path: root/README.md
blob: 205c630de056b42d7a1dcb4545e11679e475bab1 (plain)
# streamml

Streamml processes network packets in real time: it sniffs traffic, groups packets into fixed-size windows, computes per-window features and feeds them into the Half-Space Trees anomaly detector (via the [River](https://github.com/online-ml/river) library). When a window's anomaly score exceeds the configured threshold, the application writes an evidentiary PCAP dump containing the packets of that window.

Note: only Half-Space Trees is supported at the moment; more algorithms are planned.

### Prerequisites
Ensure you have [uv](https://github.com/astral-sh/uv) installed.

### Running

Packet sniffing needs raw-socket access (on Linux, the `CAP_NET_RAW` capability), so the application has to be started as root:
```bash
sudo uv run -m streamml.app
```


Results are stored under `XDG_DATA_HOME` (which defaults to `~/.local/share` when the variable is unset):

```
LOGS_PATH = $XDG_DATA_HOME/streamml/profiles_logs
PCAP_PATH = $XDG_DATA_HOME/streamml/profiles_pcaps
```

Because the application runs under `sudo`, these paths resolve in root's environment: with sudo's default `env_reset`, `XDG_DATA_HOME` is not passed through and `HOME` is root's, so the logs and evidence PCAPs typically end up under `/root/.local/share/streamml/`.

How it works: activating a profile starts two concurrent stages, a sniffer that applies the BPF filter and pushes every received packet onto a FIFO, and a processor that drains the FIFO into windows, computes features for each completed window, scores it with Half-Space Trees, and saves a PCAP, logs and alerts when the score crosses the threshold:

                  +--------------------+
                  | Profile Activation |
                  +---------+----------+
                            |
            +---------------+---------------+
            |                               |
    +-------v-------+               +-------v---------+
    | Start Sniffer |               | Start Processor |
    +-------+-------+               +-------+---------+                           
            |                               |                                     
    +-------v-------+               +-------v-------------+                       
    |   BPF Filter  |               | Get Packet from     |<------+
    +-------+-------+               | FIFO                |       |
            |                       +-------+-------------+       |
    +-------v-------+                       |                     |
    | Receive Packet|               +-------v-------------+       |
    +-------+-------+               | Add Packet to       |       |
            |                       | Window              |       |
    +-------v-------+               +-------+-------------+       |
    |  Add to FIFO  |                       |                     |
    +---------------+               +-------v-------------+   No  |
                                    |   End of Window?    +-------+
                                    +-------+-------------+       |
                                            | Yes                 |
                                    +-------v-------------+       |
                                    | Calculate Features  |       |
                                    +-------+-------------+       |
                                            |                     |
                                    +-------v-------------+       |
                                    | HST: score_one +    |       |
                                    | learn_one           |       |
                                    +-------+-------------+       |
                                            |                     |
                                    +-------v-------------+   No  |
                                    | Score > Threshold?  +-------+
                                    +-------+-------------+
                                            | Yes
                                    +-------v-------------+
                                    | PCAP Save           |
                                    | Logging             |
                                    | Alert               |
                                    +---------------------+
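The processor branch of the diagram, as an added example that is not streamml's own code: a pure-Python pipeline that windows packets, extracts features, scores each window through the same `score_one`/`learn_one` interface River models expose, and emits an evidentiary PCAP when the score clears the threshold. The `Packet` record, the feature set, the `RunningZScorer` stand-in (used so the example runs offline without River installed), and the constructed traffic are all this example's assumptions, not the project's.

```python
"""Added example (not streamml's own code): the processor side of the
diagram as a stand-alone, offline pipeline. Feature names, the stand-in
scorer and the traffic below are this example's assumptions; in the real
app the scorer is river.anomaly.HalfSpaceTrees, which exposes the same
score_one / learn_one methods."""
import statistics
import struct
from collections import namedtuple

# Constructed packet record: capture time (float seconds), the raw frame,
# and two header fields that a real sniffer would parse out of it.
Packet = namedtuple("Packet", "ts raw dst_port proto")

PCAP_MAGIC = 0xA1B2C3D4      # classic libpcap magic, microsecond timestamps
LINKTYPE_ETHERNET = 1


def window_features(window):
    """Per-window features fed to the model (this example's choice of features)."""
    sizes = [len(p.raw) for p in window]
    span = max(window[-1].ts - window[0].ts, 1e-6)   # avoid divide-by-zero
    return {
        "n_packets": len(window),
        "bytes": sum(sizes),
        "mean_size": statistics.fmean(sizes),
        "pkts_per_sec": len(window) / span,
        "unique_dst_ports": len({p.dst_port for p in window}),
        "udp_ratio": sum(p.proto == 17 for p in window) / len(window),
    }


def to_pcap(window, snaplen=65535):
    """Serialise the packet window as a libpcap file (global header + one
    16-byte record header per packet); orig_len keeps the untruncated size."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET)
    for p in window:
        sec = int(p.ts)
        usec = int(round((p.ts - sec) * 1_000_000))
        data = p.raw[:snaplen]
        out += struct.pack("<IIII", sec, usec, len(data), len(p.raw)) + data
    return out


class RunningZScorer:
    """Stand-in for the HST model with River's two-method interface.
    Score = largest |z| of any feature against the running mean/std of the
    windows learned so far; 0 until `warmup` windows have been learned."""
    def __init__(self, warmup=3):
        self.hist, self.warmup = [], warmup

    def score_one(self, x):
        if len(self.hist) < self.warmup:
            return 0.0
        worst = 0.0
        for k, v in x.items():
            col = [h[k] for h in self.hist]
            mu = statistics.fmean(col)
            sd = max(statistics.pstdev(col), 1e-6 * abs(mu), 1e-9)  # floor the std
            worst = max(worst, abs(v - mu) / sd)
        return worst

    def learn_one(self, x):
        self.hist.append(x)


def process(packets, window_size, threshold, scorer):
    """The processor loop from the diagram: FIFO -> window -> features ->
    score_one + learn_one -> threshold gate -> evidence PCAP."""
    alerts, window = [], []
    for pkt in packets:                      # stands in for reading the FIFO
        window.append(pkt)
        if len(window) < window_size:        # "End of Window?" -> No
            continue
        x = window_features(window)
        score = scorer.score_one(x)
        scorer.learn_one(x)                  # the model learns from anomalous windows too
        if score > threshold:
            alerts.append({"first_ts": window[0].ts, "score": score,
                           "features": x, "pcap": to_pcap(window)})
        window = []
    return alerts


def sample_traffic():
    """Constructed traffic: 80 steady 600-byte TCP/443 frames (8 windows of 10),
    then 10 tiny UDP probes to 10 different ports (1 window). Timestamps are
    exact binary fractions so the baseline features are identical per window."""
    t0 = 1_700_000_000.0
    pkts = [Packet(t0 + i * 0.125, b"\xaa" * 600, 443, 6) for i in range(80)]
    t1 = t0 + 80 * 0.125
    pkts += [Packet(t1 + i / 1024, b"\xbb" * 60, 1000 + i, 17) for i in range(10)]
    return pkts


if __name__ == "__main__":
    alerts = process(sample_traffic(), window_size=10, threshold=3.0,
                     scorer=RunningZScorer(warmup=3))
    for a in alerts:
        name = f"alert_{int(a['first_ts'])}.pcap"
        with open(name, "wb") as fh:         # the "PCAP Save" step
            fh.write(a["pcap"])
        print(f"score={a['score']:.1f} ports={a['features']['unique_dst_ports']} -> {name}")
```

Run as a script, the eight baseline windows score near zero and the port-sweep window triggers one alert whose PCAP holds exactly the ten packets of that window, which is what makes the dump useful as evidence. To use the real detector, replace `RunningZScorer` with `river.anomaly.HalfSpaceTrees(n_trees=..., height=..., window_size=...)`; `process` does not change because it only relies on `score_one` and `learn_one`. One caveat visible in the diagram and preserved here: `learn_one` runs whether or not the window was flagged, so sustained anomalous traffic is gradually absorbed into the model's notion of normal; if that matters for your deployment, skip learning on flagged windows or keep a separate warm-up phase.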


<img width="988" height="540" alt="screenshot1" src="https://github.com/user-attachments/assets/65ed2870-fb2c-4212-9db6-d74b10248809" />