This tool uses machine learning to analyse encrypted network traffic for maliciious activity without the need to decrypt packets. This project was largely influenced by Cisco research from 2016.
- Python
- scikit-learn
- numpy
- pandas
- imblearn
- Linux
- Joy
Joy is a BSD-licensed libpcap-based software package for extracting data features from live network traffic or packet capture (pcap) files, using a flow-oriented model similar to that of IPFIX or Netflow, and then representing these data features in JSON.
-
Install Joy dependencies:
[sudo] apt-get update [sudo] apt-get install gcc git libcurl3 libcurl4-openssl-dev libpcap0.8 libpcap-dev libssl-dev make python python-pip ruby ruby-ffi libz-dev -
Download Joy:
git clone https://github.com/cisco/joy.git cd joy -
Configure:
./configure --enable-gzip -
Build:
make clean; make -
Installation:
sudo ./install_joy/install-sh
It takes as input, packet capture files. These files are fed into Joy to extract JSON formatted features including TLS metadata, DNS, HTTP, Netflow, etc depending on the argument passed to "bin/joy ...".
The JSON data is further parsed to extract TLS metadata information as input features to our model. These features can broadly be categoried as:
- TLS/SSL Handshake Information:
- Ciphersuites
- Extensions
- Key length
- Server Certificate
- Byte Distribution
- Individual Flow Metadata
- Netflow Information