stratosphereips
diff --git a/‎.gitignore‎
Lines changed: 11 additions & 1 deletion b/‎.gitignore‎
Lines changed: 11 additions & 1 deletion
diff --git a/‎CLAUDE.md‎
Lines changed: 116 additions & 0 deletions b/‎CLAUDE.md‎
Lines changed: 116 additions & 0 deletions
diff --git a/‎alert_summary/DATASET_RISK_REPORT.md‎
Lines changed: 155 additions & 0 deletions b/‎alert_summary/DATASET_RISK_REPORT.md‎
Lines changed: 155 additions & 0 deletions
@@ -56,7 +56,7 @@ coverage.xml
 *.pot
 
 # Django stuff:
-*.log
+#*.log
 local_settings.py
 db.sqlite3
 db.sqlite3-journal
@@ -127,3 +127,13 @@ dmypy.json
 
 # Pyre type checker
 .pyre/
+
+# Intermediate LLM analysis files (regeneratable)
+alert_summary/datasets/*.cause_risk.*.json
+alert_summary/datasets/*.llm.*.json
+!alert_summary/datasets/*.llm.*.json.gz
+alert_summary/datasets/final_dataset_*.json
+alert_summary/my_dataset_*.llm.*.json
+alert_summary/results/
+.attic/
+alert_summary/.attic/
@@ -0,0 +1,116 @@
+# CLAUDE.md
+
+This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+
+## Repository Overview
+
+Slips-tools is a collection of tools and scripts for testing and evaluating Slips (network security analysis). The repository contains five main components:
+
+1. **Alert Summary Tools** (`alert_summary/`) - Slips Evidence Log DAG Generator with dual analysis modes (IP-based and per-analysis)
+2. **LLM Unit Testing** (`llm-unittest/`) - Promptfoo-based test suite for evaluating small language models on security-related tasks
+3. **Model Benchmarking** (`benchmark_models/`) - Performance benchmarking for Ollama-served models  
+4. **Data Visualization** (`multi_line_chart_plotter/`) - CSV plotting utility for performance metrics
+5. **System Monitoring** (`rpi_temperature_logger/`) - Raspberry Pi temperature logging
+
+## Key Commands
+
+### Alert Summary Tools
+```bash
+# IP-based analysis (traditional mode)
+cd alert_summary/
+python3 slips_dag_generator.py sample_logs/test_data.log --all-ips --minimal --include-threat-level
+
+# Per-analysis mode (alert-focused)
+python3 slips_dag_generator.py sample_logs/slips.log --per-analysis --compact
+
+# LLM-enhanced analysis
+./analyze_slips_with_llm.sh sample_logs/slips.log --per-analysis --format minimal
+
+# Dataset generation - Summarization workflow
+./sample_dataset.sh 100 my_dataset --seed 42
+./generate_dag_analysis.sh datasets/my_dataset.jsonl
+./generate_llm_analysis.sh datasets/my_dataset.jsonl --model gpt-4o-mini --group-events --behavior-analysis
+python3 correlate_incidents.py datasets/my_dataset.*.json --jsonl datasets/my_dataset.jsonl -o final_dataset.json
+
+# Dataset generation - Cause & Risk workflow
+./generate_cause_risk_analysis.sh datasets/my_dataset.jsonl --model gpt-4o-mini --group-events
+python3 correlate_risks.py datasets/my_dataset.*.json --jsonl datasets/my_dataset.jsonl -o final_dataset_risk.json
+```
+
+### LLM Unit Testing
+```bash
+# Run all test cases with Ollama backend
+cd llm-unittest/
+./run_tests.sh
+
+# Run individual test case
+promptfoo eval -c 01_test_action_json_parsing.yaml --max-concurrency 3 --no-cache --providers file://providers/ex_provider.yaml
+
+# View results
+promptfoo view
+```
+
+### Model Benchmarking
+```bash
+# Benchmark all available Ollama models
+cd benchmark_models/
+./benchmark_ollama_models.sh
+
+# Test single OpenAI-compatible endpoint
+./test_openai.sh
+```
+
+### Data Visualization
+```bash
+# Install dependencies
+cd multi_line_chart_plotter/
+pip install -r requirements.txt
+
+# Generate multi-line plot
+./plotter.py file1.csv file2.csv "Title" "X Label" "Y Label" output.png
+```
+
+### Temperature Monitoring
+```bash
+# Log Raspberry Pi temperature (requires RPi)
+cd rpi_temperature_logger/
+python3 rpi_temperature_logger.py
+```
+
+## Architecture
+
+### LLM Testing Framework
+- **Test Cases**: YAML files defining prompts and expected outputs for various security tasks (JSON parsing, Zeek analysis, tool use)
+- **Providers**: Configuration for different model endpoints (Ollama, OpenAI-compatible APIs)
+- **Evaluation**: Uses Promptfoo framework for systematic model evaluation
+
+### Benchmarking System
