graph-anomaly.ps1
. ..\queue\Queue.ps1
#find anomalies - variation of BADGraph
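function extend-subgraph($v, $t) {
    <#
    .SYNOPSIS
        Grows a low-average-weight subgraph outward from vertex $v, breadth-first.
    .DESCRIPTION
        Starting at $v, vertices are dequeued one at a time and every edge is
        followed; the end vertex is added to the subgraph when the subgraph's
        average vertex weight (including it) stays at or below the threshold $t.
        A subgraph of at least two vertices is appended to $mset, which is
        resolved through the enclosing scope, so the script works whether it is
        run or dot-sourced.
    .PARAMETER v
        Start vertex. Expected to expose getEdges() and .value.Weight.
    .PARAMETER t
        Threshold for the subgraph's average vertex weight. (The original body
        read the script-level $th instead of this parameter.)
    .OUTPUTS
        None. Side effect: a qualifying subgraph is added to $mset.
    #>
    $vertexQueue = New-Object Queue
    $vertexQueue.enqueue($v)
    $h = $v.value.Weight   # running total weight of the subgraph
    $s = @($v)             # subgraph vertices, seeded with the start vertex
    while (!$vertexQueue.isEmpty()) {
        $currentVertex = $vertexQueue.dequeue()
        foreach ($e in $currentVertex.getEdges()) {
            if ($null -eq $e) { continue }   # edge lists may hold nulls, as the weight loop assumes
            $ev = $e.endVertex
            # A vertex reached again along a cycle must not be added twice or
            # re-enqueued; without this check the loop could never drain.
            if ($s -contains $ev) { continue }
            # Accept the neighbour only if the average stays within the threshold.
            if ( ($h + $ev.value.weight) / ($s.count + 1) -le $t ) {
                $s += $ev
                $h += $ev.value.weight
                $vertexQueue.enqueue($ev)
            }
        }
    }
    if ($s.count -ge 2) {
        $mset.Add($s) | Out-Null
    }
}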
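$AW = 0   # average weight per vertex
$GW = 0   # total weight of all edges in the graph
# List of anomalous subgraphs. Declared in the global scope because
# extend-subgraph appends to it as $global:mset; a plain script-scope
# variable is not found there when the script is run rather than dot-sourced.
$global:mset = [System.Collections.ArrayList]@()

# Calculate the total "weight" of the graph. $g is not defined in this file
# and is expected to exist in the calling session.
foreach ($e in $g.getAllEdges()) {
    $GW = $GW + $e.weight
}
write-host "Weight of Graph: " $GW
# An empty graph would otherwise divide by zero.
if ($g.vertices.count -gt 0) {
    $AW = $GW / $g.vertices.count
}
write-host "Average weight per vertex: " $AW

# Assign a weight to each vertex: the sum of the weights of its edges.
# Iterate the dictionary keys (as the anomaly loop below does) instead of
# indexing by position, which yields $null for a plain hashtable.
foreach ($k in $g.vertices.Keys) {
    $v = $g.vertices[$k]
    $w = 0
    foreach ($e in $v.getEdges()) {
        if ($null -eq $e) { continue }   # $null on the left is the PowerShell convention
        $w = $w + $e.weight
    }
    $v.value.Weight = $w
}

# Hunt for anomalies: grow a subgraph from every vertex, keeping neighbours
# while the subgraph's average vertex weight stays at or below the threshold.
$th = [single]($AW) * 3   # threshold: three times the average weight per vertex
foreach ($k in $g.vertices.Keys) {
    $v = $g.vertices[$k]
    extend-subgraph $v $th
}

# Report each subgraph found with its total and average vertex weight.
for ($i = 0; $i -lt $mset.count; $i++) {
    write-host "---Subgraph" $i
    $w = 0
    for ($j = 0; $j -lt $mset[$i].count; $j++) {
        write-host "------ "$mset[$i][$j].value.Key
        $w = $mset[$i][$j].value.Weight + $w
    }
    $a = $w / $mset[$i].count
    write-host "------ " "Weight:" $w "Average weight:" $a
}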