Documentation

Technical details about the detected attacks and classification rules.

Supported Attack Classifications

The system utilizes a hybrid detection engine combining Behavioral Analysis and Random Forest Classification. Below are the 11 specific attack types currently identified by the system, along with their detection logic and triggering thresholds.

1. TCP SYN Flood
High Severity

Denial of Service attack that consumes server resources by initiating many connections without completing the handshake.

Detection Rule:

  • Protocol: TCP
  • Flags: SYN set, ACK not set
  • Threshold: > 100 pps (packets per second) average over 10s window

2. ICMP Flood
Medium Severity

Overwhelms the target with ICMP Echo Request (Ping) packets.

Detection Rule:

  • Protocol: ICMP
  • Threshold: > 50 pps average over 5s window

3. Port Scan
Medium Severity

Reconnaissance activity to identify open ports and services on a target system.

Detection Rule:

  • Protocol: TCP / UDP
  • Logic: Single Source IP connecting to > 10 unique Destination Ports within 30s

4. HTTP Flood
Medium Severity

Layer 7 DDoS attack aimed at web servers and applications.

Detection Rule:

  • Protocol: TCP (Port 80/443)
  • Threshold: > 50 requests/sec average over 10s window

5. DNS Amplification
High Severity

Reflection attack using open DNS resolvers to flood a target with large responses.

Detection Rule:

  • Protocol: UDP (Source Port 53)
  • Threshold: > 50 pps response rate

6. SSH Brute Force
Medium Severity

Repeated attempts to guess SSH credentials.

Detection Rule:

  • Protocol: TCP (Dst Port 22)
  • Flags: SYN
  • Threshold: > 20 connection attempts in 60s from single Source IP

7. RDP Scan
Medium Severity

Scanning for exposed Remote Desktop Protocol services.

Detection Rule:

  • Protocol: TCP (Dst Port 3389)
  • Flags: SYN
  • Threshold: > 10 attempts in 30s

8. SMB Scan
Medium Severity

Scanning for exposed Windows file sharing services (often used by ransomware).

Detection Rule:

  • Protocol: TCP (Dst Port 139/445)
  • Flags: SYN
  • Threshold: > 15 attempts in 30s

9. BACnet Broadcast
Medium Severity

Abnormal broadcast traffic in Industrial Control Systems (ICS/OT).

Detection Rule:

  • Protocol: UDP (Dst Port 47808)
  • Threshold: > 20 pps average over 15s window

10. Modbus TCP Suspect
Medium Severity

Anomalous high-frequency requests in SCADA/ICS networks.

Detection Rule:

  • Protocol: TCP (Dst Port 502)
  • Threshold: > 10 req/sec average over 20s window

11. NTP Amplification
Medium Severity

Reflection attack utilizing Network Time Protocol servers.

Detection Rule:

  • Protocol: UDP (Source Port 123)
  • Threshold: > 20 pps response rate
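The windowed threshold rules above can be replayed over a packet feed. The following is an added example, not the system's own detection code, implementing three of the rules (TCP SYN Flood, Port Scan, SSH Brute Force) as a sliding-window detector over constructed packet tuples; the tuple layout, the keying (SYN flood per destination host, the other two per source host) and computing "pps average over the window" as event count divided by window length are assumptions of this example.

```python
from collections import defaultdict, deque

# Packet record layout assumed by this example (not from the page):
#   (ts_seconds, proto, src, dst, sport, dport, flags)   e.g. flags "S" or "SA"

def is_syn_only(pkt):
    """TCP segment with SYN set and ACK not set (a new connection attempt)."""
    return pkt[1] == "TCP" and "S" in pkt[6] and "A" not in pkt[6]

# name: (match predicate, key function, window seconds, threshold, mode)
# Thresholds are the ones stated in the Detection Rules above.
RULES = {
    "TCP SYN Flood": (is_syn_only, lambda p: p[3], 10, 100, "pps"),
    "Port Scan": (lambda p: p[1] in ("TCP", "UDP"), lambda p: p[2], 30, 10, "unique_dports"),
    "SSH Brute Force": (lambda p: is_syn_only(p) and p[5] == 22, lambda p: p[2], 60, 20, "count"),
}

def detect(packets):
    """Replay packets in time order; return (rule, key, ts) alerts, at most one per rule/key."""
    windows = defaultdict(deque)   # (rule, key) -> deque of (ts, dport) still inside the window
    alerts, fired = [], set()
    for pkt in sorted(packets, key=lambda p: p[0]):
        ts = pkt[0]
        for name, (match, keyfn, win, thr, mode) in RULES.items():
            if not match(pkt):
                continue
            key = (name, keyfn(pkt))
            dq = windows[key]
            dq.append((ts, pkt[5]))
            while dq and ts - dq[0][0] > win:      # evict events older than the window
                dq.popleft()
            if mode == "pps":
                value = len(dq) / win              # average rate over the whole window
            elif mode == "unique_dports":
                value = len({dport for _, dport in dq})
            else:
                value = len(dq)                    # raw attempt count in the window
            if value > thr and key not in fired:
                fired.add(key)
                alerts.append((name, key[1], ts))
    return alerts

if __name__ == "__main__":
    # Constructed sample: one host probing 11 distinct ports on 192.0.2.10 within 11 seconds.
    scan = [(t, "TCP", "203.0.113.5", "192.0.2.10", 5555, 1000 + t, "S") for t in range(11)]
    for alert in detect(scan):
        print(alert)
```

A production detector would also expire idle keys and emit alerts per window rather than once per key; the single-fire set here only keeps the sample output readable.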