+- **stream_query_llm.py**: Core Python script for querying models and measuring performance metrics
+- **benchmark_ollama_models.sh**: Orchestrates benchmarking across multiple models, collecting disk usage, RAM usage, and tokens-per-second
+- **Results**: Outputs structured CSV data for analysis
+
+### Provider Configuration
+Models are configured in `llm-unittest/providers/` with endpoints typically pointing to:
+- Ollama servers (e.g., `http://10.147.20.101:11434/v1`)
+- Custom model endpoints for specialized models like BitNet
+
+## Test Categories
+
+The LLM unit tests focus on security-relevant capabilities:
+- **Action JSON**: Parsing and understanding structured security actions
+- **Zeek Analysis**: Network traffic log analysis and signature generation  
+- **Tool Use**: Integration with security tools and workflows
+- **Summarization**: Converting technical data into actionable insights
+
+## Development Notes
+
+- Promptfoo requires `npm install -g promptfoo`
+- Python dependencies are minimal (openai, pandas, matplotlib)
+- Shell scripts expect `jq` and `curl` for JSON processing
+- Default configurations point to specific IP addresses that may need updating for different environments
+
+## Conda Environment Setup
+
+- Always use conda environment for running projects
+- Activation command: 
+  - `source $HOME/miniconda3/etc/profile.d/conda.sh && conda activate agents`
@@ -0,0 +1,155 @@
+# Network Event Cause & Risk Analysis Dataset for Slips IDS
+
+## Table of Contents
+
+- [1. Task Description](#1-task-description)
+- [2. Relationship to Summarization Workflow](#2-relationship-to-summarization-workflow)
+- [3. Dataset Generation Workflow](#3-dataset-generation-workflow)
+  - [Workflow Overview](#workflow-overview)
+  - [Stage 3: Multi-Model Cause & Risk Analysis](#stage-3-multi-model-cause--risk-analysis)
+  - [Stage 4: Dataset Correlation](#stage-4-dataset-correlation)
+  - [Dataset Structure](#dataset-structure)
+- [4. Use Cases and Applications](#4-use-cases-and-applications)
+
+## 1. Task Description
+
+Develop a dataset for **root cause analysis and risk assessment** of network security incidents from Slips IDS alerts. This complementary workflow focuses on structured security analysis rather than event summarization, providing:
+
+1. **Cause Analysis** - Categorized incident attribution (Malicious Activity / Legitimate Activity / Misconfigurations)
+2. **Risk Assessment** - Structured evaluation (Risk Level / Business Impact / Investigation Priority)
+
+**Target Deployment**: Same hardware constraints as [summarization workflow](DATASET_REPORT.md#2-limitations) (Raspberry Pi 5, 1.5B-3B parameter models).
+
+## 2. Relationship to Summarization Workflow
+
+Both workflows share identical **Stages 1-2** (incident sampling and DAG generation) but diverge in LLM analysis approach:
+
+| Aspect | Summarization Workflow | Risk Analysis Workflow |
+|--------|------------------------|------------------------|
+| **Documentation** | [DATASET_REPORT.md](DATASET_REPORT.md) | This document |
+| **Detailed Guide** | [README_dataset_summary_workflow.md](README_dataset_summary_workflow.md) | [README_dataset_risk_workflow.md](README_dataset_risk_workflow.md) |
+| **Analysis Script** | `generate_llm_analysis.sh` | `generate_cause_risk_analysis.sh` |
+| **Correlation Script** | `correlate_incidents.py` | `correlate_risks.py` |
+| **Output Fields** | `summary` + `behavior_analysis` | `cause_analysis` + `risk_assessment` |
+| **LLM Prompts** | 2 per incident (event summarization + behavior patterns) | 2 per incident (cause attribution + risk scoring) |
+| **Primary Use Case** | Incident timeline reconstruction, behavior pattern identification | Root cause analysis, threat prioritization, SOC decision support |
+
+**Recommendation**: Generate both datasets from the same sampled incidents to enable comparative analysis and multi-task model training.
+
+## 3. Dataset Generation Workflow
+
+### Workflow Overview
+
+**Stages 1-2** (Sampling + DAG): See [DATASET_REPORT.md §3](DATASET_REPORT.md#3-dataset-generation-workflow) - identical to summarization workflow.
