bugfix + fraction of attack by bytes

Author: tvdhout

fingerprint_format.md

@@ -47,7 +47,7 @@ The datatype `Map<?, Float>` refers to a map of values to their corresponding fr
 |---------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|--------------------------------|
 | `service`                             | Name of the service used in this attack vector, determined by the source port and protocol. e.g. UDP port 53 -> DNS. Or: "Unknown service" or "Fragmented IP packets" for the vector of packet fragments that cannot be assigned to another vector | String                         |
 | `protocol`                            | IP protocol, e.g. TCP, UDP, ICMP                                                                                                                                                                                                                   | String                         |
-| `fraction_of_attack`                  | The fraction of the entire DDoS attack that this attack vector makes up \[0, 1\], not taking into account the vector of packet fragments (null)                                                                                                    | Float or null                  |
+| `fraction_of_attack`                  | The fraction of the entire DDoS attack that this attack vector makes up \[0, 1\], calculated from total bytes, not taking into account the vector of packet fragments (null)                                                                       | Float or null                  |
 | `source_port`                         | Source port of this attack vector if the source port in combination with protocol is associated with a specific service (e.g. UDP/53 -> DNS), if not - see `destiantion_ports`                                                                     | Integer or "random"            |
 | `destination_ports`                   | List of outlier destination ports (if any) with the corresponding fraction of the traffic, or "random". e.g. {"443": 0.65, "80": 0.35}. (The keys are strings because of the JSON format)                                                          | Map<String, Float> or "random" |
 | `tcp_flags`                           | List of outlier TCP flags (if any) with the corresponding fraction of the traffic,. e.g. {"...A....": 0.987}. null if the protocol is not TCP, or there are no outliers                                                                            | null or Map<String, Float>     |

src/analysis.py

@@ -169,13 +169,14 @@ def combine_outliers(port_protocol_tuples: list[tuple[str, int]]) -> list[tuple[
     # Compute the fraction of all traffic for each attack vector, discard vectors with less than 5% of traffic
     LOGGER.debug("Computing the fraction of traffic each attack vector contributes.")
     while True:
-        total_packets = sum([v.packets for v in attack_vectors])
+        total_bytes = sum([v.bytes for v in attack_vectors])
         for vector in attack_vectors:
-            vector.fraction_of_attack = round(vector.packets / total_packets, 3)
+            vector.fraction_of_attack = round(vector.bytes / total_bytes, 3)
             if vector.fraction_of_attack < 0.05:
                 break
         else:
             break
+        LOGGER.debug(f'removing {vector} ({vector.fraction_of_attack * 100}% of traffic)')
         attack_vectors.remove(vector)
 
     # Create attack vector(s) with fragmented packets

src/attack.py

@@ -60,7 +60,7 @@ def __init__(self, data: pd.DataFrame, source_port: int, protocol: str, filetype
         self.source_ips: list[IPAddress] = data.source_address.unique()
         self.fraction_of_attack = 0
         try:
-            if self.protocol == 'UDP':
+            if self.protocol == 'UDP' and source_port != -1:
                 self.service = (AMPLIFICATION_SERVICES.get(self.source_port, None) or
                                 socket.getservbyport(source_port, protocol.lower()).upper())
             elif self.protocol == 'TCP':
@@ -109,7 +109,7 @@ def __init__(self, data: pd.DataFrame, source_port: int, protocol: str, filetype
                                                    return_others=True)) or 'random'
 
     def __str__(self):
-        return f"[AttackVector] {self.service} on port {self.source_port}, protocol {self.protocol}"
+        return f"[AttackVector ({self.fraction_of_attack * 100}% of traffic) {self.protocol}, service: {self.service}]"
 
     def __repr__(self):
         return self.__str__()