Added generating TTL distribution and packets/source CDF graphs

Author: poorting

requirements.txt

@@ -2,3 +2,5 @@ duckdb
 pandas
 pyarrow
 pymisp
+matplotlib
+seaborn

src/attack.py

@@ -10,7 +10,7 @@
 from datetime import datetime, timedelta
 
 from util import AMPLIFICATION_SERVICES, ETHERNET_TYPES, DNS_QUERY_TYPES, ICMP_TYPES, TCP_FLAG_NAMES, \
-    get_outliers_single, get_outliers_mult, FileType
+    get_outliers_single, get_outliers_mult, get_ttl_distribution, get_packet_cdf, FileType
 from logger import LOGGER
 from misp import MispInstance
 
@@ -48,6 +48,12 @@ def filter_data_on_target(self, target: list[str]):
         df = self.db.execute(f"select count() as entries, sum(nr_packets) as total from '{self.view}'").fetchdf()
         LOGGER.debug(f"Attack object contains {int(df['entries'][0])} entries, with information on {int(df['total'][0])} packets")
 
+    def ttl_distribution(self):
+        return get_ttl_distribution(self.db, self.view)
+
+    def packet_cdf(self):
+        return get_packet_cdf(self.db, self.view)
+
 
 class AttackVector:
     def __init__(self, db: DuckDBPyConnection, view: str, source_port, protocol: str, filetype: FileType):

