FrancescoCitti/ml_threat_detection

GitHub: FrancescoCitti/ml_threat_detection

Stars: 0 | Forks: 0

# ml threat detection

Detects anomalous SSH login activity in Linux auth logs using Isolation Forest. Groups events by IP, computes failure rates, and flags statistical outliers likely to represent brute-force or credential-stuffing attempts.

## How it works

1. `preprocess.py` parses raw `/var/log/auth.log` lines, extracts source IPs, and labels each event as failed or successful.
2. `model.py` aggregates per-IP statistics (attempt count, failure count, failure rate), scales them, and runs Isolation Forest to surface outliers.

## Usage

```bash
pip install -r requirements.txt

# Preprocess only
python src/preprocess.py data/auth.log

# Run full detection
python src/model.py data/auth.log
```

Place your auth log at `data/auth.log`. The file is excluded from version control.

## Output example

```text
3 anomalous IP(s) detected:

   ip_encoded  total_attempts  failed_attempts  failure_rate  anomaly
           42             847              841         0.993       -1
           17              12               12         1.000       -1
            3             203              199         0.981       -1
```

## Files

| Path | Purpose |
| --- | --- |
| `src/preprocess.py` | Log parsing and feature extraction |
| `src/model.py` | Isolation Forest detection |
| `requirements.txt` | Python dependencies |
| `data/` | Place `auth.log` here (gitignored) |
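The two steps described above, parsing sshd lines from `auth.log` and aggregating per-IP features before handing them to Isolation Forest, as an added example written for this page; it is not the repository's `preprocess.py` or `model.py`. The log lines are constructed in the standard sshd format, the `distinct_users` column is an extra feature beyond the three the README names, the scaling is a plain z-score (the README says features are scaled but not how), and the scikit-learn `IsolationForest` call is the standard one, not necessarily the exact parameters `model.py` uses.

```python
import re
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample auth.log lines (sshd / pam / cron formats); not from a real host.
SAMPLE_LOG = """\
Mar 10 13:45:01 host sshd[1201]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2: RSA SHA256:abc
Mar 10 13:45:02 host sshd[1202]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar 10 13:45:03 host sshd[1203]: Failed password for invalid user root from 203.0.113.5 port 51235 ssh2
Mar 10 13:45:04 host sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 51236 ssh2
Mar 10 13:45:05 host sshd[1205]: Failed password for alice from 203.0.113.5 port 51237 ssh2
Mar 10 13:45:06 host sshd[1206]: Failed password for bob from 198.51.100.7 port 40023 ssh2
Mar 10 13:45:07 host sshd[1207]: Accepted password for bob from 198.51.100.7 port 40024 ssh2
Mar 10 13:45:08 host sshd[1208]: pam_unix(sshd:session): session opened for user bob by (uid=0)
Mar 10 13:45:09 host cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

# Matches the sshd outcome lines that carry a source IP; session/pam/cron noise is skipped.
EVENT_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)

# Fixed column order so the feature matrix lines up with the README's output columns.
FEATURE_COLUMNS = ["total_attempts", "failed_attempts", "failure_rate", "distinct_users"]


def parse_events(lines: List[str]) -> List[dict]:
    """Label each sshd login line as failed/successful and extract user and source IP."""
    events = []
    for line in lines:
        m = EVENT_RE.search(line)
        if not m:
            continue  # not an SSH authentication outcome line
        events.append({
            "ip": m["ip"],
            "user": m["user"],
            "failed": m["outcome"] == "Failed",
            "invalid_user": m["invalid"] is not None,
        })
    return events


def aggregate_by_ip(events: List[dict]) -> Dict[str, Dict[str, float]]:
    """Per-IP attempt count, failure count, failure rate and distinct usernames tried."""
    totals = defaultdict(int)
    failures = defaultdict(int)
    users = defaultdict(set)
    for ev in events:
        totals[ev["ip"]] += 1
        failures[ev["ip"]] += int(ev["failed"])
        users[ev["ip"]].add(ev["user"])
    return {
        ip: {
            "total_attempts": totals[ip],
            "failed_attempts": failures[ip],
            "failure_rate": failures[ip] / totals[ip],
            "distinct_users": len(users[ip]),  # extra feature, not in the README's table
        }
        for ip in totals
    }


def feature_matrix(stats: Dict[str, Dict[str, float]]) -> Tuple[List[str], List[List[float]]]:
    """Turn the per-IP dict into (ips, rows) with columns in FEATURE_COLUMNS order."""
    ips = sorted(stats)
    rows = [[float(stats[ip][col]) for col in FEATURE_COLUMNS] for ip in ips]
    return ips, rows


def zscore_scale(rows: List[List[float]]) -> List[List[float]]:
    """Column-wise z-score (population std); a constant column is left at 0."""
    cols = list(zip(*rows))
    means = [statistics.fmean(c) for c in cols]
    stds = [statistics.pstdev(c) for c in cols]
    return [
        [(v - mu) / sd if sd else 0.0 for v, mu, sd in zip(row, means, stds)]
        for row in rows
    ]


def detect_anomalies(scaled_rows: List[List[float]], contamination: float = 0.1) -> List[int]:
    """Isolation Forest labels as in the README output: -1 anomalous, 1 normal."""
    from sklearn.ensemble import IsolationForest  # assumed: same library model.py relies on
    clf = IsolationForest(contamination=contamination, random_state=0)
    return [int(x) for x in clf.fit_predict(scaled_rows)]


if __name__ == "__main__":
    ips, rows = feature_matrix(aggregate_by_ip(parse_events(SAMPLE_LOG.splitlines())))
    print("ip".ljust(16), *FEATURE_COLUMNS)
    for ip, row in zip(ips, rows):
        print(ip.ljust(16), *[f"{v:.3f}" for v in row])
    try:
        print("anomaly labels:", detect_anomalies(zscore_scale(rows)))
    except ImportError:
        print("scikit-learn not installed; features computed, model step skipped")
```

The parser returns an empty list rather than raising on unexpected lines, so rotated logs mixed with cron, sudo and pam entries can be fed in unfiltered; only lines that state an authentication outcome and a source IP become events.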