Binary Log Parser and Anomaly Detector #!/usr/bin/env python3 """ Binary Log Parser and Anomaly Detector This script parses a custom binary format for login attempt logs and identifies potentially compromised accounts based on anomalous behavior. Format: - username_length: 4-byte integer (big-endian) - username: variable-length string - ip: 4-byte IPv4 address - timestamp: 4-byte Unix timestamp (big-endian) - success: 1-byte boolean Usage: python log_analyzer.py --input [--output ] [--sql ] """ import argparse import struct import socket import sqlite3 import json import os import sys from datetime import datetime from collections import defaultdict def parse_binary_log(file_path): """ Parse the binary log file according to the specified format. Args: file_path: Path to the binary log file Returns: List of login attempt records """ logs = [] try: with open(file_path, 'rb') as f: data = f.read() offset = 0 while offset < len(data): # Read username length (4-byte integer, big-endian) username_length = struct.unpack('>I', data[offset:offset+4])[0] offset += 4 # Read username (variable length string) username = data[offset:offset+username_length].decode('utf-8') offset += username_length # Read IP address (4-byte IPv4 address) ip_bytes = data[offset:offset+4] ip_address = socket.inet_ntoa(ip_bytes) offset += 4 # Read timestamp (4-byte Unix timestamp, big-endian) timestamp = struct.unpack('>I', data[offset:offset+4])[0] login_time = datetime.fromtimestamp(timestamp) offset += 4 # Read success flag (1-byte boolean) success = data[offset] == 1 offset += 1 # Add the parsed entry to our array logs.append({ 'username': username, 'ip_address': ip_address, 'timestamp': timestamp, 'login_time': login_time, 'success': success }) print(f"Successfully parsed {len(logs)} login attempts") return logs except Exception as e: print(f"Error parsing log file: {str(e)}") sys.exit(1) def detect_anomalies(logs): """ Analyze logs to identify potentially compromised accounts. Args: logs: List of parsed login attempt records Returns: List of users with anomaly scores and suspicious behavior details """ # Group logs by username user_logs = defaultdict(list) for log in logs: user_logs[log['username']].append(log) anomalies = [] # Business hours (assuming 9 AM to 5 PM) business_start_hour = 9 business_end_hour = 17 # Time threshold for rapid location changes (in seconds) location_change_threshold = 3600 # 1 hour # Analyze each user's login patterns for username, user_log in user_logs.items(): # Sort logs by timestamp user_log.sort(key=lambda x: x['timestamp']) # Calculate anomaly indicators unique_ips = set(log['ip_address'] for log in user_log) failed_attempts = sum(1 for log in user_log if not log['success']) successful_attempts = sum(1 for log in user_log if log['success']) # Check for rapid location changes rapid_location_changes = 0 for i in range(1, len(user_log)): current_log = user_log[i] previous_log = user_log[i-1] if current_log['ip_address'] != previous_log['ip_address']: time_diff = current_log['timestamp'] - previous_log['timestamp'] if time_diff < location_change_threshold: rapid_location_changes += 1 # Calculate after-hours logins after_hours_logins = sum( 1 for log in user_log if log['login_time'].hour < business_start_hour or log['login_time'].hour >= business_end_hour ) # Calculate anomaly score based on these factors # Weights can be adjusted based on the relative importance of each factor anomaly_score = ( (len(unique_ips) * 10) + (failed_attempts * 5) + (rapid_location_changes * 20) + (after_hours_logins * 3) ) anomalies.append({ 'username': username, 'anomaly_score': anomaly_score, 'unique_ips': len(unique_ips), 'ip_addresses': list(unique_ips), 'failed_attempts': failed_attempts, 'successful_attempts': successful_attempts, 'rapid_location_changes': rapid_location_changes, 'after_hours_logins': after_hours_logins, 'total_attempts': len(user_log) }) # Sort by anomaly score (descending) anomalies.sort(key=lambda x: x['anomaly_score'], reverse=True) return anomalies def create_database(logs, db_path=':memory:'): """ Create a SQLite database with the login data Args: logs: List of parsed login attempt records db_path: Path to save the SQLite database (default: in-memory) Returns: SQLite connection """ conn = sqlite3.connect(db_path) cursor = conn.cursor() # Create table cursor.execute(''' CREATE