifest.3ad1d5771e9b13dbdad2.js | 2 + .../static/js/manifest.3ad1d5771e9b13dbdad2.js.map | 1 + .../static/js/vendor.7ca9674089226e98f741.js | 65 + .../static/js/vendor.7ca9674089226e98f741.js.map | 1 + sdnData/fronted/static/msicon.ico | Bin 0 -> 779 bytes sdnData/manage.py | 21 + sdnData/ryu_predict.py | 245 + sdnData/sdnData/__init__.py | 0 .../sdnData/__pycache__/__init__.cpython-36.pyc | Bin 0 -> 130 bytes sdnData/sdnData/__pycache__/product.cpython-36.pyc | Bin 0 -> 468 bytes .../sdnData/__pycache__/settings.cpython-36.pyc | Bin 0 -> 2800 bytes sdnData/sdnData/__pycache__/urls.cpython-36.pyc | Bin 0 -> 1402 bytes sdnData/sdnData/__pycache__/views.cpython-36.pyc | Bin 0 -> 4799 bytes sdnData/sdnData/__pycache__/wsgi.cpython-36.pyc | Bin 0 -> 533 bytes sdnData/sdnData/product.py | 19 + sdnData/sdnData/settings.py | 163 + sdnData/sdnData/urls.py | 40 + sdnData/sdnData/util/__init__.py | 0 .../util/__pycache__/__init__.cpython-36.pyc | Bin 0 -> 135 bytes .../util/__pycache__/redis_pool.cpython-36.pyc | Bin 0 -> 246 bytes sdnData/sdnData/util/redis_pool.py | 2 + sdnData/sdnData/views.py | 167 + sdnData/sdnData/wsgi.py | 16 + send.py | 16 + sflow-rt/.DS_Store | Bin 0 -> 6148 bytes 
sflow-rt/app/browse-metrics/LICENSE | 21 + sflow-rt/app/browse-metrics/README.md | 10 + sflow-rt/app/browse-metrics/html/index.html | 80 + sflow-rt/app/browse-metrics/html/js/app.js | 226 + sflow-rt/app/flow-trend/LICENSE | 21 + sflow-rt/app/flow-trend/README.md | 15 + sflow-rt/app/flow-trend/html/css/app.css | 66 + sflow-rt/app/flow-trend/html/index.html | 129 + sflow-rt/app/flow-trend/html/js/app.js | 431 + sflow-rt/app/flow-trend/scripts/inc/trend.js | 49 + sflow-rt/app/flow-trend/scripts/top.js | 159 + sflow-rt/extras/README | 14 + sflow-rt/extras/sflow.py | 96 + sflow-rt/extras/tail_flows.py | 20 + sflow-rt/extras/tail_log.py | 20 + sflow-rt/extras/topflows.py | 114 + sflow-rt/get-app.sh | 22 + sflow-rt/lib/jackson-annotations.jar | Bin 0 -> 68175 bytes sflow-rt/lib/jackson-core.jar | Bin 0 -> 351529 bytes sflow-rt/lib/jackson-databind.jar | Bin 0 -> 1418028 bytes sflow-rt/lib/jetty-http.jar | Bin 0 -> 213244 bytes sflow-rt/lib/jetty-io.jar | Bin 0 -> 161526 bytes sflow-rt/lib/jetty-rewrite.jar | Bin 0 -> 43739 bytes sflow-rt/lib/jetty-security.jar | Bin 0 -> 117941 bytes sflow-rt/lib/jetty-server.jar | Bin 0 -> 700887 bytes sflow-rt/lib/jetty-servlet.jar | Bin 0 -> 131754 bytes sflow-rt/lib/jetty-servlets.jar | Bin 0 -> 101478 bytes sflow-rt/lib/jetty-util.jar | Bin 0 -> 552441 bytes sflow-rt/lib/jgrapht-core.jar | Bin 0 -> 852319 bytes sflow-rt/lib/maxmind-db.jar | Bin 0 -> 23184 bytes sflow-rt/lib/netty.jar | Bin 0 -> 4213710 bytes sflow-rt/lib/org.json.jar | Bin 0 -> 65966 bytes sflow-rt/lib/org.yaml.snakeyaml.jar | Bin 0 -> 309001 bytes sflow-rt/lib/rhino.jar | Bin 0 -> 1095937 bytes sflow-rt/lib/servlet-api.jar | Bin 0 -> 95806 bytes sflow-rt/lib/sflowrt.jar | Bin 0 -> 478677 bytes sflow-rt/lib/snmp4j.jar | Bin 0 -> 520994 bytes sflow-rt/resources/.DS_Store | Bin 0 -> 6148 bytes sflow-rt/resources/api/api.yml | 1897 ++ sflow-rt/resources/api/favicon-16x16.png | Bin 0 -> 665 bytes sflow-rt/resources/api/favicon-32x32.png | Bin 0 -> 628 bytes 
sflow-rt/resources/api/favicon.png | Bin 0 -> 1156 bytes sflow-rt/resources/api/index.html | 71 + sflow-rt/resources/api/oauth2-redirect.html | 68 + sflow-rt/resources/api/swagger-ui-bundle.js | 134 + sflow-rt/resources/api/swagger-ui-bundle.js.map | 1 + .../resources/api/swagger-ui-standalone-preset.js | 22 + .../api/swagger-ui-standalone-preset.js.map | 1 + sflow-rt/resources/api/swagger-ui.css | 4 + sflow-rt/resources/api/swagger-ui.css.map | 1 + sflow-rt/resources/api/swagger-ui.js | 9 + sflow-rt/resources/api/swagger-ui.js.map | 1 + sflow-rt/resources/config/GeoLite2-ASN.mmdb | Bin 0 -> 6791431 bytes sflow-rt/resources/config/GeoLite2-Country.mmdb | Bin 0 -> 3896583 bytes sflow-rt/resources/config/logging.properties | 8 + sflow-rt/resources/config/oui.txt | 28383 +++++++++++++++++++ sflow-rt/resources/html/css/app.css | 4 + sflow-rt/resources/html/index.html | 157 + sflow-rt/resources/html/js/app.js | 193 + .../inc/DataTables/css/dataTables.bootstrap4.css | 206 + .../inc/DataTables/css/dataTables.jqueryui.css | 481 + .../inc/DataTables/images/Sorting icons.psd | Bin 0 -> 27490 bytes .../inc/DataTables/images/back_disabled.png | Bin 0 -> 1361 bytes .../inc/DataTables/images/back_enabled.png | Bin 0 -> 1379 bytes .../inc/DataTables/images/back_enabled_hover.png | Bin 0 -> 1375 bytes .../inc/DataTables/images/details_close.png | Bin 0 -> 841 bytes .../inc/DataTables/images/details_open.png | Bin 0 -> 881 bytes .../resources/inc/DataTables/images/favicon.ico | Bin 0 -> 894 bytes .../inc/DataTables/images/forward_disabled.png | Bin 0 -> 1363 bytes .../inc/DataTables/images/forward_enabled.png | Bin 0 -> 1380 bytes .../DataTables/images/forward_enabled_hover.png | Bin 0 -> 1379 bytes .../resources/inc/DataTables/images/sort_asc.png | Bin 0 -> 160 bytes .../inc/DataTables/images/sort_asc_disabled.png | Bin 0 -> 148 bytes .../resources/inc/DataTables/images/sort_both.png | Bin 0 -> 201 bytes .../resources/inc/DataTables/images/sort_desc.png | Bin 0 -> 158 bytes 
.../inc/DataTables/images/sort_desc_disabled.png | Bin 0 -> 146 bytes .../inc/DataTables/js/dataTables.bootstrap4.min.js | 11 + .../inc/DataTables/js/dataTables.jqueryui.min.js | 12 + .../inc/DataTables/js/jquery.dataTables.min.js | 180 + sflow-rt/resources/inc/base.css | 48 + sflow-rt/resources/inc/bootstrap.min.css | 7 + sflow-rt/resources/inc/bootstrap.min.css.map | 1 + sflow-rt/resources/inc/bootstrap.min.js | 7 + sflow-rt/resources/inc/bootstrap.min.js.map | 1 + sflow-rt/resources/inc/flow.css | 11 + sflow-rt/resources/inc/gauge.css | 29 + sflow-rt/resources/inc/img/favicon.png | Bin 0 -> 1156 bytes sflow-rt/resources/inc/img/fieldsetbg.gif | Bin 0 -> 158 bytes sflow-rt/resources/inc/img/inmon.svg | 28 + sflow-rt/resources/inc/inmsf/li.gif | Bin 0 -> 97 bytes sflow-rt/resources/inc/inmsf/li1.gif | Bin 0 -> 97 bytes sflow-rt/resources/inc/inmsf/lihelp.gif | Bin 0 -> 97 bytes sflow-rt/resources/inc/inmsf/lihelp1.gif | Bin 0 -> 364 bytes sflow-rt/resources/inc/inmsf/loginedge.gif | Bin 0 -> 56 bytes sflow-rt/resources/inc/inmsf/logo.png | Bin 0 -> 8741 bytes sflow-rt/resources/inc/inmsf/main.css | 29 + .../images/ui-bg_flat_0_aaaaaa_40x100.png | Bin 0 -> 212 bytes .../images/ui-bg_flat_75_ffffff_40x100.png | Bin 0 -> 208 bytes .../images/ui-bg_glass_55_fbf9ee_1x400.png | Bin 0 -> 393 bytes .../images/ui-bg_glass_65_ffffff_1x400.png | Bin 0 -> 265 bytes .../images/ui-bg_glass_75_dadada_1x400.png | Bin 0 -> 323 bytes .../images/ui-bg_glass_75_e6e6e6_1x400.png | Bin 0 -> 324 bytes .../images/ui-bg_glass_95_fef1ec_1x400.png | Bin 0 -> 390 bytes .../ui-bg_highlight-soft_75_cccccc_1x100.png | Bin 0 -> 325 bytes .../jquery-ui/images/ui-icons_222222_256x240.png | Bin 0 -> 7025 bytes .../jquery-ui/images/ui-icons_2e83ff_256x240.png | Bin 0 -> 4676 bytes .../jquery-ui/images/ui-icons_454545_256x240.png | Bin 0 -> 7090 bytes .../jquery-ui/images/ui-icons_888888_256x240.png | Bin 0 -> 7111 bytes .../jquery-ui/images/ui-icons_cd0a0a_256x240.png | Bin 0 -> 4676 bytes 
sflow-rt/resources/inc/jquery-ui/jquery-ui.min.js | 13 + .../inc/jquery-ui/jquery-ui.structure.min.css | 5 + .../resources/inc/jquery-ui/jquery-ui.theme.css | 443 + sflow-rt/resources/inc/jquery.flow.js | 397 + sflow-rt/resources/inc/jquery.gauge.js | 122 + sflow-rt/resources/inc/jquery.min.js | 2 + sflow-rt/resources/inc/jquery.min.map | 1 + sflow-rt/resources/inc/jquery.stripchart.js | 616 + sflow-rt/resources/inc/jquery.widget.js | 6 + sflow-rt/resources/inc/popper.min.js | 5 + sflow-rt/resources/inc/popper.min.js.map | 1 + sflow-rt/resources/inc/stripchart.css | 20 + sflow-rt/resources/inc/stripchart.js | 172 + sflow-rt/start.sh | 13 + test-1.pcap | Bin 0 -> 25598 bytes 207 files changed, 37347 insertions(+) create mode 100644 .DS_Store create mode 100644 Facetime.pcap create mode 100644 README.md create mode 100644 model/.DS_Store create mode 100644 model/DBhelper.py create mode 100644 model/DT.model create mode 100644 model/GNB.model create mode 100644 model/KN.model create mode 100644 model/LR.model create mode 100644 model/LightGBM.model create mode 100644 model/RF.model create mode 100644 model/SVM.model create mode 100644 model/__pycache__/DBhelper.cpython-36.pyc create mode 100644 model/__pycache__/benign_packetpredict.cpython-36.pyc create mode 100644 model/__pycache__/packet_predict.cpython-36.pyc create mode 100644 model/__pycache__/packetpredict.cpython-36.pyc create mode 100644 model/__pycache__/packetpredict_db.cpython-36.pyc create mode 100644 model/benign_packetpredict.py create mode 100644 model/feature_dict.npy create mode 100644 model/lgbm_packetin_model.pkl create mode 100644 model/lstm_packetpre.h5 create mode 100644 model/mlp_packetin_model.h5 create mode 100644 model/packet_predict.py create mode 100644 model/packetpredict.py create mode 100644 ms_topo_4s.py create mode 100644 product.py create mode 100644 ryu_predict.py create mode 100644 sdnData/.DS_Store create mode 100644 sdnData/.idea/deployment.xml create mode 100644 
sdnData/.idea/inspectionProfiles/profiles_settings.xml create mode 100644 sdnData/.idea/misc.xml create mode 100644 sdnData/.idea/modules.xml create mode 100644 sdnData/.idea/sdnData.iml create mode 100644 sdnData/.idea/workspace.xml create mode 100644 sdnData/__pycache__/manage.cpython-36.pyc create mode 100644 sdnData/db.sqlite3 create mode 100644 sdnData/empty_queue.py create mode 100644 sdnData/fronted/index.html create mode 100644 sdnData/fronted/static/css/app.07c67668b64ebb23ee45e7d43f702599.css create mode 100644 sdnData/fronted/static/css/app.07c67668b64ebb23ee45e7d43f702599.css.map create mode 100644 sdnData/fronted/static/css/app.4815b7c3a4f80bf42f96fd467ffc24d9.css create mode 100644 sdnData/fronted/static/css/app.4815b7c3a4f80bf42f96fd467ffc24d9.css.map create mode 100644 sdnData/fronted/static/fonts/element-icons.535877f.woff create mode 100644 sdnData/fronted/static/fonts/element-icons.732389d.ttf create mode 100644 sdnData/fronted/static/js/app.26466f4f0100f3982b23.js create mode 100644 sdnData/fronted/static/js/app.26466f4f0100f3982b23.js.map create mode 100644 sdnData/fronted/static/js/app.89c23420525650863e47.js create mode 100644 sdnData/fronted/static/js/app.89c23420525650863e47.js.map create mode 100644 sdnData/fronted/static/js/app.8ffe780b02f10627a5a9.js create mode 100644 sdnData/fronted/static/js/app.8ffe780b02f10627a5a9.js.map create mode 100644 sdnData/fronted/static/js/app.a8ce80b9fd33490a6759.js create mode 100644 sdnData/fronted/static/js/app.a8ce80b9fd33490a6759.js.map create mode 100644 sdnData/fronted/static/js/app.abf98c9558435dd46930.js create mode 100644 sdnData/fronted/static/js/app.abf98c9558435dd46930.js.map create mode 100644 sdnData/fronted/static/js/app.af1183b3ee472f11f7b4.js create mode 100644 sdnData/fronted/static/js/app.af1183b3ee472f11f7b4.js.map create mode 100644 sdnData/fronted/static/js/app.b4b72dfc32782ea363c1.js create mode 100644 sdnData/fronted/static/js/app.b4b72dfc32782ea363c1.js.map create mode 100644 
sdnData/fronted/static/js/manifest.3ad1d5771e9b13dbdad2.js create mode 100644 sdnData/fronted/static/js/manifest.3ad1d5771e9b13dbdad2.js.map create mode 100644 sdnData/fronted/static/js/vendor.7ca9674089226e98f741.js create mode 100644 sdnData/fronted/static/js/vendor.7ca9674089226e98f741.js.map create mode 100644 sdnData/fronted/static/msicon.ico create mode 100644 sdnData/manage.py create mode 100644 sdnData/ryu_predict.py create mode 100644 sdnData/sdnData/__init__.py create mode 100644 sdnData/sdnData/__pycache__/__init__.cpython-36.pyc create mode 100644 sdnData/sdnData/__pycache__/product.cpython-36.pyc create mode 100644 sdnData/sdnData/__pycache__/settings.cpython-36.pyc create mode 100644 sdnData/sdnData/__pycache__/urls.cpython-36.pyc create mode 100644 sdnData/sdnData/__pycache__/views.cpython-36.pyc create mode 100644 sdnData/sdnData/__pycache__/wsgi.cpython-36.pyc create mode 100644 sdnData/sdnData/product.py create mode 100644 sdnData/sdnData/settings.py create mode 100644 sdnData/sdnData/urls.py create mode 100644 sdnData/sdnData/util/__init__.py create mode 100644 sdnData/sdnData/util/__pycache__/__init__.cpython-36.pyc create mode 100644 sdnData/sdnData/util/__pycache__/redis_pool.cpython-36.pyc create mode 100644 sdnData/sdnData/util/redis_pool.py create mode 100644 sdnData/sdnData/views.py create mode 100644 sdnData/sdnData/wsgi.py create mode 100644 send.py create mode 100644 sflow-rt/.DS_Store create mode 100644 sflow-rt/app/browse-metrics/LICENSE create mode 100644 sflow-rt/app/browse-metrics/README.md create mode 100644 sflow-rt/app/browse-metrics/html/index.html create mode 100644 sflow-rt/app/browse-metrics/html/js/app.js create mode 100644 sflow-rt/app/flow-trend/LICENSE create mode 100644 sflow-rt/app/flow-trend/README.md create mode 100644 sflow-rt/app/flow-trend/html/css/app.css create mode 100644 sflow-rt/app/flow-trend/html/index.html create mode 100644 sflow-rt/app/flow-trend/html/js/app.js create mode 100644 
sflow-rt/app/flow-trend/scripts/inc/trend.js create mode 100644 sflow-rt/app/flow-trend/scripts/top.js create mode 100644 sflow-rt/extras/README create mode 100644 sflow-rt/extras/sflow.py create mode 100755 sflow-rt/extras/tail_flows.py create mode 100755 sflow-rt/extras/tail_log.py create mode 100755 sflow-rt/extras/topflows.py create mode 100755 sflow-rt/get-app.sh create mode 100644 sflow-rt/lib/jackson-annotations.jar create mode 100644 sflow-rt/lib/jackson-core.jar create mode 100644 sflow-rt/lib/jackson-databind.jar create mode 100644 sflow-rt/lib/jetty-http.jar create mode 100644 sflow-rt/lib/jetty-io.jar create mode 100644 sflow-rt/lib/jetty-rewrite.jar create mode 100644 sflow-rt/lib/jetty-security.jar create mode 100644 sflow-rt/lib/jetty-server.jar create mode 100644 sflow-rt/lib/jetty-servlet.jar create mode 100644 sflow-rt/lib/jetty-servlets.jar create mode 100644 sflow-rt/lib/jetty-util.jar create mode 100644 sflow-rt/lib/jgrapht-core.jar create mode 100644 sflow-rt/lib/maxmind-db.jar create mode 100644 sflow-rt/lib/netty.jar create mode 100644 sflow-rt/lib/org.json.jar create mode 100644 sflow-rt/lib/org.yaml.snakeyaml.jar create mode 100644 sflow-rt/lib/rhino.jar create mode 100644 sflow-rt/lib/servlet-api.jar create mode 100644 sflow-rt/lib/sflowrt.jar create mode 100644 sflow-rt/lib/snmp4j.jar create mode 100644 sflow-rt/resources/.DS_Store create mode 100644 sflow-rt/resources/api/api.yml create mode 100644 sflow-rt/resources/api/favicon-16x16.png create mode 100644 sflow-rt/resources/api/favicon-32x32.png create mode 100644 sflow-rt/resources/api/favicon.png create mode 100644 sflow-rt/resources/api/index.html create mode 100644 sflow-rt/resources/api/oauth2-redirect.html create mode 100644 sflow-rt/resources/api/swagger-ui-bundle.js create mode 100644 sflow-rt/resources/api/swagger-ui-bundle.js.map create mode 100644 sflow-rt/resources/api/swagger-ui-standalone-preset.js create mode 100644 
sflow-rt/resources/api/swagger-ui-standalone-preset.js.map create mode 100644 sflow-rt/resources/api/swagger-ui.css create mode 100644 sflow-rt/resources/api/swagger-ui.css.map create mode 100644 sflow-rt/resources/api/swagger-ui.js create mode 100644 sflow-rt/resources/api/swagger-ui.js.map create mode 100644 sflow-rt/resources/config/GeoLite2-ASN.mmdb create mode 100644 sflow-rt/resources/config/GeoLite2-Country.mmdb create mode 100644 sflow-rt/resources/config/logging.properties create mode 100644 sflow-rt/resources/config/oui.txt create mode 100644 sflow-rt/resources/html/css/app.css create mode 100644 sflow-rt/resources/html/index.html create mode 100644 sflow-rt/resources/html/js/app.js create mode 100644 sflow-rt/resources/inc/DataTables/css/dataTables.bootstrap4.css create mode 100644 sflow-rt/resources/inc/DataTables/css/dataTables.jqueryui.css create mode 100644 sflow-rt/resources/inc/DataTables/images/Sorting icons.psd create mode 100644 sflow-rt/resources/inc/DataTables/images/back_disabled.png create mode 100644 sflow-rt/resources/inc/DataTables/images/back_enabled.png create mode 100644 sflow-rt/resources/inc/DataTables/images/back_enabled_hover.png create mode 100644 sflow-rt/resources/inc/DataTables/images/details_close.png create mode 100644 sflow-rt/resources/inc/DataTables/images/details_open.png create mode 100644 sflow-rt/resources/inc/DataTables/images/favicon.ico create mode 100644 sflow-rt/resources/inc/DataTables/images/forward_disabled.png create mode 100644 sflow-rt/resources/inc/DataTables/images/forward_enabled.png create mode 100644 sflow-rt/resources/inc/DataTables/images/forward_enabled_hover.png create mode 100644 sflow-rt/resources/inc/DataTables/images/sort_asc.png create mode 100644 sflow-rt/resources/inc/DataTables/images/sort_asc_disabled.png create mode 100644 sflow-rt/resources/inc/DataTables/images/sort_both.png create mode 100644 sflow-rt/resources/inc/DataTables/images/sort_desc.png create mode 100644 
sflow-rt/resources/inc/DataTables/images/sort_desc_disabled.png create mode 100644 sflow-rt/resources/inc/DataTables/js/dataTables.bootstrap4.min.js create mode 100644 sflow-rt/resources/inc/DataTables/js/dataTables.jqueryui.min.js create mode 100644 sflow-rt/resources/inc/DataTables/js/jquery.dataTables.min.js create mode 100644 sflow-rt/resources/inc/base.css create mode 100644 sflow-rt/resources/inc/bootstrap.min.css create mode 100644 sflow-rt/resources/inc/bootstrap.min.css.map create mode 100644 sflow-rt/resources/inc/bootstrap.min.js create mode 100644 sflow-rt/resources/inc/bootstrap.min.js.map create mode 100644 sflow-rt/resources/inc/flow.css create mode 100644 sflow-rt/resources/inc/gauge.css create mode 100644 sflow-rt/resources/inc/img/favicon.png create mode 100644 sflow-rt/resources/inc/img/fieldsetbg.gif create mode 100644 sflow-rt/resources/inc/img/inmon.svg create mode 100644 sflow-rt/resources/inc/inmsf/li.gif create mode 100644 sflow-rt/resources/inc/inmsf/li1.gif create mode 100644 sflow-rt/resources/inc/inmsf/lihelp.gif create mode 100644 sflow-rt/resources/inc/inmsf/lihelp1.gif create mode 100644 sflow-rt/resources/inc/inmsf/loginedge.gif create mode 100644 sflow-rt/resources/inc/inmsf/logo.png create mode 100644 sflow-rt/resources/inc/inmsf/main.css create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-bg_flat_0_aaaaaa_40x100.png create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-bg_flat_75_ffffff_40x100.png create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-bg_glass_55_fbf9ee_1x400.png create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-bg_glass_65_ffffff_1x400.png create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-bg_glass_75_dadada_1x400.png create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-bg_glass_75_e6e6e6_1x400.png create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-bg_glass_95_fef1ec_1x400.png create mode 100644 
sflow-rt/resources/inc/jquery-ui/images/ui-bg_highlight-soft_75_cccccc_1x100.png create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-icons_222222_256x240.png create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-icons_2e83ff_256x240.png create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-icons_454545_256x240.png create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-icons_888888_256x240.png create mode 100644 sflow-rt/resources/inc/jquery-ui/images/ui-icons_cd0a0a_256x240.png create mode 100644 sflow-rt/resources/inc/jquery-ui/jquery-ui.min.js create mode 100644 sflow-rt/resources/inc/jquery-ui/jquery-ui.structure.min.css create mode 100644 sflow-rt/resources/inc/jquery-ui/jquery-ui.theme.css create mode 100644 sflow-rt/resources/inc/jquery.flow.js create mode 100644 sflow-rt/resources/inc/jquery.gauge.js create mode 100644 sflow-rt/resources/inc/jquery.min.js create mode 100644 sflow-rt/resources/inc/jquery.min.map create mode 100644 sflow-rt/resources/inc/jquery.stripchart.js create mode 100644 sflow-rt/resources/inc/jquery.widget.js create mode 100644 sflow-rt/resources/inc/popper.min.js create mode 100644 sflow-rt/resources/inc/popper.min.js.map create mode 100644 sflow-rt/resources/inc/stripchart.css create mode 100644 sflow-rt/resources/inc/stripchart.js create mode 100755 sflow-rt/start.sh create mode 100644 test-1.pcap diff --git a/.DS_Store b/.DS_Store new file mode 100644 index 0000000..ee8dc01 Binary files /dev/null and b/.DS_Store differ diff --git a/Facetime.pcap b/Facetime.pcap new file mode 100644 index 0000000..566440d Binary files /dev/null and b/Facetime.pcap differ diff --git a/README.md b/README.md new file mode 100644 index 0000000..c980552 --- /dev/null +++ b/README.md 
@@ -0,0 +1,43 @@
+
+# MSFlow:SDN流量防御和分流辅助器
+## 1.功能:
+ a)恶意软件流量识别,Cridex、Geodo、Htbot、Miuref、Neris、Nsis-ay、Shifu、Tinba、Virut、Zeus
+ b)正常应用流量识别,Facetime、Weibo、BitTorrent、FTP、Gmail、MySQL、Outlook、Skype、SMB、WordOfWarcraft
+ c)QoS
+ d)DDoS缓解
+
+## 2.代码说明
+# model/:分类器模型
+ model/datahelper/: 数据清洗
+ model/train/: 模型训练
+ model/packet_predict.py: 二分类器,正常流量和恶意流量区分
+ model/xxx.model: 二分类器模型训练保存结果
+ model/DBhelper.py: 二分类器所需的数据库存取操作
+ model/benign_packetpredict.py: 十分类器,十种正常应用流量识别
+
+# sdnData/: 界面启动目录
+# sflow-rt: sflow工具
+# ms_topo_4s.py: mininet拓扑构建脚本
+# send.py: 发包测试脚本
+# ryu_predict.py: ryu控制器app
+# product.py: 控制器和界面的交互接口
+
+## 3.运行说明
+ 注:环境中需要有ryu、mininet、mysql、python3、tensorflow、pandas等等,请按运行的错误提示自行补全安装。
+ 其中,tensorflow要求2.2版本以上,实验中用的2.3.0;django版本2.2(2版本和3版本不兼容);
+ 1)开启系统,进入sdnData/文件夹:python3 manage.py runserver 8081,打开浏览器访问127.0.0.1:8081查看界面是否开启;
+ 2)运行控制器:(假设已安装ryu),进入../ryu/ryu/app文件夹,将ryu_predict.py以及model/文件夹,放在该app/文件夹下;运行控制器:ryu-manager ryu_predict.py;
+ 3)运行sflow工具,进入sflow_rt/文件夹:sudo ./start.sh,在浏览器访问127.0.0.1:8008查看sflow服务端是否正常开启(具体的sflow配置可参考链接:https://blog.csdn.net/AsNeverBefore/article/details/79098971);
+ 4)好啦,这里我们可以用发包脚本发包来看一看程序运行的样子了:sudo python send.py(脚本内的待发送数据包可以自行修改,默认发送本文件夹下的test.pcap)
+
+ 6)常见问题:
+ (1)环境没有配置好,缺少东西
+ (2)自定义的类以及函数,在import过程中,不同的环境所需的路径不通,请按报错信息自行修改
+ (3)发包时出现数据包超过MTU值,通过命令修改mtu:ifconfig h1 mtu 9000
+ (4)使用sflow监听mininet中的流量,mininet中交换机端口本身没有IP,需要设置IP后才能作为监听端口,步骤如下
+ 启动minninet网络
+ sudo ifconfig ens33 0 up
+ sudo ovs-vsctl add-port s1 ens33
+ sudo ifconfig s1 10.0.1.10 netmask 255.255.254.0
+ sudo route add default gw 10.0.1.1
+ sudo ovs-vsctl -- --id=@sflow create sflow agent=s1 target=\"10.0.1.10\" header=128 sampling=10 polling=1 -- set bridge s1 sflow=@sflow
diff --git a/model/.DS_Store b/model/.DS_Store
new file mode 100644
index 0000000..48c8a60
Binary files /dev/null and b/model/.DS_Store differ
diff --git a/model/DBhelper.py b/model/DBhelper.py
new file mode 100644
index 0000000..476e5c2
--- /dev/null
+++ b/model/DBhelper.py
@@ -0,0 +1,163 @@
+import mysql.connector
+import sys
+
+
+class DBhelper(object):
+ """
+ 可能的问题:
+ 每次进行连接会不会造成时延呢?
+ 这里没有进行关闭喔
+ 一条数据一条数据的更新效率可能不高
+ """
+ def __init__(self, host='localhost', port=3306, user='root',
+ database="test"): # 构造函数
+ self.tablename = 'flow_feature'
+ try:
+ self.conn = mysql.connector.connect(user='root', host='localhost',password='password',
+ database='packetin_flow',buffered=True)
+
+ self.cursor = self.conn.cursor()
+ print('Connected', self.conn)
+ self.cursor.execute("SHOW TABLES")
+ except Exception as e:
+ print(e)
+ print('gg!')
+
+ def create_table(self):
+ print('Init table', self.tablename)
+ self.cursor.execute("DROP TABLE IF exists %s" % self.tablename)
+ self.cursor.execute("""CREATE TABLE %s (
+ `id` INT unsigned NOT NULL AUTO_INCREMENT,
+ `ipSet` varchar(128) NOT NULL,
+ `dst_port` INT NOT NULL,
+ `src_port` INT NOT NULL,
+ `flags` INT NOT NULL,
+ `window_size` INT NOT NULL,
+ `reason` INT NOT NULL,
+ `in_port` INT NOT NULL,
+ `min_len` INT NOT NULL,
+ `max_len` INT NOT NULL,
+ `means_len` FLOAT NOT NULL,
+ `pcapnum` INT NOT NULL,
+ `tagY` INT NOT NULL,
+ PRIMARY KEY (`id`)
+ ) ENGINE=InnoDB DEFAULT CHARSET=utf8""" % self.tablename)
+ return 1
+
+ def delete_table(self):
+ print('Delete table', self.tablename)
+ self.cursor.execute("DROP TABLE IF EXISTS %s" % self.tablename)
+ return 1
+
+ def execute(self, sql):
+ self.cursor.execute(sql)
+ rowcount = self.cursor.rowcount
+ return rowcount
+
+ def get_ipset_value(self, ipSet):
+ """
+ 查询函数
+ :param ipSet: 传入的是一个tuple类型的ipset
+ :return: 返回对应的dict,如果有多条记录只返回一条,如果查询失败返回0
+ """
+ ipSet_str = ' '.join(ipSet)
+ sql = """select * from %s where ipSet='%s' limit 1""" % (self.tablename, ipSet_str)
+ try:
+ # 执行SQL语句
+ self.cursor.execute(sql)
+ # 使用 fetchone() 方法获取单条数据.
+ data = self.cursor.fetchone() + except: + # 发生错误时回滚 + print('select error, now rollback...') + self.conn.rollback() + return 0 + this_feature = list(data) + this_feature.pop(0) # 把id和ipSet删了 + this_feature.pop(0) + return {ipSet: this_feature} + + def judgeIPset(self, ipSet): + # select 1 from tablename where col = 'col' limit 1 + # select isnull((select top(1) 1 from %s where `ipSet`=%s), 0) + ipSet_str = ' '.join(ipSet) + sql = """ + select * from %s where ipSet = '%s' limit 1 + """ % (self.tablename, ipSet_str) + out = self.cursor.execute(sql) + out = self.cursor.rowcount # 不知为何用execute的out不行 + if out: + print('ipSet in database.') + else: + print('Not in database, now insert...') + return out + + def insert(self, ipSet, feature_list): + """ + 插入数据进mysql + :param ipSet: + :param feature_list: 传入的数据是处理好pcapnum和tagY的 + :return: 0失败 1成功 + """ + ipSet_str = ' '.join(ipSet) + sql = """ + INSERT INTO {0} + (ipSet, dst_port, src_port, flags, window_size, + reason, in_port, min_len, max_len, means_len, pcapnum, tagY) + VALUES + (%s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s, %s) + """.format(self.tablename) + values = (ipSet_str,) + tuple(feature_list) + try: + self.cursor.execute(sql, values) + self.conn.commit() + print(self.cursor.rowcount, 'Insert successful', self.cursor.lastrowid) + # self.cursor.close() + # self.conn.close() + return self.cursor.lastrowid + except: + # Rollback in case there is any error + print('Insert error, now rollback...') + self.conn.rollback() + return 0 + + def update(self, feature_list, ipSet): + """ + 数据库中本身存在,更新预测结果 + :param feature_list: 传入一个list,已经更新好的喔 + :param ipSet + :return: + """ + ipSet_str = ' '.join(ipSet) + sql = """ + UPDATE {0} SET + `ipSet` = %s, `dst_port` = %s, `src_port` = %s, `flags` = %s, `window_size` = %s, + `reason` = %s, `in_port` = %s, `min_len` = %s, `max_len` = %s, `means_len` = %s, + `pcapnum` = %s, `tagY` = %s + where ipSet='{1}' + """.format(self.tablename, ipSet_str) + values = (ipSet_str,) + 
tuple(feature_list) + try: + self.cursor.execute(sql, values) + self.conn.commit() + return 1 + except: + # Rollback in case there is any error + print('更新失败,要哭了') + self.conn.rollback() + return 0 + + +if __name__ == '__main__': + """ + 需要先打开mysql服务,并确保有database名为packetin_flow + 在执行packetinpredict的时候,需要先建表 + mydb.create_table() + """ + mydb = DBhelper() + mydb.create_table() + out = mydb.execute(""" + select * from flow_feature where ipSet = '188.42.254.65 10.0.2.107' limit 1 + """) + print('rowcount: ', mydb.cursor.rowcount) + # mydb.delete_table() diff --git a/model/DT.model b/model/DT.model new file mode 100644 index 0000000..040d4cd Binary files /dev/null and b/model/DT.model differ diff --git a/model/GNB.model b/model/GNB.model new file mode 100644 index 0000000..070dbfa Binary files /dev/null and b/model/GNB.model differ diff --git a/model/KN.model b/model/KN.model new file mode 100644 index 0000000..80ef4bc Binary files /dev/null and b/model/KN.model differ diff --git a/model/LR.model b/model/LR.model new file mode 100644 index 0000000..f46ac0b Binary files /dev/null and b/model/LR.model differ diff --git a/model/LightGBM.model b/model/LightGBM.model new file mode 100644 index 0000000..e88b3c0 Binary files /dev/null and b/model/LightGBM.model differ diff --git a/model/RF.model b/model/RF.model new file mode 100644 index 0000000..3227608 Binary files /dev/null and b/model/RF.model differ diff --git a/model/SVM.model b/model/SVM.model new file mode 100644 index 0000000..00a21c8 Binary files /dev/null and b/model/SVM.model differ diff --git a/model/__pycache__/DBhelper.cpython-36.pyc b/model/__pycache__/DBhelper.cpython-36.pyc new file mode 100644 index 0000000..a7f9c88 Binary files /dev/null and b/model/__pycache__/DBhelper.cpython-36.pyc differ 
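Review bot: The WHERE clauses in `get_ipset_value`, `judgeIPset` and `update` splice `ipSet_str` into the SQL text with `%`/`.format` string building, while `insert` in the same class already hands its values to `cursor.execute` as a parameter tuple; the ipSet tuple is joined from caller-supplied strings (going by the module name presumably derived from packet-in headers, which is not verifiable from this hunk), so any quote character in it breaks or rewrites the query. Parameterize the three lookups the way `insert` does, e.g. `sql = "select * from %s where ipSet = %%s limit 1" % self.tablename` followed by `self.cursor.execute(sql, (ipSet_str,))`, and in `update` drop `ipSet_str` from the `.format(...)` call in favour of `where ipSet=%s` with `ipSet_str` appended to the `values` tuple. Separately, `__init__` ignores its own `host`/`port`/`user`/`database` parameters and connects as `root` with the literal `password='password'`, which commits a database credential to the repository; use the parameters and read the secret from the environment (`os.environ["PACKETIN_DB_PASSWORD"]`, with an `import os`) instead. In `get_ipset_value`, `fetchone()` returns `None` when no row matches and the subsequent `list(data)` runs outside the `try`, so it raises `TypeError` rather than the documented `0`; add `if data is None: return 0` before building `this_feature`, and narrow the bare `except:` clauses there and in `insert`/`update` to `except mysql.connector.Error:` so a `KeyboardInterrupt` is not silently turned into a rollback.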
diff --git a/model/__pycache__/benign_packetpredict.cpython-36.pyc b/model/__pycache__/benign_packetpredict.cpython-36.pyc new file mode 100644 index 0000000..3f9caa5 Binary files /dev/null and b/model/__pycache__/benign_packetpredict.cpython-36.pyc differ diff --git a/model/__pycache__/packet_predict.cpython-36.pyc b/model/__pycache__/packet_predict.cpython-36.pyc new file mode 100644 index 0000000..9e06fff Binary files /dev/null and b/model/__pycache__/packet_predict.cpython-36.pyc differ diff --git a/model/__pycache__/packetpredict.cpython-36.pyc b/model/__pycache__/packetpredict.cpython-36.pyc new file mode 100644 index 0000000..f883aa0 Binary files /dev/null and b/model/__pycache__/packetpredict.cpython-36.pyc differ diff --git a/model/__pycache__/packetpredict_db.cpython-36.pyc b/model/__pycache__/packetpredict_db.cpython-36.pyc new file mode 100644 index 0000000..fec8018 Binary files /dev/null and b/model/__pycache__/packetpredict_db.cpython-36.pyc differ diff --git a/model/benign_packetpredict.py b/model/benign_packetpredict.py new file mode 100644 index 0000000..ff5e4d2 --- /dev/null +++ b/model/benign_packetpredict.py 
@@ -0,0 +1,75 @@ +# -*- coding: utf-8 -*- +from keras.models import load_model +from keras.preprocessing.sequence import pad_sequences +import numpy as np +import sys +import os + +os.environ['KMP_DUPLICATE_LIB_OK'] = 'True' + +max_len = 100 + +lstm_model = 'model/lstm_packetpre.h5' # lstm参数更多,准确率更高 +mlp_model = 'model/mlp_packetin_model.h5' # mlp参数少一点,速度更快 + + +class BenignPacketData(object): + """ + 目的:用单个包(不是流)对10种良性应用进行分类,只能针对这10种 + 注意:调用的时候如果与预期不符,则多半是编码问题。检测self.data看看与输入是否一致 + 对应关系如下 + 0 Facetime + 1 BitTorrent + 2 WorldOfWarcraft + 3 FTP + 4 MySQL + 5 Skype + 6 SMB + 7 Gmail + 8 Weibo + 9 Outlook + """ + def __init__(self, msg, modelpath=mlp_model): + self.data = self.getdata(msg) + self.model = load_model(modelpath) + self.lable_list = ['Facetime', 'BitTorrent', 'WorldOfWarcraft', 'FTP', 'MySQL', + 'Skype', 'SMB', 'Gmail', 'Weibo', 'Outlook'] + + def getdata(self, msg): + # s = str(msg.split(",")[6].encode('utf-8')).split("=")[1].strip("'").strip('"') + msg = str(msg.encode('raw_unicode_escape')).strip('b\'') + s = msg.split(",")[6].split("=")[1].strip("'").strip('"') + data = [int(hex(x), 16) for x in bytes(s, encoding="utf-8")] + return data + + def predict(self): + x_data = np.array(self.data) + x_data = x_data.flatten()[None] # 变成这样[[]] + x_train = pad_sequences(x_data, maxlen=max_len) + # x_train = pad_sequences(x_data, maxlen=max_len, padding='post', truncating='post') + predict = self.model.predict(x_train) + # predict_classes = self.model.predict_classes(x_train) + # print('classes: ', predict_classes) + predict = np.argmax(predict) + return predict + + def predict_classes(self): + num = self.predict() + return self.lable_list[int(num)] + + +if __name__ == '__main__': + # Outlook: 9 + line1 = "version=0x4,msg_type=0xa,msg_len=0x5ed,xid=0x0,OFPPacketIn(buffer_id=4294967295,cookie=0,data='\x02\x1a\xc5\x01\x00\x00\x02\x1a\xc5\x02\x00\x00\x08\x00E\x00\x05\xb1\xc3\x00@\x00 \x06Lw\x01\x025*\x01\x01\x0e\xa3\x01\xbb\x85\xe5ur\xfb\xce 
\xea71\x80\x18T\xd8\xd4\xd6\x00\x00\x01\x01\x08\n\x1e\xb5QU\r=\x07\x8a\x17\x03\x00\x05x^\xaa^a\xdb\x89v\xa9p\x80\x01\x82\x04j\xe9{4\x18w\xfaf\xfd\xe6\xe2sh;F\x07\xa0a`\xf4\x14\xab!\xa2Vg\xd8\xb0_9$vMD4\xd96\xea\x1d\x08hf\xc9\xe6\x90\xaenwE\xb6Km/\xad\x17\xee]\xaf\xb8\x19\x1fla\x10\x99*a\xc4!#\x14}\xedV\xd3\xf8\xffy\xe5\xddG\'\x05\xb6\x85\xf2\x86X\xd8.\x96\x97\x10O\xd8\xda\xbcPJW\x19k\x08\xad\xeco\xd5\xbb|X\xb6\x90\xab,\xc3\\\x0c[\xd2\x15\x83\xf2-\xe2(8\x1fq\xf6Ovj\'>\xedV( \x93\x93\x80t\x1c{\xcd\xecj\x98\x8e\x863\x17.@65=\xa9\x100\x91\x06\xfc\xea\xab\xbb\x12L\\q d\x1d\xd9\xb1\xd5\xcb\xc1\xae\xab\xe1p\xb6\xb2\xaf\xf9\xd4}$\x16\xc8n}\xccs\xfe\x10\x00\x7f\xba\xd4\xea\xd4\xa6\x83m@7\xc0+\xe9\xc5\x8bb<5\x9f\x92\xce\xae\x1b2j^P\x8e\xa6\x9a\x14O\xf3\xbc\x12p\xf1""\xd5u\xa9/_\x13\xc2\xf1\xb3\xa3R\x8d\xbd(Q}d@\xa6+\xd7\x85\x91H\xb2l\x0e\x1a\xb5(\xefj?6\xf1\xf4\x81n:\x94\xedn0\x94+\x03L\x82\x06\xb9\x8d\xaa\x08&\x03m\xa4!G\xc5\x80\x1bQv\x03n+\xd1\x98)\xe4\xb7\xd1\xadm\x15w\xbe5A\xa0_Uer)k\xcfS\x02\xf3n\x0b\xfbs\xe1B\xf0i\xf3\xabu\x16\xb6F""\xd2\xee\xf90\xe5\x133\xa4\xdd\x81\xf1wr\x94\xfc%1d\xaf]\xa0E\x99G\x8a\xe4\x9e\x0e\x1b\xe7""\xa57\xf7\xdd[\xe1V$\xf7\xd8\xf8\xe3\x82\xf3\xd8\xbd\xfdT\xbf\x94\xaa\xae\x97\xa1\x1d\xcb\xf9\'\xce\x82x\xc3\x81\xa0\xa7X1\x1b\xacVW\xcc\xfd\xc44\x96\xf5\x15R\xf1}_\t\xc4\xc20*2\xa9\xcf\xad\x7f\xfd\xb5\x83\xcf\xeaB\x05\xf2\xacq\xfft\xfe|L(U\xcc\xe6Lq\xd5\x9fCe\x1ec\x8b\xbc\xdbzr:\xab\xa2;\x1a\xa7\xe8\x9e\xdcf1Ig\xfe\x86%\xf6)\x80\x9c\xbb\xa7|(f\x13\xa0\xbc\x9d\xe7\xc3lf\xd3\xf7\xdc\xb2O\xba\xd0\x81\xf3\xeb]&\xa5BK:\xc0@eW\t]%\xa1\t\xf0LQ\'\x9c\xf9bj\x01\xaag5*W\xb7&g\xe2\xb8\xd8g\xf6\xc8/55Av\xe0\xa5\x81\x1b\xe7\x99vH_\xadon\x98\xe8\x070\x9f\xb7\xbd\xfa\xe3:\x7f\x02\x10V\xa7\xb2o\xaa-\xfa\x9d\x96\x1f\x80V\xd4\xbd\xfb\x91\x10\xdam;\x9e\xe4\x04\x8b\x87L\xfd\xbcR\x86\xccK\xe1e\x06Y\x93\x18\xf4\x05\x8d\xe1q\xdav\xa2]\xb7\x00\xaem\xa2\xe8\xee\x1fL\xc8l\x95\x8apx\x1d\xd6\x8f\xd3\xce\x8c\xf3\xf3\xf55\xb3\x0b\xa5\xc1\xc9>\x95\x9c\xc0\xd5\xf4\xf4\xe5\x90\xee\x
cc\x8c\xbc\x1a\xa6\xacX\x05\xc1\xbe\xe4*\x8cr\x7f\xa2\xaeY \xa4\x1de\xb5\x00\x8fvmr^R\xady\x8e\x00\\h\xec\xa8\xb7\x9a;\xe2\x8fQ""\x1bx\xce>\x12\xaf\xc9\x92O\xd3>\xfc\x89\xe4\xa4""4S\xeey7D\xf9!\xcf)\xcf\x04^\xd6\xb8XC\x9f\x13\xeehP\xbc@0\xf7\xb8<\xdb\xa9\rHX\x95\xf9.2\xabd\xdek\xac4\x89\xa2\x90\r\xdb#\x10\x15\x88\xc0\xb5`\xeb+\x12\x16G\x96\x97\x1f\xe9)X\xaa\xf5\xc3\xb7\xb3T\xbc cS\xeeY\xc5U\x1c~\x18;\xabqZ:\rL\n\x1cX0\x03\x12\xd5\x9dE\x8b\xd9E\xaf\xb2\xd4u\x8d\x05\xc2\xe0\x83d\x1f\x96\x13r\x91\x89McG\xa1\xf5\x8c`\xa9\xf1t\x9f\xe96m\xcd\xa2\xfc\xbfw\xde\x06\xb9\x0fE\xa7K\xec\x17\xef2~i@[\x9d\xfa;\xf7\x9d\xa8P=\xc5s\x0cWX-\x02 1\xfd\xcd\x85\xb1\xaf\xf2yN\xdc\xf3\xd7\xc4\x86\x91\xd3\xf9\xb5\xa2\xde@wO\x0bLA\xb2MD:\x17)H\xe6>\x92\\\xed\xe5\xab\xaa\xf3\xda\x98\x16^>Lg\x96\xd2\xdc\x9b\xa9\xad\x85\x9b\xf4\x1e""\x9a\xa8\xeb\xdc\tT$*\xb2\x1c_\xe3\xbe\xe5U\xf2T\xcc\xcd\x99\xeb\xa9\xeeS=t\x80\xce\x0c\xf8T\x0b\xaf\xfb\xd7\xf5\xa3H\xc5\x82\xb3|\';,\x93\x14\x0ci\x0c\x06\x82gc\xf8c\x82`\x96\xcdB\x02_\xe4\xc9\xa8\xff\xcc\xa6W\x9aQ\xb6K\xae~%\x9f\x9a[W3Kr\xd1Wc\xb7L\x81X=-:\x9f|Is\x80z\xbf\x1f\x84\xcc\xff\xa1\xca\xad\x14\xaa\x08\x8bt\x99=\\\tgD\xcc=b\x12.\x9d\xcd\xa0,}\\\x1f\x8f\xafG\xda&E\x7f\xfb\xf8\x937\x93\xceX\xd1\x14\xd5\x0f\xb4\xd0\xf3N\xf1/\xcc\x95\x18\x1e\xcdP\xb4\x91<\xa3x\x81\xe7d\xfd\x80\xcf\xeb\xd4\x1a0\xeb\xf5[\xee\xe4J\xac*5\xc9\xffI\x9dO\x12\xa3\xd3\\\x18\x8chcc\x11fz\xb4\xc7sM=c\x97\r\x0e\x84\x81\xd1\x8a\xe74&\x91\x17_\xbe\t\xd5\xf2\x06O\x05\x9a\xec\x08T\xf0\x1d\x88=\xffh\xcb\xcd\x93\xd5""\xbcF\xc1\x15\xc4N\x8aT\xe0\xd4\xb6:\x08z\xcf\x1d\xeb\x97\x92\x1d\t\xea\x970\xf9)\xdb\x83^\xfb\xe5\xdfE\xcf\x88\xe8K\xc7\x1f0f+\xc9\xdaKf\xdbr\xc8R\x87\xf5\xc9\x86p\xc1\xea\x1bD\xee\xd3\xcdg\x8c\x06c\x00\xf1\xe5~/U\x9f\x1d\xa5\x0e\xd4n\x9a\x0e\x99\x0c\xce\x8b\xee\x82\x94\xf1\x96\xe6\xfe\x02g)\xe2X\x90H;\xdc\xd0',match=OFPMatch(oxm_fields={'in_port': 1}),reason=0,table_id=0,total_len=1475)" + thispacket1 = BenignPacketData(line1) + print('测试1:', thispacket1.predict(), 
thispacket1.predict_classes()) + + # WorldOfWarcraft: 2 + line1 = "version=0x4,msg_type=0xa,msg_len=0x74,xid=0x0,OFPPacketIn(buffer_id=4294967295,cookie=0,data='\x02\x1a\xc5\x02\x00\x00\x02\x1a\xc5\x01\x00\x00\x08\x00E\x00\x008\xda\x19@\x00 \x06\xc8\xc5\x01\x01$\xae\x01\x02\x910\x96\xcd\x0e\x8c\xe5\xfb\xa3\x94\x00\x00\x00\x00\x90\x02\x16\xa0?\x12\x00\x00\x02\x04\x05\xb4\x01\x01\x08\n\xf5m-$\x00\x00\x00\x00\x89\xc8 \xd5',match=OFPMatch(oxm_fields={'in_port': 1}),reason=0,table_id=0,total_len=74)" + thispacket2 = BenignPacketData(line1) + print('测试2:', thispacket2.predict(), thispacket2.predict_classes()) + + # Skype: 5 + line1 = "version=0x4,msg_type=0xa,msg_len=0x2ca,xid=0x0,OFPPacketIn(buffer_id=4294967295,cookie=0,data='\x02\x1a\xc5\x01\x00\x00\x02\x1a\xc5\x02\x00\x00\x08\x00E\x00\x02\x8e\xc6\x87@\x00 \x06Ja\x01\x02l\xea\x01\x01\xd8\x94\x01\xbbq\xa6f\xc6H|\xe6\xe5\xecZ\x80\x18I\x88G\xc0\x00\x00\x01\x01\x08\n!\xa0\x9b\xf7\x02\xf8\xd5\xbe\x16\x03\x00\x007\x02\x00\x003\x03\x00W\x94I\x0e_\xa4\x15I_X\x15S\xdfS\x15L_\xa4\x15k\xdf\x84\x15p_\xa4\x15y_\xa4\x15\x98\x00\xc0\x14\x00\x00\x0b\xff\x01\x00\x01\x00\x00\x0b\x00\x02\x01\x00\x16\x03\x00\x01\x90\x0b\x00\x01\x8c\x00\x01\x89\x00\x01\x860\x82\x01\x820\x82\x01,\x02\x01\x010\r\x06\t*\x86H\x86\xf7\r\x01\x01\x05\x05\x000H1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x0e0\x0c\x06\x03U\x04\x08\x13\x05Texas1\x110\x0f\x06\x03U\x04\x07\x13\x08ServerCA1\x160\x14\x06\x03U\x04\x03\x14\rserver_ca.int0\x1e\x17\r100204221041Z\x17\r370622221041Z0P1\x0b0\t\x06\x03U\x04\x06\x13\x02US1\x0e0\x0c\x06\x03U\x04\x08\x13\x05Texas1\x100\x0e\x06\x03U\x04\x07\x13\x07Servers1\x1f0\x1d\x06\x03U\x04\x03\x14\x16serverA_512.server.int0\\0\r\x06\t*\x86H\x86\xf7\r\x01\x01\x01\x05\x00\x03K\x000H\x02A\x00\xacY;\x9e\x8c\x1fp\xccw\x99\xb3\x07\t\x86<\x85#\x8a \x8c?\x1b\xa21\xddn\xec\x15%u\x8f\'H/\xfc\x83y""\x97\xcf\x1f\xbf\xa0Y\x88\xb05\xf7\x95""\n{\xd7|}\x15t\xb0\xaf\x9e? 
\xad)\x02\x03\x01\x00\x010\r\x06\t*\x86H\x86\xf7\r\x01\x01\x05\x05\x00\x03A\x00\x97\xdf\xb0\xa3\xea\x06\x9a\xd4\x19\xe1\x84tT,\xa8le\xc2W:\n\x15%\xb87~\xb3\xa2\x83\x8d\x00\x8a \xccq]\xb1\x0cU\x16\x84\xae\x02\xa0\x8e\xe1.%\xcah\x8eP\xb1(H\xd8P[\x95\xbe(\xbf\xf6\xf5\x16\x03\x00\x00{\x0c\x00\x00w\x03\x00\x131\x04_\x84\x90\x80\xd5B\xcee\x89\xf2\xc1\x90\x0f\xf1L""\xa6\xcdh\xf1\xb1\xd9\xfe\xa4\xd3\xb5:%\xea\xcb@\xd9NR\x05\x1d@\x8f\xfaS\x1c\xda\x95]\x82\x0b\xba/\x00@v\xd1Z\x15\x8d\x1d\r!\xe9C\xb3\xc2\xaeR\xddG\x8c\xe2\x9d\x89\x81V\xc0\x9b\xa4\x1d\x1a\x94\xd4\x9f\x8f2H\x96\xb1oO^{\x03\xfc(:\xc3\x10\xd2\xa7\x1b\x89P:\xd6\xcd\xb1\x7f.\x8f\xf0\x9a\x97hH\xde\\\x16\x03\x00\x00\x04\x0e\x00\x00\x00\xe2\x957\x9b',match=OFPMatch(oxm_fields={'in_port': 1}),reason=0,table_id=0,total_len=672)" + thispacket3 = BenignPacketData(line1) + print('测试3:', thispacket3.predict(), thispacket3.predict_classes()) diff --git a/model/feature_dict.npy b/model/feature_dict.npy new file mode 100644 index 0000000..d312e18 Binary files /dev/null and b/model/feature_dict.npy differ diff --git a/model/lgbm_packetin_model.pkl b/model/lgbm_packetin_model.pkl new file mode 100644 index 0000000..6f780b4 Binary files /dev/null and b/model/lgbm_packetin_model.pkl differ diff --git a/model/lstm_packetpre.h5 b/model/lstm_packetpre.h5 new file mode 100644 index 0000000..59d12bb Binary files /dev/null and b/model/lstm_packetpre.h5 differ diff --git a/model/mlp_packetin_model.h5 b/model/mlp_packetin_model.h5 new file mode 100644 index 0000000..11d8da3 Binary files /dev/null and b/model/mlp_packetin_model.h5 differ diff --git a/model/packet_predict.py b/model/packet_predict.py new file mode 100644 index 0000000..fc4254a --- /dev/null +++ b/model/packet_predict.py 
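Review bot: In `getdata`, `msg.split(",")[6].split("=")[1]` cuts the OFPPacketIn data at the first `,` or `=` byte that occurs inside the packet itself (the Outlook sample in this hunk contains both, `\r=\x07` early and `\xab,\xc3` later), so the classifier only ever sees a short, sender-controllable prefix of the payload, and any repr without a data field at that position raises IndexError out of the constructor; if the training pipeline used the same truncation that should be stated in a comment, otherwise extract the field with `m = re.search(r"data=(.*),match=OFPMatch\(", msg)` and raise `ValueError` when `m` is `None`. `__init__` also calls `load_model(modelpath)` on every instance and the test code builds one instance per packet; if the controller path does the same (its caller is not in this hunk), every packet-in pays a full Keras model load, which is a cheap resource-exhaustion vector — load the model once at module scope and pass it in. A comment above `lstm_model`/`mlp_model` should say that `load_model` deserializes whatever layers and custom objects the .h5 declares, so only trusted, integrity-checked files belong in `model/`. Minor: `int(hex(x), 16)` is the identity on an int, so `data = list(bytes(s, encoding="utf-8"))` reads the same.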
@@ -0,0 +1,138 @@ +# author:jph +# date:2020.09.27 + +import joblib,csv,re,os +import numpy as np +from collections import Counter + +# 一整条流的特征 +class Flow: + all_flow = {} + def __init__(self,ipSet): + self.ipSet = ipSet + self.packet_num = 0 + self.min_len = 1e9 + self.max_len = -1 + self.total_len = 0 + + def add_new_packet(self,pkt): + self.packet_num += 1 + self.min_len = min(self.min_len,pkt.len) + self.max_len = max(self.max_len,pkt.len) + self.total_len += pkt.len + self.protocol = int(pkt.protocol) + self.dst_port = int(pkt.dst_port) + self.src_port = pkt.src_port + self.flags = pkt.flags + self.window_size = pkt.window_size + self.in_port = pkt.in_port + + + def get_feature(self): + assert self.packet_num != 0 + average_len = self.total_len/self.packet_num + feature = [ + #self.protocol, + self.dst_port, + self.src_port, + self.flags, + self.window_size, + self.in_port, + self.max_len, + self.min_len, + average_len, + self.packet_num + ] + return feature + + def print_feature(self): + print(self.get_feature()) + + + +#model_list = [] +# 一个数据包的特征 +class PacketData(object): + def __init__(self,msg,pkt): + if 'TCP' in pkt: + self.protocol = 1 + self.window_size = re.search(r'window_size=\d{1,10}', pkt).group().split('=')[1] + else: + self.protocol = 0 + self.window_size = 0 + try: + self.ipSet = ":".join(re.findall(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b", pkt)) + self.dst_port = re.search(r'dst_port=\d{1,5}', pkt).group().split('=')[1] + self.src_port = re.search(r'src_port=\d{1,5}', pkt).group().split('=')[1] + self.flags = re.search(r'flags=\d{1,3}', pkt).group().split('=')[1] + self.reason = re.search(r'reason=\d{1,10}', msg).group().split('=')[1] + self.in_port = re.search(r'\'in_port\': \d{1,5}', msg).group().split(': ')[1] + self.len = float(re.search(r'total_len=\d{1,5}', msg).group().split('=')[1]) + if self.ipSet not in Flow.all_flow: + Flow.all_flow[self.ipSet] = Flow(self.ipSet) + Flow.all_flow[self.ipSet].add_new_packet(self) + except: + self.ipSet 
= None + # do nothing + def predict(self,model_list): + if self.ipSet is None: + return 0 + ''' + if Flow.all_flow[self.ipSet].packet_num < 3: + # 如果当前流的包数量小于3,则默认返回Benign + return 0 + ''' + res = [] + print(model_list) + for model in model_list: + res_ = model.predict(np.array([Flow.all_flow[self.ipSet].get_feature()]).astype(np.float64))[0] + res.append(res_) + c = Counter(res) + #print(res) + try: + return c.most_common(1)[0][0] + except: + print(c) + return 0 + + +def read_csv(path,csv_name): + print("reading",csv_name) + #this_flow = Flow(csv_name[:-3]) + csv_name = path+'/'+csv_name + with open(csv_name, 'r') as f: + while True: + line1 = f.readline().strip() + line2 = f.readline().strip() + if not line2 or not line1: + break + #print(line1,'\n--------------\n',line2) + thispacket = PacketData(line1,line2) + print(thispacket.predict()) + + +if __name__ == "__main__": + model_namelist = ["DT.model","RF.model","LightGBM.model"] + model_dir = "model/" + for model_name in model_namelist: + model = joblib.load(model_dir+model_name) + model_list.append(model) + #read_csv("./Malware/Test/Geodo-ALL","Geodo.csv.TCP_10-0-2-103_65245_192-185-210-237_80.csv") + #read_csv("./Malware/Test/Virut-ALL","Virut.csv.TCP_24-222-0-23_25_147-32-84-165_2703.csv") + + #Flow.all_flow = {} + # 来自恶意样本Shifu + line1 = "version=0x4,msg_type=0xa,msg_len=0x6c,xid=0x0,OFPPacketIn(buffer_id=343,cookie=0,data=""RT\x00\x125\x02\x08\x00'\xc1v\xc3\x08\x00E\x00\x004\x002@\x00\x80\x063\xbb\n\x00\x02k\xbc*\xfeA\xc0\x0e\x01\xbb\xf1\x1e=2\x00\x00\x00\x00\x80\x02 \x00\x98$\x00\x00\x02\x04\x05\xb4\x01\x03\x03\x02\x01\x01\x04\x02"",match=OFPMatch(oxm_fields={'in_port': 1}),reason=0,table_id=0,total_len=66)" + line2 = "ethernet(dst='52:54:00:12:35:02',ethertype=2048,src='08:00:27:c1:76:c3'), ipv4(csum=13243,dst='188.42.254.65',flags=2,header_length=5,identification=50,offset=0,option=None,proto=6,src='10.0.2.107',tos=0,total_length=52,ttl=128,version=4), 
tcp(ack=0,bits=2,csum=38948,dst_port=443,offset=8,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1460), TCPOptionNoOperation(kind=1,length=1), TCPOptionWindowScale(kind=3,length=3,shift_cnt=2), TCPOptionNoOperation(kind=1,length=1), TCPOptionNoOperation(kind=1,length=1), TCPOptionSACKPermitted(kind=4,length=2)],seq=4045290802,src_port=49166,urgent=0,window_size=8192)" + thispacket = PacketData(line1, line2) + thispacket = PacketData(line1, line2) + print('测试1:', thispacket.predict()) + #print(thispacket.predict_npy()) + + # 来自良性样本weibo + line1 = "version=0x4,msg_type=0xa,msg_len=0x618,xid=0x0,OFPPacketIn(buffer_id=4294967295,cookie=0,data='\x02\x1a\xc5\x01\x00\x00\x02\x1a\xc5\x02\x00\x00\x08\x00E\x00\x05\xdc\x7f\xf3@\x00 \x06\xcdH\x01\x02\xf3i\x01\x01\x12t\x00PL$\xee\xe1\xd1\x1d\x86\xf8\xc8\xe8\x80\x10!\xf0\x9f\x19\x00\x00\x01\x01\x08\n\x1d\x16\xdc\xd9\n\xf7\xf8\xd7ke\xda\x92^\xcag\x94\x8fB\xed\x92}\xbd)8>\x83[\xdd\x9f""|A\xd6/|O\xe3\xfb\xad#M_\x1e\xc0n\xef\xe0\xd3e\xba\xb0E\x86\xce\xc0DD\x8d2\x16\xea\xaf\x9c1\xef\x83^\xaf\xe2D\xb5\xbb\xb1\x92\xca\xf1V\xee\xdeX\xcc2$\x83p\x90\x11\x83\x9f\xad{\xac\x9f\x08-%\x18:\x95\xc0\xfa*\xd6e\xcf\xc0M>\xe5\xf7\x9dR\xe5\x089\x1f""\xd62\xa7.\x88\xd1K\xb9\xf1\x87\xc3M\x1b\xfe\x10\xebI\xb4%\x99\xa7\xb4\xd3\xaee\xb7\xb6\'\x92\xb0\x86\xca.{\xed\x07\x1f\x85z\xbe\x96\xdb\x9e28\x07\x91^\x8b\xa4~\xc8\x9av\x99\xbc\xc9\xe2mB\xe6i$y^G\x89\x06K\x12k\xa8\xb3\xfd\x9d\xb4\xeb0\xbbu\x8b\xa6#\xa6Qk\xcbx:\xb2\x9b\x95\x8feb\xe9F\x11\x8a{\x1c>\x9cCF=\xaa\xcb\r\xc4\xf3\xc5zD?\x06\xac\xe2\x00\rJ\xe0\xff\x00\xc0\x16\xa5\x1f\x08\xac\xc0#\xfbBs\xf5QW\x1c-U\xd0\xceX\xaaL\xf2\xc5\xf9%\xc7\x1fZ\xb0b\xde\xb9\x07\x18\xafF\x1f\x06\xed\x03n\xfe\xd1\x9c\xe7\xb1E\xa9G\xc2K@1\xf6\xf9\xbf\xef\x85\xae\x8faW\xb1\x9a\xc4Au<\xde 
y\xe7""\xa5M\xea\x8c\xc4c\x8a\xf4t\xf8Sh\x83\x1fo\x9c\xff\x00\xc0EK\xff\x00\n\xc2\xd4\xa9_\xb6\xcd\xcf\xfb""\xab\xd8N\xfb\x12\xf1\x14\xdfS\xc7\xe7\xba\x0cOPEb\xdc\xcc\x1eL\xee?\x8d{|\x9f\x07\xacd\x07\x17\xf3\x8c\xff\x00\xb0\xb5JO\x81\x9a|\x9c\xb6\xa3?\xfd\xf0\xb4K\r6\xcd#\x8b\xa6\x91\xe2s\x12\xe9\x9e\x13\xd0\xac\xb4\x9d:W\x86\xc6\xd2%\x86(\xd5F\x02\x8e\x94\xcd_\xe1>\x9f\xab\xdc\xd9\xdd}\xaeX.\xed$\xf3""\x9e5]\xc0te>\xa0\x8e\rn\xa6\xb61T\xda>i\xf8\x8bc\xaax\xb2\xfa\xebG\xd4c\xb7Y\xad\xe2Kx\xa5\x132-\xe3\x1f\x98\xb9P>PWw\x198 \xd7\xa3\xf8gD\xb0\xd0\xfc;kk\x13\xed\x10\xa0DfbO\x07\x1f\x96+\xac\xb8\xfd\x9e\xad.\xbcYw\xae\\k\xb7\xb3K3\x83\x1c\x0c\x8b\xb2\x15\x08\x17j\xfe\xa7\xf15v\xe7\xe0\x7f\x9byk,\x1e \xbb\xb5\x86\x16\xdd$)\n\x11(\xf4$\xf2?\n\x1c\xd3\xd8\xc7\xd9J\xe7\x95|Q\x97AO\x08\xca\xba\xca\xc1>\x92\xe0\xa5\xcaO\xbb\r\xc7\x00\xe0\x1c\x0e\xbc\xd7\x8a^i\x7f\x03\xbe\x1cxwG\xd2\xc5\xc0\xd2$\xd5e\xfbm\x8c\xe1\xc9*\xfb\xc6>n\xc3\x04\xd7\xdaR|\x1e\xb0\x9a\x06\x8ak\xb9&\x8d\x86\nI\x1a\x90\x7f\n\xe2|]\xfb\x1b|=\xf1\xd5\xc5\x9c\xfa\xce\x9a\x97r\xd9\x8cBLJ\x02\x0c\xe7\x00\x0e\xde\xd4)E\x15\xec\xe4|\xf5\xf03\xc3gQ\xf8\x8f\xe2\x7f\x16]\xea\xeb}{\xbc\xd9\x08\xa29O(\x1f\xdd\xb8\xf7+\x8a\xfa\x1f\xe0\xfe\xbe\xda\x97\xc5\x9dsOG\x06\x0b\x1d60\xc3\xfd\xb6\x93?\xca\xafx\x7f\xf6c\xf0\xff\x00\x855\xeb\x9dKJ\xbb\x9a\xc5nc\x11\xcbm\x12(C\x8e\x87\xd8\xe2\xbao\x00\xfc!\xb2\xf0\x17\x8a5\xcdn\x0b\xd9\xae\xeeu]\xa1\xd6U\x00F\x14\x0c\x01\x8f\xa5\x13\x94^\xc2\xa7NQ\x95\xd9\xe8\x94QEdw\x88zW\x19\xf1""k\x8b=\x1e\x1b\xbf\xf8I\x13\xc2\xfa]\xbc\xdef\xa1{\xb1ZV\x8bi\xda\x91\x96\x04\x02\\\xafbH\xc8\x1c\x9a\xec\xcfJ\xe4\xbco\xf0\xfe\xc3\xc7?\xd9f\xf6\xea\xf6\xd8\xe9\xd7B\xf2\x0f\xb3H\xa0y\xa0\x10\xac\xca\xca\xca\xd8\xc9##\x83\xcfZ\x00\xf2/\r\xf8\x8b\xc7\x9e*\xb6\x96\xca\xe7\xc4\x17Z,\xb6\x1aU\xc6\xa5\x14\xf2ZD\x97\x17h\xd7\x12\xad\xab\xcc\x85p\xbf\xba\x8dK(\x00\xe5\xb9\xc1\xe2\xb6\xed\xcd\x1f\x93\x8f0?\x99\xd3;\xb8\xc7\xd2\x81\x9c\x15\xcf\xc4\x14\x08I\xe2',match=OFPMatch(oxm_fields={'in_port': 
1}),reason=0,table_id=0,total_len=1518)" + line2 = "ethernet(dst='02:1a:c5:01:00:00',ethertype=2048,src='02:1a:c5:02:00:00'), ipv4(csum=52552,dst='1.1.18.116',flags=2,header_length=5,identification=32755,offset=0,option=None,proto=6,src='1.2.243.105',tos=0,total_length=1500,ttl=32,version=4), tcp(ack=2264451304,bits=16,csum=40729,dst_port=19492,offset=8,option=[TCPOptionNoOperation(kind=1,length=1), TCPOptionNoOperation(kind=1,length=1), TCPOptionTimestamps(kind=8,length=10,ts_ecr=184023255,ts_val=488037593)],seq=4007776541,src_port=80,urgent=0,window_size=8688), 'ke\xda\x92^\xcag\x94\x8fB\xed\x92}\xbd)8>\x83[\xdd\x9f""|A\xd6/|O\xe3\xfb\xad#M_\x1e\xc0n\xef\xe0\xd3e\xba\xb0E\x86\xce\xc0DD\x8d2\x16\xea\xaf\x9c1\xef\x83^\xaf\xe2D\xb5\xbb\xb1\x92\xca\xf1V\xee\xdeX\xcc2$\x83p\x90\x11\x83\x9f\xad{\xac\x9f\x08-%\x18:\x95\xc0\xfa*\xd6e\xcf\xc0M>\xe5\xf7\x9dR\xe5\x089\x1f""\xd62\xa7.\x88\xd1K\xb9\xf1\x87\xc3M\x1b\xfe\x10\xebI\xb4%\x99\xa7\xb4\xd3\xaee\xb7\xb6\'\x92\xb0\x86\xca.{\xed\x07\x1f\x85z\xbe\x96\xdb\x9e28\x07\x91^\x8b\xa4~\xc8\x9av\x99\xbc\xc9\xe2mB\xe6i$y^G\x89\x06K\x12k\xa8\xb3\xfd\x9d\xb4\xeb0\xbbu\x8b\xa6#\xa6Qk\xcbx:\xb2\x9b\x95\x8feb\xe9F\x11\x8a{\x1c>\x9cCF=\xaa\xcb\r\xc4\xf3\xc5zD?\x06\xac\xe2\x00\rJ\xe0\xff\x00\xc0\x16\xa5\x1f\x08\xac\xc0#\xfbBs\xf5QW\x1c-U\xd0\xceX\xaaL\xf2\xc5\xf9%\xc7\x1fZ\xb0b\xde\xb9\x07\x18\xafF\x1f\x06\xed\x03n\xfe\xd1\x9c\xe7\xb1E\xa9G\xc2K@1\xf6\xf9\xbf\xef\x85\xae\x8faW\xb1\x9a\xc4Au<\xde y\xe7""\xa5M\xea\x8c\xc4c\x8a\xf4t\xf8Sh\x83\x1fo\x9c\xff\x00\xc0EK\xff\x00\n\xc2\xd4\xa9_\xb6\xcd\xcf\xfb""\xab\xd8N\xfb\x12\xf1\x14\xdfS\xc7\xe7\xba\x0cOPEb\xdc\xcc\x1eL\xee?\x8d{|\x9f\x07\xacd\x07\x17\xf3\x8c\xff\x00\xb0\xb5JO\x81\x9a|\x9c\xb6\xa3?\xfd\xf0\xb4K\r6\xcd#\x8b\xa6\x91\xe2s\x12\xe9\x9e\x13\xd0\xac\xb4\x9d:W\x86\xc6\xd2%\x86(\xd5F\x02\x8e\x94\xcd_\xe1>\x9f\xab\xdc\xd9\xdd}\xaeX.\xed$\xf3""\x9e5]\xc0te>\xa0\x8e\rn\xa6\xb61T\xda>i\xf8\x8bc\xaax\xb2\xfa\xebG\xd4c\xb7Y\xad\xe2Kx\xa5\x132-\xe3\x1f\x98\xb9P>PWw\x198 
\xd7\xa3\xf8gD\xb0\xd0\xfc;kk\x13\xed\x10\xa0DfbO\x07\x1f\x96+\xac\xb8\xfd\x9e\xad.\xbcYw\xae\\k\xb7\xb3K3\x83\x1c\x0c\x8b\xb2\x15\x08\x17j\xfe\xa7\xf15v\xe7\xe0\x7f\x9byk,\x1e \xbb\xb5\x86\x16\xdd$)\n\x11(\xf4$\xf2?\n\x1c\xd3\xd8\xc7\xd9J\xe7\x95|Q\x97AO\x08\xca\xba\xca\xc1>\x92\xe0\xa5\xcaO\xbb\r\xc7\x00\xe0\x1c\x0e\xbc\xd7\x8a^i\x7f\x03\xbe\x1cxwG\xd2\xc5\xc0\xd2$\xd5e\xfbm\x8c\xe1\xc9*\xfb\xc6>n\xc3\x04\xd7\xdaR|\x1e\xb0\x9a\x06\x8ak\xb9&\x8d\x86\nI\x1a\x90\x7f\n\xe2|]\xfb\x1b|=\xf1\xd5\xc5\x9c\xfa\xce\x9a\x97r\xd9\x8cBLJ\x02\x0c\xe7\x00\x0e\xde\xd4)E\x15\xec\xe4|\xf5\xf03\xc3gQ\xf8\x8f\xe2\x7f\x16]\xea\xeb}{\xbc\xd9\x08\xa29O(\x1f\xdd\xb8\xf7+\x8a\xfa\x1f\xe0\xfe\xbe\xda\x97\xc5\x9dsOG\x06\x0b\x1d60\xc3\xfd\xb6\x93?\xca\xafx\x7f\xf6c\xf0\xff\x00\x855\xeb\x9dKJ\xbb\x9a\xc5nc\x11\xcbm\x12(C\x8e\x87\xd8\xe2\xbao\x00\xfc!\xb2\xf0\x17\x8a5\xcdn\x0b\xd9\xae\xeeu]\xa1\xd6U\x00F\x14\x0c\x01\x8f\xa5\x13\x94^\xc2\xa7NQ\x95\xd9\xe8\x94QEdw\x88zW\x19\xf1""k\x8b=\x1e\x1b\xbf\xf8I\x13\xc2\xfa]\xbc\xdef\xa1{\xb1ZV\x8bi\xda\x91\x96\x04\x02\\\xafbH\xc8\x1c\x9a\xec\xcfJ\xe4\xbco\xf0\xfe\xc3\xc7?\xd9f\xf6\xea\xf6\xd8\xe9\xd7B\xf2\x0f\xb3H\xa0y\xa0\x10\xac\xca\xca\xca\xd8\xc9##\x83\xcfZ\x00\xf2/\r\xf8\x8b\xc7\x9e*\xb6\x96\xca\xe7\xc4\x17Z,\xb6\x1aU\xc6\xa5\x14\xf2ZD\x97\x17h\xd7\x12\xad\xab\xcc\x85p\xbf\xba\x8dK(\x00\xe5\xb9\xc1\xe2\xb6\xed\xcd\x1f\x93\x8f0?\x99\xd3;\xb8\xc7\xd2\x81\x9c\x15\xcf\xc4'" + thispacket1 = PacketData(line1, line2) + print('测试1:', thispacket1.predict()) + #print(thispacket1.predict_npy()) + diff --git a/model/packetpredict.py b/model/packetpredict.py new file mode 100644 index 0000000..5661fc4 --- /dev/null +++ b/model/packetpredict.py 
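Review bot: The `thispacket.predict()` calls in `read_csv` and in `__main__` omit the required `model_list` argument, and `model_list` is only defined in the commented-out `#model_list = []`, so `model_list.append(model)` raises NameError before any prediction runs; restoring `model_list = []` at module scope and calling `thispacket.predict(model_list)` fixes both. The bare `except:` in `PacketData.__init__` turns every parse failure into `ipSet = None`, which `predict` maps to `return 0` — the value the commented-out block in the same method labels Benign — so a packet crafted to break the regexes is classified as benign instead of rejected; fail closed, or at least log the exception and return a distinct value. `Flow.all_flow` is a class-level dict keyed by every dotted-quad in `pkt` with no eviction, and `pkt` in the Weibo sample carries the payload text, so a sender can grow the table without bound (one entry per spoofed source address) and inject dotted-quad bytes into the key; parse `src=`/`dst=` from the `ipv4(...)` segment only and bound or age out the table. `joblib.load` of the `.model` files is pickle deserialization, so a comment at the load loop that these files must come from a trusted source is warranted.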
@@ -0,0 +1,161 @@ +import joblib +from pandas.core.frame import DataFrame +import os +import re +import numpy as np + + +class PacketData(object): + """ + 预测类: + 构造函数1:传入msg和msg处理后的data部分pkt,模型所在的pkl位置 + 构造函数2:传入一个csv文件,用不到,也没测试过 + 传msg和pkt进去的时候,最好用try,格式不对会报错 + + 主要方法: + predict:直接预测,返回结果 + predict_npy:从默认npy文件处读取一个dict,dict的key是一个tuple,里面是ip对,判断当前包是否载dict里,更新dict的内容并预测 + 如果dict[ipSet]中结果已经是0(0表示恶意,1表示良性),或者已经判断了20个包,则不更新,直接返回之前的结果 + update_helper:帮助更新的方法,不直接调用 + """ + def __init__(self, msg, pkt, modelpath='model/lgbm_packetin_model.pkl', feature_dic={}): + if feature_dic == {}: + self.flow_list = [ + int(re.search(r'dst_port=\d{1,5}', pkt).group().split('=')[1]), # 目的端口 + int(re.search(r'src_port=\d{1,5}', pkt).group().split('=')[1]), # 源端口 + int(re.search(r'flags=\d{1,3}', pkt).group().split('=')[1]), # flags + int(re.search(r'window_size=\d{1,10}', pkt).group().split('=')[1]) if 'tcp' in pkt else 0, # win_size + float(re.search(r'reason=\d{1,10}', msg).group().split('=')[1]), # reason + int(re.search(r'\'in_port\': \d{1,5}', msg).group().split(': ')[1]), # in_port + float(re.search(r'total_len=\d{1,5}', msg).group().split('=')[1]), # min_len + float(re.search(r'total_len=\d{1,5}', msg).group().split('=')[1]), # max_len + float(re.search(r'total_len=\d{1,5}', msg).group().split('=')[1]), # means_len + 1, # 包数目 + 1 # 标签,默认是1 + ] + else: self.flow_list = feature_dic + self.model = joblib.load(modelpath) + self.ipSet = tuple(re.findall(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b", pkt)) + self.line1 = msg + self.line2 = pkt + + # 用不到的,从csv读取数据 + @classmethod + def from_csv(cls, csv_path, modelpath='model/lgbm_packetin_model.pkl'): + feature_dic = {} + with open(csv_path, 'r') as f: + pcapNum = 0 + while True: + pcapNum += 1 + line1 = f.readline().strip() + line2 = f.readline().strip() + if not line2 or not line1: break + if pcapNum >= 20: break + ipSet = tuple(re.findall(r"\b(?:[0-9]{1,3}\.){3}[0-9]{1,3}\b", line2)) + try: + if 'tcp' in line2: + window_size = 
re.search(r'window_size=\d{1,10}', line2).group().split('=')[1] + else: + window_size = 0 + + if ipSet not in feature_dic: + flow_list = [ + re.search(r'dst_port=\d{1,5}', line2).group().split('=')[1], # 目的端口 + re.search(r'src_port=\d{1,5}', line2).group().split('=')[1], # 源端口 + re.search(r'flags=\d{1,3}', line2).group().split('=')[1], # flags + window_size, + re.search(r'reason=\d{1,10}', line1).group().split('=')[1], # reason + re.search(r'\'in_port\': \d{1,5}', line1).group().split(': ')[1], # in_port + float(re.search(r'total_len=\d{1,5}', line1).group().split('=')[1]), # min_len + float(re.search(r'total_len=\d{1,5}', line1).group().split('=')[1]), # max_len + float(re.search(r'total_len=\d{1,5}', line1).group().split('=')[1]), # means_len + pcapNum, # 包数目 + ] + feature_dic[ipSet] = flow_list + else: + this_length = float(re.search(r'total_len=\d{1,5}', line1).group().split('=')[1]) + feature_dic[ipSet][-2] += 1 + feature_dic[ipSet][-3] = (feature_dic[ipSet][-3] * (feature_dic[ipSet][-2] - 1) + this_length) \ + / feature_dic[ipSet][-2] + if this_length > feature_dic[ipSet][-4]: + feature_dic[ipSet][-4] = this_length + else: + feature_dic[ipSet][-5] = this_length + except Exception as e: + pass + return cls('1', '2', feature_dic=feature_dic) + + def predict(self): + previous_out = self.flow_list.pop(-1) + pre_out = self.model.predict(DataFrame(self.flow_list).T) + pre_out = pre_out.tolist()[0] # ndarray转int + self.flow_list.append(pre_out) + return pre_out + + # 保存到一个dict,和update一样的 + def predict_save(self, feature_hash): + return self.update_helper(feature_hash) + + # 保存到npy文件 + def predict_npy(self, npypath='model/feature_dict.npy', feature_hash=None): + if os.path.exists(npypath): + dict_load = np.load(npypath, allow_pickle=True) + + feature_hash = dict_load.item() + pre_out, feature_dict = self.update_helper(feature_hash) + if pre_out == -1: # -1表示不需要写回保存的文件 + return feature_dict[self.ipSet][-1]+2 + else: + np.save(npypath, feature_dict) + return pre_out + 
else: + feature_hash = {self.ipSet: self.flow_list} + np.save('model/feature_dict.npy', feature_hash) + return self.predict() + + def update_helper(self, feature_hash): + ipSet = self.ipSet + if self.ipSet in feature_hash: + # 如果存在且已至为0,或者num>=20则直接返回 + if feature_hash[ipSet][-1] == 0 or feature_hash[ipSet][-2] >=20: + return -1, feature_hash + + this_length = float(re.search(r'total_len=\d{1,5}', self.line1).group().split('=')[1]) + feature_hash[ipSet][-2] += 1 + feature_hash[ipSet][-3] = (feature_hash[ipSet][-3] * (feature_hash[ipSet][-2] - 1) + this_length) \ + / feature_hash[ipSet][-2] + if this_length > feature_hash[ipSet][-4]: + feature_hash[ipSet][-4] = this_length + else: + feature_hash[ipSet][-5] = this_length + feature_hash[ipSet].pop(-1) + pre_out = self.model.predict(DataFrame(feature_hash[ipSet]).T) + pre_out = pre_out.tolist()[0] + feature_hash[ipSet].append(pre_out) + else: + # 如果不存在 + self.flow_list.pop(-1) # 先删了默认的tag + pre_out = self.model.predict(DataFrame(self.flow_list).T) + pre_out = pre_out.tolist()[0] + self.flow_list.append(pre_out) # 再加回去 + feature_hash[ipSet] = self.flow_list + return pre_out, feature_hash + + def predict_mysql(self): + pass + + +if __name__ == '__main__': + # 来自恶意样本Shifu + line1 = "version=0x4,msg_type=0xa,msg_len=0x6c,xid=0x0,OFPPacketIn(buffer_id=343,cookie=0,data=""RT\x00\x125\x02\x08\x00'\xc1v\xc3\x08\x00E\x00\x004\x002@\x00\x80\x063\xbb\n\x00\x02k\xbc*\xfeA\xc0\x0e\x01\xbb\xf1\x1e=2\x00\x00\x00\x00\x80\x02 \x00\x98$\x00\x00\x02\x04\x05\xb4\x01\x03\x03\x02\x01\x01\x04\x02"",match=OFPMatch(oxm_fields={'in_port': 1}),reason=0,table_id=0,total_len=66)" + line2 = "ethernet(dst='52:54:00:12:35:02',ethertype=2048,src='08:00:27:c1:76:c3'), ipv4(csum=13243,dst='188.42.254.65',flags=2,header_length=5,identification=50,offset=0,option=None,proto=6,src='10.0.2.107',tos=0,total_length=52,ttl=128,version=4), tcp(ack=0,bits=2,csum=38948,dst_port=443,offset=8,option=[TCPOptionMaximumSegmentSize(kind=2,length=4,max_seg_size=1460), 
TCPOptionNoOperation(kind=1,length=1), TCPOptionWindowScale(kind=3,length=3,shift_cnt=2), TCPOptionNoOperation(kind=1,length=1), TCPOptionNoOperation(kind=1,length=1), TCPOptionSACKPermitted(kind=4,length=2)],seq=4045290802,src_port=49166,urgent=0,window_size=8192)" + thispacket = PacketData(line1, line2) + print('测试1:', thispacket.predict()) + print(thispacket.predict_npy()) + + # 来自良性样本weibo + line1 = "version=0x4,msg_type=0xa,msg_len=0x618,xid=0x0,OFPPacketIn(buffer_id=4294967295,cookie=0,data='\x02\x1a\xc5\x01\x00\x00\x02\x1a\xc5\x02\x00\x00\x08\x00E\x00\x05\xdc\x7f\xf3@\x00 \x06\xcdH\x01\x02\xf3i\x01\x01\x12t\x00PL$\xee\xe1\xd1\x1d\x86\xf8\xc8\xe8\x80\x10!\xf0\x9f\x19\x00\x00\x01\x01\x08\n\x1d\x16\xdc\xd9\n\xf7\xf8\xd7ke\xda\x92^\xcag\x94\x8fB\xed\x92}\xbd)8>\x83[\xdd\x9f""|A\xd6/|O\xe3\xfb\xad#M_\x1e\xc0n\xef\xe0\xd3e\xba\xb0E\x86\xce\xc0DD\x8d2\x16\xea\xaf\x9c1\xef\x83^\xaf\xe2D\xb5\xbb\xb1\x92\xca\xf1V\xee\xdeX\xcc2$\x83p\x90\x11\x83\x9f\xad{\xac\x9f\x08-%\x18:\x95\xc0\xfa*\xd6e\xcf\xc0M>\xe5\xf7\x9dR\xe5\x089\x1f""\xd62\xa7.\x88\xd1K\xb9\xf1\x87\xc3M\x1b\xfe\x10\xebI\xb4%\x99\xa7\xb4\xd3\xaee\xb7\xb6\'\x92\xb0\x86\xca.{\xed\x07\x1f\x85z\xbe\x96\xdb\x9e28\x07\x91^\x8b\xa4~\xc8\x9av\x99\xbc\xc9\xe2mB\xe6i$y^G\x89\x06K\x12k\xa8\xb3\xfd\x9d\xb4\xeb0\xbbu\x8b\xa6#\xa6Qk\xcbx:\xb2\x9b\x95\x8feb\xe9F\x11\x8a{\x1c>\x9cCF=\xaa\xcb\r\xc4\xf3\xc5zD?\x06\xac\xe2\x00\rJ\xe0\xff\x00\xc0\x16\xa5\x1f\x08\xac\xc0#\xfbBs\xf5QW\x1c-U\xd0\xceX\xaaL\xf2\xc5\xf9%\xc7\x1fZ\xb0b\xde\xb9\x07\x18\xafF\x1f\x06\xed\x03n\xfe\xd1\x9c\xe7\xb1E\xa9G\xc2K@1\xf6\xf9\xbf\xef\x85\xae\x8faW\xb1\x9a\xc4Au<\xde 
y\xe7""\xa5M\xea\x8c\xc4c\x8a\xf4t\xf8Sh\x83\x1fo\x9c\xff\x00\xc0EK\xff\x00\n\xc2\xd4\xa9_\xb6\xcd\xcf\xfb""\xab\xd8N\xfb\x12\xf1\x14\xdfS\xc7\xe7\xba\x0cOPEb\xdc\xcc\x1eL\xee?\x8d{|\x9f\x07\xacd\x07\x17\xf3\x8c\xff\x00\xb0\xb5JO\x81\x9a|\x9c\xb6\xa3?\xfd\xf0\xb4K\r6\xcd#\x8b\xa6\x91\xe2s\x12\xe9\x9e\x13\xd0\xac\xb4\x9d:W\x86\xc6\xd2%\x86(\xd5F\x02\x8e\x94\xcd_\xe1>\x9f\xab\xdc\xd9\xdd}\xaeX.\xed$\xf3""\x9e5]\xc0te>\xa0\x8e\rn\xa6\xb61T\xda>i\xf8\x8bc\xaax\xb2\xfa\xebG\xd4c\xb7Y\xad\xe2Kx\xa5\x132-\xe3\x1f\x98\xb9P>PWw\x198 \xd7\xa3\xf8gD\xb0\xd0\xfc;kk\x13\xed\x10\xa0DfbO\x07\x1f\x96+\xac\xb8\xfd\x9e\xad.\xbcYw\xae\\k\xb7\xb3K3\x83\x1c\x0c\x8b\xb2\x15\x08\x17j\xfe\xa7\xf15v\xe7\xe0\x7f\x9byk,\x1e \xbb\xb5\x86\x16\xdd$)\n\x11(\xf4$\xf2?\n\x1c\xd3\xd8\xc7\xd9J\xe7\x95|Q\x97AO\x08\xca\xba\xca\xc1>\x92\xe0\xa5\xcaO\xbb\r\xc7\x00\xe0\x1c\x0e\xbc\xd7\x8a^i\x7f\x03\xbe\x1cxwG\xd2\xc5\xc0\xd2$\xd5e\xfbm\x8c\xe1\xc9*\xfb\xc6>n\xc3\x04\xd7\xdaR|\x1e\xb0\x9a\x06\x8ak\xb9&\x8d\x86\nI\x1a\x90\x7f\n\xe2|]\xfb\x1b|=\xf1\xd5\xc5\x9c\xfa\xce\x9a\x97r\xd9\x8cBLJ\x02\x0c\xe7\x00\x0e\xde\xd4)E\x15\xec\xe4|\xf5\xf03\xc3gQ\xf8\x8f\xe2\x7f\x16]\xea\xeb}{\xbc\xd9\x08\xa29O(\x1f\xdd\xb8\xf7+\x8a\xfa\x1f\xe0\xfe\xbe\xda\x97\xc5\x9dsOG\x06\x0b\x1d60\xc3\xfd\xb6\x93?\xca\xafx\x7f\xf6c\xf0\xff\x00\x855\xeb\x9dKJ\xbb\x9a\xc5nc\x11\xcbm\x12(C\x8e\x87\xd8\xe2\xbao\x00\xfc!\xb2\xf0\x17\x8a5\xcdn\x0b\xd9\xae\xeeu]\xa1\xd6U\x00F\x14\x0c\x01\x8f\xa5\x13\x94^\xc2\xa7NQ\x95\xd9\xe8\x94QEdw\x88zW\x19\xf1""k\x8b=\x1e\x1b\xbf\xf8I\x13\xc2\xfa]\xbc\xdef\xa1{\xb1ZV\x8bi\xda\x91\x96\x04\x02\\\xafbH\xc8\x1c\x9a\xec\xcfJ\xe4\xbco\xf0\xfe\xc3\xc7?\xd9f\xf6\xea\xf6\xd8\xe9\xd7B\xf2\x0f\xb3H\xa0y\xa0\x10\xac\xca\xca\xca\xd8\xc9##\x83\xcfZ\x00\xf2/\r\xf8\x8b\xc7\x9e*\xb6\x96\xca\xe7\xc4\x17Z,\xb6\x1aU\xc6\xa5\x14\xf2ZD\x97\x17h\xd7\x12\xad\xab\xcc\x85p\xbf\xba\x8dK(\x00\xe5\xb9\xc1\xe2\xb6\xed\xcd\x1f\x93\x8f0?\x99\xd3;\xb8\xc7\xd2\x81\x9c\x15\xcf\xc4\x14\x08I\xe2',match=OFPMatch(oxm_fields={'in_port': 
1}),reason=0,table_id=0,total_len=1518)" + line2 = "ethernet(dst='02:1a:c5:01:00:00',ethertype=2048,src='02:1a:c5:02:00:00'), ipv4(csum=52552,dst='1.1.18.116',flags=2,header_length=5,identification=32755,offset=0,option=None,proto=6,src='1.2.243.105',tos=0,total_length=1500,ttl=32,version=4), tcp(ack=2264451304,bits=16,csum=40729,dst_port=19492,offset=8,option=[TCPOptionNoOperation(kind=1,length=1), TCPOptionNoOperation(kind=1,length=1), TCPOptionTimestamps(kind=8,length=10,ts_ecr=184023255,ts_val=488037593)],seq=4007776541,src_port=80,urgent=0,window_size=8688), 'ke\xda\x92^\xcag\x94\x8fB\xed\x92}\xbd)8>\x83[\xdd\x9f""|A\xd6/|O\xe3\xfb\xad#M_\x1e\xc0n\xef\xe0\xd3e\xba\xb0E\x86\xce\xc0DD\x8d2\x16\xea\xaf\x9c1\xef\x83^\xaf\xe2D\xb5\xbb\xb1\x92\xca\xf1V\xee\xdeX\xcc2$\x83p\x90\x11\x83\x9f\xad{\xac\x9f\x08-%\x18:\x95\xc0\xfa*\xd6e\xcf\xc0M>\xe5\xf7\x9dR\xe5\x089\x1f""\xd62\xa7.\x88\xd1K\xb9\xf1\x87\xc3M\x1b\xfe\x10\xebI\xb4%\x99\xa7\xb4\xd3\xaee\xb7\xb6\'\x92\xb0\x86\xca.{\xed\x07\x1f\x85z\xbe\x96\xdb\x9e28\x07\x91^\x8b\xa4~\xc8\x9av\x99\xbc\xc9\xe2mB\xe6i$y^G\x89\x06K\x12k\xa8\xb3\xfd\x9d\xb4\xeb0\xbbu\x8b\xa6#\xa6Qk\xcbx:\xb2\x9b\x95\x8feb\xe9F\x11\x8a{\x1c>\x9cCF=\xaa\xcb\r\xc4\xf3\xc5zD?\x06\xac\xe2\x00\rJ\xe0\xff\x00\xc0\x16\xa5\x1f\x08\xac\xc0#\xfbBs\xf5QW\x1c-U\xd0\xceX\xaaL\xf2\xc5\xf9%\xc7\x1fZ\xb0b\xde\xb9\x07\x18\xafF\x1f\x06\xed\x03n\xfe\xd1\x9c\xe7\xb1E\xa9G\xc2K@1\xf6\xf9\xbf\xef\x85\xae\x8faW\xb1\x9a\xc4Au<\xde y\xe7""\xa5M\xea\x8c\xc4c\x8a\xf4t\xf8Sh\x83\x1fo\x9c\xff\x00\xc0EK\xff\x00\n\xc2\xd4\xa9_\xb6\xcd\xcf\xfb""\xab\xd8N\xfb\x12\xf1\x14\xdfS\xc7\xe7\xba\x0cOPEb\xdc\xcc\x1eL\xee?\x8d{|\x9f\x07\xacd\x07\x17\xf3\x8c\xff\x00\xb0\xb5JO\x81\x9a|\x9c\xb6\xa3?\xfd\xf0\xb4K\r6\xcd#\x8b\xa6\x91\xe2s\x12\xe9\x9e\x13\xd0\xac\xb4\x9d:W\x86\xc6\xd2%\x86(\xd5F\x02\x8e\x94\xcd_\xe1>\x9f\xab\xdc\xd9\xdd}\xaeX.\xed$\xf3""\x9e5]\xc0te>\xa0\x8e\rn\xa6\xb61T\xda>i\xf8\x8bc\xaax\xb2\xfa\xebG\xd4c\xb7Y\xad\xe2Kx\xa5\x132-\xe3\x1f\x98\xb9P>PWw\x198 
\xd7\xa3\xf8gD\xb0\xd0\xfc;kk\x13\xed\x10\xa0DfbO\x07\x1f\x96+\xac\xb8\xfd\x9e\xad.\xbcYw\xae\\k\xb7\xb3K3\x83\x1c\x0c\x8b\xb2\x15\x08\x17j\xfe\xa7\xf15v\xe7\xe0\x7f\x9byk,\x1e \xbb\xb5\x86\x16\xdd$)\n\x11(\xf4$\xf2?\n\x1c\xd3\xd8\xc7\xd9J\xe7\x95|Q\x97AO\x08\xca\xba\xca\xc1>\x92\xe0\xa5\xcaO\xbb\r\xc7\x00\xe0\x1c\x0e\xbc\xd7\x8a^i\x7f\x03\xbe\x1cxwG\xd2\xc5\xc0\xd2$\xd5e\xfbm\x8c\xe1\xc9*\xfb\xc6>n\xc3\x04\xd7\xdaR|\x1e\xb0\x9a\x06\x8ak\xb9&\x8d\x86\nI\x1a\x90\x7f\n\xe2|]\xfb\x1b|=\xf1\xd5\xc5\x9c\xfa\xce\x9a\x97r\xd9\x8cBLJ\x02\x0c\xe7\x00\x0e\xde\xd4)E\x15\xec\xe4|\xf5\xf03\xc3gQ\xf8\x8f\xe2\x7f\x16]\xea\xeb}{\xbc\xd9\x08\xa29O(\x1f\xdd\xb8\xf7+\x8a\xfa\x1f\xe0\xfe\xbe\xda\x97\xc5\x9dsOG\x06\x0b\x1d60\xc3\xfd\xb6\x93?\xca\xafx\x7f\xf6c\xf0\xff\x00\x855\xeb\x9dKJ\xbb\x9a\xc5nc\x11\xcbm\x12(C\x8e\x87\xd8\xe2\xbao\x00\xfc!\xb2\xf0\x17\x8a5\xcdn\x0b\xd9\xae\xeeu]\xa1\xd6U\x00F\x14\x0c\x01\x8f\xa5\x13\x94^\xc2\xa7NQ\x95\xd9\xe8\x94QEdw\x88zW\x19\xf1""k\x8b=\x1e\x1b\xbf\xf8I\x13\xc2\xfa]\xbc\xdef\xa1{\xb1ZV\x8bi\xda\x91\x96\x04\x02\\\xafbH\xc8\x1c\x9a\xec\xcfJ\xe4\xbco\xf0\xfe\xc3\xc7?\xd9f\xf6\xea\xf6\xd8\xe9\xd7B\xf2\x0f\xb3H\xa0y\xa0\x10\xac\xca\xca\xca\xd8\xc9##\x83\xcfZ\x00\xf2/\r\xf8\x8b\xc7\x9e*\xb6\x96\xca\xe7\xc4\x17Z,\xb6\x1aU\xc6\xa5\x14\xf2ZD\x97\x17h\xd7\x12\xad\xab\xcc\x85p\xbf\xba\x8dK(\x00\xe5\xb9\xc1\xe2\xb6\xed\xcd\x1f\x93\x8f0?\x99\xd3;\xb8\xc7\xd2\x81\x9c\x15\xcf\xc4'" + thispacket1 = PacketData(line1, line2) + print('测试1:', thispacket1.predict()) + print(thispacket1.predict_npy()) diff --git a/ms_topo_4s.py b/ms_topo_4s.py new file mode 100644 index 0000000..f8c4637 --- /dev/null +++ b/ms_topo_4s.py 
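Review bot: The running min/max update in `update_helper` (and its copy in `from_csv`) is wrong: the `else:` branch assigns `feature_hash[ipSet][-5] = this_length` whenever the packet is not larger than the current max, so min_len becomes the latest non-maximal length rather than the minimum; it should read `elif this_length < feature_hash[ipSet][-5]: feature_hash[ipSet][-5] = this_length`. `predict_npy` loads the flow table with `np.load(npypath, allow_pickle=True)`, which is pickle deserialization of a file the process rewrites on every packet, and the fallback branch saves to the hard-coded `'model/feature_dict.npy'` instead of `npypath`; anyone who can write that path gets code execution in the controller, and the per-packet read-modify-write has no locking, so concurrent packet-in handlers (not visible here) would lose updates. `self.ipSet` is built from every dotted-quad in `pkt`, and the Weibo sample's `pkt` includes the payload text, so payload bytes can alter the flow key. The class docstring says `0表示恶意,1表示良性`, while packet_predict.py in this same commit comments `return 0` as Benign — one line stating which label convention the models actually use would remove the ambiguity. `feature_dic={}` as a default argument should be `feature_dic=None` with `if not feature_dic:`.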
@@ -0,0 +1,108 @@
+#!/usr/bin/python
+from mininet.term import makeTerm
+from mininet.net import Mininet
+from mininet.node import Controller, RemoteController, OVSController
+from mininet.node import CPULimitedHost, Host, Node
+from mininet.node import OVSKernelSwitch, UserSwitch
+from mininet.node import IVSSwitch
+from mininet.cli import CLI
+from mininet.log import setLogLevel, info
+from mininet.link import TCLink, Intf
+from subprocess import call
+import os
+
+def myNetwork():
+
+ net = Mininet( topo=None,
+ build=False,
+ ipBase='10.0.0.0/8'
+ )
+
+ info( '*** Adding controller\n' )
+ c0=net.addController(name='c0',
+ controller=RemoteController,
+ ip='127.0.0.1',
+ protocol='tcp',
+ port=6633)
+
+ info( '*** Add switches\n')
+ '''
+ s1 = net.addSwitch('s1', cls=OVSKernelSwitch, dpid='0000000000000001')
+ s2 = net.addSwitch('s2', cls=OVSKernelSwitch, dpid='0000000000000002')
+ s3 = net.addSwitch('s3', cls=OVSKernelSwitch, dpid='0000000000000003')
+ s4 = net.addSwitch('s4', cls=OVSKernelSwitch, dpid='0000000000000004')
+ '''
+ s1 = net.addSwitch('s1', dpid='0000000000000001')
+ s2 = net.addSwitch('s2', dpid='0000000000000002')
+ s3 = net.addSwitch('s3', dpid='0000000000000003')
+ s4 = net.addSwitch('s4', dpid='0000000000000004')
+
+
+ info( '*** Add hosts\n')
+ h1 = net.addHost('h1', mac='00:00:00:00:00:01', cls=Host, ip='10.0.0.1', defaultRoute=None)
+ h2 = net.addHost('h2', mac='00:00:00:00:00:02', cls=Host, ip='10.0.0.2', defaultRoute=None)
+ h3 = net.addHost('h3', mac='00:00:00:00:00:03', cls=Host, ip='10.0.0.3', defaultRoute=None)
+ h4 = net.addHost('h4', mac='00:00:00:00:00:04', cls=Host, ip='10.0.0.4', defaultRoute=None)
+
+ info( '*** Add links\n')
+ net.addLink(s1, h1)
+ net.addLink(s1, h2)
+ net.addLink(s1, s3)
+ net.addLink(s1, s4)
+
+ net.addLink(s2, h3)
+ net.addLink(s2, h4)
+ net.addLink(s2, s3)
+ net.addLink(s2, s4)
+
+ info( '*** Starting network\n')
+ net.build()
+ info( '*** Starting controllers\n')
+ for controller in net.controllers:
+ controller.start()
+
+ info( '*** Starting switches\n')
+ net.get('s1').start([c0])
+ net.get('s2').start([c0])
+ net.get('s3').start([c0])
+ net.get('s4').start([c0])
+
+ info( '*** Post configure switches and hosts\n')
+
+ os.system('ovs-vsctl set bridge s1 datapath_type=netdev')
+ #os.system('ovs-vsctl set bridge s2 datapath_type=netdev')
+ os.system('ovs-vsctl set bridge s1 protocols=OpenFlow13')
+ #os.system('ovs-vsctl set bridge s2 protocols=OpenFlow13')
+ #os.system('ovs-vsctl set bridge s3 protocols=OpenFlow13')
+ #os.system('ovs-vsctl set bridge s4 protocols=OpenFlow13')
+ os.system('ovs-ofctl add-meter s1 meter=1,kbps,band=type=drop,rate=12000 -O OpenFlow13')
+
+ os.system('ovs-ofctl add-flow s1 in_port=1,dl_src=00:00:00:00:00:01,action=meter:1,output:3 -O OpenFlow13')
+ os.system('ovs-ofctl add-flow s1 in_port=2,dl_src=00:00:00:00:00:02,action=meter:1,output:3 -O OpenFlow13')
+ os.system('ovs-ofctl add-flow s1 in_port=3,dl_src=00:00:00:00:00:03,action=output:1 -O OpenFlow13')
+ os.system('ovs-ofctl add-flow s1 in_port=3,dl_src=00:00:00:00:00:04,action=output:2 -O OpenFlow13')
+
+ os.system('ovs-ofctl add-flow s2 in_port=1,dl_src=00:00:00:00:00:03,action=output:3')
+ os.system('ovs-ofctl add-flow s2 in_port=2,dl_src=00:00:00:00:00:04,action=output:3')
+ os.system('ovs-ofctl add-flow s2 in_port=3,dl_src=00:00:00:00:00:01,action=output:1')
+ os.system('ovs-ofctl add-flow s2 in_port=3,dl_src=00:00:00:00:00:02,action=output:2')
+
+ os.system('ovs-ofctl add-flow s3 in_port=1,action=output:2')
+ os.system('ovs-ofctl add-flow s3 in_port=2,action=output:1')
+ os.system('ovs-ofctl add-flow s4 in_port=1,action=output:2')
+ os.system('ovs-ofctl add-flow s4 in_port=2,action=output:1')
+
+
+
+
+ #CLI(net)
+ makeTerm(h1)
+ makeTerm(h1)
+ makeTerm(h3)
+ CLI(net)
+ net.stop()
+
+if __name__ == '__main__':
+ setLogLevel( 'info' )
+ myNetwork()
+
diff --git a/product.py b/product.py
new file mode 100644
index 0000000..55c7bb4
--- /dev/null
+++ b/product.py
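Review bot: The return value of every `os.system` call in the post-configure section of `myNetwork` is discarded, so if `ovs-vsctl set bridge s1 protocols=OpenFlow13` or any `ovs-ofctl add-meter`/`add-flow` fails (version not yet negotiated, bridge not up, a typo in the match), the meter that rate-limits h1/h2 and the pinned in_port/dl_src forwarding rules are silently absent while the CLI still comes up as if the topology were protected. Route the commands through one checked helper, e.g. `def ovs(cmd):` / `if os.system(cmd) != 0: raise RuntimeError('OVS command failed: ' + cmd)`, or use `subprocess.check_call` with an argument list (the file imports `call` from `subprocess` but never uses it). Note also that s2, s3 and s4 are never set to `protocols=OpenFlow13` (those lines are commented out) and their `ovs-ofctl add-flow` calls omit `-O OpenFlow13`, so whether their rules coexist with an OF1.3-only controller depends on the OVS default protocol set and should be verified with `ovs-ofctl dump-flows`. The controller channel is plain `tcp` to 127.0.0.1:6633, fine for a local lab, but the `ip=` should not be pointed at a remote controller without switching to an authenticated transport.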
@@ -0,0 +1,19 @@
+import redis
+import json
+import random
+
+def redis_store(link, store_data):
+ # redis连接
+ rqueue = redis.Redis(host='localhost', port=6379 )
+ # 从左往右入队到redis
+ #rqueue.lpush("queue_test", json.dumps(store_data))
+ rqueue.lpush(link, json.dumps(store_data))
+
+ # 查看目标队列数据
+ #print(rqueue.llen("queue_test"))
+ #result = rqueue.lrange("queue_test", 0, 10)
+ result = rqueue.lrange(link, 0, 10)
+ #print(result)
+
+ rqueue.close()
+
diff --git a/ryu_predict.py b/ryu_predict.py
new file mode 100644
index 0000000..11ee27d
--- /dev/null
+++ b/ryu_predict.py
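Review bot: `redis_store` pushes one entry per call with `lpush` and never trims, so the `queue_test`/`s3`/`s4` lists grow without bound, and the caller added in this same commit invokes it from a per-packet-in handler, which means a packet flood (exactly the traffic the classifier is meant to catch) becomes unbounded Redis memory growth unless a consumer drains the lists faster than they fill. Pair the push with a cap, e.g. `rqueue.lpush(link, json.dumps(store_data))` followed by `rqueue.ltrim(link, 0, MAX_QUEUE_LEN - 1)` (ideally in one `pipeline()`), so each list keeps only the most recent entries. The `result = rqueue.lrange(link, 0, 10)` read is unused and costs a second round trip per packet; drop it along with the unused `import random`. The connection is opened on every call with `redis.Redis(host='localhost', port=6379 )` and leaks if `lpush` raises before `rqueue.close()`; reuse a module-level connection pool and close in a `finally`, or use the client as a context manager.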
@@ -0,0 +1,249 @@ +from ryu.base import app_manager +from ryu.ofproto import ofproto_v1_3 +from ryu.controller import ofp_event +from ryu.controller.handler import MAIN_DISPATCHER,CONFIG_DISPATCHER +from ryu.controller.handler import set_ev_cls +from ryu.lib.packet import packet +from ryu.lib.packet import ethernet +from ryu.lib.packet import ether_types +from ryu.lib.packet import tcp,ipv4,udp,icmp,icmpv6,ipv6,arp +from ryu.lib.packet import in_proto as inet +from model.packet_predict import PacketData +from model.benign_packetpredict import BenignPacketData +from ryu.lib import pcaplib +import csv +import redis +from product import redis_store +from util.redis_pool import POOL +import http.client +import urllib.request +import re +import json +from threading import Timer +import joblib + + +class SimpleSwitch(app_manager.RyuApp): + OFP_VERSIONS = [ofproto_v1_3.OFP_VERSION] + + def __init__(self,*args,**kwargs): + super(SimpleSwitch,self).__init__(*args,**kwargs) + self.mac_to_port = {} + #self.switch_ip = input('输入Mininet主机的ip地址:') + #self.port_id = input('输入交换机s1-eth0在sflow的编号:') + self.model_list=[] + model_namelist = ["DT.model","RF.model","LightGBM.model"] + model_dir = "model/" + for model_name in model_namelist: + model = joblib.load(model_dir+model_name) + self.model_list.append(model) + + def add_flow(self,datapath,priority,hard_timeout,match,actions,remind_content): + ofproto = datapath.ofproto + ofp_parser = datapath.ofproto_parser + + inst = [ofp_parser.OFPInstructionActions(ofproto.OFPIT_APPLY_ACTIONS, + actions)] + + mod = ofp_parser.OFPFlowMod(datapath=datapath,priority=priority,hard_timeout=hard_timeout, + match=match,instructions=inst) + print("install to datapath,"+remind_content) + datapath.send_msg(mod) + + #监控当前链路流速 + def get_sflow_bandwidth(self): + port_id = '3' + switch_ip = '10.0.1.10' + port = port_id + '.ifinpkts' + url = "http://127.0.0.1:8008/metric/"+ switch_ip + '/' + port+'/json' + 
#http://127.0.0.1:8008/metric/10.0.1.10/3.ifinpkts/json + sflow_data = urllib.request.urlopen(url) + data = sflow_data.read() + if data: + value_dict = json.loads(data)[0] + bandwidth = value_dict.get('metricValue') + print('当前数据包速率是:%s' % bandwidth) + return bandwidth + else: + print('当前数据包速率是:none' ) + + #t = Timer(5,flow_change) + #t.start() + + @set_ev_cls(ofp_event.EventOFPSwitchFeatures,CONFIG_DISPATCHER) + def switch_features_handler(self,ev): + datapath = ev.msg.datapath + ofproto = datapath.ofproto + ofp_parser = datapath.ofproto_parser + + #交换机连上的时候,下发一条默认流表,没有匹配到其他流表的都上送到交换机 + match = ofp_parser.OFPMatch() + actions = [ofp_parser.OFPActionOutput(ofproto.OFPP_CONTROLLER,ofproto.OFPCML_NO_BUFFER)] + self.add_flow(datapath,0,0,match,actions,"default flow entry") + + @set_ev_cls(ofp_event.EventOFPPacketIn,MAIN_DISPATCHER) + def packet_in_handler(self,ev): + bandwidth = self.get_sflow_bandwidth() + if bandwidth==None: + bandwidth = 0 + msg = ev.msg + datapath = msg.datapath + ofproto = datapath.ofproto + parser = datapath.ofproto_parser + in_port = msg.match['in_port'] + + pkt = packet.Packet(msg.data) + #按协议嵌套显示数据包内容 + #for p in pkt.protocols: + # print(p) + eth_pkt = pkt.get_protocol(ethernet.ethernet) + ip_pkt = pkt.get_protocol(ipv4.ipv4) + ipv6_pkt = pkt.get_protocol(ipv6.ipv6) + icmp_pkt = pkt.get_protocol(icmp.icmp) + arp_pkt = pkt.get_protocol(arp.arp) + icmpv6_pkt = pkt.get_protocol(icmpv6.icmpv6) + tcp_pkt = pkt.get_protocol(tcp.tcp) + udp_pkt = pkt.get_protocol(udp.udp) + + if eth_pkt.ethertype == ether_types.ETH_TYPE_LLDP: + return # ignore lldp packet + #源/目的MAC + src = eth_pkt.src + dst = eth_pkt.dst + + if ip_pkt: + s_ip = ip_pkt.src + d_ip = ip_pkt.dst + protocol = "IP" + + #分类器不能处理ipv6,icmp包,所以直接忽略 + if icmp_pkt: + return + if icmpv6_pkt: + return + if ipv6_pkt: + return + if arp_pkt: + return + + if tcp_pkt: + protocol = 'TCP' + s_port = tcp_pkt.src_port + d_port = tcp_pkt.dst_port + elif udp_pkt: + protocol = 'UDP' + s_port = 
udp_pkt.src_port + d_port = udp_pkt.dst_port + else: + return + + dpid = datapath.id + self.mac_to_port.setdefault(dpid, {}) + #self.logger.info("packet in %s %s %s %s", dpid, src, dst, in_port) + + #输入分类器判断 + s_msg = str(msg) + s_pkt = str(pkt) + input_p = PacketData(s_msg, s_pkt) + pre_out = int(input_p.predict(self.model_list)) + print("is malware????") + print(pre_out) + + type_out = pre_out+9 + + #如果是IP及上层协议包,match字段用源/目的ip,仅是ethernet,就用MAC(match字段可以加) + if ip_pkt: + kwargs = dict(in_port=in_port, eth_type=ether_types.ETH_TYPE_IP,ipv4_src=s_ip,ipv4_dst=d_ip) + else: + kwargs = dict(in_port=in_port, eth_src=src, eth_dst=dst) + match = parser.OFPMatch(**kwargs) + + #供界面使用的数据 + ''' + store_data = { + "sIP": s_ip, + "dIP": d_ip, + "sPort": s_port, + "dPort": d_port, + "protocol": protocol, + "sMac": src, + "dMac": dst, + "type": type_out, + } + #print(store_data) + redis_store("queue_test",store_data) + ''' + conn = redis.Redis(connection_pool=POOL) + conn.set("first",bandwidth) + + out_port = 1 + + #如果是正常包 + #if pre_out == 0 or pre_out == 3: + if pre_out == 0: + ''' + self.mac_to_port[dpid][src] = in_port + if dst in self.mac_to_port[dpid]: + out_port = self.mac_to_port[dpid][dst] + else: + #out_port = ofproto.OFPP_FLOOD + out_port = 3 + ''' + input_benign = BenignPacketData(s_msg) + benign_out = input_benign.predict() + print("what's app??????") + print(benign_out) + type_out = int(benign_out) + + if conn.exists("app")&conn.exists("qos"): + QoS_app = int(conn.get("app")) + QoS_limit = int(conn.get("qos")) + if benign_out == QoS_app: #如果当前流量是用户指定需要进行QoS的应用 + if bandwidth >= QoS_limit: + out_port = 4 + else: + out_port = 3 + else: + out_port = 3 + else: + out_port = 3 + + actions = [parser.OFPActionOutput(out_port)] + #满二十次给交换机下发流表,之后的数据包就不会再上送 + if pre_out == 3: + self.add_flow(datapath, 2, 1800, match, actions, "new flow") + + #向界面返回实施流量数据 + store_data = { + "sIP": s_ip, + "dIP": d_ip, + "sPort": s_port, + "dPort": d_port, + "protocol": protocol, + "sMac": src, 
+ "dMac": dst, + "type": type_out, + } + redis_store("queue_test",store_data) + if out_port == 3: + redis_store("s3",store_data) + elif out_port == 4: + redis_store("s4",store_data) + + #恶意包,分类器恶意包的规则是,一旦判断为恶意的,之后都认为是恶意的,不会判断20次 + #if pre_out == 0 or pre_out == 2: + if pre_out == 1: + self.mac_to_port[dpid][src] = in_port + out_port = ofproto.OFPIT_CLEAR_ACTIONS + actions = [parser.OFPActionOutput(out_port)] + self.add_flow(datapath, 3, 3600, match, actions, "drop") + + #通知交换机执行动作 + data = None + if msg.buffer_id == ofproto.OFP_NO_BUFFER: + data = msg.data + out = parser.OFPPacketOut(datapath=datapath, buffer_id=msg.buffer_id, + in_port=in_port, actions=actions, data=data) + datapath.send_msg(out) + + diff --git a/sdnData/.DS_Store b/sdnData/.DS_Store new file mode 100644 index 0000000..5fb7dc5 Binary files /dev/null and b/sdnData/.DS_Store differ diff --git a/sdnData/.idea/deployment.xml b/sdnData/.idea/deployment.xml new file mode 100644 index 0000000..a667f28 --- /dev/null +++ b/sdnData/.idea/deployment.xml @@ -0,0 +1,21 @@ + + + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/sdnData/.idea/inspectionProfiles/profiles_settings.xml b/sdnData/.idea/inspectionProfiles/profiles_settings.xml new file mode 100644 index 0000000..105ce2d --- /dev/null +++ b/sdnData/.idea/inspectionProfiles/profiles_settings.xml @@ -0,0 +1,6 @@ + + + + \ No newline at end of file diff --git a/sdnData/.idea/misc.xml b/sdnData/.idea/misc.xml new file mode 100644 index 0000000..6a4bc77 --- /dev/null +++ b/sdnData/.idea/misc.xml @@ -0,0 +1,7 @@ + + + + + + \ No newline at end of file diff --git a/sdnData/.idea/modules.xml b/sdnData/.idea/modules.xml new file mode 100644 index 0000000..cdee6ff --- /dev/null +++ b/sdnData/.idea/modules.xml @@ -0,0 +1,8 @@ + + + + + + + + \ No newline at end of file diff --git a/sdnData/.idea/sdnData.iml b/sdnData/.idea/sdnData.iml new file mode 100644 index 0000000..9b15e7b --- /dev/null +++ b/sdnData/.idea/sdnData.iml 
@@ -0,0 +1,30 @@ + + + + + + + + + + + + + + + + + + + \ No newline at end of file diff --git a/sdnData/.idea/workspace.xml b/sdnData/.idea/workspace.xml new file mode 100644 index 0000000..e4d6a3c --- /dev/null +++ b/sdnData/.idea/workspace.xml @@ -0,0 +1,199 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +