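/// <summary>
/// Classifies every captured network flow with the loaded decision tree and reports
/// the flows whose predicted class is non-zero.
/// </summary>
/// <param name="features">
/// Flow records to classify. Each record's <c>Type</c> is overwritten with the predicted
/// class, and flagged records also receive a UTC <c>DetectionTimeStamp</c>.
/// </param>
/// <remarks>
/// Nothing is thrown to the caller: every exception, including the
/// "No signature was found." case raised when no tree is loaded, is forwarded to
/// <c>OnErrorEvent</c>. An empty list is a no-op and raises no event.
/// </remarks>
private void DetectNetworkFlows(List<FlowFeature> features)
{
    try
    {
        if (_tree == null)
        {
            throw new Exception("No signature was found.");
        }

        if (features.Count > 0)
        {
            List<FlowFeature> malFlows = new List<FlowFeature>();

            foreach (FlowFeature feature in features)
            {
                // Input vector for the tree. Order matters: the values are passed positionally.
                // NOTE(review): consumeFeature feeds the same _tree an 18-value vector that also
                // carries FPS (after Protocol) and PSP (after NSP); this method passes 16.
                // Confirm which layout matches the schema the tree was built with - a
                // misaligned vector would classify on the wrong attributes without any error.
                List<AttributeValue> attrVals = new List<AttributeValue>
                {
                    new KnownNumericalValue(feature.PX),
                    new KnownNumericalValue(feature.APL),
                    new KnownNumericalValue(feature.PV),
                    new KnownNumericalValue(feature.DPL),
                    new KnownNumericalValue(feature.PPS),
                    new KnownSymbolicValue(feature.Protocol),
                    new KnownNumericalValue(feature.AB),
                    new KnownNumericalValue(feature.TBT),
                    new KnownNumericalValue(feature.BS),
                    new KnownNumericalValue(feature.PS),
                    new KnownNumericalValue(feature.NNP),
                    new KnownNumericalValue(feature.NSP),
                    new KnownNumericalValue(feature.Duration),
                    new KnownNumericalValue(feature.AIT),
                    new KnownNumericalValue(feature.IOPR),
                    new KnownNumericalValue(feature.Reconnect),
                };

                // feature.Type is the attribute being predicted, so it is not part of the input.
                Item it = new Item(attrVals.ToArray());
                KnownSymbolicValue guessedVal = _tree.GuessGoalAttribute(it);
                feature.Type = guessedVal.IntValue;

                // Any non-zero class is treated as malicious and reported.
                if (feature.Type != 0)
                {
                    feature.DetectionTimeStamp = DateTime.UtcNow;
                    malFlows.Add(feature);
                }
            }

            // NOTE(review): an exception on any single flow skips this call, so flows already
            // flagged earlier in the same batch are not reported; only the error event fires.
            OnDetectMaliciousFlows(malFlows, features.Count);
        }
    }
    catch (Exception ex)
    {
        OnErrorEvent(ex);
    }
}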
/// <summary>
/// Classifies a single flow with the loaded decision tree, records it in
/// <c>_maliciousFlowsDetected</c> when the predicted class is non-zero, and bumps the
/// examined-flow counter.
/// </summary>
/// <param name="feature">Flow record to classify; its <c>Type</c> is overwritten with the predicted class.</param>
/// <remarks>
/// Nothing is thrown to the caller: any exception, including the
/// "No signature was found." case, is shown in a message box titled "Error".
/// </remarks>
private void consumeFeature(FlowFeature feature)
{
    try
    {
        if (this._tree == null)
        {
            throw new Exception("No signature was found.");
        }

        // Positional input vector for the tree (18 values). feature.Type is the attribute
        // being predicted, so it is not part of the input.
        AttributeValue[] inputs =
        {
            new KnownNumericalValue(feature.PX),
            new KnownNumericalValue(feature.APL),
            new KnownNumericalValue(feature.PV),
            new KnownNumericalValue(feature.DPL),
            new KnownNumericalValue(feature.PPS),
            new KnownSymbolicValue(feature.Protocol),
            new KnownNumericalValue(feature.FPS),
            new KnownNumericalValue(feature.AB),
            new KnownNumericalValue(feature.TBT),
            new KnownNumericalValue(feature.BS),
            new KnownNumericalValue(feature.PS),
            new KnownNumericalValue(feature.NNP),
            new KnownNumericalValue(feature.NSP),
            new KnownNumericalValue(feature.PSP),
            new KnownNumericalValue(feature.Duration),
            new KnownNumericalValue(feature.AIT),
            new KnownNumericalValue(feature.IOPR),
            new KnownNumericalValue(feature.Reconnect),
        };

        KnownSymbolicValue prediction = _tree.GuessGoalAttribute(new Item(inputs));
        feature.Type = prediction.IntValue;

        bool flagged = feature.Type != 0;
        if (flagged)
        {
            // NOTE(review): DetectionTimeStamp is not set on this path, so flows recorded
            // here carry no detection time - confirm downstream consumers do not rely on it.
            lock (_maliciousFlowsDetected)
            {
                _maliciousFlowsDetected.Add(feature);
            }
        }

        // NOTE(review): the list above is guarded by a lock but this counter is not; if this
        // method runs on more than one thread the count can lose updates - confirm.
        _totalNbFlowExamined += 1;
    }
    catch (Exception ex)
    {
        // NOTE(review): errors here surface as a dialog containing ex.ToString(), whereas
        // DetectNetworkFlows forwards them to OnErrorEvent; a failure on this path is
        // therefore only visible to whoever is at the console, and the flow is neither
        // counted nor recorded.
        MessageBox.Show(ex.ToString(), "Error");
    }
}