Slips is a modular, behavior-based intrusion prevention system written in Python that uses machine learning to detect malicious behaviors in network traffic.
Slips was designed to focus on targeted attacks and on the detection of command and control channels, and to give the analyst good visualisation of what it finds. Slips can analyze real live traffic as well as large network captures in the form of pcap files and Suricata, Zeek/Bro and Argus flows, and it highlights the suspicious behaviour and connections that need to be analyzed in depth.
How can you help?
All contributors are welcome! Here are a few ideas, and be sure to check our GitHub repository!
Run Slips, report bugs and missing features, and suggest ideas
Pull requests that solve an open GitHub issue or add a new feature
Pull requests with a new detection module
Latest News
The T Cell module was created to give Slips a stateful adaptive response layer on top of its existing evidence pipeline. While the original detectors already provide the innate immune component through PAMP and DAMP evidence (pathogen-associated and damage-associated molecular patterns, in the immune analogy), the T Cell module adds antigen recognition, co-stimulation, context evaluation, tolerance, activation, effector action, and memory. It does this by extracting structured antigens from live evidence, matching them against the accepted regex repertoire generated by RegexGenerator, and then combining that recognition with the cumulative danger signaled by recent PAMP and DAMP observations. This allows Slips to move from isolated detections to an explicit immune decision process that can decide when to ignore, when to contain, and when to remember.
The RegexGenerator module was created to give Slips an adaptive way to discover new string-based detectors for changing indicators such as domains, URIs, filenames, TLS SNI values, and certificate common names. It continuously uses the shared LLM service to propose one regex at a time, then applies local validation and negative selection against benign corpora to reject unsafe or overly broad patterns. The accepted regexes become a reusable adaptive recognition repertoire for other modules, especially the T Cell responder.
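As an added illustration (this is not Slips' own code), the following Python sketch shows how the two modules described above fit together: a candidate regex passes local validation and negative selection only if it matches every observed indicator and misses a benign corpus, and the accepted repertoire then feeds a stateful responder that needs both antigen recognition and a cumulative danger signal for the same host before it contains and remembers an antigen. The sample SNI values, the benign corpus, the danger threshold and the window size are all constructed for the example.

```python
import re
from collections import deque

# Constructed samples: TLS SNI values seen in malicious evidence ("non-self")
# and a benign corpus ("self") that an accepted regex must not match.
MALICIOUS_SNI = ["update-cdn-9f3a.top", "update-cdn-b71c.top", "update-cdn-00ee.top"]
BENIGN_CORPUS = ["www.google.com", "cdn.jsdelivr.net", "update.microsoft.com",
                 "static-cdn.example.org", "api.github.com", "blog.example.top"]


def validate_regex(pattern, max_len=120):
    """Local safety check: bounded length, compiles, and no nested quantifier
    such as (a+)+ or (.*)* that invites catastrophic backtracking."""
    if len(pattern) > max_len or re.search(r"\([^()]*[+*]\)[+*]", pattern):
        return False
    try:
        re.compile(pattern)
    except re.error:
        return False
    return True


def negative_selection(pattern, positives, benign, max_benign_hits=0):
    """Accept a candidate only if it matches every positive sample and at most
    max_benign_hits entries of the benign corpus; anything broader is rejected."""
    if not validate_regex(pattern):
        return False
    rx = re.compile(pattern)
    if not all(rx.search(s) for s in positives):
        return False
    return sum(1 for s in benign if rx.search(s)) <= max_benign_hits


def build_repertoire(candidates, positives=MALICIOUS_SNI, benign=BENIGN_CORPUS):
    """Filter proposed candidates down to the accepted recognition repertoire."""
    return [p for p in candidates if negative_selection(p, positives, benign)]


class TCell:
    """Hypothetical stateful responder. Recognition alone is not enough: activation
    needs a co-stimulatory danger signal accumulated from recent PAMP/DAMP
    evidence for the same host. Remembered antigens trigger containment directly
    on the next encounter, even when seen on a different host."""

    def __init__(self, repertoire, window=5, activation_threshold=2.0):
        self.repertoire = [re.compile(p) for p in repertoire]
        self.danger = {}              # host -> recent danger scores (bounded window)
        self.memory = set()           # antigens that caused containment before
        self.window = window
        self.threshold = activation_threshold

    def observe_danger(self, host, score):
        """Record a PAMP/DAMP danger score for a host (from other evidence)."""
        self.danger.setdefault(host, deque(maxlen=self.window)).append(score)

    def decide(self, host, antigen):
        """Return one of 'ignore', 'tolerate' or 'contain'."""
        if antigen in self.memory:
            return "contain"                        # memory (secondary) response
        if not any(r.search(antigen) for r in self.repertoire):
            return "ignore"                         # no antigen recognition
        if sum(self.danger.get(host, ())) < self.threshold:
            return "tolerate"                       # recognized, but no co-stimulation
        self.memory.add(antigen)                    # effector action plus memory
        return "contain"


if __name__ == "__main__":
    repertoire = build_repertoire([r"update", r".*\.top$",
                                   r"^update-cdn-[0-9a-f]{4}\.top$", r"(a+)+"])
    cell = TCell(repertoire)
    cell.observe_danger("10.0.0.5", 1.5)
    cell.observe_danger("10.0.0.5", 1.0)
    print(repertoire, cell.decide("10.0.0.5", "update-cdn-9f3a.top"))
```

Note how the composition of the benign corpus decides what "too broad" means: `.*\.top$` is rejected only because the corpus contains a benign `.top` name, so the corpus has to be representative of the monitored network for negative selection to do its job.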
Our team is excited to share the latest news and features of Slips, our behavioral-based machine learning intrusion detection system.
The new HTTPS anomaly detection module in Slips builds per-host adaptive baselines in traffic time, then detects deviations at two levels: per-flow (for bytes to known servers) and per-hour (for host behavior like new servers, unique servers, JA3 changes, and flow volume). It uses online statistics and z-scores for transparent scoring, plus controlled adaptation states (training_fit, drift_update, suspicious_update) to keep learning while reducing poisoning risk.
The result is explainable, operational evidence in clear human text: what changed, confidence, and why it is anomalous.
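As an added example (not the module's own code), here is a minimal Python version of the adaptation logic described above: a Welford online mean and variance per (host, feature) key, the z-score as the transparent score, the three states named in the text, and evidence rendered as plain text with the observation, the baseline, the confidence and the threshold that was crossed. The training length, the alert threshold, the clipping rule used in suspicious_update and the sample traffic are constructed for the example.

```python
import math


class AdaptiveBaseline:
    """Online baseline for one feature (Welford's algorithm) with the three
    adaptation states named in the text. Hypothetical simplification."""

    def __init__(self, min_train=20, z_alert=3.0):
        self.n = 0
        self.mean = 0.0
        self.m2 = 0.0                # running sum of squared deviations
        self.min_train = min_train
        self.z_alert = z_alert

    def std(self):
        return math.sqrt(self.m2 / (self.n - 1)) if self.n > 1 else 0.0

    def zscore(self, x):
        s = self.std()
        if s == 0.0:
            return 0.0 if x == self.mean else math.inf
        return (x - self.mean) / s

    def _fit(self, x):
        # Welford update: numerically stable mean/variance in one pass.
        self.n += 1
        delta = x - self.mean
        self.mean += delta / self.n
        self.m2 += delta * (x - self.mean)

    def explain(self, x, z, what):
        confidence = min(1.0, 0.5 + (abs(z) - self.z_alert) / (2 * self.z_alert))
        return (f"{what}: observed {x:.0f}, baseline {self.mean:.0f} +/- {self.std():.0f} "
                f"over {self.n} samples, z={z:.1f} (alert at {self.z_alert:.1f}), "
                f"confidence {confidence:.2f}")

    def update(self, x, what="value"):
        """Return (state, z, evidence_text_or_None)."""
        if self.n < self.min_train:
            self._fit(x)                           # training_fit: learn everything
            return "training_fit", 0.0, None
        z = self.zscore(x)
        if abs(z) < self.z_alert:
            self._fit(x)                           # drift_update: follow slow change
            return "drift_update", z, None
        evidence = self.explain(x, z, what)
        # suspicious_update: report, then absorb only a value clipped to the alert
        # boundary, so repeated outliers cannot drag the baseline towards themselves.
        clipped = self.mean + math.copysign(self.z_alert * self.std(), x - self.mean)
        self._fit(clipped)
        return "suspicious_update", z, evidence


class HttpsAnomalyDetector:
    """One baseline per (level, host, feature) key; collects the evidence text."""

    def __init__(self, **baseline_kwargs):
        self.baselines = {}
        self.kwargs = baseline_kwargs
        self.evidence = []

    def observe(self, key, value, what):
        b = self.baselines.setdefault(key, AdaptiveBaseline(**self.kwargs))
        state, z, text = b.update(value, what)
        if text:
            self.evidence.append(text)
        return state, z

    def per_flow(self, host, server, resp_bytes):
        return self.observe(("flow", host, server), resp_bytes,
                            f"{host} -> {server} bytes per TLS flow")

    def per_hour(self, host, feature, value):
        return self.observe(("hour", host, feature), value, f"{host} hourly {feature}")


def run_demo():
    """Constructed traffic: 25 ordinary flows to one server, then one huge response."""
    det = HttpsAnomalyDetector(min_train=20, z_alert=3.0)
    states = [det.per_flow("10.0.0.5", "api.example.com", 1500 + (i * 37) % 200)[0]
              for i in range(25)]
    anomaly = det.per_flow("10.0.0.5", "api.example.com", 900_000)
    return det, states, anomaly


if __name__ == "__main__":
    det, states, anomaly = run_demo()
    print(states[-1], anomaly[0], det.evidence[0], sep="\n")
```

The per-hour features from the text (new servers, unique servers, JA3 changes, flow volume) use the same class keyed by (host, feature) via `per_hour`; only the value that is fed in differs.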
Our research identifies sixteen fundamental principles of biological immunity and translates them into cybersecurity defense architectures that emphasize multi-dimensional coordination over single-point tactics.