Skip to content

Statistical anomaly detector with multiple dispatch for Z-Score, IQR, MAD detection

Notifications You must be signed in to change notification settings

bad-antics/nullsec-juliaprobe

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 
 
 

Repository files navigation

NullSec JuliaProbe

Statistical Anomaly Detector written in Julia

Version Language License

Part of the NullSec offensive security toolkit
Discord: discord.gg/killers
Portal: bad-antics.github.io

Overview

JuliaProbe is a high-performance statistical anomaly detector for network traffic analysis. Leveraging Julia's multiple dispatch and numerical computing capabilities, it identifies suspicious patterns through Z-Score, IQR, MAD, and Isolation Forest methods.

Julia Features Showcased

  • Multiple Dispatch: Polymorphic detection methods
  • Type System: Abstract types for extensibility
  • Array Broadcasting: . syntax for vectorization
  • Enums: Type-safe risk levels
  • Structs: Immutable data structures
  • Higher-order Functions: map, filter, count
  • Comprehensions: Expressive array creation

Detection Methods

Method Description Sensitivity
Z-Score Standard deviation based High outliers
IQR Interquartile range Robust to extremes
MAD Median absolute deviation Very robust
Isolation Forest Tree-based isolation Complex patterns

Anomaly Classification

Pattern MITRE ID Indicators
Data Exfiltration T1048 Large byte transfers
Port Scanning T1046 High packet, low duration
C2 Communication T1071 Suspicious ports (4444, 31337)
Persistent Conn T1095 Long duration sessions
Statistical Anomaly T1571 Significant deviation

Installation

# Clone
git clone https://github.com/bad-antics/nullsec-juliaprobe.git
cd nullsec-juliaprobe

# Run (requires Julia 1.6+)
julia juliaprobe.jl

Usage

# Run demo mode
julia juliaprobe.jl --demo

# Analyze PCAP (when extended)
julia juliaprobe.jl capture.pcap

# Show help
julia juliaprobe.jl --help

Options

USAGE:
    juliaprobe [OPTIONS] <PCAP>

OPTIONS:
    -h, --help       Show help
    -t, --threshold  Detection threshold
    -m, --method     Detection method (zscore/iqr/mad)
    -o, --output     Output format

Sample Output

╔══════════════════════════════════════════════════════════════════╗
║          NullSec JuliaProbe - Statistical Anomaly Detector       ║
╚══════════════════════════════════════════════════════════════════╝

[Demo Mode]

Analyzing network traffic for anomalies...

  [CRITICAL] Data Exfiltration
    Detector:  Z-Score
    Score:     8.45
    Source:    192.168.1.100
    Target:    185.220.101.1:4444
    Bytes:     500000000
    MITRE:     T1048

  [HIGH] C2 Communication
    Detector:  IQR
    Score:     3.21
    Source:    45.33.32.156
    Target:    10.0.0.5:31337
    Bytes:     5000
    MITRE:     T1071

  [MEDIUM] Port Scan
    Detector:  MAD
    Score:     2.87
    Source:    192.168.1.50
    Target:    10.0.0.10:80
    Bytes:     100
    MITRE:     T1046

═══════════════════════════════════════════

  Summary:
    Events Analyzed: 55
    Anomalies Found: 5
    Critical:        2
    High:            2
    Medium:          1

Code Highlights

Multiple Dispatch for Detection

abstract type AnomalyDetector end

struct ZScoreDetector <: AnomalyDetector
    threshold::Float64
end

struct IQRDetector <: AnomalyDetector
    multiplier::Float64
end

function detect(detector::ZScoreDetector, values::Vector{Float64})
    μ = mean(values)
    σ = std(values)
    return abs.((values .- μ) ./ σ)
end

function detect(detector::IQRDetector, values::Vector{Float64})
    q1 = quantile(values, 0.25)
    q3 = quantile(values, 0.75)
    iqr = q3 - q1
    # ...
end

Vectorized Operations

# Broadcasting with dot syntax
z_scores = abs.((values .- μ) ./ σ)

# Array comprehension
distances = [v < lower ? lower - v : (v > upper ? v - upper : 0.0) 
             for v in values]

Type-safe Enums

@enum RiskLevel begin
    CRITICAL = 4
    HIGH = 3
    MEDIUM = 2
    LOW = 1
    INFO = 0
end

Architecture

┌────────────────────────────────────────────────────────────────┐
│                   JuliaProbe Architecture                      │
├────────────────────────────────────────────────────────────────┤
│                                                                │
│    ┌─────────────┐    ┌─────────────┐    ┌─────────────┐      │
│    │  Network    │───▶│  Feature    │───▶│  Vector     │      │
│    │  Events     │    │  Extraction │    │  Arrays     │      │
│    └─────────────┘    └─────────────┘    └──────┬──────┘      │
│                                                  │             │
│         ┌────────────────┬─────────────┬────────┘             │
│         ▼                ▼             ▼                       │
│    ┌─────────┐     ┌─────────┐   ┌─────────┐                  │
│    │ Z-Score │     │   IQR   │   │   MAD   │                  │
│    │ Detect  │     │ Detect  │   │ Detect  │                  │
│    └────┬────┘     └────┬────┘   └────┬────┘                  │
│         │               │              │                       │
│         └───────────────┼──────────────┘                       │
│                         ▼                                      │
│                ┌─────────────────┐                             │
│                │    Classify     │                             │
│                │    & Report     │                             │
│                └─────────────────┘                             │
│                                                                │
└────────────────────────────────────────────────────────────────┘

Why Julia?

Requirement Julia Advantage
High Performance Near-C speed
Numerical Computing Native support
Multiple Dispatch Flexible polymorphism
Broadcasting Vectorized operations
Type System Performance + safety
REPL Interactive development

License

MIT License - See LICENSE for details.

Related Tools

About

Statistical anomaly detector with multiple dispatch for Z-Score, IQR, MAD detection

Resources

Stars

Watchers

Forks

Packages

No packages published

Languages