public override string ToString()
{
StringBuilder sb = new StringBuilder();
sb.AppendFormat("{0} {1} {2}-->{3} Owner: {4} {5}pkt ({6})",
_conn.ToString(),
Protocol == Packet2.Protocol.TCP ? "TCP" : "UDP",
StartTime.ToString("HH:mm:ss.f"),
StopTime.ToString("HH:mm:ss.f"),
ProcessName,
_pktList.Count,
Flow2.GetFlowTypeName(this.Type)
);
//sb.AppendFormat(" {0} ", Protocol == Packet.Protocol.TCP ? "TCP" : "UDP");
//sb.AppendFormat("{0} ", StartTime.ToString("HH:mm:ss.f"));
//sb.AppendFormat("End at {0} ", StopTime.ToString("HH:mm:ss.f"));
//sb.AppendFormat("Process Name: {0} ", ProcessName);
//sb.AppendFormat("Total packets: {0} packets ", _pktList.Count);
//sb.AppendFormat("Total payload: {0} bytes\n", TotalTraffic);
//sb.AppendFormat("First Packet Size: {0} bytes\n", FPS);
//sb.AppendFormat("Packet per second: {0:n2} pps\n", PPS);
//sb.AppendFormat("Average payload length: {0:n2} bytes\n", APL);
//sb.AppendFormat("Payload Variance : {0:n2} \n", PV);
return(sb.ToString());
}
/// <summary>
/// Insert/Update alert records
/// </summary>
/// <param name="features"></param>
/// <returns></returns>
public void InsertAlerts(IEnumerable <FlowFeature> features)
{
StringBuilder sbSql = null;
try
{
string flowType, srcMAC, dstMAC, protocol, timestamp;
//// long srcIP, dstIP;
string srcIP, dstIP;
foreach (FlowFeature f in features)
{
sbSql = new StringBuilder();
flowType = Flow2.GetFlowTypeName(f.Type);
// srcIP = ConvertIpToLong(f.SrcIP);
srcIP = ConvertIpToString(f.SrcIP);
srcMAC = ConvertMACAddressToString(f.SrcMAC);
// dstIP = ConvertIpToLong(f.DestIP);
dstIP = ConvertIpToString(f.DestIP);
dstMAC = ConvertMACAddressToString(f.DestMAC);
protocol = GetProtocolName(f.Protocol);
// timestamp = DateTime.UtcNow.ToString("o");//o means: 2008-06-15T21:15:07.0000000
//Just getting the milliseconds percision
timestamp = f.DetectionTimeStamp.ToString("o");
timestamp = timestamp.Substring(0, timestamp.Length - 5);
if (Double.IsInfinity(f.PPS))
{
f.PPS = 0.0d;
}
sbSql.Append(INSERT_SQL);
sbSql.AppendFormat(" (\"{0}\", \"{1}\", {2}, {3}, {4}, {5}, {6}, {7}, \"{8}\", \"{9}\", {10}, \"{11}\", \"{12}\", {13}, \"{14}\", \"{15}\", {16}, {17}, {18}, {19}, {20}, {21}, {22}, {23}, {24}, {25}, {26});",
f.LoggerIp,
//f.DetectionTimeStamp.ToString("o"),
timestamp,
f.APL,
f.PV,
f.PX,
f.PPS,
f.FPS,
f.DPL,
flowType,
srcIP,
f.SrcPort,
srcMAC,
dstIP,
f.DestPort,
dstMAC,
protocol,
f.AB,
f.TBT,
f.BS,
f.PS,
f.NNP,
f.NSP,
f.PSP,
f.Duration,
f.AIT,
f.IOPR,
f.Reconnect
);
sbSql.AppendLine();
//System.Diagnostics.Debug.WriteLine(sbSql.ToString());
//using the connection inside the loop is intentional to introduce a bit
//of delay so that we don't have overlaping timestamps for the alerts
using (MySqlConnection _dbConnection = new MySqlConnection(_connectionString))
{
_dbConnection.Open();
using (MySqlCommand cmd = new MySqlCommand(sbSql.ToString(), _dbConnection))
{
cmd.ExecuteNonQuery();
}
_dbConnection.Close();
}
}
}//end for
catch (MySqlException sqlEx)
{
//throw sqlEx;
System.Diagnostics.Debug.WriteLine(sqlEx.ToString());
}
catch (Exception ex)
{
//throw ex;
System.Diagnostics.Debug.WriteLine(ex.ToString());
}
finally
{
;
}
sbSql.Clear();
sbSql = null;
}
/// <summary>
/// Thread for training the decisition tree
/// </summary>
private void TrainingThread()
{
System.Console.WriteLine("Inside the training!!!!!!!!!!!!");
List <FlowFeature> trainingFeatures;
// List<FlowFeature> trainingFeatures;
//MySqlDao dao = null;
try
{
//dao = new MySqlDao();
// set data table
//Flow.SetLabelTable(dao.GetFlowLabels());
string traceFile = _openTrainingSetDlg.FileName;
System.Console.WriteLine("the training file is:" + traceFile);
if (File.Exists(traceFile) == false)
{
throw new FileNotFoundException("Trace file " + traceFile + " doesn't exist.");
}
NMParser parser = new NMParser();
IEnumerable <FlowFeature> allFeatures = GetFlowFeaturesFromTraceFile(parser, traceFile, -1);
trainingFeatures = allFeatures.ToList();
List <Attribute> attributes = new List <Attribute>();
attributes.Add(new NumericalAttribute("PX"));
attributes.Add(new NumericalAttribute("APL"));
attributes.Add(new NumericalAttribute("PV"));
attributes.Add(new NumericalAttribute("DPL"));
attributes.Add(new NumericalAttribute("PPS"));
attributes.Add(new IdSymbolicAttribute("Protocol", new List <string>()
{
"TCP", "UDP", "Mixed"
}));
attributes.Add(new NumericalAttribute("FPS"));
