UC7 : Suspicious security events detection/en: Revision history

From Wiki Campus Cyber


2 January 2025

  • 14:49, 2 January 2025 Juliette 3,830 bytes −56 Page created with « == Notebooks == Retrouvez tous les éléments du Use Case sur le GitLab du Campus Cyber : https://gitlab.com/campuscyber/gt-ia-et-cyber/-/tree/main/UC7%20Suspicious%20security%20events%20detection?ref_type=heads »
  • 14:49, 2 January 2025 Juliette 3,886 bytes −56 Page created with « * Python (3.6 or +) * scikit-learn (1.0.2 or +) * seaborn (0.11.2 or +) »
  • 14:49, 2 January 2025 Juliette 3,942 bytes −56 Page created with « === Requirements=== »
  • 14:49, 2 January 2025 Juliette 3,998 bytes −56 Page created with « === Risks & Compliance=== {| class="wikitable" |+ !Type !Applicable !Comment(s) (if applicable) |- |Bias |No |Has a complete bias study been carried out? Comments if applicable |- |Ethics committee |No |Does the project need to be screened by an ethics committee and if so has this been achieved? Comments if applicable |- |RSSI |No |Does the project need to inform the RSSI about its outcome and activity, and if so has this been achieved? Commen... »
  • 14:49, 2 January 2025 Juliette 4,054 bytes −56 Page created with « === Notebooks=== {| class="wikitable" |+ !Notebook !Data Science step ! |- |UseCase7_DataPrep.ipynb |''Data preparation (executed outside the platform)'' | |- |UseCase7_Detection.ipynb |''Security events detection (including simple feature engineering)'' | |} »
  • 14:49, 2 January 2025 Juliette 4,110 bytes −55 Page created with « === Specific feature engineering=== Not applicable »
  • 14:49, 2 January 2025 Juliette 4,165 bytes −56 Page created with « Main columns used are: {| class="wikitable" |+ !Name !Description ! |- |SourceIP |Source IP address | |- |datetime |Local date&time of the reception of the request by the web server | |- |method |HTTP method of the request (i.e. GET, POST, ...) | |} »
  • 14:49, 2 January 2025 Juliette 4,221 bytes −56 Page created with « * Small size dataset: logs_sub_2.csv (211 335 lines) * Medium size dataset: logs_sub_5.csv (495 997 lines) * Large size dataset: logs_sub_10.csv (1 030 453 lines) »
  • 14:49, 2 January 2025 Juliette 4,277 bytes −56 Page created with « The dataset has been processed to convert it from a raw log file format into tabular elements corresponding to client requests to the web site. Then, to reduce its size, it has been sampled to keep only requests coming from a sub-part of the client IP addresses. Finally, 3 csv files have been ingested into the platform: »
  • 14:49, 2 January 2025 Juliette 4,333 bytes −56 Page created with « == Data== === Online Shopping Store=== This use case relies on the dataset ["Online Shopping Store - Web Server Logs"](https://doi.org/10.7910/DVN/3QBYB5). »
  • 14:49, 2 January 2025 Juliette 4,389 bytes −56 Page created with « * Authors: Nicolas Stucki & Thomas Levy * Keywords: Unsupervised detection, clustering, outlier detection, Isolation Forest, interquartile range (IQR) »
  • 14:49, 2 January 2025 Juliette 4,445 bytes −55 Page created with « === Results=== This section is not really applicable since the current objective is not targeted towards production or POC. Nevertheless, the two models are highlighting the most abnormal IP addresses (and potentially related users). These lists of addresses could be used as input for further investigation by an operational expert. »
  • 14:49, 2 January 2025 Juliette 4,500 bytes −55 Page created with « === Data & methodologies=== By exploring web activities, it uses two statistical methods (interquartile range - IQR - and Isolation Forest) to identify "outlier" behaviors that are rare compared to the most standard behaviors. »
  • 14:49, 2 January 2025 Juliette 4,555 bytes −55 Page created with « === Business Objectives=== The use case (UC7) aims at detecting abnormal security events in web events. »
  • 14:49, 2 January 2025 Juliette 4,610 bytes −55 Page created with « === Project Objectives=== The overall objective of the Cyber project is to propose pedagogical notebooks presenting a set of algorithms on a precise cyber application. »
  • 14:48, 2 January 2025 Juliette 4,665 bytes −56 Page created with « == Overview == »
  • 14:48, 2 January 2025 Juliette 4,721 bytes +4,721 Page created with « UC7 : Suspicious security events detection »