src/graphs.py

@@ -0,0 +1,224 @@
+#! /usr/bin/env python3
+
+###############################################################################
+import sys
+import os
+import logging
+import argparse
+from pathlib import Path
+from argparse import RawTextHelpFormatter
+import textwrap
+
+import pandas as pd
+import pprint
+from math import pi
+import duckdb
+
+import seaborn as sns
+import matplotlib
+import matplotlib.pyplot as plt
+
+
+# # ------------------------------------------------------------------------------
+# def createBarGraph_old(df, title=' ', y_label='score/percentage', label_suffix='', palette=paletteR, widegraph=False):
+#     pp = pprint.PrettyPrinter(indent=4)
+#
+#     sns.set_style('ticks')
+#
+#     # Assume first column are the periods
+#     df = df.set_index(df.columns[0])
+#
+#     categories = list(df.columns)
+#     # print("Categories ({}): {}".format(len(categories), categories))
+#
+#     periods = list(df.index.values)
+#     if isinstance(df.index, pd.DatetimeIndex):
+#         periods = [str(prd)[:10] for prd in df.index.values]
+#     # print("Periods ({}): {}".format(len(periods), periods))
+#
+#     nr_of_bars = len(periods) * len(categories)
+#
+#     # Create a linear color map from the palette given
+#     # to avoid overrunning the palette
+#     segments = len(periods)
+#     my_cmap = LinearSegmentedColormap.from_list('Custom', palette, segments)
+#
+#     # if (df.columns)
+#     figwidth = 3 + (len(df.columns) * len(df)) / 5.5
+#     barWidth = 1.0
+#     # Number of bars as gap in between categories
+#     cat_gap = 1
+#
+#     if widegraph:
+#         figwidth *= 3
+#         barWidth = 0.5
+#
+#     plt.figure(figsize=(figwidth, 8))
+#     ax = plt.subplot()
+#     ax.set_title(title, fontname=_graph_font, fontsize='large', y=1.05)
+#     ax.set_ylabel('score/percentage', fontname=_graph_font, fontsize='medium', loc='center')
+#     ax.set_xlabel('category', fontname=_graph_font, fontsize='medium', loc='center', labelpad=15.0)
+#     ax.spines['bottom'].set_linewidth(0.5)
+#     ax.spines['left'].set_linewidth(0.5)
+#
+#     ax.set_ylim(0, 100)
+#     loc = matplotlib.ticker.MultipleLocator(base=10)
+#     ax.yaxis.set_major_locator(loc)
+#     ax.yaxis.set_minor_locator(matplotlib.ticker.MultipleLocator(2))
+#     plt.tick_params(axis='y', which='minor', direction='out', length=3, width=0.5)
+#     plt.tick_params(axis='y', which='major', width=0.5, labelsize='small')
+#     plt.grid(which='major', axis='y', linestyle='dotted', linewidth=0.5, color='black', alpha=0.3)
+#
+#     ax.xaxis.set_minor_locator(matplotlib.ticker.MultipleLocator(len(periods) + 1))
+#     ax.xaxis.set_major_locator(matplotlib.ticker.MultipleLocator(len(periods) + cat_gap))
+#     plt.tick_params(axis='x', which='minor', direction='out', length=0, width=0.5, rotation=90, labelsize='x-small')
+#     plt.tick_params(axis='x', which='major', direction='out', length=0, width=0.5, labelsize='small')
+#
+#     plt.xticks(fontname=_graph_font)
+#     plt.yticks(fontname=_graph_font)
+#
+#     for i in range(0, len(periods)):
+#         rbars = range(i + 1, nr_of_bars + cat_gap * len(categories) + 1, len(periods) + cat_gap)
+#         plt.bar(rbars,
+#                 df.iloc[i, :].tolist(),
+#                 width=barWidth,
+#                 color=my_cmap(i),
+#                 edgecolor=(1, 1, 1, 1),
+#                 linewidth=1,
+#                 label=periods[i],
+#                 zorder=2,
+#                 )
+#         # Plot the values on top
+#         for j, r in enumerate(rbars):
+#             x = r - 0.2
+#             rotation = 'vertical'
+#             if widegraph:
+#                 x = r - 0.05
+#                 rotation = 'horizontal'
+#             y = df.iloc[i, j] + 1.5
+#             s = str(int(df.iloc[i, j]))
+#             plt.text(x=x, y=y, s=s, fontname=_graph_font, fontweight='normal', fontsize='small', rotation=rotation)
+#
+#     barsx = []
+#     for i in range(0, len(categories)):
+#         barsx.append(i * (len(periods) + cat_gap) + len(periods) / 2 + 0.5)
+#
+#     xticks = categories
+#     if len(df) > 3:
+#         plt.xticks(barsx, xticks, rotation='horizontal', fontname=_graph_font)
+#     else:
+#         plt.xticks(barsx, xticks, rotation='vertical', fontname=_graph_font)
+#
+#     leg = plt.legend(prop={'family': _graph_font}, framealpha=0.5, edgecolor='grey')
+#     for line in leg.get_lines():
+#         line.set_linewidth(7)
+#
+#     barslots = (len(periods) + cat_gap) * len(categories) - cat_gap
+#     plt.margins(x=0.51 / barslots)
+#     ax.set_xlim(0, barslots + 1)
+#
+#     plt.tight_layout()
+#     sns.despine()
+#     # plt.show()
+#
+#     return ax
+
+
+# ------------------------------------------------------------------------------
+def create_bar_graph(df, title=' ', max_x: float = None, max_y: float = None, filename: Path = None):
+    pp = pprint.PrettyPrinter(indent=4)
+
+    sns.set()
+    sns.set_style('ticks')
+
+    # Assume first column are the periods
+    datax = df.columns[0]
+    datay = df.columns[1]
+
+    categories = list(df.columns)
+
+    plt.figure(figsize=(16, 8))
+    ax = plt.subplot()
+    # ax.set_title(title, fontname=_graph_font, fontsize='large', y=1.05)
+    # ax.set_ylabel(datay, fontname=_graph_font, fontsize='medium', loc='center')
+    # ax.set_xlabel(datax, fontname=_graph_font, fontsize='medium', loc='center', labelpad=15.0)
+    ax.set_title(title, fontsize='large', y=1.05)
+    ax.set_ylabel(datay, fontsize='medium', loc='center')
+    ax.set_xlabel(datax, fontsize='medium', loc='center', labelpad=15.0)
+
+    if max_y:
+        ax.set_ylim(0, max_y)
+    else:
+        ax.set_ylim(0, df[datay].max())
+    ax.yaxis.set_minor_locator(matplotlib.ticker.AutoMinorLocator())
+    plt.tick_params(axis='y', which='minor', direction='out', length=3, width=0.5)
+    plt.tick_params(axis='y', which='major', width=0.5, labelsize='small')
+
+    if max_x:
+        ax.set_xlim(0, max_x)
+    else:
+        ax.set_xlim(0, df[datax].max())
+    loc = matplotlib.ticker.MultipleLocator(base=10)
+    ax.xaxis.set_major_locator(loc)
+    ax.xaxis.set_minor_locator(matplotlib.ticker.MultipleLocator(5))
+    plt.tick_params(axis='x', which='minor', direction='out', length=3, width=0.5, rotation=90, labelsize='x-small')
+    plt.tick_params(axis='x', which='major', length=5, width=0.5, rotation=0, labelsize='small')
+
+    plt.xticks()
+    plt.yticks()
+
+    plt.grid(which='major', linestyle='dashed', color='black', linewidth=1)
+    plt.grid(which='minor', linestyle='solid', color='grey', linewidth=0.5)
+
+    plt.bar(df[datax], df[datay], color='darkgreen', width=1)
+
+    plt.tight_layout()
+    if filename:
+        plt.savefig(str(filename) + '.svg', bbox_inches='tight')
+        plt.savefig(str(filename) + '.png', bbox_inches='tight')
+    plt.close()
+
+
+# ------------------------------------------------------------------------------
+def create_line_graph(df, title=' ', normalize_x: bool = False, normalize_y: bool = False, filename: Path = None):
+    pp = pprint.PrettyPrinter(indent=4)
+
+    sns.set()
+    sns.set_style('ticks')
+
+    datax = df.columns[0]
+    datay = df.columns[1]
+
+    plt.figure(figsize=(16, 8))
+    ax = plt.subplot()
+    ax.set_title(title, fontsize='large', y=1.05)
+    ax.set_ylabel(datay, fontsize='medium', loc='center')
+    ax.set_xlabel(datax, fontsize='medium', loc='center', labelpad=15.0)
+
+    if normalize_y:
+        df[datay] = df[datay] / df[datay].max()
+    ax.set_ylim(0, df[datay].max())
+    ax.yaxis.set_minor_locator(matplotlib.ticker.AutoMinorLocator())
+    plt.tick_params(axis='y', which='minor', direction='out', length=3, width=0.5)
+    plt.tick_params(axis='y', which='major', width=0.5, labelsize='small')
+
+    if normalize_x:
+        df[datax] = df[datax] / df[datax].max()
+    ax.set_xlim(0, df[datax].max())
+    ax.xaxis.set_minor_locator(matplotlib.ticker.AutoMinorLocator())
+    plt.tick_params(axis='x', which='minor', direction='out', length=3, width=0.5, rotation=90, labelsize='x-small')
+    plt.tick_params(axis='x', which='major', length=5, width=0.5, rotation=0, labelsize='small')
+
+    plt.xticks()
+    plt.yticks()
+
+    plt.grid(which='major', linestyle='dashed', color='black', linewidth=1)
+    plt.grid(which='minor', linestyle='solid', color='grey', linewidth=0.5)
+
+    plt.plot(df[datax], df[datay], color='darkgreen')
+
+    plt.tight_layout()
+    if filename:
+        plt.savefig(str(filename) + '.svg', bbox_inches='tight')
+        plt.savefig(str(filename) + '.png', bbox_inches='tight')
+    plt.close()

