NetMon: Network Monitoring and Anomalous Traffic Detection

PYTHON/ 05.12.2024

Purpose

To detect, analyze, and alert on suspicious and unauthorized network traffic in real-time, ensuring proactive monitoring of anomalies.

Team

Agostina Svenson

Services

Python, machine learning, database integration.

Date

2024-12-05

Description

The program serves as a robust network monitoring and analysis tool designed to detect anomalies and unauthorized traffic in real-time. By leveraging Python’s powerful data manipulation libraries and visualization tools, it identifies suspicious patterns, such as unusually active IPs, unauthorized ports, and traffic spikes, enabling proactive security measures.

The system processes network data, excludes trusted traffic, and generates actionable insights through intuitive visualizations and email alerts. It ensures a streamlined flow of information, enhancing network visibility and facilitating immediate responses to potential threats. With its flexible design, it can integrate additional functionalities, such as machine learning for advanced anomaly detection or databases for historical data storage.

Brief & idea

The program is an advanced network analysis and anomaly detection system that seamlessly integrates multiple components and technologies to provide real-time insights and alerts for network traffic. At its core, the system leverages Python for its flexible and scalable programming capabilities, alongside powerful data libraries like Pandas for efficient data processing and Matplotlib for intuitive visualization of patterns and anomalies.

Integration and Key Functionalities:

  • Data Input and Processing:
    • The program ingests network traffic data from CSV files, representing captured packet details like timestamps, source/destination IPs, protocols, and ports.
    • Trusted IPs or predefined ranges are excluded through a filtering mechanism to focus on suspicious or unauthorized activities.
  • Anomaly Detection:
    • Traffic is analyzed for patterns such as unusually active IPs, traffic spikes, and connections to unauthorized ports.
    • Configurable thresholds allow customization of what qualifies as an anomaly, catering to both general and specific security requirements.
  • Real-Time Alerting:
    • The system integrates with SMTP services to send immediate email alerts when anomalies are detected.
    • Alerts include detailed summaries of suspicious activity, unauthorized traffic, and visual attachments of the analysis for clear and actionable reporting.
  • Visualization:
    • Key findings, such as the most active IPs, peak traffic times, and unauthorized port usage, are plotted into easy-to-read graphs.
    • Graphs are saved as images and included in email alerts to enhance the clarity of the reports.
  • Extensibility:
    • The design is modular, allowing for the addition of advanced functionalities like machine learning for predictive analysis or integration with databases to store and query historical data.
    • It is adaptable to various use cases, such as monitoring enterprise networks, detecting denial-of-service attacks, or managing compliance with security policies.
  • Scalability:
    • The system can be expanded to process live network data streams using packet capture libraries (e.g., Scapy or Wireshark integrations).
    • It provides the foundation for a more comprehensive IDS/IPS (Intrusion Detection/Prevention System), potentially integrating with tools like Snort or Suricata for enhanced detection capabilities.

Workflow Overview:

  • Data Load: Traffic data is read from a file or a real-time source.
  • Filtering: Known trusted sources are removed to reduce noise.
  • Analysis: Traffic is scanned for anomalies based on thresholds for IP activity, port access, and traffic spikes.
  • Alert Generation: A detailed summary and visual graphs are compiled and sent via email.
  • Post-Processing: Temporary files, such as generated graphs, are cleaned up after processing.
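The load, filter, analyze and alert steps above, as an added example that is not the project's own code. It uses only the Python standard library (the project itself uses Pandas); the CSV sample, the trusted range 10.0.0.0/8, the allowed-port set and both thresholds are constructed assumptions, and the e-mail is composed but not sent.

```python
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime
from email.message import EmailMessage

# Constructed sample capture in the CSV layout the page describes (not real traffic).
SAMPLE_CSV = """timestamp,src_ip,dst_ip,protocol,dst_port
2024-12-05T10:00:01,10.0.0.5,192.0.2.10,TCP,443
2024-12-05T10:00:02,10.0.0.5,192.0.2.10,TCP,443
2024-12-05T10:00:03,203.0.113.7,192.0.2.10,TCP,22
2024-12-05T10:00:04,203.0.113.7,192.0.2.10,TCP,3389
2024-12-05T10:00:05,203.0.113.7,192.0.2.11,TCP,443
2024-12-05T10:00:06,203.0.113.7,192.0.2.12,TCP,443
2024-12-05T10:01:10,198.51.100.9,192.0.2.10,UDP,53
"""

# Assumed policy values; the real project reads its own configuration.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # trusted range, excluded before analysis
ALLOWED_PORTS = {53, 80, 443}                        # destination ports considered authorized
IP_THRESHOLD = 3      # flows from one source before it counts as "unusually active"
SPIKE_THRESHOLD = 4   # flows in one minute before that minute counts as a spike

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def analyze(csv_text):
    """Filter trusted sources, then apply the three threshold checks."""
    rows = [r for r in csv.DictReader(io.StringIO(csv_text)) if not is_trusted(r["src_ip"])]
    per_ip = Counter(r["src_ip"] for r in rows)
    per_minute = Counter(datetime.fromisoformat(r["timestamp"]).strftime("%Y-%m-%dT%H:%M")
                         for r in rows)  # one bucket per minute for spike detection
    return {
        "active_ips": {ip: n for ip, n in per_ip.items() if n >= IP_THRESHOLD},
        "unauthorized_ports": sorted({(r["src_ip"], int(r["dst_port"]))
                                      for r in rows if int(r["dst_port"]) not in ALLOWED_PORTS}),
        "spikes": {m: n for m, n in per_minute.items() if n >= SPIKE_THRESHOLD},
    }

def build_alert(findings, sender="netmon@example.invalid", recipient="soc@example.invalid"):
    """Compose the alert e-mail; delivery would be smtplib.SMTP(host).send_message(msg)."""
    body = ["Unusually active IPs: " + ", ".join(f"{ip} ({n} flows)" for ip, n in findings["active_ips"].items()),
            "Unauthorized ports: " + ", ".join(f"{ip}->{p}" for ip, p in findings["unauthorized_ports"]),
            "Traffic spikes: " + ", ".join(f"{m} ({n} flows)" for m, n in findings["spikes"].items())]
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = "[NetMon] anomalies detected", sender, recipient
    msg.set_content("\n".join(body))
    return msg
```

Running `print(build_alert(analyze(SAMPLE_CSV)))` shows the trusted 10.0.0.5 flows dropped, 203.0.113.7 flagged for four flows and for ports 22 and 3389, and the 10:00 minute reported as a spike.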

Potential Enhancements:

  • Machine Learning:
    • Use models like Isolation Forest or Autoencoders to improve the detection of subtle anomalies in traffic.
    • Train on historical data to recognize and predict patterns specific to the monitored network.
  • Database Integration:
    • Store historical logs in databases like PostgreSQL or MongoDB for long-term analysis and reporting.
    • Use dashboards (e.g., Grafana or Tableau) to provide a live, interactive view of network activity.
  • Scalability for Real-Time Monitoring:
    • Incorporate libraries like Scapy or PyShark for direct packet sniffing and real-time analysis.
    • Leverage distributed processing tools like Apache Kafka for handling high volumes of traffic.

This system is designed to empower network administrators and security teams with a clear, actionable understanding of their traffic patterns while providing the foundation for scalable, real-time monitoring and response.