TABLE login_attempts ( id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL, ip_address TEXT NOT NULL, timestamp INTEGER NOT NULL, login_time TEXT NOT NULL, success INTEGER NOT NULL ) ''') # Create indexes cursor.execute('CREATE INDEX idx_username ON login_attempts(username)') cursor.execute('CREATE INDEX idx_ip_address ON login_attempts(ip_address)') cursor.execute('CREATE INDEX idx_timestamp ON login_attempts(timestamp)') cursor.execute('CREATE INDEX idx_success ON login_attempts(success)') # Insert data for log in logs: cursor.execute( 'INSERT INTO login_attempts (username, ip_address, timestamp, login_time, success) VALUES (?, ?, ?, ?, ?)', ( log['username'], log['ip_address'], log['timestamp'], log['login_time'].isoformat(), 1 if log['success'] else 0 ) ) conn.commit() return conn def generate_sql_script(): """ Generate a SQL script for creating the table and analyzing login data Returns: SQL script as a string """ return '''-- Create a table to store login attempts CREATE TABLE login_attempts ( id INTEGER PRIMARY KEY AUTOINCREMENT, username TEXT NOT NULL, ip_address TEXT NOT NULL, timestamp INTEGER NOT NULL, login_time TEXT NOT NULL, success INTEGER NOT NULL ); -- Create indexes for efficient searching CREATE INDEX idx_username ON login_attempts(username); CREATE INDEX idx_ip_address ON login_attempts(ip_address); CREATE INDEX idx_timestamp ON login_attempts(timestamp); CREATE INDEX idx_success ON login_attempts(success); -- Query to find users with multiple IP addresses SELECT username, COUNT(DISTINCT ip_address) AS unique_ip_count FROM login_attempts GROUP BY username HAVING unique_ip_count > 1 ORDER BY unique_ip_count DESC; -- Query to find failed login attempts followed by successful ones SELECT a.username, COUNT(*) AS suspicious_patterns FROM login_attempts a JOIN login_attempts b ON a.username = b.username AND a.timestamp < b.timestamp AND a.success = 0 AND b.success = 1 AND (b.timestamp - a.timestamp) < 300 -- Within 5 minutes GROUP BY a.username ORDER BY suspicious_patterns DESC; -- Query to find rapid login attempts from different locations SELECT a.username, a.ip_address AS ip1, b.ip_address AS ip2, datetime(a.login_time) AS time1, datetime(b.login_time) AS time2, (julianday(b.login_time) - julianday(a.login_time)) * 24 * 60 AS minutes_between FROM login_attempts a JOIN login_attempts b ON a.username = b.username AND a.ip_address != b.ip_address AND a.id < b.id AND (julianday(b.login_time) - julianday(a.login_time)) * 24 * 60 < 60 -- Less than 60 minutes apart ORDER BY minutes_between ASC; -- Query to find users with after-hours login activity SELECT username, COUNT(*) AS after_hours_logins FROM login_attempts WHERE (strftime('%H', login_time) < '09' OR strftime('%H', login_time) >= '17') GROUP BY username ORDER BY after_hours_logins DESC; -- Comprehensive anomaly detection query WITH unique_ips AS ( SELECT username, COUNT(DISTINCT ip_address) AS ip_count FROM login_attempts GROUP BY username ), failed_logins AS ( SELECT username, SUM(CASE WHEN success = 0 THEN 1 ELSE 0 END) AS failed_count FROM login_attempts GROUP BY username ), after_hours AS ( SELECT username, COUNT(*) AS after_hours_count FROM login_attempts WHERE (strftime('%H', login_time) < '09' OR strftime('%H', login_time) >= '17') GROUP BY username ), rapid_location_changes AS ( SELECT a.username, COUNT(*) AS rapid_changes FROM login_attempts a JOIN login_attempts b ON a.username = b.username AND a.ip_address != b.ip_address AND a.id < b.id AND (b.timestamp - a.timestamp) < 3600 -- Less than 1 hour apart GROUP BY a.username ) SELECT u.username, COALESCE(u.ip_count, 0) AS unique_ip_count, COALESCE(f.failed_count, 0) AS failed_logins, COALESCE(a.after_hours_count, 0) AS after_hours_logins, COALESCE(r.rapid_changes, 0) AS rapid_location_changes, (COALESCE(u.ip_count, 0) * 10) + (COALESCE(f.failed_count, 0) * 5) + (COALESCE(r.rapid_changes, 0) * 20) + (COALESCE(a.after_hours_count, 0) * 3) AS anomaly_score FROM unique_ips u LEFT JOIN failed_logins f ON u.username = f.username LEFT JOIN after_hours a ON u.username = a.username LEFT JOIN rapid_location_changes r ON u.username = r.username ORDER BY anomaly_score DESC LIMIT 10; ''' def analyze_compromised_user(conn, username): """ Perform detailed analysis on a potentially compromised user Args: conn: SQLite connection username: Username to analyze