Creating anomaly detection IDPS

Hi Dan,

There are various ways one can detect anomalies using Bro based on the network traffic.
Use of Intel FW and Scan scripts with Bro gives a start on detecting different types of scanning and other suspicious activity going on in the network.
Not sure what exactly your use case is regarding NSL-KDD training sets with Bro.
Are you trying to use Bro-generated network data as the test set for your classifiers/learning algos, or trying to feed Bro with the NSL-KDD training sets? I don’t think machine learning is currently being supported by Bro.
Or I might have misunderstood the question :)


My take is that while Bro has the intel framework and Bro scripts to classify and alert on traffic, the real anomaly detection/heavy lifting should be done where the Bro data is stored. We use Bro as a (big) data source for analytics and discovery.

There are several plugins where you can move/process the Bro data. If you like Python/Pandas/Scikit-Learn you might try the Python BroThon package, which I started working on… we’re working on anomaly detection using scikit-learn i-forests and some other stuff with it…

If you want to use Bro Scripts there might be some examples here to start playing around with:

Hi Brian,

This looks really interesting, I didn’t know about the Python package available for Bro data.
Recently I took a course on search and data mining, and wondered if it can be done on Bro data.
Your post comes at perfect timing :) Will play around with it. Thanks!
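
The isolation-forest idea mentioned in the thread, as an added example that is not part of the original messages and is not BroThon or scikit-learn code: a minimal pure-Python isolation forest that scores rows of a Bro `conn.log` by how quickly random splits isolate them. The sample log, the choice of features, the handling of unset fields and all function names are assumptions made for illustration.

```python
import math
import random

FEATURES = ("duration", "orig_bytes", "resp_bytes")
# Constructed sample conn.log (spaces become the tabs Bro uses; not real traffic).
SAMPLE = """#fields ts uid id.orig_h id.resp_h id.resp_p proto duration orig_bytes resp_bytes
1500000000.1 Cx01 192.0.2.10 198.51.100.5 443 tcp 0.41 512 4096
1500000001.2 Cx02 192.0.2.11 198.51.100.5 443 tcp 0.38 640 5120
1500000002.3 Cx03 192.0.2.10 198.51.100.7 80 tcp 0.52 300 2800
1500000003.4 Cx04 192.0.2.12 198.51.100.5 443 tcp - - -
1500000004.5 Cx05 192.0.2.11 198.51.100.7 80 tcp 0.60 700 6000
1500000005.6 Cx06 192.0.2.14 203.0.113.9 443 tcp 7200.0 500000000 5000000
""".replace(" ", "\t")

def parse_bro_log(text):
    """Parse a Bro TSV log; column names come from its '#fields' header line."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows

def to_vector(row):
    # Bro writes '-' for unset values; mapping them to 0.0 is a choice made here.
    return [0.0 if row[f] == "-" else float(row[f]) for f in FEATURES]

def c(n):
    """Average path length of a failed binary-search-tree lookup over n points."""
    harmonic = math.log(max(n - 1, 1)) + 0.5772156649
    return float(max(n - 1, 0)) if n <= 2 else 2 * harmonic - 2 * (n - 1) / n

def path_length(x, data, rng, depth, limit):
    """Walk x's branch of one random isolation tree, built lazily along the way."""
    spans = [(min(p[f] for p in data), max(p[f] for p in data)) for f in range(len(x))]
    usable = [f for f, (lo, hi) in enumerate(spans) if lo < hi]
    if depth >= limit or not usable:
        return depth + c(len(data))
    f = rng.choice(usable)
    split = rng.uniform(*spans[f])
    side = [p for p in data if (p[f] < split) == (x[f] < split)]
    return path_length(x, side, rng, depth + 1, limit)

def anomaly_scores(vectors, trees=100, seed=7):
    """Scores in (0, 1]; values near 1 mean a point is isolated after few splits."""
    rng, limit = random.Random(seed), math.ceil(math.log2(max(len(vectors), 2)))
    mean = lambda x: sum(path_length(x, vectors, rng, 0, limit) for _ in range(trees)) / trees
    return [2 ** (-mean(x) / (c(len(vectors)) or 1.0)) for x in vectors]
```

Calling `anomaly_scores([to_vector(r) for r in parse_bro_log(SAMPLE)])` ranks the long, high-volume connection `Cx06` highest; on real logs the forest would be fit on a subsample and the features scaled or extended to suit the traffic.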