/// <summary>
/// Extract FlowFeatures from a trace file. Once the extract number of flow features are obtained, it should stop
/// </summary>
/// <param name="nmc"></param>
/// <param name="traceFileName"></param>
/// <param name="requiredCount">if the number is less than 0, extract all flows from the trace file.</param>
/// <returns></returns>
private IEnumerable <FlowFeature> GetFlowFeaturesFromTraceFile(NMParser nmc, string traceFileName, int requiredCount)
{
List <FlowFeature> features = new List <FlowFeature>();
//The Network Flows are extract from the tracefile by the time window.
//The GetNetworkFlows() function uses yield return.
IEnumerable <Flow2> temp = nmc.GetNetworkFlows(traceFileName, _malFlowDetector.TimeWindow);
var rows = new List <String>();
foreach (Flow2 f in temp)
//foreach(Flow f in nmc.GetNetworkFlows())
{
FlowFeature feature = f.GenerateFeatuesInTimeWindow();
if (feature != null)
{
feature.LoggerIp = "Offline";
rows.Add(feature.featuresToString());
features.Add(feature);
}
if (features.Count >= requiredCount && requiredCount > 0)
{
break;
}
}
//using (System.IO.StreamWriter file = new System.IO.StreamWriter(@"C:\Users\ebiglarb\Desktop\signature.csv"))
//{
// RuntimeConfig config = new RuntimeConfig();
// String featuresNameList = config.featuresList();
// file.WriteLine(featuresNameList);
// foreach (string line in rows)
// {
// file.WriteLine(line);
// }
//}
return(features);
}
private void OfflineDetectionThread()
{
string traceFile = null;
try
{
traceFile = _openOfflineDetectionDlg.FileName;
if (File.Exists(traceFile) == false)
{
throw new FileNotFoundException("Trace file " + traceFile + " doesn't exist.");
}
}
catch (Exception ex)
{
MessageBox.Show(ex.ToString());
}
_flowFeatureProducerConsumer = new ProducerConsumer <FlowFeature>(consumeFeature, false, true, true);
_parser = new NMParser(traceFile, _malFlowDetector.TimeWindow, _flowFeatureProducerConsumer);
System.Diagnostics.Debug.WriteLine("Created new parser");
//Get all the flows from the trace file
System.Diagnostics.Debug.WriteLine("Extracting features from tracefile");
_featureProducer = new Thread(new ThreadStart(_parser.EnqueueNetworkFlowFeatures));
///// inja print konnnnnnnnnnnnnnnnnnnnnnnnnn
_featureProducer.Start();
_featureProducer.Join();
menuOfflineDetection.Text = "Start Offline Detection";
_parser = null;
_flowFeatureProducerConsumer.Stop();
_featureProducer.Abort();
_featureProducer = null;
_flowFeatureProducerConsumer = null;
if (traceFile != null)
{
MessageBox.Show("Finished Processing " + traceFile + " trace file...");
}
}
private ContextMenu CreateContextMenu()
{
List <MenuItem> items = new List <MenuItem>();
//add context menu items here.
MenuItem miLastError = new MenuItem("Display Last Error");
miLastError.Click += new EventHandler(
(o, e) =>
{
MessageBox.Show(
string.IsNullOrEmpty(_lastErrorMsg) ? "There is no error message."
: _lastErrorMsg
, "Last Error Message", MessageBoxButtons.OK);
}
);
items.Add(miLastError);
// Change Decision Tree Signature menu item
// this can be done through the xml configuration file
/*
* MenuItem miChangeSignature = new MenuItem("Change Detection Signature");
* miChangeSignature.Click += new EventHandler(OnChangeSignatureFile);
* items.Add(miChangeSignature);
*/
// Training Signature menu item
menuTraining = new MenuItem();
menuTraining.Text = Properties.Resources.StartTrainingText;
menuTraining.Click += new EventHandler(
(o, e) =>
{
if (menuTraining.Text.Equals(Properties.Resources.CancelTrainingText) &&
_trainingThread.ThreadState == System.Threading.ThreadState.Running)
{
_trainingThread.Abort();
menuTraining.Text = Properties.Resources.StartTrainingText;
_trainingThread = null;
return;
}
if (_openTrainingSetDlg.ShowDialog() != DialogResult.OK)
{
return;
}
if (_trainingThread == null ||
_trainingThread.ThreadState == System.Threading.ThreadState.Stopped)
{
_trainingThread = new Thread(new ThreadStart(this.TrainingThread));
_trainingThread.SetApartmentState(ApartmentState.STA);
_trainingThread.Name = "Training Thread";
_trainingThread.Start();
