FlowPrint¶
The FlowPrint object that is used to generate Fingerprint’s. Note that this is mainly a wrapper method, the actual Fingerprint generation is done in the FingerprintGenerator.
-
class
flowprint.FlowPrint(batch=300, window=30, correlation=0.1, similarity=0.9, threshold=0.1)[source]¶ FlowPrint object creates fingerprints from mobile network traffic.
-
batch¶ Threshold for the batch size in seconds.
Type: float
-
window¶ Threshold for the window size in seconds.
Type: float
-
correlation¶ Threshold for the minimum required correlation.
Type: float
-
similarity¶ Threshold for the minimum required similarity.
Type: float
-
threshold¶ Threshold for anomaly detection.
Type: float
-
fingerprinter¶ FingerprintGenerator used for generating fingerprints.
Type: fingerprints.FingerprintGenerator
-
fingerprints¶ Dictionary of Fingerprint -> label, containing all fingerprints generated by FlowPrint.
Type: dict
-
-
FlowPrint.__init__(batch=300, window=30, correlation=0.1, similarity=0.9, threshold=0.1)[source]¶ FlowPrint object creates fingerprints from mobile network traffic.
Parameters: - batch (float, default=300) – Threshold for the batch size in seconds.
- window (float, default=30) – Threshold for the window size in seconds.
- correlation (float, default=0.1) – Threshold for the minimum required correlation.
- similarity (float, default=0.9) – Threshold for the minimum required similarity.
- threshold (float, default=0.1) – Threshold for anomaly detection.
Fitting and Predicting¶
We train FlowPrint using the fit() method and can predict using the predict() method.
-
FlowPrint.fit(X, y=None)[source]¶ Fit FlowPrint object with fingerprints from given flows.
Parameters: - X (Array-like of shape=(n_samples,)) – Flows for fitting FlowPrint.
- y (Array-like of shape=(n_samples,), optional) – If given, attach labels to fingerprints from X.
Returns: self – Returns FlowPrint object.
Return type: self
-
FlowPrint.predict(X, y=None, default='common')[source]¶ Find closest fingerprint to trained fingerprints.
Parameters: - X (Array-like of Fingerprint of shape=(n_fingerprints,)) – Fingerprints to compare against training set.
- y (Ignored) –
- default ("common"|"largest"|"other", default="common") –
- Default to this strategy if no match is found
- ”common” : return the fingerprint with most flows
- ”largest”: return the largest fingerprint
- other : return <other> as match, e.g. Fingerprint()/None
Returns: result – Closest matching fingerprints to original. If no match is found, fall back on default.
Return type: np.array of shape=(n_fingerprints,)
-
FlowPrint.fit_predict(X, y=None, default='common')[source]¶ Fit FlowPrint with samples and labels and return the predictions of the same samples after running them through FlowPrint.
Parameters: - X (Array-like of shape=(n_samples,)) – Flows for fitting FlowPrint.
- y (Array-like of shape=(n_samples,), optional) – If given, attach labels to fingerprints from X.
- default ("common"|"largest"|"other", default="common") –
- Default to this strategy if no match is found
- ”common” : return the fingerprint with most flows
- ”largest”: return the largest fingerprint
- other : return <other> as match, e.g. Fingerprint()/None
Returns: result – Closest matching fingerprints to original. If no match is found, fall back on default.
Return type: np.array of shape=(n_fingerprints,)
Generating fingerprints¶
As opposed to the fit() and predict() methods, recognize() and detect() require Fingerprint objects as input instead of Flow objects. Therefore, we provide a simple method to transform Flow objects to their corresponding Fingerprint.
App Recognition¶
Once FlowPrint is trained using the fit(), you can use FlowPrint to label unknown Flows with known apps.
-
FlowPrint.recognize(X, y=None, default='common')[source]¶ Return labels corresponding to closest matching fingerprints.
Parameters: - X (Array-like of Fingerprint of shape=(n_fingerprints,)) – Fingerprints to compare against training set.
- y (Ignored) –
- default ("common"|"largest"|"other", default="common") –
- Default to this strategy if no match is found
- ”common” : return the fingerprint with most flows
- ”largest”: return the largest fingerprint
- other : return <other> as match, e.g. Fingerprint()/None
Returns: result – Label of closest matching fingerprints to original
Return type: np.array of shape=(n_fingerprints,)
Unseen app detection¶
Once FlowPrint is trained using the fit(), you can use FlowPrint to detect if unknown Flows are in the set of known (trained) apps or if they are a previously unseen app.
-
FlowPrint.detect(X, y=None, threshold=None)[source]¶ Predict whether fingerprints of X are anomalous or not.
Parameters: - X (Array-like of Fingerprint of shape=(n_fingerprints,)) – Fingerprints to compare against training set.
- y (Ignored) –
- threshold (float, default=None) – Minimum required threshold to consider point benign. If None is given, use FlowPrint default
Returns: result – Prediction of samples in X: +1 if benign, -1 if anomalous.
Return type: np.array of shape=(n_samples,)
I/O methods¶
FlowPrint provides methods to save and load a FlowPrint object, including its fingerprints to a json file.
-
FlowPrint.save(file, fingerprints=None)[source]¶ Save fingerprints to file.
Parameters: - file (string) – File in which to save flowprint fingerprints.
- fingerprints (iterable of Fingerprint (optional)) – If None export fingerprints from fitted FlowPrint object, otherwise, export given fingerprints.
-
FlowPrint.load(*files, store=True, parameters=False)[source]¶ Load fingerprints from files.
Parameters: - file (string) – Files from which to load fingerprints.
- store (boolean, default=True) – If True, store fingerprints in FlowPrint object
- parameters (boolean, default=False) – If True, also update FlowPrint parameters from file
Returns: result – Fingerprints imported from file.
Return type: dict of Fingerprint -> label