-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
* Improve readme with usage and models * Link license to readme * Link Thomas' original thesis
- Loading branch information
1 parent
067dcca
commit 080a482
Showing
1 changed file
with
46 additions
and
8 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,17 +1,55 @@ | ||
| # Attacker IP Prioritization (AIP) Tool | ||
| The Attacker IP Prioritization (AIP) is a tool to generate IP blocklists based on network traffic captured from honeypot networks. Originally designed to create the blocklists for the [Stratosphere Blocklist Generation project](https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/), it aims to generate an IoT-friendly blocklist. With the advent of 5G, IoT devices will be directly connected to the Internet instead of being protected by a router's firewall. Therefore we need blocklists that are small and portable and designed to block those IPs that are targeting IoT devices. The main models used to this end are the Prioritize Consistent and the Prioritize New. | ||
| The Attacker IP Prioritization (AIP) is a tool to generate efficient and economic IP blocklists based on network traffic captured from honeypot networks. | ||
|
|
||
| With the advent of 5G, IoT devices are directly connected often without firewall protection. Therefore we need blocklists that are small, efficient and economic. The AIP structure is shown below. | ||
|
|
||
| Eventually, the project evolved, aiming to test new blocklists generation models beyond the PN and PC. The actual codebase allows a fast developing and testing of those new models, providing a common interface to access the attacks from several sensors deployed on the Public Internet, and a common set of metrics to compare the output of the models. | ||
|  | ||
|
|
||
| ## AIP Models | ||
|
|
||
| Given a honeypot network in your organization, it should be easy to use AIP to generate your own local blocklists based on the traffic reaching the honeypots. | ||
| Each AIP model generates its own blocklist based on a specific criteria. The main models are: | ||
|
|
||
|  | ||
| 1. **Prioritize New (PN)** | ||
| - Focuses on IPs that are new or have not been seen frequently in previous data. | ||
| - Useful to identify emerging attackers that are starting to target a network. | ||
| 2. **Prioritize Consistent (PC)** | ||
| - Focuses on IPs that have consistently attacked over time in previous data. | ||
| - Useful to identify persistent attackers that continuously target a network. | ||
| 3. **Alpha** | ||
| - Provides a baseline identifying all attackers seen in the last 24 hours. | ||
| - Useful to compare the effectiveness of other models. | ||
| 4. **Alpha7** | ||
| - Provides a baseline identifying all attackers seen in the last 7 days. | ||
| - Useful to further compare the effectiveness of other models. | ||
| 5. **Random Forest** | ||
| - Focuses on IPs that are more likely to attack in the future. | ||
| - A more experimental approach to increase blocklist efficiency. | ||
|
|
||
|
|
||
| ## AIP Docker | ||
|
|
||
| The best way to run AIP right now is using [Docker](etc/docker/README.md). | ||
|
|
||
| ## Usage | ||
|
|
||
| AIP will automatically attempt to run all the models using the available data. Assuming the Zeek data is located in its usual location: | ||
|
|
||
| ```bash | ||
| :~$ cd AIP | ||
| :~$ docker run --rm -v /opt/zeek/logs/:/home/aip/AIP/data/raw:ro -v ${PWD}/data/:/home/aip/AIP/data/:rw --name aip stratosphereips/aip:latest bin/aip | ||
| ``` | ||
|
|
||
| To run AIP for a specific day: | ||
| ```bash | ||
| :~$ cd AIP | ||
| :~$ docker run --rm -v /opt/zeek/logs/:/home/aip/AIP/data/raw:ro -v ${PWD}/data/:/home/aip/AIP/data/:rw --name aip stratosphereips/aip:latest bin/aip YYYY-MM-DD | ||
| ``` | ||
|
|
||
| ## License | ||
|
|
||
| ## Docker | ||
| The Stratosphere AIP tool is licensed under [GNU General Public License v3.0](https://github.com/stratosphereips/AIP/blob/main/LICENSE). | ||
|
|
||
| Check the instructions on how to run the AIP using [Docker](etc/docker/README.md). | ||
| ## About | ||
| This tool was developed at the Stratosphere Laboratory at the Czech Technical University in Prague. This is part of the [Stratosphere blocklist generation project](https://mcfp.felk.cvut.cz/publicDatasets/CTU-AIPP-BlackList/). | ||
|
|
||
| # About | ||
| This tool was developed at the Stratosphere Laboratory at the Czech Technical University in Prague. | ||
| This tool was originally born from the bachelor thesis of Thomas O'Hara, [The Attacker IP Prioritizer: An IoT Optimized Blacklisting Algorithm (2021)](https://dspace.cvut.cz/handle/10467/96722). |