menuTraining.Text = Properties.Resources.CancelTrainingText;
}
/*
* else if (_trainingThread.ThreadState == System.Threading.ThreadState.Running)
* {
* _trainingThread.Abort();
* menuTraining.Text = Properties.Resources.StartTrainingText;
* }
* */
});
items.Add(menuTraining);
// Display CPU usage menu item
MenuItem menuCpuUsage = new MenuItem("CPU Usage");
menuCpuUsage.Click += new EventHandler(
(o, e) =>
{
if (_notifyIcon != null)
{
_notifyIcon.BalloonTipText = "CPU: " + CpuUsage().ToString("P1");
_notifyIcon.ShowBalloonTip(1000);
}
});
items.Add(menuCpuUsage);
/*
* // System setting menu item
* MenuItem miServerSetting = new MenuItem();
* miServerSetting.Text = Properties.Resources.ServerSettingText;
* miServerSetting.Click += new EventHandler(
* (o, e) =>
* {
* // TODO: Implement the Server menu setting
*
* }
* );
* items.Add(miServerSetting);
*/
// Offline Detection Menu Item
menuOfflineDetection = new MenuItem("Start Offline Detection");
menuOfflineDetection.Click += new EventHandler(
(o, e) =>
{
if (menuOfflineDetection.Text.Equals("Stop Offline Detection") &&
_offlineDetectionThread.ThreadState == System.Threading.ThreadState.WaitSleepJoin)
{
_offlineDetectionThread.Abort();
_offlineDetectionThread = null;
menuOfflineDetection.Text = "Start Offline Detectiont";
_featureProducer.Abort();
_featureProducer = null;
_flowFeatureProducerConsumer.Stop();
_flowFeatureProducerConsumer = null;
_parser = null;
return;
}
if (_openOfflineDetectionDlg.ShowDialog() != DialogResult.OK)
{
return;
}
if (_offlineDetectionThread == null ||
_offlineDetectionThread.ThreadState == System.Threading.ThreadState.Stopped)
{
_offlineDetectionThread = new Thread(new ThreadStart(this.OfflineDetectionThread));
_offlineDetectionThread.SetApartmentState(ApartmentState.STA);
_offlineDetectionThread.Name = "Offline Detection Thread";
_offlineDetectionThread.Start();
menuOfflineDetection.Text = "Stop Offline Detection";
}
/*
* else if (_offlineDetectionThread.ThreadState == System.Threading.ThreadState.Running)
* {
* _offlineDetectionThread.Interrupt();
*
* menuOfflineDetection.Text = "Start Offline Detectiont";
* }
*/
});
items.Add(menuOfflineDetection);
// About dialog menu
MenuItem menuAbout = new MenuItem("About");
menuAbout.Click += new EventHandler(
(o, e) =>
{
MessageBox.Show("Network Flow Detector Server application. Version: "
+ Properties.Settings.Default.Version,
"About",
MessageBoxButtons.OK);
}
);
items.Add(menuAbout);
// Exit menu item
MenuItem menuExit = new MenuItem("E&xit");
menuExit.Click += new EventHandler(MenuExit_Click);
items.Add(menuExit);
return(new ContextMenu(items.ToArray()));
}
/// <summary>
/// Thread for training the decisition tree
/// </summary>
private void TrainingThread()
{
System.Console.WriteLine("Inside the training!!!!!!!!!!!!");
List <FlowFeature> trainingFeatures;
// List<FlowFeature> trainingFeatures;
//MySqlDao dao = null;
try
{
//dao = new MySqlDao();
// set data table
//Flow.SetLabelTable(dao.GetFlowLabels());
string traceFile = _openTrainingSetDlg.FileName;
System.Console.WriteLine("the training file is:" + traceFile);
if (File.Exists(traceFile) == false)
{
throw new FileNotFoundException("Trace file " + traceFile + " doesn't exist.");
}
NMParser parser = new NMParser();
IEnumerable <FlowFeature> allFeatures = GetFlowFeaturesFromTraceFile(parser, traceFile, -1);
trainingFeatures = allFeatures.ToList();
List <Attribute> attributes = new List <Attribute>();
attributes.Add(new NumericalAttribute("PX"));
attributes.Add(new NumericalAttribute("APL"));
attributes.Add(new NumericalAttribute("PV"));
attributes.Add(new NumericalAttribute("DPL"));
attributes.Add(new NumericalAttribute("PPS"));
attributes.Add(new IdSymbolicAttribute("Protocol", new List <string>()
{
"TCP", "UDP", "Mixed"
}));
attributes.Add(new NumericalAttribute("FPS"));
attributes.Add(new NumericalAttribute("AB"));
attributes.Add(new NumericalAttribute("TBT"));
attributes.Add(new NumericalAttribute("BS"));
attributes.Add(new NumericalAttribute("PS"));
attributes.Add(new NumericalAttribute("NNP"));
attributes.Add(new NumericalAttribute("NSP"));