attributes.Add(new NumericalAttribute("AB"));
attributes.Add(new NumericalAttribute("TBT"));
attributes.Add(new NumericalAttribute("BS"));
attributes.Add(new NumericalAttribute("PS"));
attributes.Add(new NumericalAttribute("NNP"));
attributes.Add(new NumericalAttribute("NSP"));
attributes.Add(new NumericalAttribute("PSP"));
attributes.Add(new NumericalAttribute("Duration"));
attributes.Add(new NumericalAttribute("AIT"));
attributes.Add(new NumericalAttribute("IOPR"));
attributes.Add(new NumericalAttribute("Reconnect"));
attributes.Add(new IdSymbolicAttribute("Type", Flow2.GetFlowTypeNames()));
// System.Diagnostics.Debug.WriteLine("TrainingThread1");
AttributeSet attrSet = new AttributeSet(attributes);
ItemSet itemSet = new ItemSet(attrSet);
Dictionary <int, int> maliciousFlowCounter = new Dictionary <int, int>();
int value;
foreach (FlowFeature feature in trainingFeatures)
{
List <AttributeValue> attrVals = new List <AttributeValue>();
attrVals.Add(new KnownNumericalValue(feature.PX));
attrVals.Add(new KnownNumericalValue(feature.APL));
attrVals.Add(new KnownNumericalValue(feature.PV));
attrVals.Add(new KnownNumericalValue(feature.DPL));
attrVals.Add(new KnownNumericalValue(feature.PPS));
attrVals.Add(new KnownSymbolicValue((int)feature.Protocol));
attrVals.Add(new KnownNumericalValue(feature.FPS));
attrVals.Add(new KnownNumericalValue(feature.AB));
attrVals.Add(new KnownNumericalValue(feature.TBT));
attrVals.Add(new KnownNumericalValue(feature.BS));
attrVals.Add(new KnownNumericalValue(feature.PS));
attrVals.Add(new KnownNumericalValue(feature.NNP));
attrVals.Add(new KnownNumericalValue(feature.NSP));
attrVals.Add(new KnownNumericalValue(feature.PSP));
attrVals.Add(new KnownNumericalValue(feature.Duration));
attrVals.Add(new KnownNumericalValue(feature.AIT));
attrVals.Add(new KnownNumericalValue(feature.IOPR));
attrVals.Add(new KnownNumericalValue(feature.Reconnect));
attrVals.Add(new KnownSymbolicValue(feature.Type));
// System.Diagnostics.Debug.WriteLine("TrainingThread2");
// attrVals.Add(new ((DateTime)feature.DetectionTimeStamp));
Item it = new Item(attrVals.ToArray());
if (feature.Type > 0) // if the flow is not normal, count
{
if (!maliciousFlowCounter.TryGetValue(feature.Type, out value))
{
maliciousFlowCounter.Add(feature.Type, 1);
}
else
{
maliciousFlowCounter[feature.Type]++;
}
}
itemSet.Add(it);
}
foreach (int index in maliciousFlowCounter.Keys)
{
System.Diagnostics.Debug.WriteLine("Number of Malicious Flows for type: " + Flow2.GetFlowTypeName(index) + " is: " + maliciousFlowCounter[index].ToString());
}
SymbolicAttribute goalAttribute = attrSet.FindByName("Type") as SymbolicAttribute;
List <Attribute> testAttributes = new List <Attribute>();
testAttributes.Add(attrSet.FindByName("PX"));
testAttributes.Add(attrSet.FindByName("APL"));
testAttributes.Add(attrSet.FindByName("PV"));
testAttributes.Add(attrSet.FindByName("DPL"));
testAttributes.Add(attrSet.FindByName("PPS"));
testAttributes.Add(attrSet.FindByName("Protocol"));
testAttributes.Add(attrSet.FindByName("FPS"));
// testAttributes.Add(attrSet.FindByName("Type"));
testAttributes.Add(attrSet.FindByName("AB"));
testAttributes.Add(attrSet.FindByName("TBT"));
testAttributes.Add(attrSet.FindByName("BS"));
testAttributes.Add(attrSet.FindByName("PS"));
testAttributes.Add(attrSet.FindByName("NNP"));
testAttributes.Add(attrSet.FindByName("NSP"));
testAttributes.Add(attrSet.FindByName("PSP"));
testAttributes.Add(attrSet.FindByName("Duration"));
testAttributes.Add(attrSet.FindByName("AIT"));
testAttributes.Add(attrSet.FindByName("IOPR"));
testAttributes.Add(attrSet.FindByName("Reconnect"));
// System.Diagnostics.Debug.WriteLine("TrainingThread3");
SimpleDecisionTreeBuilder builder = new SimpleDecisionTreeBuilder( /// create tree hear!
new WeightedItemSet(itemSet),
new AttributeSet(testAttributes),
goalAttribute);
builder.ScoreThreshold = 0.0001d; // 0.0001 * itemSet.Size();
System.Diagnostics.Debug.WriteLine("DT ScoreThreshold is " + builder.ScoreThreshold.ToString());
LearningDecisionTree dt = builder.Build();
TestDecisionTree tdt = new TestDecisionTree(dt);
StoreDecisionTree(tdt);
}
catch (ThreadInterruptedException)
{
;
}
catch (ThreadAbortException)
{
;
}
catch (Exception ex)
{
MessageBox.Show(ex.ToString(), "Error");
}
finally
{
menuTraining.Text = Properties.Resources.StartTrainingText;
}
}