Stratosphere Linux IPS

The first free software to use machine learning to detect attacks in the network.

Stratosphere Linux IPS (Slips) is a modular system that profiles the behavior of IP addresses and performs detections in time windows. Slips' modules detect a range of attacks both to and from the protected device, connects to other Slips using P2P, and exports alerts to other systems. It was first introduced in 2016. During the last year, Slips has gone through a significant refactoring process. The new version 0.6.2 of Slips was released on the 31st of October 2019. It is part of a larger suite of programs that include the Stratosphere Windows IPS and the Stratosphere Testing Framework.

Slips Architecture

Slips works at a flow level. Its core is to separate the traffic into profiles for each IP address that appeared in the traffic. A profile is a complete behavior of the IP in the traffic and the simplest data structure in Slips. Each profile is divided into time windows. Each time window is 1 hour long by default, and it contains dozens of features computed for all connections that start in that time window.

As slips internally generates Zeek files for most input files, Zeek log files are used to create profiles. For example, the timeline for each time window is an interpretation of what the IP did during 1 hour. The timeline consists of Zeek generated conn.log flows and additional interpretation from other logs like dns.log or http.log.