fosr 0.1.0

Fos-R (Forgery Of Security Records) is a synthetic network traffic generator.
# Fos-R

Fos-R is a network traffic generator based on AI models. It does not require a GPU and can generate on the order of Gbps of network traffic on a laptop.

## Setup

You can install Fos-R with:

    cargo install fosr

You need to install the pcap library. On Ubuntu/Debian, you can do:

    apt install libpcap-dev

Then, you can check the install with:

    fosr -V

# Generation modes

Several generation modes are available.

## Create-pcap

In this mode, Fos-R outputs a pcap file generated with the AI models.

## Honeynet

In this mode, Fos-R generates and plays network traffic between different computers in the same network.
Fos-R needs to be executed on each computer and provided with a configuration file.

## Replay-pcap

_(Not available yet)_

In this mode, Fos-R replays a pcap file with raw sockets.

# Roadmap

## v0.1 - March 2025 - "MVP"

- Create-pcap and honeynet modes
- Linux only support
- Basic default models

## v0.2 - Q2 2025 - "Usability"

- Documentation and API
- User interface
- Performance and binary size

## v0.3 - Q3 2025 - "Portability"

- Windows version
- WASM version (pcap creation only)

## v0.4 - Q4 2025 - "Quality"

- Generation quality
- High quality default models
- Concept drift mode

# Technical description

The generation is organized in four stages.

## Stage 0: timestamp generation

This step selects the starting point of the next flow to generate.

## Stage 1: netflow generation

This step is based on the FlowChronicle tool. Using the set of learned patterns as input, it generates new netflow records by first sampling patterns and then sampling non-fixed values inside these patterns.

## Stage 2: intermediate representation generation

This step is based on the TADAM tool. Using the flows generated by stage 1, it creates a list of `PacketsIR<T>`, where `T` is a transport protocol. Each `PacketsIR<T>` corresponds to a flow between two IP addresses. This structure contains the original flow (generated by stage 1) with the metadata of the flow. There is also a vector `packets_info` that contains some information about the packet header: packet direction (forward or backward), payload size and type, timestamp, and TCP flags when the transport protocol is TCP.
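
A minimal Rust model of the stage 2 structure, added here as an illustration and not taken from the Fos-R source: only `PacketsIR<T>` and `packets_info` are names from this page, while the `Transport` trait, the field names and both checks are assumptions. It shows how being generic over the transport protocol keeps TCP flags out of non-TCP flows, and how a generated flow can be checked against its stage 1 record before stage 3 builds packets from it.

```rust
// Added sketch, not Fos-R source. Only `PacketsIR<T>` and `packets_info` are
// names from the README; every other type, field and function is assumed.
pub trait Transport { type Extra; } // protocol-specific per-packet data
pub struct Tcp; pub struct Udp;
#[derive(Clone, Copy)] pub struct TcpFlags { pub syn: bool, pub ack: bool, pub fin: bool }
impl Transport for Tcp { type Extra = TcpFlags; }
impl Transport for Udp { type Extra = (); } // no flags outside TCP
#[derive(Clone, Copy, PartialEq)] pub enum Direction { Forward, Backward }
pub struct PacketInfo<T: Transport> {
    pub direction: Direction, pub payload_size: usize,
    pub timestamp_us: u64, // microseconds since flow start
    pub extra: T::Extra,
}
pub struct Flow { pub fwd_bytes: usize, pub bwd_bytes: usize } // stage 1 record, reduced
pub struct PacketsIR<T: Transport> { pub flow: Flow, pub packets_info: Vec<PacketInfo<T>> }
impl<T: Transport> PacketsIR<T> {
    /// Reject an IR whose packets contradict the flow record they expand.
    pub fn check(&self) -> Result<(), &'static str> {
        if self.packets_info.windows(2).any(|w| w[1].timestamp_us < w[0].timestamp_us) {
            return Err("timestamps go backwards");
        }
        let sum = |d: Direction| -> usize {
            self.packets_info.iter().filter(|p| p.direction == d).map(|p| p.payload_size).sum()
        };
        if sum(Direction::Forward) != self.flow.fwd_bytes { return Err("forward bytes mismatch"); }
        if sum(Direction::Backward) != self.flow.bwd_bytes { return Err("backward bytes mismatch"); }
        Ok(())
    }
}
impl PacketsIR<Tcp> {
    /// TCP only: the first three packets must be SYN, SYN+ACK, ACK.
    pub fn has_handshake(&self) -> bool {
        use self::Direction::*;
        let want = [(Forward, true, false), (Backward, true, true), (Forward, false, true)];
        self.packets_info.len() >= 3 && self.packets_info.iter().zip(want)
            .all(|(p, (d, syn, ack))| p.direction == d && p.extra.syn == syn && p.extra.ack == ack)
    }
}
/// Constructed sample: handshake, 120-byte request, 900-byte response.
pub fn sample_tcp_ir() -> PacketsIR<Tcp> {
    use self::Direction::*;
    let f = |syn, ack| TcpFlags { syn, ack, fin: false };
    let rows = [(Forward, 0, 0, f(true, false)), (Backward, 0, 40, f(true, true)),
        (Forward, 0, 80, f(false, true)), (Forward, 120, 95, f(false, true)),
        (Backward, 900, 210, f(false, true))];
    PacketsIR { flow: Flow { fwd_bytes: 120, bwd_bytes: 900 }, packets_info: rows.iter()
        .map(|&(direction, payload_size, timestamp_us, extra)|
            PacketInfo::<Tcp> { direction, payload_size, timestamp_us, extra }).collect() }
}
fn main() { let ir = sample_tcp_ir(); println!("{:?} handshake={}", ir.check(), ir.has_handshake()); }
```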

## Stage 3: packet generation

Stage 3 creates a list of complete packets by completing the information given by the output of stage 2.

## Stage 4 (optional): send and receive packets on the network

Stage 4 relies on raw sockets to send and receive the packets generated by stage 3.