FlowPrint

The FlowPrint object is used to generate Fingerprints. Note that this is mainly a wrapper; the actual Fingerprint generation is done in the FingerprintGenerator.

class flowprint.FlowPrint(batch=300, window=30, correlation=0.1, similarity=0.9, threshold=0.1)

FlowPrint object for creating fingerprints from mobile network traffic

batch

Threshold for the batch size in seconds

Type: float

window

Threshold for the window size in seconds

Type: float

correlation

Threshold for the minimum required correlation

Type: float

similarity

Threshold for the minimum required similarity

Type: float

threshold

Threshold for anomaly detection

Type: float

fingerprinter

FingerprintGenerator used for generating fingerprints

Type: fingerprints.FingerprintGenerator

fingerprints

Dictionary of Fingerprint -> label, containing all fingerprints generated by FlowPrint

Type: dict

FlowPrint.__init__(batch=300, window=30, correlation=0.1, similarity=0.9, threshold=0.1)

FlowPrint object for creating fingerprints from mobile network traffic

Parameters:
  • batch (float, default=300) – Threshold for the batch size in seconds
  • window (float, default=30) – Threshold for the window size in seconds
  • correlation (float, default=0.1) – Threshold for the minimum required correlation
  • similarity (float, default=0.9) – Threshold for the minimum required similarity
  • threshold (float, default=0.1) – Threshold for anomaly detection

Generating fingerprints

FlowPrint.fit(X, y=None)

Fit FlowPrint object with fingerprints from given flows.

Parameters:
  • X (np.array of shape=(n_samples,)) – Flows for fitting FlowPrint.
  • y (np.array of shape=(n_samples,), optional) – If given, attach labels to fingerprints from X.
Returns:

self – Returns FlowPrint object

Return type:

self

FlowPrint.predict(X, y=None, default='common')

Find closest fingerprint to trained fingerprints

Parameters:
  • X (Array-like of Fingerprint of shape=(n_fingerprints,)) – Fingerprints to compare against training set.
  • y (ignored) –
  • default ('common'|'largest'|other, default='common') –
    Default to this strategy if no match is found
    • 'common': return the fingerprint with most flows
    • 'largest': return the largest fingerprint
    • other: return <other> as match, e.g. Fingerprint()/None
Returns:

result – Closest matching fingerprints to original. If no match is found, fall back on default

Return type:

np.array of shape=(n_fingerprints,)

FlowPrint.fit_predict(X, y=None, default='common')

Fit FlowPrint with samples and labels and return the predictions of the same samples after running them through FlowPrint.

Parameters:
  • X (np.array of shape=(n_samples,)) – Flows for fitting FlowPrint.
  • y (np.array of shape=(n_samples,), optional) – If given, attach labels to fingerprints from X.
  • default ('common'|'largest'|other, default='common') –
    Default to this strategy if no match is found
    • 'common': return the fingerprint with most flows
    • 'largest': return the largest fingerprint
    • other: return <other> as match, e.g. Fingerprint()/None
Returns:

result – Closest matching fingerprints to original. If no match is found, fall back on default

Return type:

np.array of shape=(n_fingerprints,)

App Recognition

Once FlowPrint is trained using fit(), you can use it to label unknown Flows with known apps.

FlowPrint.recognize(X, y=None, default='common')

Return labels corresponding to closest matching fingerprints

Parameters:
  • X (Array-like of Fingerprint of shape=(n_fingerprints,)) – Fingerprints to compare against training set.
  • y (ignored) –
  • default ('common'|'largest'|other, default='common') –
    Default to this strategy if no match is found
    • 'common': return the fingerprint with most flows
    • 'largest': return the largest fingerprint
    • other: return <other> as match, e.g. Fingerprint()/None
Returns:

result – Label of closest matching fingerprints to original

Return type:

np.array of shape=(n_fingerprints,)

Unseen app detection

Once FlowPrint is trained using fit(), you can use it to detect whether unknown Flows belong to the set of known (trained) apps or to a previously unseen app.

FlowPrint.detect(X, y=None, threshold=None)

Predict whether samples of X are anomalous or not.

Parameters:
  • X (np.array of shape=(n_samples,)) – Flows for fitting FlowPrint.
  • y (Ignored) –
  • threshold (float, default=None) – Minimum required threshold to consider point benign. If None is given, use FlowPrint default
Returns:

result – Prediction of samples in X: +1 if benign, -1 if anomalous.

Return type:

np.array of shape=(n_samples,)
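
The `default` fallback and the +1/-1 output of detect(), as an added example that is not FlowPrint's own code: a self-contained toy model in which fingerprints are sets of destinations compared by Jaccard similarity, 'largest' means most destinations, "no match" means zero overlap, and results are plain lists rather than np.array (all assumptions). It shows that recognize() with default='common' gives an unseen app the label of the most common known app, so unseen apps only surface through detect() or default=None.

```python
# Toy model of the documented matching contract; NOT FlowPrint's implementation.
# Assumptions: a fingerprint is a frozenset of destinations, similarity is
# Jaccard, and "no match" means zero overlap with every trained fingerprint.

def jaccard(a, b):
    return len(a & b) / len(a | b) if (a | b) else 0.0

class ToyMatcher:
    def __init__(self, threshold=0.1):
        self.threshold = threshold   # anomaly threshold, same default as the page
        self.fingerprints = {}       # fingerprint -> label
        self.flows = {}              # fingerprint -> flow count (constructed)

    def fit(self, X, y, flows):
        for fp, label, n in zip(X, y, flows):
            self.fingerprints[fp], self.flows[fp] = label, n
        return self

    def predict(self, X, default="common"):
        if default == "common":      # fingerprint with most flows
            fallback = max(self.fingerprints, key=self.flows.get)
        elif default == "largest":   # assumed: fingerprint with most destinations
            fallback = max(self.fingerprints, key=len)
        else:                        # any other value is returned as-is
            fallback = default
        result = []
        for x in X:
            best = max(self.fingerprints, key=lambda fp: jaccard(x, fp))
            result.append(best if jaccard(x, best) > 0 else fallback)
        return result

    def recognize(self, X, default="common"):
        return [self.fingerprints.get(fp, fp) for fp in self.predict(X, default)]

    def detect(self, X, threshold=None):
        t = self.threshold if threshold is None else threshold
        matches = self.predict(X, default=None)
        return [1 if m is not None and jaccard(x, m) >= t else -1
                for x, m in zip(X, matches)]

# Constructed sample data (documentation address ranges).
CHAT = frozenset({"203.0.113.10:443", "203.0.113.11:443", "198.51.100.5:5222"})
NEWS = frozenset({"192.0.2.20:443", "192.0.2.21:443", "192.0.2.22:443", "192.0.2.23:80"})
SEEN = frozenset({"203.0.113.10:443", "198.51.100.5:5222"})  # overlaps CHAT
UNSEEN = frozenset({"198.51.100.99:443"})                     # overlaps nothing
matcher = ToyMatcher().fit([CHAT, NEWS], ["chat", "news"], [120, 40])

if __name__ == "__main__":
    print(matcher.recognize([SEEN, UNSEEN]))                  # default='common'
    print(matcher.recognize([SEEN, UNSEEN], default=None))
    print(matcher.detect([SEEN, UNSEEN]))
```
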

I/O methods

FlowPrint provides methods to save and load a FlowPrint object, including its fingerprints, to and from a JSON file.

FlowPrint.save(file, fingerprints=None)

Save fingerprints to file.

Parameters:
  • file (string) – File in which to save flowprint fingerprints.
  • fingerprints (iterable of Fingerprint, optional) – If None, export fingerprints from the fitted FlowPrint object; otherwise, export the given fingerprints.

FlowPrint.load(*files, store=True, parameters=False)

Load fingerprints from files.

Parameters:
  • files (string) – Files from which to load fingerprints.
  • store (boolean, default=True) – If True, store fingerprints in FlowPrint object
  • parameters (boolean, default=False) – If True, also update FlowPrint parameters from file
Returns:

result – Fingerprints imported from file.

Return type:

dict of Fingerprint -> label