Modern network detection mechanisms frequently separate structural protocol analysis from content inspection. However, combining stateful network monitoring with real-time semantic analysis of application-layer data yields an aggressive approach to spotting modern exploitation patterns.
The SSTATS framework implements a decoupled architecture to monitor high-fidelity telemetry at wire-speed while offloading suspicious unencrypted Layer 7 payloads to a local Large Language Model (LLM) for zero-day intent classification.
Network interface cards handling raw socket captures operate under extreme latency constraints. If packet inspection logic blocks on I/O operations or intense computations, the kernel's ring buffer fills up, resulting in dropped frames.
SSTATS mitigates this constraint by splitting operations across three decoupled threads using a shared memory state model:
The Ingestion Layer: The Scapy sniffing thread binds directly to the network interface in promiscuous mode. By enforcing store=False, it prevents the internal memory footprint from accumulating historical frames, handling packets directly inside an ephemeral callback loop.
The Storage Intermediary: A thread-safe FIFO pipeline (queue.Queue) isolates the packet capture loop from the LLM execution path. This structure acts as a dynamic shock absorber, accumulating raw payloads during high-traffic bursts without introducing latency back pressure to the sniffer interface.
The Analytics Engine: The llm_worker thread loops continuously, processing elements via blocking .get() operations, isolating the HTTP request delays to local Ollama endpoints from the wire ingestion logic.
Instead of evaluating single connections in isolation, SSTATS maintains a tracking dictionary mapping a source IP to a set of distinct destination ports:
By implementing a uniqueness constraint via a Python set(), duplicate attempts on a single port do not skew the threshold metric. If the set's length exceeds the SCAN_THRESHOLD parameter (set to 20), the sensor immediately flags the behavior as a scanning signature (e.g., an active Nmap stealth scan).
Administrative ports 21 (FTP), 22 (SSH), and 23 (Telnet) are continuously tracked for access validation. When a structural connection token (tcp_flags == 'S') targets one of these ranges, the engine executes a rapid validation pass against a defined WHITELISTED_IPS set. An anomaly triggers a high-priority structural alert before a formal authentication attempt can even complete.
When a packet exposes an active Raw data layer, the engine switches from pure structural evaluation to semantic validation.
The system filters protocol frames by matching binary string signatures (such as b"GET " or b"POST " for HTTP, or b"HELO " / b"EHLO " for SMTP). Once identified, the engine decodes the byte array using standard UTF-8 string interpolation, applying errors='ignore' to strip out corrupt characters, fragmented frames, or binary streams that could break string validation rules.
The extracted context is formatted into a strict system-level evaluation query:
`Analyze the following network payload for malicious intent. Output only 'SAFE' or 'MALICIOUS: [Reason]'. Payload: <payload>`
By binding this payload to a highly optimized local reasoning model like deepseek-r1 via Ollama, the model performs fine-grained structural evaluation on the text string. It parses complex input modifications—such as SQL injections, directory traversal paths, or base64-obfuscated commands—without requiring explicit pre-compiled signatures.
While SSTATS presents a highly adaptable architecture for network monitoring, deploying it in high-stress production or lab testing environments surfaces several technical considerations:
The script updates global variables (counters, logs, and syn_scan_tracker) directly across multiple execution contexts. In high-concurrency environments, multi-threaded operations on standard Python data structures can cause subtle data synchronization conflicts. Adding an explicit thread lock from the threading.Lock library around global writes ensures predictable state tracking under extreme loads.
Scapy relies on raw socket bindings that parse packet elements up through the user-space layer. For low-to-medium throughput segments or targeted laboratory auditing, this approach is exceptionally modular. However, on highly congested production links, native kernel framework drivers—such as AF_PACKET sockets, DPDK bindings, or an eBPF instrumentation hook—are recommended to scale ingestion performance.