User anomaly detector based on logs generated by the osquery framework and on machine learning to process those logs. The machine learning algorithms currently implemented are a recurrent neural network with long short-term memory (LSTM) and a One-Class Support Vector Machine (OCSVM). This project is part of a Master's thesis at the Faculty of Electrical Engineering and Computing, University of Zagreb.
Note: Only Linux platforms are supported. Tested on Xubuntu 16.04.
The code includes:
Existing security solutions are mostly based on preventing known malicious threats or on a defined set of rules, so many outside and inside threats still end as successful attacks. The idea is to build a system that adaptively identifies user actions, so it can predict and detect anomalous behavior in real time.
1. Copy user-behavior.conf and the osquery configuration file osquery.conf from the conf directory to the osquery directory, which is usually /etc/osquery/ or /usr/local/.

2. Add the following template and action to /etc/rsyslog.conf or to a file in /etc/rsyslog.d/, so that rsyslog writes syslog lines into the osquery syslog pipe in the CSV column order osquery expects:

```
template(
  name="OsqueryCsvFormat"
  type="string"
  string="%timestamp:::date-rfc3339,csv%,%hostname:::csv%,%syslogseverity:::csv%,%syslogfacility-text:::csv%,%syslogtag:::csv%,%msg:::csv%\n"
)
*.* action(type="ompipe" Pipe="/var/osquery/syslog_pipe" template="OsqueryCsvFormat")
```
If you use syslog-ng, you can read about the configuration here. If no logs are available, read the debugging suggestions.
3. Clone the repository and install the Python dependencies:

```
git clone
pip install -r requirements.txt
```
Python 2.7 is required. I don't guarantee that everything works with Python 3+ but please feel free to try.

Usage:

1. Start osquery with `sudo service osqueryd start` or `/usr/local/bin/osqueryd`. Osquery in this case doesn't require root access.

2. Run the detector: `python main.py -a OCSVM`
The default algorithm is LSTM. You can also change the query results log file using the -l flag; the default is /var/log/osquery/osqueryd.results.log.
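As an added illustration (not code from this project), here is how the osqueryd results log the detector reads can be turned into per-host event sequences and count vectors, the shape of input an LSTM or OCSVM is trained on. The query names and column values are constructed sample data, not the contents of user-behavior.conf.

```python
# Added example, not this project's code: turn osqueryd.results.log (osquery's
# differential JSON-lines format) into per-host event sequences and count vectors.
# Query names and column values are constructed, not taken from user-behavior.conf.
import json
from collections import Counter, defaultdict

SAMPLE_LOG = "\n".join([
    json.dumps({"name": "logged_in_users", "hostIdentifier": "host-a", "unixTime": 1500000000,
                "action": "added", "columns": {"user": "alice", "tty": "pts/0"}}),
    json.dumps({"name": "shell_history", "hostIdentifier": "host-a", "unixTime": 1500000010,
                "action": "added", "columns": {"username": "alice", "command": "ls -la"}}),
    "not json at all",  # a torn line, as seen when reading while osqueryd is still writing
    json.dumps({"name": "shell_history", "hostIdentifier": "host-a", "unixTime": 1500000005,
                "action": "added", "columns": {"username": "alice", "command": "sudo su"}}),
    json.dumps({"name": "logged_in_users", "hostIdentifier": "host-a", "unixTime": 1500000020,
                "action": "removed", "columns": {"user": "alice", "tty": "pts/0"}}),
])

def parse_results_log(text):
    """Yield (host, unixTime, token) per valid differential row; the token is
    'query:action' so that a login and a logout are distinct events."""
    for line in text.splitlines():
        try:
            rec = json.loads(line)
        except ValueError:
            continue  # skip partial or non-JSON lines instead of crashing the detector
        if not isinstance(rec, dict) or rec.get("action") not in ("added", "removed"):
            continue  # snapshot results carry no action field and are not events
        yield rec.get("hostIdentifier", "?"), int(rec["unixTime"]), "%s:%s" % (rec["name"], rec["action"])

def build_sequences(text):
    """Per-host token sequences ordered by unixTime (rows can be written out of order)."""
    per_host = defaultdict(list)
    for host, ts, token in parse_results_log(text):
        per_host[host].append((ts, token))
    return {h: [tok for _, tok in sorted(evts)] for h, evts in per_host.items()}

def encode(sequences):
    """Map tokens to small integers for an LSTM input layer; 0 is left for padding."""
    vocab, encoded = {}, {}
    for host, seq in sorted(sequences.items()):
        encoded[host] = [vocab.setdefault(tok, len(vocab) + 1) for tok in seq]
    return vocab, encoded

def count_vectors(sequences, vocab):
    """Fixed-length bag-of-events vectors (one per host) that an OCSVM can be fit on."""
    order = sorted(vocab, key=vocab.get)
    return {h: [Counter(seq)[tok] for tok in order] for h, seq in sequences.items()}
```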
If you are running osquery as root, use sudo to run the Python script because it needs to be able to read the log file.

The MIT License Copyright (c) 2017-present