+
+**Quick commands:**
+```bash
+# Stage 1: Sample 100 incidents
+./sample_dataset.sh 100 my_dataset --seed 42
+
+# Stage 2: Generate DAG analysis
+./generate_dag_analysis.sh datasets/my_dataset.jsonl
+```
+
+### Stage 3: Multi-Model Cause & Risk Analysis
+
+Query LLMs with dual prompts for cause attribution and risk assessment:
+
+```bash
+# GPT-4o-mini (recommended baseline)
+./generate_cause_risk_analysis.sh datasets/my_dataset.jsonl \
+  --model gpt-4o-mini --group-events
+
+# Qwen2.5:3b (target deployment model)
+./generate_cause_risk_analysis.sh datasets/my_dataset.jsonl \
+  --model qwen2.5:3b \
+  --base-url http://10.147.20.102:11434/v1 --group-events
+```
+
+**Output Structure** (per incident):
+```json
+{
+  "cause_analysis": "**Possible Causes:**\n\n**1. Malicious Activity:**\n• Port scanning indicates reconnaissance...\n\n**2. Legitimate Activity:**\n• Could be network monitoring tools...\n\n**3. Misconfigurations:**\n• Firewall allowing unrestricted scanning...\n\n**Conclusion:** Most likely malicious reconnaissance activity.",
+
+  "risk_assessment": "**Risk Level:** High\n\n**Justification:** Active scanning + C2 connections...\n\n**Business Impact:** Potential data breach or service disruption...\n\n**Likelihood of Malicious Activity:** High - Systematic attack pattern...\n\n**Investigation Priority:** Immediate - Block source IP and investigate."
+}
+```
+
+### Stage 4: Dataset Correlation
+
+Merge all analyses (DAG + LLM cause/risk assessments) by incident ID:
+
+```bash
+python3 correlate_risks.py datasets/my_dataset.*.json \
+  --jsonl datasets/my_dataset.jsonl \
+  -o datasets/final_dataset_risk.json
+```
+
+### Dataset Structure
+
+Final output contains merged analyses with model-specific risk assessments:
+
+```json
+{
+  "total_incidents": 100,
+  "incidents": [
+    {
+      "incident_id": "uuid",
+      "category": "Malware",
+      "source_ip": "192.168.1.113",
+      "timewindow": "5",
+      "timeline": "2024-04-05 16:53:07 to 16:53:50",
+      "threat_level": 15.36,
+      "event_count": 4604,
+      "dag_analysis": "• 16:53 - 222 horizontal port scans [HIGH]\n...",
+      "cause_risk_gpt_4o_mini": {
+        "cause_analysis": "**1. Malicious Activity:** Reconnaissance scanning...",
+        "risk_assessment": "**Risk Level:** High\n**Justification:**..."
+      },
+      "cause_risk_gpt_4o": { ... },
+      "cause_risk_qwen2_5": { ... }
+    }
+  ]
+}
+```
+
+**Key differences from summarization dataset**:
+- `cause_risk_*` fields replace `llm_*` fields
+- Structured 3-category cause analysis (vs. free-form summary)
+- 5-field risk assessment framework (vs. behavior flow description)
+
+## 4. Use Cases and Applications
+
+### Security Operations Center (SOC)
+- **Automated Triage**: Risk level + investigation priority for alert queue sorting
+- **Incident Attribution**: Distinguish malicious attacks from misconfigurations
+- **Resource Allocation**: Business impact assessment for team assignments
+
+### Model Training Applications
+- **Classification Tasks**: Train models to categorize incidents (malicious/legitimate/misconfiguration)
+- **Risk Scoring**: Fine-tune models for threat level prediction
+- **Decision Support**: Generate actionable recommendations (block/monitor/investigate)
+
+### Dataset Comparison
+Use both workflows together:
+- **Summarization**: "What happened?" (temporal sequences, behavior patterns)
+- **Risk Analysis**: "Why did it happen?" + "How urgent?" (attribution, prioritization)
+
+**Combined Training Strategy**:
+```bash
+# Generate both datasets from same incidents
+./generate_llm_analysis.sh datasets/my_dataset.jsonl --model qwen2.5:3b --group-events --behavior-analysis
+./generate_cause_risk_analysis.sh datasets/my_dataset.jsonl --model qwen2.5:3b --group-events
+
+# Correlate separately
+python3 correlate_incidents.py datasets/my_dataset.*.json --jsonl datasets/my_dataset.jsonl -o summary_dataset.json
+python3 correlate_risks.py datasets/my_dataset.*.json --jsonl datasets/my_dataset.jsonl -o risk_dataset.json
+
+# Multi-task training: Merge datasets and train single model on both tasks
+```
+
+---
+
+**For detailed implementation**: See [README_dataset_risk_workflow.md](README_dataset_risk_workflow.md)
+**For workflow comparison**: See [WORKFLOWS_OVERVIEW.md](WORKFLOWS_OVERVIEW.md) (if available)
+**For evaluation methods**: See [LLM_EVALUATION_GUIDE.md](LLM_EVALUATION_GUIDE.md)