Returns: Dictionary with detailed analysis """ cursor = conn.cursor() # Get all login attempts for this user cursor.execute( ''' SELECT timestamp, login_time, ip_address, success FROM login_attempts WHERE username = ? ORDER BY timestamp ASC ''', (username,) ) logins = cursor.fetchall() # Analyze suspicious patterns suspicious_events = [] previous_ip = None previous_time = None for timestamp, login_time, ip_address, success in logins: if previous_ip and previous_ip != ip_address: time_diff = timestamp - previous_time if time_diff < 3600: # Less than 1 hour suspicious_events.append({ 'event_type': 'rapid_location_change', 'previous_ip': previous_ip, 'new_ip': ip_address, 'minutes_between': time_diff / 60 }) previous_ip = ip_address previous_time = timestamp # Get login success rate cursor.execute( ''' SELECT COUNT(*) AS total, SUM(CASE WHEN success = 1 THEN 1 ELSE 0 END) AS successful FROM login_attempts WHERE username = ? ''', (username,) ) total, successful = cursor.fetchone() success_rate = (successful / total) * 100 if total > 0 else 0 return { 'username': username, 'login_count': total, 'success_rate': success_rate, 'suspicious_events': suspicious_events, 'login_history': [ { 'timestamp': timestamp, 'login_time': login_time, 'ip_address': ip_address, 'success': bool(success) } for timestamp, login_time, ip_address, success in logins ] } def main(): """ Main function to process arguments and run the analysis """ parser = argparse.ArgumentParser(description='Analyze binary login logs for compromised accounts') parser.add_argument('--input', '-i', required=True, help='Path to binary log file') parser.add_argument('--output', '-o', help='Path to save analysis results (JSON)') parser.add_argument('--sql', '-s', help='Path to save SQL script') parser.add_argument('--db', '-d', help='Path to save SQLite database') parser.add_argument('--verbose', '-v', action='store_true', help='Enable verbose output') args = parser.parse_args() # Parse the binary log file print(f"Parsing binary log file: {args.input}") logs = parse_binary_log(args.input) # Analyze for anomalies print("Analyzing for suspicious behavior...") anomalies = detect_anomalies(logs) # Print top suspicious users print("\nTop potentially compromised accounts:") for i, anomaly in enumerate(anomalies[:5]): print(f"{i+1}. Username: {anomaly['username']}") print(f" Anomaly Score: {anomaly['anomaly_score']}") print(f" Unique IPs: {anomaly['unique_ips']}") print(f" Failed/Successful Logins: {anomaly['failed_attempts']}/{anomaly['successful_attempts']}") print(f" Rapid Location Changes: {anomaly['rapid_location_changes']}") print(f" After-Hours Logins: {anomaly['after_hours_logins']}") print() # Identify the most likely compromised user if anomalies: compromised_user = anomalies[0]['username'] print(f"RESULT: The most likely compromised account is: {compromised_user}") # Create database for SQL analysis db_path = args.db if args.db else ':memory:' conn = create_database(logs, db_path) # Get detailed analysis for the compromised user detailed_analysis = analyze_compromised_user(conn, compromised_user) if args.verbose: print("\nDetailed analysis for the compromised account:") print(f"Login history for {compromised_user}:") for entry in detailed_analysis['login_history']: status = "SUCCESS" if entry['success'] else "FAILED" print(f"{entry['login_time']} | {entry['ip_address']} | {status}") if detailed_analysis['suspicious_events']: print("\nSuspicious events:") for event in detailed_analysis['suspicious_events']: print(f"IP changed from {event['previous_ip']} to {event['new_ip']} " f"in {event['minutes_between']:.1f} minutes") else: print("No anomalies detected in the log data") # Save results to output file if args.output: with open(args.output, 'w') as f: json.dump({ 'summary': { 'total_logs': len(logs), 'total_users': len({log['username'] for log in logs}), 'compromised_user': compromised_user if anomalies else None }, 'anomalies': anomalies, 'detailed_analysis': detailed_analysis if anomalies else None }, f, indent=4, default=str) print(f"Analysis results saved to {args.output}") # Save SQL script if args.sql: with open(args.sql, 'w') as f: f.write(generate_sql_script()) print(f"SQL script saved to {args.sql}") # Report if database was saved if args.db: print(f"SQLite database saved to {args.db}") if __name__ == "__main__": main()