All numeric limits used by the detectors are module-level constants defined near the top of ids.py. Changing a constant and restarting the sniffer is the only action required to retune sensitivity.
Threshold reference
| Constant | Default | Scope | Rationale |
|---|
THRESHOLD_SYN_FLOOD | 10 | Packets in 500 ms window, per source IP | Pure SYN without ACK is rare in legitimate traffic; 10 occurrences in half a second is a clear storm signal |
THRESHOLD_DDOS | 500 | Packets in 1 s window, per destination IP | High to avoid false positives from video streaming, large downloads, or CDN bursts hitting the same host |
PORT_SCAN_THRESHOLD | 10 | Unique destination ports, cumulative per session | A browser opens 1–3 ports; touching 10 different ports from one source IP is an unambiguous reconnaissance pattern |
THRESHOLD_UDP_FLOOD | 500 | Packets in 1 s window, per destination IP | High to accommodate DNS query bursts and gaming traffic without triggering spurious alerts |
TIEMPO_ENTRE_ALERTAS | 2 | Seconds between repeat alerts per source IP | Anti-spam throttle — prevents a sustained attack from generating thousands of database writes and Telegram messages per minute |
Window sizes
Rate-based thresholds operate within a fixed time window. The window is enforced by the sliding-window list comprehension in each detector:
| Detector | Window |
|---|
| SYN flood | 500 ms (t - ts <= 0.5) |
| DDoS distribuido | 1 second (t - ts <= 1) |
| UDP flood | 1 second (t - ts <= 1) |
ML confidence threshold
When IPS mode is active, every heuristic detection is passed to the ensemble ML model for classification. The result of that classification is used only if the model’s confidence meets a minimum:
# In guardar_ataque():
if pred_ml and pred_ml != "Normal" and confianza >= 0.70:
tipo_final = f"{pred_ml} (ML: {confianza*100:.1f}%)"
else:
tipo_final = f"{tipo_ataque} (Heurística)"
| Condition | Label applied |
|---|
| ML confidence ≥ 70% and prediction is not “Normal” | ML label, e.g. SYN Flood (ML: 92.3%) |
| ML confidence < 70% or model unavailable | Heuristic label, e.g. SYN Flood (Heurística) |
clasificar_ataque_ml() returns ("Desconocido", 0.0) and the heuristic label is always used.
How to modify thresholds
All thresholds are plain Python constants at module scope. Open ids.py and edit the values directly:
# --- DETECTION THRESHOLDS ---
THRESHOLD_SYN_FLOOD = 10 # increase to reduce sensitivity
THRESHOLD_DDOS = 500 # decrease to catch lower-volume floods
PORT_SCAN_THRESHOLD = 10 # increase if legitimate apps probe many ports
THRESHOLD_UDP_FLOOD = 500 # decrease if UDP saturation occurs at lower rates
TIEMPO_ENTRE_ALERTAS = 2 # increase to reduce alert frequency per IP
Threshold changes take effect only on the next iniciar_monitoreo() call. If the sniffer is already running, stop it via detener_monitoreo(), update the constants, then call iniciar_monitoreo() again.
Sensitivity vs. false-positive tradeoff
Lowering a threshold makes the detector more sensitive — it will fire earlier and catch weaker attacks — but increases the probability of false positives on normal traffic. Raising a threshold reduces false positives but may allow lower-intensity attacks to go undetected.
| Goal | Action |
|---|
| Reduce false positives on a busy network | Raise THRESHOLD_DDOS and THRESHOLD_UDP_FLOOD |
| Detect low-rate stealth scans | Lower PORT_SCAN_THRESHOLD to 5 |
| Reduce alert noise during a known attack | Raise TIEMPO_ENTRE_ALERTAS |
| Improve detection in a controlled lab | Lower all thresholds (fewer legitimate bursts to contend with) |
If you observe frequent false positives from a specific IP range (for example, an internal monitoring system that probes ports), add its CIDR block to RANGOS_CONFIABLES in ids.py instead of raising thresholds globally. This protects detection sensitivity for all other traffic.