src/main.py

@@ -8,13 +8,16 @@
 from pathlib import Path
 from argparse import ArgumentParser, Namespace
 
+import matplotlib.pyplot as plt
+
 from logger import LOGGER
 from misp import MispInstance
 from reader import read_files
 from attack import Attack, Fingerprint
 from analysis import infer_target, extract_attack_vectors, compute_summary
 from util import parquet_files_to_view, FileType, determine_filetype, determine_source_filetype, \
     print_logo, parse_config
+from graphs import create_line_graph, create_bar_graph
 
 DOCKERIZED: bool = 'DISSECTOR_DOCKER' in os.environ
 
@@ -36,6 +39,8 @@ def parse_arguments() -> Namespace:
                         help='Optional: target IP address of this attack (subnet currently unsupported)')
     parser.add_argument('--ddosdb', action='store_true', help='Optional: directly upload fingerprint to DDoS-DB')
     parser.add_argument('--misp', action='store_true', help='Optional: directly upload fingerprint to MISP')
+    parser.add_argument('--graph', action='store_true',
+                        help='Optional: Create graphs of the attack, stored alongside the fingerprint')
     parser.add_argument('--noverify', action='store_true', help="Optional: Don't verify TLS certificates")
     parser.add_argument('--debug', action='store_true', help='Optional: show debug messages')
     parser.add_argument('--show-target', action='store_true', help='Optional: Do NOT anonymize the target IP address '
@@ -77,14 +82,14 @@ def parse_arguments() -> Namespace:
         # Convert the file(s) to parquet
         dst_dir = tempfile.gettempdir() if DOCKERIZED else f"{os.getcwd()}/parquet"
         pqt_files = read_files(args.files, dst_dir=dst_dir, filetype=filetype, nr_processes=args.n)
-        duration = time.time()-start
+        duration = time.time() - start
         LOGGER.info(f"Conversion took {duration:.2f}s")
         LOGGER.debug(pqt_files)
 
     if args.debug and not DOCKERIZED:
         # Store duckdb on disk in debug mode if not dockerized
         os.makedirs('duckdb', exist_ok=True)
-        db_name = "duckdb/"+os.path.basename(args.files[0])+".duckdb"
+        db_name = "duckdb/" + os.path.basename(args.files[0]) + ".duckdb"
         LOGGER.debug(f"Basename: {db_name}")
         if os.path.exists(db_name):
             os.remove(db_name)
@@ -125,6 +130,16 @@ def parse_arguments() -> Namespace:
     args.output.mkdir(parents=True, exist_ok=True)
     fingerprint.write_to_file(args.output / (fingerprint.checksum[:16] + '.json'))  # write the fingerprint to disk
 
+    if args.graph:
+        ttl = attack.ttl_distribution()
+        create_bar_graph(ttl, 'TTL distribution', max_x=255,
+                         filename=args.output / (fingerprint.checksum[:16] + '_ttl'))
+
+        cdf = attack.packet_cdf()
+        create_line_graph(cdf, "Cumulative distribution of packets per source", normalize_x=False,
+                          filename=args.output / (fingerprint.checksum[:16] + '_cdf'))
+
+
     if args.ddosdb:  # Upload the fingerprint to a specified DDoS-DB instance
         fingerprint.upload_to_ddosdb(**parse_config(args.config), noverify=args.noverify)
     if args.misp:  # Upload the fingerprint to a specified MISP instance