GRAPH-BASED ALERT CORRELATION IN COLLABORATIVE HOME NETWORKS
OVERVIEW
This project implements a graph-based alert correlation system for analyzing network logs in home environments. It focuses on detecting Indicators of Compromise (IoCs) from static log files, such as Zeek conn.log and dns.log, or compatible CSV files. The system consists of a client (gbac.py) that processes logs and a server (gbac_server.py) that correlates IoCs across networks, sending alerts for both single IoCs and multi-step attacks.
REQUIREMENTS
Python 3.8 or higher. Log files in Zeek .log format (e.g., conn.log, dns.log) or CSV with columns: Timestamp, Source IP, Source Port, Destination IP, Destination Port, Protocol. Two terminal instances for running the server and client.
INSTALLATION
1. Install Dependencies: Navigate to the project directory in a terminal and execute: `pip install -r requirements.txt` to install required Python libraries.
2. Generate SSL Certificates: To enable HTTPS communication, generate self-signed certificates using OpenSSL:
Follow the prompts; default values are acceptable for this prototype. Ensure cert.pem and key.pem are in the project directory. Copy cert.pem to any additional machines if testing across devices.
3. Prepare Log Files: Place log files in an accessible directory. Supported formats are detailed in gbac.py under parse_log_file.
USAGE
1. Run the Server: In a terminal, navigate to the project directory and execute: `python3 gbac_server.py`. The server listens on port 443 (HTTPS) and requires cert.pem and key.pem.
2. Run the Client: In a separate terminal, execute:
3. Operation: The client parses logs, detects IoCs, and sends them to the server. The server stores IoCs in iocs.db, checks for multi-step attacks, and sends alerts back to clients. If no multi-step attacks are detected, alerts are sent for individual IoCs. Output is displayed in the terminal, including detected patterns, certainty scores, and sample alerts.
FILES
gbac.py: Client script for log parsing and IoC detection.
gbac_server.py: Server script for IoC correlation and alert distribution.
requirements.txt: List of required Python libraries.
ERROR HANDLING
Certificate Errors: Ensure cert.pem and key.pem exist; regenerate using OpenSSL if missing.
Library Errors: Verify all dependencies are installed via requirements.txt.
No Output: Confirm log files are non-empty and correctly formatted.
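The REQUIREMENTS section names the two accepted input shapes (Zeek .log or CSV with the six listed columns) and the "correctly formatted" check above is what a client has to run before detection. The following parser is an added example for this README, not the project's own parse_log_file: it reads both shapes into one normalized record layout and raises on a malformed file. The Zeek field names (ts, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto) are the standard conn.log/dns.log names; the sample log lines are constructed.

```python
import csv
import io
from typing import Dict, List

# Zeek conn.log/dns.log field names mapped onto the normalized CSV columns from REQUIREMENTS.
ZEEK_TO_NORMAL = {
    "ts": "Timestamp", "id.orig_h": "Source IP", "id.orig_p": "Source Port",
    "id.resp_h": "Destination IP", "id.resp_p": "Destination Port", "proto": "Protocol",
}
NORMAL_FIELDS = list(ZEEK_TO_NORMAL.values())

SAMPLE_ZEEK = (  # constructed sample, not a real capture: one flow plus Zeek headers
    "#separator \\x09\n#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\n"
    "1700000000.1\tCabc1\t192.168.1.10\t51234\t203.0.113.5\t443\ttcp\n#close\n"
)
SAMPLE_CSV = ("Timestamp,Source IP,Source Port,Destination IP,Destination Port,Protocol\n"
              "1700000000.1,192.168.1.10,51234,203.0.113.5,443,tcp\n")  # constructed CSV twin

def _parse_zeek(lines: List[str]) -> List[Dict[str, str]]:
    # Zeek ASCII logs open with '#separator \x09' (escape written literally), then
    # #fields/#types headers, tab-separated data rows and '#close'; '-' marks an unset field.
    sep = lines[0].split(" ", 1)[1].encode().decode("unicode_escape")
    fields, records = None, []
    for ln in lines[1:]:
        if ln.startswith("#fields"):
            fields = ln.split(sep)[1:]
            missing = set(ZEEK_TO_NORMAL) - set(fields)
            if missing:
                raise ValueError("Zeek log lacks fields: %s" % sorted(missing))
        elif ln.startswith("#"):
            continue  # #set_separator, #types, #path, #open, #close ...
        elif fields is None:
            raise ValueError("data row before #fields header")
        else:
            row = dict(zip(fields, ln.split(sep)))
            records.append({ZEEK_TO_NORMAL[k]: row.get(k, "-") for k in ZEEK_TO_NORMAL})
    return records

def _parse_csv(lines: List[str]) -> List[Dict[str, str]]:
    reader = csv.DictReader(io.StringIO("\n".join(lines)))
    missing = set(NORMAL_FIELDS) - set(reader.fieldnames or [])
    if missing:
        raise ValueError("CSV lacks columns: %s" % sorted(missing))
    return [{k: row[k] for k in NORMAL_FIELDS} for row in reader]

def parse_log(text: str) -> List[Dict[str, str]]:
    """Return normalized records; [] for an empty file, ValueError if malformed."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    return _parse_zeek(lines) if lines[0].startswith("#separator") else _parse_csv(lines)
```

Both samples parse to the same single record, so downstream IoC detection can treat Zeek and CSV input identically.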
REFERENCES
This project is inspired by the Graph-Based Alert Correlation (GAC) algorithm developed by Haas & Fischer (https://doi.org/10.1145/3167132.3167239). The project is based on the open-source implementation from this GitHub repository: https://github.com/0snap/graph_alert_correlation.
CONCLUSION
This project demonstrates an approach to alert correlation using graph theory. It processes static logs to identify potential threats and correlates them across multiple home networks in a collaborative environment.