inspector package

Submodules

inspector.inspector module

class inspector.inspector.EnsembleModels(value)

Bases: str, Enum

Available ensemble models for combining multiple anomaly detectors

VOTE = 'VoteEnsemble'

WEIGHT = 'WeightEnsemble'

__format__(format_spec)

Returns format using actual value type unless __str__ has been overridden.

class inspector.inspector.Inspector

Bases: object

Main component of the Data Inspection stage to detect anomalies in request batches

Analyzes batches of DNS requests using configurable streaming anomaly detection models. Supports univariate, multivariate, and ensemble detection modes. Processes time series features from DNS request patterns to identify suspicious network behavior and forwards anomalous batches to the Detector for further analysis.

clear_data() → None

Clears all data from internal data structures.

Resets messages, anomalies, feature matrix, and timestamps to prepare the Inspector for processing the next batch of data.

get_and_fill_data() → None

Consumes data from Kafka and stores it for processing.

Fetches batch data from the configured Kafka topic and stores it in internal data structures. If the Inspector is already busy processing data, the consumption is skipped with a warning. Logs batch information and updates database entries for monitoring purposes.

inspect() → None

Runs anomaly detection using configured StreamAD models.

Executes anomaly detection based on the configured mode (univariate, multivariate, or ensemble). Validates model configuration and delegates to the appropriate inspection method.

Raises:

NotImplementedError – If no models are configured or mode is unsupported.

send_data() → None

Forwards anomalous data to the Detector for further analysis.

Evaluates anomaly scores against the configured thresholds. If the proportion of anomalous time steps exceeds the threshold, groups messages by client IP and forwards each group as a suspicious batch to the Detector via Kafka. Otherwise, logs the batch as filtered out and updates monitoring databases.

inspector.inspector.main(one_iteration: bool = False) → None

Creates and runs the Inspector instance in a continuous processing loop.

Initializes the Inspector and starts the main processing loop that continuously fetches batches from Kafka, performs anomaly detection, and forwards suspicious batches to the Detector. Handles various exceptions gracefully and ensures proper cleanup of data structures.

Parameters:

one_iteration (bool) – For testing purposes - stops loop after one iteration.

Raises:

KeyboardInterrupt – Execution interrupted by user.