ntlflowlyzer's Introduction

NTLFlowLyzer

As part of the Understanding Cybersecurity Series (UCS), NTLFlowLyzer is an open-source Python project that extracts network-layer features from TCP-based network traffic for Anomaly Profiling (AP), which is the second component of NetFlowLyzer.

NTLFlowLyzer generates bidirectional flows from the Network and Transportation Layers of network traffic. The first packet determines the forward (source to destination) and backward (destination to source) directions, so the statistical time-related features can be calculated separately in each direction. Additional functionalities include selecting features from the list of existing features, adding new features, and controlling the duration of the flow timeout. TCP flows are terminated upon connection teardown (by a FIN or RST packet), on reaching the flow's maximum duration, or after being inactive for a certain amount of time (timeout).
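The flow-building rules described above, as an added sketch that is not NTLFlowLyzer's own code. The Packet and Flow classes, assemble_flows, summarize and the sample packets are constructed for illustration; closing a flow on the first FIN or RST and checking the two timeouts only when the next packet arrives are simplifying assumptions.

```python
from dataclasses import dataclass, field

FIN, RST = 0x01, 0x04  # TCP header flag bits


@dataclass
class Packet:
    ts: float    # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    flags: int   # TCP flags byte


@dataclass
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    start: float
    last_seen: float
    fwd: list = field(default_factory=list)
    bwd: list = field(default_factory=list)
    end_reason: str = ""

    def add(self, pkt):
        # Forward means "same direction as the packet that opened the flow".
        same_direction = (pkt.src, pkt.sport) == (self.src, self.sport)
        (self.fwd if same_direction else self.bwd).append(pkt)
        self.last_seen = pkt.ts


def assemble_flows(packets, max_flow_duration=120000, activity_timeout=5000):
    """Group packets into bidirectional flows and record why each flow ended."""
    ongoing, finished = {}, []
    for pkt in sorted(packets, key=lambda p: p.ts):
        # The key ignores direction, so both halves of a connection share a flow.
        key = frozenset([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        flow = ongoing.get(key)
        if flow is not None:
            if pkt.ts - flow.last_seen > activity_timeout:
                flow.end_reason = "activity_timeout"
            elif pkt.ts - flow.start > max_flow_duration:
                flow.end_reason = "max_flow_duration"
            if flow.end_reason:
                finished.append(ongoing.pop(key))
                flow = None
        if flow is None:
            # This packet opens a new flow and therefore defines "forward".
            flow = Flow(pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.ts, pkt.ts)
            ongoing[key] = flow
        flow.add(pkt)
        if pkt.flags & (FIN | RST):
            flow.end_reason = "RST" if pkt.flags & RST else "FIN"
            finished.append(ongoing.pop(key))
    for flow in ongoing.values():
        flow.end_reason = "end_of_capture"
        finished.append(flow)
    return finished


def summarize(flows):
    """(forward source IP, forward packets, backward packets, end reason) per flow."""
    return [(f.src, len(f.fwd), len(f.bwd), f.end_reason) for f in flows]


CLIENT, SERVER = "10.0.0.5", "10.0.0.9"
# Constructed sample: one connection reset by the server, one that goes idle
# for almost 400 seconds before the server sends another segment.
SAMPLE_PACKETS = [
    Packet(0.0, CLIENT, 40000, SERVER, 443, 0x02),    # SYN
    Packet(0.1, SERVER, 443, CLIENT, 40000, 0x12),    # SYN+ACK
    Packet(0.2, CLIENT, 40000, SERVER, 443, 0x10),    # ACK
    Packet(0.3, CLIENT, 40000, SERVER, 443, 0x18),    # PSH+ACK
    Packet(0.5, SERVER, 443, CLIENT, 40000, 0x18),    # PSH+ACK
    Packet(0.6, SERVER, 443, CLIENT, 40000, 0x14),    # RST+ACK
    Packet(1.0, CLIENT, 40001, SERVER, 443, 0x02),    # SYN
    Packet(1.1, SERVER, 443, CLIENT, 40001, 0x12),    # SYN+ACK
    Packet(400.0, SERVER, 443, CLIENT, 40001, 0x10),  # ACK after a long idle gap
]

if __name__ == "__main__":
    for row in summarize(assemble_flows(SAMPLE_PACKETS, activity_timeout=300)):
        print(row)
```

With activity_timeout set to 300, the idle connection is split in two, and the second part has the server as its forward side because the server sent its first packet.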

Installation

Before installing or running the NTLFlowLyzer package, it's essential to set up the necessary requirements on your system. Begin by ensuring you have both Python and pip installed and functioning properly (execute the pip3 --version command). Then, execute the following command:

pip3 install -r requirements.txt

You are now ready to install NTLFlowLyzer. Run the following command in the package's root directory (where the setup.py file is located) to install the NTLFlowLyzer package on your system:

On Linux:

python3 setup.py install

On Windows:

pip3 install .

After successfully installing the package, confirm the installation by running the following command:

ntlflowlyzer --version

Execution

The core of running NTLFlowLyzer is preparing the configuration file. This file lets users customize the program's behavior with minimal complexity and cost, thus enhancing program scalability. Below, we outline how to prepare the configuration file and then show how to execute NTLFlowLyzer with it.

Configuration File

The configuration file is formatted in JSON, comprising key-value pairs that enable customization of the package. While some keys are mandatory, others are optional. Below, each key is explained along with its corresponding value:

  • pcap_file_address [Required]

    This key specifies the input PCAP file address. The format of the value should be a string.

    Note: In this version of NTLFlowLyzer, only the PCAP format is supported. Other formats such as PCAPNG must be converted to PCAP first. To convert PCAPNG to PCAP, you can use Wireshark. If you prefer command-line tools, you can use the following command:

    tshark -F pcap -r {pcapng_file} -w {pcap_file}

    Replace {pcapng_file} with the path to your PCAPNG file and {pcap_file} with the desired output PCAP file name.

  • output_file_address [Required]

    This key specifies the output CSV file address. The format of the value should be a string.

  • label [Optional]

    This key specifies the value of the label column in the output CSV file. The format of the value should be a string. The default value is Unknown.

  • number_of_threads [Optional]

    This key specifies the number of threads to be used for all processes, including flow extraction, feature calculation, and output writing. The value must be an integer of at least 3. The default value is 4.

    It's important to consider that the optimal value for this option varies based on the system configuration and the format of the input PCAP file. For instance, if the PCAP file contains a large number of packets (e.g., more than 5 million) and they are all TCP packets, increasing the number of threads might be beneficial. However, if the packets represent a small number of flows and all related packets are contiguous, adding more threads could potentially slow down the program since there are fewer distinct flows.

    As a rule of thumb, the ideal value for this option typically falls between half the number of CPU cores (CPU count) and twice the CPU count. This helps balance computational resources without overwhelming the system. (0.5 * cpu_count < best_option < 2 * cpu_count)

  • feature_extractor_min_flows [Optional]

    This key determines the minimum number of finished flows required for the feature extractor thread to initiate its work and extract features from these finished flows. The value must be an integer. The default value is 4000.

    Selecting a high value for this option will consume more RAM since more flows will be stored in memory, potentially slowing down the entire program. Conversely, choosing a low value for this option can slow down the execution process, as it involves locking the finished flows list and then copying those flows for feature extraction. These two processes, locking and copying, are slow and can impede other program components.

  • writer_min_rows [Optional]

    This key specifies the minimum number of ready flows (i.e., finished flows from which features have been extracted) required for the writer thread to begin its work of writing the flows to the CSV file. The value must be an integer. The default value is 6000.

    Opting for a high value for this option will increase RAM usage since more flows will be stored in memory, potentially slowing down the overall program performance. Conversely, selecting a low value for this option can slow down the execution process, involving locking the finished flows list, copying those flows for the writing process, and performing I/O operations to write to the file. These three processes — locking, copying, and I/O — are slow and may impede other program components.

  • read_packets_count_value_log_info [Optional]

    This key determines the minimum number of processed packets (i.e., the number of packets read from the PCAP file and assigned to a flow) required for the logger to log. The value must be an integer. The default value is 10,000. This means that after processing every 10,000 packets, the program will print a statement indicating the number of packets analyzed.

  • check_flows_ending_min_flows [Optional]

    This key specifies the minimum number of ongoing flows (i.e., created flows that have not yet finished) required for checking if they have reached the timeout or maximum flow time value. The value must be an integer. The default value is 2000. This indicates that if the number of ongoing flows exceeds 2000, the program will proceed to check all flows for timeout or maximum flow time.

  • capturer_updating_flows_min_value [Optional]

    This key determines the minimum number of finished flows required to be added to the queue for feature extraction. The value must be an integer. The default value is 2000. This means that if the number of finished flows exceeds 2000, the program will move them to a separate list for the feature extractor.

  • max_flow_duration [Optional]

    This key sets the maximum duration of a flow in seconds. The value must be an integer. The default value is 120,000. It means if the flow duration exceeds 120,000 seconds, the program will terminate the flow and initiate a new one.

  • activity_timeout [Optional]

    This key defines the flow activity timeout in seconds. The value must be an integer. The default value is 5000. It means if 5000 seconds have elapsed since the last packet of the flow, the program will terminate the flow.

  • floating_point_unit [Optional]

    This key specifies the floating point unit used for the feature extraction process. The value must be in the format: .[UNIT]f. The default value is .4f. This indicates that the feature values will be rounded to the fourth decimal place.

  • max_rows_number [Optional]

    This key defines the maximum number of rows in the output CSV file. The value must be an integer. The default value is 900,000. It means if there are more than 900,000 flows to be written in the CSV file, the program will close the current CSV file and create a new one for the remaining flows.

  • features_ignore_list [Optional]

    This key specifies the features that you do not want to extract. The value must be a list of string values, where each string represents a feature name. The default value is an empty list. If you include a feature name in this list, the program will skip extracting that feature, and it will not appear in the output CSV file.

An example of a configuration file would be like this:

{
    "pcap_file_address": "/mnt/c/dataset/my_pcap_file.pcap",
    "output_file_address": "./output-of-my_pcap_file.csv",
    "label": "Benign",
    "number_of_threads": 4,
    "feature_extractor_min_flows": 2500,
    "writer_min_rows": 1000,
    "read_packets_count_value_log_info": 1000000,
    "check_flows_ending_min_flows": 20000,
    "capturer_updating_flows_min_value": 5000,
    "max_flow_duration": 120000,
    "activity_timeout": 300,
    "floating_point_unit": ".4f",
    "max_rows_number": 800000,
    "features_ignore_list": ["duration", "src_ip"]
}

In general, we recommend adjusting the values of the following options: number_of_threads, feature_extractor_min_flows, writer_min_rows, check_flows_ending_min_flows, and capturer_updating_flows_min_value, based on your system configuration. This is particularly important if your PCAP file is large (usually more than 4 GB with over 1 million TCP packets), to optimize program efficiency.
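The constraints listed for the configuration keys can be checked before a long extraction run. The following is an added example, not part of NTLFlowLyzer: validate_config and capture_format are hypothetical helpers that apply the documented defaults, types, the minimum of 3 threads, the thread-count rule of thumb, and a PCAP versus PCAPNG check on the first four bytes of the capture file.

```python
import json
import os
import re

REQUIRED_KEYS = ("pcap_file_address", "output_file_address")
# Optional keys with the default values documented above.
OPTIONAL_DEFAULTS = {
    "label": "Unknown",
    "number_of_threads": 4,
    "feature_extractor_min_flows": 4000,
    "writer_min_rows": 6000,
    "read_packets_count_value_log_info": 10000,
    "check_flows_ending_min_flows": 2000,
    "capturer_updating_flows_min_value": 2000,
    "max_flow_duration": 120000,
    "activity_timeout": 5000,
    "floating_point_unit": ".4f",
    "max_rows_number": 900000,
    "features_ignore_list": [],
}
# Classic PCAP magic numbers (microsecond and nanosecond, both byte orders)
# and the PCAPNG Section Header Block type.
PCAP_MAGICS = {bytes.fromhex(h) for h in ("a1b2c3d4", "d4c3b2a1", "a1b23c4d", "4d3cb2a1")}
PCAPNG_MAGIC = bytes.fromhex("0a0d0d0a")


def capture_format(head):
    """Classify a capture file from its first four bytes."""
    if head[:4] in PCAP_MAGICS:
        return "pcap"
    if head[:4] == PCAPNG_MAGIC:
        return "pcapng"
    return "unknown"


def validate_config(raw, cpu_count=None, capture_head=None):
    """Return (config with defaults applied, errors, warnings)."""
    cpu_count = cpu_count or os.cpu_count() or 1
    errors, warnings = [], []
    cfg = {**OPTIONAL_DEFAULTS, **raw}

    for key in REQUIRED_KEYS:
        if not isinstance(raw.get(key), str) or not raw[key]:
            errors.append(f"{key}: required, must be a non-empty string")
    for key in sorted(set(raw) - set(REQUIRED_KEYS) - set(OPTIONAL_DEFAULTS)):
        warnings.append(f"{key}: not a documented key")

    for key, default in OPTIONAL_DEFAULTS.items():
        value = cfg[key]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(default, int) and (isinstance(value, bool) or not isinstance(value, int)):
            errors.append(f"{key}: must be an integer, got {value!r}")
    if not isinstance(cfg["label"], str):
        errors.append("label: must be a string")
    if not re.fullmatch(r"\.\d+f", str(cfg["floating_point_unit"])):
        errors.append("floating_point_unit: must look like .4f")
    ignore = cfg["features_ignore_list"]
    if not isinstance(ignore, list) or not all(isinstance(n, str) for n in ignore):
        errors.append("features_ignore_list: must be a list of feature names")

    threads = cfg["number_of_threads"]
    if isinstance(threads, int) and not isinstance(threads, bool):
        if threads < 3:
            errors.append("number_of_threads: must be at least 3")
        elif not 0.5 * cpu_count < threads < 2 * cpu_count:
            warnings.append(f"number_of_threads: {threads} is outside the rule of thumb "
                            f"for {cpu_count} CPU cores")

    if capture_head is not None:
        fmt = capture_format(capture_head)
        if fmt == "pcapng":
            errors.append("pcap_file_address: file is PCAPNG, convert it to PCAP first")
        elif fmt == "unknown":
            errors.append("pcap_file_address: file does not start with a PCAP magic number")
    return cfg, errors, warnings


# The example configuration from this page.
PAGE_EXAMPLE = json.loads("""{
    "pcap_file_address": "/mnt/c/dataset/my_pcap_file.pcap",
    "output_file_address": "./output-of-my_pcap_file.csv",
    "label": "Benign", "number_of_threads": 4,
    "feature_extractor_min_flows": 2500, "writer_min_rows": 1000,
    "read_packets_count_value_log_info": 1000000,
    "check_flows_ending_min_flows": 20000,
    "capturer_updating_flows_min_value": 5000,
    "max_flow_duration": 120000, "activity_timeout": 300,
    "floating_point_unit": ".4f", "max_rows_number": 800000,
    "features_ignore_list": ["duration", "src_ip"]
}""")

if __name__ == "__main__":
    # Constructed capture header: little-endian classic PCAP magic.
    print(validate_config(PAGE_EXAMPLE, capture_head=bytes.fromhex("d4c3b2a1"))[1:])
```

In real use, pass the first four bytes read from the file named by pcap_file_address as capture_head.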

Argument Parser

You can use -h to see different options of the program.

To execute NTLFlowLyzer, simply run the following command:

ntlflowlyzer -c YOUR_CONFIG_FILE

Replace YOUR_CONFIG_FILE with the path to your configuration file.

Moreover, this project has been successfully tested on Ubuntu 20.04, Ubuntu 22.04, Windows 10, and Windows 11. It should work on other versions of Ubuntu OS (or even Debian OS) as long as your system has the necessary Python3 packages (you can find the required packages listed in the requirements.txt file).

Architecture


Extracted Features

We currently have 114 features, as follows:

  1. Duration
  2. PacketsCount
  3. FwdPacketsCount
  4. BwdPacketsCount
  5. TotalPayloadBytes
  6. FwdTotalPayloadBytes
  7. BwdTotalPayloadBytes
  8. PayloadBytesMax
  9. PayloadBytesMin
  10. PayloadBytesMean
  11. PayloadBytesStd
  12. PayloadBytesVariance
  13. FwdPayloadBytesMax
  14. FwdPayloadBytesMin
  15. FwdPayloadBytesMean
  16. FwdPayloadBytesStd
  17. FwdPayloadBytesVariance
  18. BwdPayloadBytesMax
  19. BwdPayloadBytesMin
  20. BwdPayloadBytesMean
  21. BwdPayloadBytesStd
  22. BwdPayloadBytesVariance
  23. TotalHeaderBytes
  24. MaxHeaderBytes
  25. MinHeaderBytes
  26. MeanHeaderBytes
  27. StdHeaderBytes
  28. FwdTotalHeaderBytes
  29. FwdMaxHeaderBytes
  30. FwdMinHeaderBytes
  31. FwdMeanHeaderBytes
  32. FwdStdHeaderBytes
  33. BwdTotalHeaderBytes
  34. BwdMaxHeaderBytes
  35. BwdMinHeaderBytes
  36. BwdMeanHeaderBytes
  37. BwdStdHeaderBytes
  38. FwdAvgSegmentSize
  39. BwdAvgSegmentSize
  40. AvgSegmentSize
  41. FwdInitWinBytes
  42. BwdInitWinBytes
  43. ActiveMin
  44. ActiveMax
  45. ActiveMean
  46. ActiveStd
  47. IdleMin
  48. IdleMax
  49. IdleMean
  50. IdleStd
  51. BytesRate
  52. FwdBytesRate
  53. BwdBytesRate
  54. PacketsRate
  55. BwdPacketsRate
  56. FwdPacketsRate
  57. DownUpRate
  58. AvgFwdBytesPerBulk
  59. AvgFwdPacketsPerBulk
  60. AvgFwdBulkRate
  61. AvgBwdBytesPerBulk
  62. AvgBwdPacketsPerBulk
  63. AvgBwdBulkRate
  64. FwdBulkStateCount
  65. FwdBulkSizeTotal
  66. FwdBulkPacketCount
  67. FwdBulkDuration
  68. BwdBulkStateCount
  69. BwdBulkSizeTotal
  70. BwdBulkPacketCount
  71. BwdBulkDuration
  72. FINFlagCounts
  73. PSHFlagCounts
  74. URGFlagCounts
  75. ECEFlagCounts
  76. SYNFlagCounts
  77. ACKFlagCounts
  78. CWRFlagCounts
  79. RSTFlagCounts
  80. FwdFINFlagCounts
  81. FwdPSHFlagCounts
  82. FwdURGFlagCounts
  83. FwdECEFlagCounts
  84. FwdSYNFlagCounts
  85. FwdACKFlagCounts
  86. FwdCWRFlagCounts
  87. FwdRSTFlagCounts
  88. BwdFINFlagCounts
  89. BwdPSHFlagCounts
  90. BwdURGFlagCounts
  91. BwdECEFlagCounts
  92. BwdSYNFlagCounts
  93. BwdACKFlagCounts
  94. BwdCWRFlagCounts
  95. BwdRSTFlagCounts
  96. PacketsIATMean
  97. PacketsIATStd
  98. PacketsIATMax
  99. PacketsIATMin
  100. PacketsIATSum
  101. FwdPacketsIATMean
  102. FwdPacketsIATStd
  103. FwdPacketsIATMax
  104. FwdPacketsIATMin
  105. FwdPacketsIATSum
  106. BwdPacketsIATMean
  107. BwdPacketsIATStd
  108. BwdPacketsIATMax
  109. BwdPacketsIATMin
  110. BwdPacketsIATSum
  111. SubflowFwdPackets
  112. SubflowBwdPackets
  113. SubflowFwdBytes
  114. SubflowBwdBytes

Definitions

  • IAT
  • Bulk
  • Subflow
  • Idle

Statistical Information Calculation

We use different libraries to calculate various mathematical equations. Below you can see the libraries and a brief definition of each, based on their documentation:

  • statistics

    This module provides functions for calculating mathematical statistics of numeric (Real-valued) data.

    The module is not intended to be a competitor to third-party libraries such as NumPy, SciPy, or proprietary full-featured statistics packages aimed at professional statisticians such as Minitab, SAS and Matlab. It is aimed at the level of graphing and scientific calculators.

Nine mathematical functions are used to extract different features. You can see how those functions are calculated in the NTLFlowLyzer below:

  1. Min

    You know what it means :). The 'min' function (Python built-in) calculates the minimum value in a given list.

  2. Max

    Same as min. The 'max' function (Python built-in) calculates the maximum value in a given list.

  3. Mean

    The 'mean' function from 'statistics' library (Python built-in) calculates the mean value of a given list. According to the library documentation:

    The arithmetic mean is the sum of the data divided by the number of data points. It is commonly called “the average”, although it is only one of many different mathematical averages. It is a measure of the central location of the data.

    This runs faster than the mean() function and it always returns a float. The data may be a sequence or iterable. If the input dataset is empty, raises a StatisticsError.

  4. Standard Deviation

    The 'pstdev' function from 'statistics' library (Python built-in) calculates the population standard deviation of a given list. According to the library documentation:

    Return the population standard deviation (the square root of the population variance). See pvariance() for arguments and other details.
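An added example (not NTLFlowLyzer's code) that applies min, max, mean and pstdev to packet inter-arrival times and formats the results with the floating_point_unit setting. The function names are hypothetical, and two things are assumptions: that IAT means the gap between consecutive packet timestamps, and that a direction with fewer than two packets reports 0 for every statistic instead of raising StatisticsError.

```python
from statistics import mean, pstdev

STAT_NAMES = ("Min", "Max", "Mean", "Std", "Sum")


def inter_arrival_times(timestamps):
    """Gaps between consecutive packets, in seconds."""
    ordered = sorted(timestamps)
    return [later - earlier for earlier, later in zip(ordered, ordered[1:])]


def describe(values, unit=".4f"):
    """Min, max, mean, population std and sum, formatted like floating_point_unit."""
    if not values:
        # min()/max() raise ValueError and mean()/pstdev() raise StatisticsError
        # on empty input, so an empty list is mapped to zeros (assumption).
        stats = dict.fromkeys(STAT_NAMES, 0.0)
    else:
        stats = {
            "Min": min(values),
            "Max": max(values),
            "Mean": mean(values),
            "Std": pstdev(values),   # population std: divides by n, not n - 1
            "Sum": sum(values),
        }
    return {name: format(value, unit) for name, value in stats.items()}


def iat_features(fwd_ts, bwd_ts, unit=".4f"):
    """IAT features for the whole flow and for each direction separately."""
    groups = (
        ("", list(fwd_ts) + list(bwd_ts)),
        ("Fwd", list(fwd_ts)),
        ("Bwd", list(bwd_ts)),
    )
    features = {}
    for prefix, stamps in groups:
        for name, value in describe(inter_arrival_times(stamps), unit).items():
            features[f"{prefix}PacketsIAT{name}"] = value
    return features


if __name__ == "__main__":
    # Constructed timestamps: three forward packets and two backward packets.
    for name, value in iat_features([0.0, 0.2, 0.3], [0.1, 0.5]).items():
        print(name, value)
```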


Output

The output CSV file has the following columns:

flow_id timestamp src_ip src_port dst_ip dst_port protocol duration packets_count fwd_packets_count bwd_packets_count total_payload_bytes fwd_total_payload_bytes bwd_total_payload_bytes payload_bytes_max payload_bytes_min payload_bytes_mean payload_bytes_std payload_bytes_variance fwd_payload_bytes_max fwd_payload_bytes_min fwd_payload_bytes_mean fwd_payload_bytes_std fwd_payload_bytes_variance bwd_payload_bytes_max bwd_payload_bytes_min bwd_payload_bytes_mean bwd_payload_bytes_std bwd_payload_bytes_variance total_header_bytes max_header_bytes min_header_bytes mean_header_bytes std_header_bytes fwd_total_header_bytes fwd_max_header_bytes fwd_min_header_bytes fwd_mean_header_bytes fwd_std_header_bytes bwd_total_header_bytes bwd_max_header_bytes bwd_min_header_bytes bwd_mean_header_bytes bwd_std_header_bytes fwd_avg_segment_size bwd_avg_segment_size avg_segment_size fwd_init_win_bytes bwd_init_win_bytes active_min active_max active_mean active_std idle_min idle_max idle_mean idle_std bytes_rate fwd_bytes_rate bwd_bytes_rate packets_rate bwd_packets_rate fwd_packets_rate down_up_rate avg_fwd_bytes_per_bulk avg_fwd_packets_per_bulk avg_fwd_bulk_rate avg_bwd_bytes_per_bulk avg_bwd_packets_bulk_rate avg_bwd_bulk_rate fwd_bulk_state_count fwd_bulk_total_size fwd_bulk_per_packet fwd_bulk_duration bwd_bulk_state_count bwd_bulk_total_size bwd_bulk_per_packet bwd_bulk_duration fin_flag_counts psh_flag_counts urg_flag_counts ece_flag_counts syn_flag_counts ack_flag_counts cwr_flag_counts rst_flag_counts fwd_fin_flag_counts fwd_psh_flag_counts fwd_urg_flag_counts fwd_ece_flag_counts fwd_syn_flag_counts fwd_ack_flag_counts fwd_cwr_flag_counts fwd_rst_flag_counts bwd_fin_flag_counts bwd_psh_flag_counts bwd_urg_flag_counts bwd_ece_flag_counts bwd_syn_flag_counts bwd_ack_flag_counts bwd_cwr_flag_counts bwd_rst_flag_counts packets_IAT_mean packet_IAT_std packet_IAT_max packet_IAT_min packet_IAT_total fwd_packets_IAT_mean fwd_packets_IAT_std fwd_packets_IAT_max fwd_packets_IAT_min fwd_packets_IAT_total bwd_packets_IAT_mean bwd_packets_IAT_std bwd_packets_IAT_max bwd_packets_IAT_min bwd_packets_IAT_total subflow_fwd_packets subflow_bwd_packets subflow_fwd_bytes subflow_bwd_bytes
64.0 64.0
192.168.43.116_52786_172.67.75.39_443_TCP_2022-07-27 18:15:40.490110 2022-07-27 14:15:40.490110 192.168.43.116 52786 172.67.75.39 443 TCP 0.108553 3 1 2 0 0 0 0 0 0.0000000000000000000000000000000000000000000000000000000000000000 0.0000000000000000000000000000000000000000000000000000000000000000 0.0000000000000000000000000000000000000000000000000000000000000000 0 0 0.0000000000000000000000000000000000000000000000000000000000000000 0.0000000000000000000000000000000000000000000000000000000000000000 0.0000000000000000000000000000000000000000000000000000000000000000 0 0 0.0000000000000000000000000000000000000000000000000000000000000000 0.0000000000000000000000000000000000000000000000000000000000000000 0.0000000000000000000000000000000000000000000000000000000000000000 60 20 20 20.0000000000000000000000000000000000000000000000000000000000000000 0.0000000000000000000000000000000000000000000000000000000000000000 20 20 20 20.0000000000000000000000000000000000000000000000000000000000000000 0.0000000000000000000000000000000000000000000000000000000000000000 40 20 20 20.0000000000000000000000000000000000000000000000000000000000000000 0.0000000000000000000000000000000000000000000000000000000000000000 0.0 0.0 0.0 1020 95 0 0 0 0 0 0 0 0 0.0 0.0 0.0 27.636269840538723 18.424179893692482 9.212089946846241 2.0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 2 0 0 0 0 3 0 0 1 0 0 0 0 1 0 0 1 0 0 0 0 2 0 0 0.0542764999999999983582021911843185080215334892272949218750000000 0.0051684999999999994835242489443771773949265480041503906250000000 0.059445 0.049108 0.108553 1658945740.4901099205017089843750000000000000000000000000000000000000000000 0.0000000000000000000000000000000000000000000000000000000000000000 1658945740.49011 1658945740.49011 1658945740.49011 0.0491079999999999988746779422399413306266069412231445312500000000 0.0000000000000000000000000000000000000000000000000000000000000000 0.049108 0.049108 0.049108 0 0 0 0

Copyright (c) 2023

To cite NTLFlowLyzer in your work, or to understand it in full, see the published papers below:

  • “Toward Generating a New Cloud-based Distributed Denial of Service (DDoS) Dataset and Intrusion Traffic Characterization”, MohammadMoein Shafi, Arash Habibi Lashkari, Vicente Rodriguez, and Ron Nevo, Information, Vol 15(3), 131, (2024)

Contributing

Contributions are welcome in the form of pull requests.

Project Team members

  • Arash Habibi Lashkari: Founder and supervisor

  • Moein Shafi: Graduate student, Researcher and developer - York University (2 years, 2022-2024)

  • Sepideh Niktabe: Graduate student, Researcher and developer - York University (6 months, 2022-2023)

  • Mehrsa Khoshpasand: Research Assistant (RA) - York University (3 months, 2022)

  • Parisa Ghanad: Volunteer Researcher and developer - Amirkabir University (4 months, 2022)

Acknowledgment

This project has been made possible through funding from the Natural Sciences and Engineering Research Council of Canada — NSERC (#RGPIN-2020-04701) and Canada Research Chair (Tier II) - (#CRC-2021-00340) to Arash Habibi Lashkari.