attributes.Add(new NumericalAttribute("PSP"));
attributes.Add(new NumericalAttribute("Duration"));
attributes.Add(new NumericalAttribute("AIT"));
attributes.Add(new NumericalAttribute("IOPR"));
attributes.Add(new NumericalAttribute("Reconnect"));
attributes.Add(new IdSymbolicAttribute("Type", Flow2.GetFlowTypeNames()));
// System.Diagnostics.Debug.WriteLine("TrainingThread1");
AttributeSet attrSet = new AttributeSet(attributes);
ItemSet itemSet = new ItemSet(attrSet);
Dictionary <int, int> maliciousFlowCounter = new Dictionary <int, int>();
int value;
foreach (FlowFeature feature in trainingFeatures)
{
List <AttributeValue> attrVals = new List <AttributeValue>();
attrVals.Add(new KnownNumericalValue(feature.PX));
attrVals.Add(new KnownNumericalValue(feature.APL));
attrVals.Add(new KnownNumericalValue(feature.PV));
attrVals.Add(new KnownNumericalValue(feature.DPL));
attrVals.Add(new KnownNumericalValue(feature.PPS));
attrVals.Add(new KnownSymbolicValue((int)feature.Protocol));
attrVals.Add(new KnownNumericalValue(feature.FPS));
attrVals.Add(new KnownNumericalValue(feature.AB));
attrVals.Add(new KnownNumericalValue(feature.TBT));
attrVals.Add(new KnownNumericalValue(feature.BS));
attrVals.Add(new KnownNumericalValue(feature.PS));
attrVals.Add(new KnownNumericalValue(feature.NNP));
attrVals.Add(new KnownNumericalValue(feature.NSP));
attrVals.Add(new KnownNumericalValue(feature.PSP));
attrVals.Add(new KnownNumericalValue(feature.Duration));
attrVals.Add(new KnownNumericalValue(feature.AIT));
attrVals.Add(new KnownNumericalValue(feature.IOPR));
attrVals.Add(new KnownNumericalValue(feature.Reconnect));
attrVals.Add(new KnownSymbolicValue(feature.Type));
// System.Diagnostics.Debug.WriteLine("TrainingThread2");
// attrVals.Add(new ((DateTime)feature.DetectionTimeStamp));
Item it = new Item(attrVals.ToArray());
if (feature.Type > 0) // if the flow is not normal, count
{
if (!maliciousFlowCounter.TryGetValue(feature.Type, out value))
{
maliciousFlowCounter.Add(feature.Type, 1);
}
else
{
maliciousFlowCounter[feature.Type]++;
}
}
itemSet.Add(it);
}
foreach (int index in maliciousFlowCounter.Keys)
{
System.Diagnostics.Debug.WriteLine("Number of Malicious Flows for type: " + Flow2.GetFlowTypeName(index) + " is: " + maliciousFlowCounter[index].ToString());
}
SymbolicAttribute goalAttribute = attrSet.FindByName("Type") as SymbolicAttribute;
List <Attribute> testAttributes = new List <Attribute>();
testAttributes.Add(attrSet.FindByName("PX"));
testAttributes.Add(attrSet.FindByName("APL"));
testAttributes.Add(attrSet.FindByName("PV"));
testAttributes.Add(attrSet.FindByName("DPL"));
testAttributes.Add(attrSet.FindByName("PPS"));
testAttributes.Add(attrSet.FindByName("Protocol"));
testAttributes.Add(attrSet.FindByName("FPS"));
// testAttributes.Add(attrSet.FindByName("Type"));
testAttributes.Add(attrSet.FindByName("AB"));
testAttributes.Add(attrSet.FindByName("TBT"));
testAttributes.Add(attrSet.FindByName("BS"));
testAttributes.Add(attrSet.FindByName("PS"));
testAttributes.Add(attrSet.FindByName("NNP"));
testAttributes.Add(attrSet.FindByName("NSP"));
testAttributes.Add(attrSet.FindByName("PSP"));
testAttributes.Add(attrSet.FindByName("Duration"));
testAttributes.Add(attrSet.FindByName("AIT"));
testAttributes.Add(attrSet.FindByName("IOPR"));
testAttributes.Add(attrSet.FindByName("Reconnect"));
// System.Diagnostics.Debug.WriteLine("TrainingThread3");
SimpleDecisionTreeBuilder builder = new SimpleDecisionTreeBuilder( /// create tree hear!
new WeightedItemSet(itemSet),
new AttributeSet(testAttributes),
goalAttribute);
builder.ScoreThreshold = 0.0001d; // 0.0001 * itemSet.Size();
System.Diagnostics.Debug.WriteLine("DT ScoreThreshold is " + builder.ScoreThreshold.ToString());
LearningDecisionTree dt = builder.Build();
TestDecisionTree tdt = new TestDecisionTree(dt);
StoreDecisionTree(tdt);
}
catch (ThreadInterruptedException)
{
;
}
catch (ThreadAbortException)
{
;
}
catch (Exception ex)
{
MessageBox.Show(ex.ToString(), "Error");
}
finally
{
menuTraining.Text = Properties.Resources.StartTrainingText;
}
}
