[ For Share ] Detection for script-like traffic in Proxy logs
The goal was to spot traffic patterns that are too consistent to be human-generated.
1. Collect proxy logs (last 24 hours). This can be a huge amount of data, so I just sort the top 5 user and dest pairs, with dest being unique.
2. For each of the 5 rows, I re-run the same SPL for the $user$ and $dest$ tokens, but this time I spread the events at a 1-second time interval.
3. Calculation. Now, this might seem very technical to look at, but bear with me; it is not that complicated. I calculate the average time delta of the traffic and keep those that match a 60-second, 120-second, 300-second, etc. interval once the time delta is floor'd and ceiling'd. After that, I keep only the time delta matches where the spread of the time delta is less than 3 seconds. This narrows it down considerably, the idea being that we are removing the unpredictability of the traffic. This may still result in many events, so I also filter out the traffic with a largely variable payload (bytes_out). The UCL I used was the "payload mean" + 3 sigma.
4. That's it. The remaining parts are just cosmetics and CIM-compliance field renames.
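To make the step 3 logic concrete, here is the same heuristic written out in plain Python and run over constructed proxy log lines (this is an added example, not the poster's SPL). It assumes a simple `<epoch> <user> <dest> <bytes_out>` line format, interprets "spread" as the max-min range of the deltas, uses the population standard deviation for the 3-sigma UCL, and extends the 60/120/300-second interval set with a few more common sleep values; all of those are assumptions, not something the post states. The three pairs are built inline: one jittered 60-second check-in, one irregular human browsing session, and one exactly periodic client whose single oversized upload trips the payload rule.

```python
"""Beacon-style traffic heuristic from the post, re-implemented in Python.

Added example, not the original SPL. Log format, interval set, the
range-based "spread", and the population-stdev UCL are all assumptions.
"""
import math
import statistics
from collections import defaultdict

# The post names 60, 120 and 300 seconds "etc."; the other values are assumed.
BEACON_INTERVALS = {60, 120, 180, 300, 600, 900, 1800, 3600}
MAX_DELTA_SPREAD = 3   # seconds, from the post
PAYLOAD_SIGMAS = 3     # UCL = mean(bytes_out) + 3 sigma, from the post


def parse_line(line):
    """Parse one constructed line '<epoch> <user> <dest> <bytes_out>'."""
    ts, user, dest, bytes_out = line.split()
    # Step 2 of the post: put events on a 1-second grid before taking deltas.
    return int(float(ts)), user, dest, int(bytes_out)


def analyze_pair(timestamps, payloads):
    """Apply the three step-3 filters to one (user, dest) pair."""
    ts = sorted(timestamps)
    deltas = [b - a for a, b in zip(ts, ts[1:])]
    if len(deltas) < 2:
        return None                      # not enough traffic to judge
    mean_delta = sum(deltas) / len(deltas)
    spread = max(deltas) - min(deltas)
    # Filter 1: floor'd or ceiling'd average delta lands on a known interval.
    periodic = (math.floor(mean_delta) in BEACON_INTERVALS
                or math.ceil(mean_delta) in BEACON_INTERVALS)
    # Filter 2: the deltas barely vary (spread taken as max - min here).
    steady = spread < MAX_DELTA_SPREAD
    # Filter 3: bytes_out stays at or below mean + 3 sigma (population stdev).
    ucl = statistics.mean(payloads) + PAYLOAD_SIGMAS * statistics.pstdev(payloads)
    payload_ok = max(payloads) <= ucl
    return {
        "mean_delta": round(mean_delta, 2),
        "spread": spread,
        "periodic": periodic,
        "steady": steady,
        "payload_ok": payload_ok,
        "flagged": periodic and steady and payload_ok,
    }


def detect(lines):
    """Group lines by (user, dest) and return a verdict per pair."""
    groups = defaultdict(lambda: ([], []))
    for line in lines:
        ts, user, dest, bytes_out = parse_line(line)
        groups[(user, dest)][0].append(ts)
        groups[(user, dest)][1].append(bytes_out)
    results = {}
    for pair, (ts, payloads) in groups.items():
        verdict = analyze_pair(ts, payloads)
        if verdict is not None:
            results[pair] = verdict
    return results


def constructed_logs():
    """Three constructed (user, dest) pairs so the example runs offline."""
    base = 1_700_000_000
    lines = []
    # alice: check-in every 60 s with 0-1 s jitter and a constant 512-byte body.
    for i in range(24):
        lines.append(f"{base + 60 * i + (1 if i % 3 == 1 else 0)} alice cdn.example.test 512")
    # bob: human browsing, irregular gaps and varied request sizes.
    gaps = [3, 45, 2, 17, 7, 210, 1, 15, 4, 33]
    sizes = [880, 1200, 640, 2300, 510, 1900, 700, 450, 3100, 960, 820]
    t = base
    lines.append(f"{t} bob news.example.test {sizes[0]}")
    for gap, size in zip(gaps, sizes[1:]):
        t += gap
        lines.append(f"{t} bob news.example.test {size}")
    # carol: exactly every 300 s, but one 50 kB upload exceeds the payload UCL.
    for i in range(24):
        lines.append(f"{base + 300 * i} carol api.example.test {50_000 if i == 10 else 512}")
    return lines


if __name__ == "__main__":
    for (user, dest), verdict in detect(constructed_logs()).items():
        print(user, dest, verdict)
```

Only alice's pair survives all three filters: bob's gaps are neither periodic nor steady, and carol's traffic is perfectly periodic but is dropped by the payload rule, which is exactly the case the third filter exists for.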