detector package

Submodules

detector.detector module

class detector.detector.Detector

Bases: object

Main component of the Data Analysis stage to perform anomaly detection

Processes suspicious batches from the Inspector using configurable ML models to classify DNS requests as benign or malicious. Downloads models from a remote server and validates their checksums before use (see WrongChecksum), extracts features from the queried domain names, calculates a maliciousness probability per request, and generates alerts when that probability exceeds the configured threshold.

clear_data() None

Clears all data from internal data structures.

Resets messages, timestamps, and warnings to prepare the Detector for processing the next suspicious batch.

detect() None

Analyzes DNS requests and identifies malicious domains.

Processes each DNS request in the current batch by extracting features, running ML model prediction, and collecting warnings for requests that exceed the configured maliciousness threshold.

get_and_fill_data() None

Consumes suspicious batches from Kafka and stores them for analysis.

Fetches suspicious batch data from the Inspector via Kafka and stores it in internal data structures. If the Detector is already busy processing data, consumption is skipped with a warning. Updates database entries for monitoring and logging purposes.

send_warning() None

Generates and stores alerts for detected malicious requests.

Creates comprehensive alert records from accumulated warnings including overall risk scores, individual predictions, and metadata. Stores alerts in the database and updates batch processing status. If no warnings are present, marks the batch as filtered out.
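The detect() and send_warning() steps above, as an added illustration that is not the project's own code: the batch layout, the feature set, the scorer weights and the alert fields are all assumptions made for this example. A fixed logistic function stands in for the configurable ML model so the block runs offline; the threshold logic and the "filtered out" path are the points being shown.

```python
import math
from collections import Counter

# Constructed sample batch. The record shape is an assumption; the real
# Inspector batch format delivered over Kafka is not described on this page.
SAMPLE_BATCH = {
    "batch_id": "batch-0001",
    "requests": [
        {"client_ip": "10.0.0.5", "domain": "example.com"},
        {"client_ip": "10.0.0.5", "domain": "mail.example.com"},
        {"client_ip": "10.0.0.7", "domain": "x7k2p9q4z1m8v3b6n0.biz"},
        {"client_ip": "10.0.0.7", "domain": "4a9f2c8e1b7d3e6f.top"},
    ],
}


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking DGA labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def extract_features(domain: str) -> dict:
    """Feature vector for one queried name (hypothetical feature set)."""
    labels = domain.lower().rstrip(".").split(".")
    # Score the registrable label, not the TLD: 'example' in 'mail.example.com'.
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    return {
        "length": len(sld),
        "entropy": shannon_entropy(sld),
        "digit_ratio": sum(ch.isdigit() for ch in sld) / max(len(sld), 1),
        "label_count": len(labels),
    }


def predict_malicious(features: dict) -> float:
    """Stand-in for the ML model: a fixed logistic scorer with made-up weights."""
    z = (0.12 * (features["length"] - 10)
         + 1.5 * (features["entropy"] - 3.0)
         + 4.0 * features["digit_ratio"]
         - 1.0)
    return 1.0 / (1.0 + math.exp(-z))


def detect(batch: dict, threshold: float = 0.5) -> list:
    """Mirror of Detector.detect(): one warning per request above the threshold."""
    warnings = []
    for req in batch["requests"]:
        prob = predict_malicious(extract_features(req["domain"]))
        if prob > threshold:
            warnings.append({**req, "probability": round(prob, 4)})
    return warnings


def send_warning(batch: dict, warnings: list, threshold: float = 0.5) -> dict:
    """Mirror of Detector.send_warning(): build the alert record or mark filtered out."""
    if not warnings:
        return {"batch_id": batch["batch_id"], "status": "filtered_out"}
    return {
        "batch_id": batch["batch_id"],
        "status": "alert",
        "threshold": threshold,
        # Overall risk is the single worst request, so one confident hit is not
        # averaged away by the benign queries that share the batch.
        "overall_risk": max(w["probability"] for w in warnings),
        "predictions": warnings,
    }


if __name__ == "__main__":
    found = detect(SAMPLE_BATCH)
    print(send_warning(SAMPLE_BATCH, found))
```

Taking the maximum rather than the mean for the overall risk is a deliberate choice: a batch is suspicious if any request in it is, and a mean would let a single beaconing query hide behind a burst of legitimate traffic from the same client.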

exception detector.detector.WrongChecksum

Bases: Exception

Raised when checksum validation of a downloaded model fails; the model must not be loaded in that case.
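How a download-then-validate step around WrongChecksum can be structured, as an added example that is not the project's code: the install function, the fetch callable and the model bytes are hypothetical. The security-relevant details are that the file is hashed on disk before it is given its final name, that a mismatch removes the partial file so a later load cannot pick it up, and that the expected digest comes from configuration rather than from the same server that serves the model.

```python
import hashlib
import hmac
import os
import tempfile


class WrongChecksum(Exception):
    """Raised when model checksum validation fails (same role as on this page)."""


def sha256_of_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large models do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def install_model(fetch, dest_path: str, expected_sha256: str) -> str:
    """Hypothetical helper: fetch() returns the model bytes (stand-in for HTTP).

    The pinned digest in expected_sha256 must come from a trusted source
    (deployment config), not from a file served next to the model.
    """
    part_path = dest_path + ".part"
    with open(part_path, "wb") as f:
        f.write(fetch())
    actual = sha256_of_file(part_path)
    # Constant-time compare is cheap insurance; the digest is not secret but
    # comparing hex strings this way avoids an easy mistake elsewhere.
    if not hmac.compare_digest(actual, expected_sha256.lower()):
        os.remove(part_path)  # never leave a loadable but unverified artifact behind
        raise WrongChecksum(f"expected {expected_sha256}, got {actual}")
    os.replace(part_path, dest_path)  # atomic: dest is either old-and-verified or new-and-verified
    return dest_path


def run_demo() -> dict:
    """Accept a genuine artifact, reject a tampered one, keep the verified copy intact."""
    # Constructed stand-in for a model artifact (a real one would be pickle/ONNX/...).
    model_bytes = b"MODEL-v1: weights=[0.12, 1.5, 4.0, -1.0]"
    pinned = hashlib.sha256(model_bytes).hexdigest()  # would live in config in practice
    results = {}
    with tempfile.TemporaryDirectory() as d:
        dest = os.path.join(d, "model.bin")
        install_model(lambda: model_bytes, dest, pinned)
        results["accepted"] = os.path.exists(dest)
        tampered = model_bytes + b"\x00"  # one extra byte, as a corrupted or swapped download
        try:
            install_model(lambda: tampered, dest, pinned)
            results["rejected"] = False
        except WrongChecksum:
            results["rejected"] = True
        results["partial_left"] = os.path.exists(dest + ".part")
        results["intact"] = sha256_of_file(dest) == pinned
    return results


if __name__ == "__main__":
    print(run_demo())
```

A checksum only gives integrity relative to wherever the expected value came from; if an attacker can change both the model and the published digest, a signature over the model (verified against a key baked into the deployment) is the stronger check.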

detector.detector.main(one_iteration: bool = False) None

Creates and runs the Detector instance in a continuous processing loop.

Initializes the Detector and starts the main processing loop that continuously fetches suspicious batches from Kafka, performs malicious domain detection, and generates alerts. Handles various exceptions gracefully and ensures proper cleanup of data structures.

Parameters:

one_iteration (bool) – For testing purposes: stops the loop after one iteration.

Raises:

KeyboardInterrupt – Execution interrupted by user.