Show HN: AI-assisted approach to detecting patterns in network traffic
viru7 Monday, December 29, 2025
I’ve been experimenting with an AI-assisted approach to detecting patterns in network traffic.
For context, I maintain a project called Phone Home Detector, which analyses traffic between IP address pairs. It aggregates traffic into one-minute buckets and applies a set of fixed rules based on byte counts and transmission intervals.
I recently prototyped an extension that exposes transmission size and timing data through an MCP tool, making it queryable by an LLM. The goal is to explore whether an LLM can identify patterns that are difficult to capture using static rules alone.
This work is still experimental, and I’m not yet convinced it is an improvement over fixed-rule approaches. That said, I do find it interesting, and it may be a foundation for further exploration. The following is an example of a summary that it generates:
The data sizes sent to IP address 91.189.91.49 are mostly consistent at 200, after an initial size of 168, and the intervals at which they are sent vary without any apparent pattern.
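The two properties that summary reports, size consistency and interval regularity, can also be computed by a fixed-rule baseline over one-minute buckets. The sketch below is an added example, not code from Phone Home Detector or from the post's author; the record layout, the thresholds, the labels, the source address and the second destination are assumptions, and the sample records are constructed.

```python
from collections import Counter, defaultdict
from statistics import mean, pstdev

LAN = "192.168.1.10"  # constructed source address (assumption)
# Constructed records, not a real capture: (unix_seconds, src, dst, bytes_sent)
SAMPLE = (
    [(t, LAN, "91.189.91.49", n) for t, n in
     [(0, 168), (130, 200), (425, 200), (490, 200), (1210, 200), (1500, 200)]]
    + [(t, LAN, "203.0.113.7", 512) for t in (5, 305, 605, 905, 1205)]
)

def bucket_by_minute(records):
    """Sum bytes per (src, dst) pair in one-minute buckets."""
    buckets = defaultdict(lambda: defaultdict(int))
    for ts, src, dst, size in records:
        buckets[(src, dst)][ts // 60] += size
    return buckets

def profile(minutes):
    """Size and interval statistics for one pair's non-empty buckets."""
    order = sorted(minutes)
    sizes = [minutes[m] for m in order]
    gaps = [b - a for a, b in zip(order, order[1:])]  # gaps in minutes
    modal_size, hits = Counter(sizes).most_common(1)[0]
    cv = pstdev(gaps) / mean(gaps) if gaps else 0.0  # coefficient of variation
    return {"modal_size": modal_size, "modal_share": hits / len(sizes),
            "gaps": gaps, "interval_cv": cv}

def classify(p, share_min=0.8, cv_max=0.1, min_gaps=3):
    """Fixed rules with assumed thresholds; too few buckets is never 'regular'."""
    consistent = p["modal_share"] >= share_min
    regular = len(p["gaps"]) >= min_gaps and p["interval_cv"] <= cv_max
    if consistent and regular:
        return "beacon-like"
    return "consistent-size-only" if consistent else "no-pattern"

def analyse(records):
    """Map each (src, dst) pair to (label, profile)."""
    return {pair: (classify(p), p)
            for pair, m in bucket_by_minute(records).items()
            for p in [profile(m)]}

if __name__ == "__main__":
    for (src, dst), (label, p) in analyse(SAMPLE).items():
        print(f"{src} -> {dst}: {label}, modal size {p['modal_size']} "
              f"({p['modal_share']:.0%}), minute gaps {p['gaps']}")
```

The first constructed pair mirrors the summary above (one 168-byte bucket, then 200-byte buckets at uneven gaps) and stays below the beacon rule, while the evenly spaced second pair trips it.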