psykoda [saikoːda]: Detect anomalous IP addresses from IDS log.
psykoda is an alert screening tool for IDS users (network security operators) based on machine learning. IDSs usually generate so many alerts that security operators cannot manually investigate all of them, but the alerts might contain potential threats of cyber attacks. This tool uses machine learning to analyze the alert log and detect most anomalous IP addresses. This mitigates alert fatigue for security operators and extracts potential cyber attacks.
This software consists of a library and an application built on it. See API Reference for library details.
See separate document for details.
- Install Python and Poetry.
- Clone this repository.
- Run
poetry install.
Run poetry run psykoda -h to see command line reference.
git clone https://github.com/FujitsuResearch/psykoda.git
cd psykoda
poetry install
poetry run psykoda -h
In Windows, if you get ImportError: Could not find the DLL(s) ‘msvcp140_1.dll’., download and install the Microsoft Visual C++ Redistributable for Visual Studio 2015, 2017 or 2019.
poetry run psykoda --config example\config.json --date_from 2020-04-04 --date_to 2020-04-07
If successful, a graphical representation of the results is displayed.
Xrepresents anomaly IP address▲represents known false positive IP address
Detailed results are outputed to the directory specified in config.json's io.output.dir.
- In this exmaple,
io.output.diris./example/result/
- Semi-supervised anomaly detection: Deep Semi-Supervised Anomaly Detection (Deep SAD)
- Explanation of anomalies: Shapley Additive Explanations (SHAP)
Any type of contributions are welcome! See contributing guidelines for details.