The Stratosphere Linux IPS (Slips), is a behavioral-based intrusion detection and prevention system that uses machine learning algorithms to detect malicious behaviors.

Slips was first introduced in 2016. During the last year, Slips has gone through a significant refactoring process. The new version 0.6.2 of Slips was released on the 31st of October 2019. It is part of a larger suite of programs that include the Stratosphere Windows IPS and the Stratosphere Testing Framework.

Slips Architecture

Slips works at a flow level. Its core is to separate the traffic into profiles for each IP address that appeared in the traffic. A profile is a complete behavior of the IP in the traffic and the simplest data structure in Slips. Each profile is divided into time windows. Each time window is 1 hour long by default, and it contains dozens of features computed for all connections that start in that time window.

As slips internally generates Zeek files for most input files, Zeek log files are used to create profiles. For example, the timeline for each time window is an interpretation of what the IP did during 1 hour. The timeline consists of Zeek generated conn.log flows and additional interpretation from other logs like dns.log or http.log.

Operating platforms

  • Ubuntu 16.04 LTS
  • Debian stable/testing/unstable
  • MacOS 10.9.5, 10.10.x to 10.12.x
Get Stratosphere IPS for Linux here!