xdp-defense/config/config.yaml
kaffa 11c1ab0134 Add time-aware traffic logger and auto-retrain system
- Log traffic features with timestamps to CSV every 5s
- Add hour_sin/hour_cos time features (15 → 17 feature vector)
- Auto-retrain from traffic log at configurable interval (default 24h)
- Detect old 15-feature models and switch to learning mode
- SIGUSR1 now retrains from traffic log first, falls back to collect mode
- Add CLI: `ai traffic` (time-bucketed summary), `ai log` (recent entries)
- Add config keys: traffic_log_file, retention_days, retrain_window

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-07 10:14:07 +09:00


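---
# XDP Defense - Unified Configuration
# Combines CIDR/country/whitelist blocking with DDoS rate limiting + AI detection
#
# NOTE(review): the rendered listing had lost its indentation; the nesting below
# (escalation and ewma under rate_limits, traffic logging under ai) is the
# reconstruction that matches the section comments — confirm against the loader.

general:
  interface: eth0
  log_level: info  # debug, info, warning, error
  pid_file: /var/lib/xdp-defense/daemon.pid
  # Runtime state, model and logs live here; see the ai section for why this
  # directory must not be writable by anyone but the daemon's user.
  data_dir: /var/lib/xdp-defense
  bpf_dir: /opt/xdp-defense/bpf
  # Presumably where the BPF programs/maps are pinned; whoever can write here
  # can alter the live enforcement state — keep ownership tight.
  pin_path: /sys/fs/bpf/xdp-defense

blocker:
  enabled: true
  config_dir: /etc/xdp-blocker  # existing data path (blocklist, countries, whitelist)

rate_limits:
  default_pps: 1000  # packets per second threshold
  default_bps: 0  # bytes per second (0 = disabled)
  window_sec: 1  # time window in seconds
  # Time-based profiles (daemon switches automatically)
  profiles:
    business_hours:
      hours: "09:00-18:00"
      weekdays: "mon-fri"
      pps: 2000  # higher during business hours
      bps: 0
    night:
      hours: "00:00-06:00"
      # no weekdays key — presumably applies every day; confirm
      pps: 500  # stricter at night
      bps: 0
  escalation:
    # Violations before escalation
    rate_limit_after: 1  # violations before eBPF rate limiting kicks in
    temp_block_after: 5  # violations before temporary block
    perm_block_after: 999999  # effectively disabled
    # Temporary block duration (seconds)
    temp_block_duration: 300  # 5 minutes
    # Violation memory window (seconds) - violations older than this are forgotten
    violation_window: 600  # 10 minutes
    # Cooldown: after unblocking, track more aggressively
    cooldown_multiplier: 0.5  # multiply thresholds by this after recent block
  ewma:
    alpha: 0.3  # EWMA smoothing factor (0-1, higher = more reactive)
    poll_interval: 1  # seconds between rate counter polls
    threshold_multiplier: 3.0  # alert when EWMA > multiplier * baseline

ai:
  enabled: true
  model_type: IsolationForest
  contamination: auto  # let sklearn decide boundary
  n_estimators: 100  # number of trees
  # Learning phase
  learning_duration: 86400  # 24 hours baseline collection
  min_samples: 1000  # minimum samples before training
  # Inference
  poll_interval: 5  # seconds between feature reads
  anomaly_threshold: -0.16  # sklearn decision_function threshold
  # Retraining
  retrain_interval: 86400  # auto-retrain interval (seconds, default 24h)
  retrain_window: 86400  # data range for retrain (most recent N seconds)
  # Model persistence. A .pkl file is presumably loaded with pickle, which
  # executes code embedded in the file: a replaced model file means code
  # execution inside the daemon. Only the daemon's user may write this path.
  model_file: /var/lib/xdp-defense/ai_model.pkl
  training_data_file: /var/lib/xdp-defense/training_data.csv
  # Traffic logging. Auto-retrain reads this log back as training data, so
  # anything written here shapes future detection — protect it like the model.
  traffic_log_file: /var/lib/xdp-defense/traffic_log.csv
  traffic_log_retention_days: 7  # days to keep traffic log data
  # NOTE(review): the commit message lists this key as retention_days — confirm
  # which name the daemon actually reads.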