May 14, 2025 By Sergey

Integrated AI Analysis of Suricata: From Streams to Multi-Anomalies

The project is being implemented within the general framework of the Suri-Oculus project (https://suri-oculus.com).

Introduction

Suricata is a powerful engine for network traffic analysis and intrusion detection (IDS/IPS), capable of generating rich event streams. However, in real-world conditions, simple logical event analysis is not enough. Distributed attacks, hidden threats, and complex interdependencies require a deeper understanding of system behavior.

We implemented an integrated AI-powered Suricata event analysis system, which combines:

  • ML modules for analyzing individual streams (flow, http, dns, tls);
  • visualization of time-based dependencies and correlations;
  • system-wide meta-analysis;
  • automatic detection of multi-anomalies;
  • export, logging, and alerting mechanisms.

System Architecture

Overall flow:

Suricata ➝ Redis ➝ Stream-level ML Analysis ➝ Integrated Model ➝ UI/API

⬑ Log replay / pcap replay

Key Components:

  • First-Level Modules — Analyze specific event types (flow, DNS, TLS, etc.) using IsolationForest. 📁 Example modules: flow_ai_module.py, dns_ai_module.py.
  • Integrated Model — Aggregates features over a time window (e.g. 60 minutes) to detect system-level anomalies using RandomForest or IsolationForest.
  • Multi-Anomaly Detector — Identifies moments when multiple streams exhibit anomalies simultaneously — the so-called multi-anomalies.
  • User Interface — Built with Chart.js, Plotly.js, multilingual support (i18n), and auto-refresh logic.

Visualizations and Charts

1. Time-based Charts by Stream Type

  • Show the number of anomalies per stream type (flow, http, dns, tls).
  • Support filtering by time interval, range, and minimum anomaly threshold.

2. IP-based Anomaly Chart

Allows filtering anomalies for a specific src/dst IP.

3. Correlation Matrix and Strong Link Graph

  • The correlation matrix shows how stream types are related over time.
  • The strong link graph visualizes only stream types with correlations above a defined threshold (e.g. 0.7).

System Meta-Analysis

The meta-model evaluates aggregated features such as:

  • Number of anomalies per type (count_tls_anomalies_last_60m, etc.);
  • Total number of events;
  • Number of unique source IPs.

The result is a binary classification: 🔥 Deviation Detected or ✅ System is Operating Normally
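As an added illustration (not code from the Suri-Oculus project), here is how the aggregated features listed above can be computed over a sliding 60-minute window from the per-event verdicts that the first-level modules produce. The record layout, the constructed sample events, the fixed column order of the feature vector and the per-feature ceilings in classify() are all assumptions of this example; the ceilings stand in for the trained RandomForest/IsolationForest, which would learn them from history.

```python
"""Meta-feature aggregation over a sliding time window (added example, not Suri-Oculus code)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

STREAM_TYPES = ("flow", "http", "dns", "tls")

# Constructed sample of scored events, in the layout this example assumes a
# first-level module would write after scoring each Suricata event:
# timestamp, stream type, source IP and the module's anomaly verdict.
SAMPLE_EVENTS = [
    {"ts": "2025-05-14T10:00:05Z", "stream": "flow", "src_ip": "10.0.0.5", "anomaly": False},
    {"ts": "2025-05-14T10:03:10Z", "stream": "dns",  "src_ip": "10.0.0.5", "anomaly": True},
    {"ts": "2025-05-14T10:10:00Z", "stream": "tls",  "src_ip": "10.0.0.9", "anomaly": True},
    {"ts": "2025-05-14T10:20:30Z", "stream": "tls",  "src_ip": "10.0.0.9", "anomaly": True},
    {"ts": "2025-05-14T10:41:00Z", "stream": "http", "src_ip": "10.0.0.7", "anomaly": False},
    {"ts": "2025-05-14T08:55:00Z", "stream": "tls",  "src_ip": "10.0.0.2", "anomaly": True},  # older than 60 min
]

# Hypothetical per-feature ceilings standing in for the trained RandomForest /
# IsolationForest; a real deployment would learn these from historical windows.
BASELINE = {
    "count_flow_anomalies_last_60m": 3,
    "count_http_anomalies_last_60m": 3,
    "count_dns_anomalies_last_60m": 2,
    "count_tls_anomalies_last_60m": 1,
    "unique_src_ips_last_60m": 50,
}


def parse_ts(value):
    """Timestamps are assumed to be UTC ISO-8601 at seconds precision ('...Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def feature_names(window_minutes=60):
    """Fixed column order so every vector handed to the model has the same layout."""
    names = [f"count_{t}_anomalies_last_{window_minutes}m" for t in STREAM_TYPES]
    names += [f"total_events_last_{window_minutes}m", f"unique_src_ips_last_{window_minutes}m"]
    return names


def aggregate_window(events, now, window_minutes=60):
    """Count per-stream anomalies, total events and distinct source IPs in (now - window, now]."""
    start = now - timedelta(minutes=window_minutes)
    in_window = [e for e in events if start < parse_ts(e["ts"]) <= now]
    anomalies = Counter(e["stream"] for e in in_window if e["anomaly"])
    features = {f"count_{t}_anomalies_last_{window_minutes}m": anomalies.get(t, 0)
                for t in STREAM_TYPES}
    features[f"total_events_last_{window_minutes}m"] = len(in_window)
    features[f"unique_src_ips_last_{window_minutes}m"] = len({e["src_ip"] for e in in_window})
    return features


def to_vector(features, window_minutes=60):
    """Flatten the feature dict into the model's input row."""
    return [features[name] for name in feature_names(window_minutes)]


def classify(features, baseline=BASELINE):
    """Binary verdict: any feature above its ceiling counts as a system-level deviation."""
    deviates = any(features.get(name, 0) > limit for name, limit in baseline.items())
    return "Deviation Detected" if deviates else "System is Operating Normally"


if __name__ == "__main__":
    now = parse_ts("2025-05-14T10:45:00Z")
    feats = aggregate_window(SAMPLE_EVENTS, now)
    print(feats, to_vector(feats), classify(feats))
```

Running the block at 10:45 yields two TLS anomalies, one DNS anomaly, five events and three distinct source IPs inside the window; the 08:55 event is excluded. Because the TLS count exceeds its ceiling, the verdict is a deviation. Keeping feature_names() separate from aggregate_window() matters in practice: if training and inference ever disagree on column order, the model silently scores garbage.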

Multi-Anomalies and Alerts

When anomalies occur simultaneously in multiple streams, the event is classified as a multi-anomaly. Severity levels:

1 — 2 streams involved;
2 — 3 streams;
3 — All 4 types.

Each multi-anomaly event is logged in Redis with an escalated flag. An operator can manually escalate an event. In the future, integration with email, Slack, or Telegram will be added.

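An added example (not the project's own code) of the multi-anomaly logic described above: per-stream anomaly timestamps are grouped into one-minute buckets, a bucket with two or more anomalous stream types becomes a multi-anomaly, severity follows the 2/3/4-stream scale, and each record carries an escalated flag an operator can flip. The bucket size, the constructed sample timestamps, the "multi:<bucket>" key scheme and the in-memory class standing in for Redis are assumptions of this example.

```python
"""Multi-anomaly detection with severity levels, logging and manual escalation (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

STREAM_TYPES = ("flow", "http", "dns", "tls")
# Severity scale from the post: 2 streams -> 1, 3 streams -> 2, all 4 -> 3.
SEVERITY_BY_STREAM_COUNT = {2: 1, 3: 2, 4: 3}

# Constructed sample: timestamps at which each first-level module raised an anomaly.
SAMPLE_ANOMALIES = {
    "flow": ["2025-05-14T10:05:12Z", "2025-05-14T10:30:01Z"],
    "http": ["2025-05-14T10:05:40Z"],
    "dns":  ["2025-05-14T10:05:55Z", "2025-05-14T10:30:20Z", "2025-05-14T11:00:00Z"],
    "tls":  ["2025-05-14T10:05:03Z", "2025-05-14T10:30:59Z"],
}


def bucket_start(ts, bucket_seconds=60):
    """Map a UTC 'YYYY-MM-DDTHH:MM:SSZ' timestamp to the epoch second its bucket starts at."""
    dt = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    return epoch - epoch % bucket_seconds


def detect_multi_anomalies(anomalies_by_stream, bucket_seconds=60):
    """Return one record per bucket in which at least two stream types were anomalous."""
    streams_per_bucket = defaultdict(set)
    for stream, stamps in anomalies_by_stream.items():
        for ts in stamps:
            streams_per_bucket[bucket_start(ts, bucket_seconds)].add(stream)
    records = []
    for start in sorted(streams_per_bucket):
        streams = streams_per_bucket[start]
        if len(streams) < 2:
            continue  # a single anomalous stream is not a multi-anomaly
        records.append({
            "bucket": datetime.fromtimestamp(start, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "streams": sorted(streams, key=STREAM_TYPES.index),
            "severity": SEVERITY_BY_STREAM_COUNT.get(len(streams), 3),
            "escalated": False,  # set by an operator, never by the detector
        })
    return records


class MultiAnomalyLog:
    """In-memory stand-in for the Redis log; keys are assumed to be 'multi:<bucket>'."""

    def __init__(self):
        self.records = {}

    def save(self, record):
        key = f"multi:{record['bucket']}"
        self.records[key] = dict(record)
        return key

    def escalate(self, key):
        """Manual operator escalation: set the flag and return the updated record."""
        self.records[key]["escalated"] = True
        return self.records[key]

    def pending(self):
        """Records not yet escalated, highest severity first, for the operator's queue."""
        return sorted((r for r in self.records.values() if not r["escalated"]),
                      key=lambda r: -r["severity"])


if __name__ == "__main__":
    log = MultiAnomalyLog()
    for rec in detect_multi_anomalies(SAMPLE_ANOMALIES):
        print(log.save(rec), rec["severity"], rec["streams"])
```

On the sample data the 10:05 bucket has all four stream types (severity 3), the 10:30 bucket has flow, dns and tls (severity 2), and the lone DNS anomaly at 11:00 is ignored. The bucket width is the main tuning knob: too narrow and genuinely related anomalies land in neighbouring buckets and are missed; too wide and unrelated noise is promoted to a multi-anomaly.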
Web Interface Features

  • Full multilingual support (Russian & English);
  • Tooltips and modals explaining system logic;
  • Auto-refresh;
  • Multi-anomaly log with escalation controls.

Conclusion & Future Plans

We built a modular AI platform for analyzing Suricata data that combines statistical learning, machine intelligence, and intuitive visual feedback.

Next Steps:

  • Support for other sources (Zeek, Wazuh, etc.);
  • Integration with SIEM and alerting platforms;
  • Complex correlation rules and chained multi-alerts;
  • Distributed/cloud deployment support.

💡 AI helps not just detect anomalies — it allows us to truly understand the behavior of the network. And that is vital in a world of complex threats.