Re: [Nmlrg] Machine Learning in network - solicitation for use cases

["Liubing (Leo)" <leo.liubing@huawei.com>]

Hi Brian,

Thanks for your elaborating explanation.
Please see inline.

> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> Sent: Tuesday, September 08, 2015 12:39 PM
> To: Liubing (Leo); Sheng Jiang; Dacheng Zhang; nmlrg@irtf.org
> Subject: Re: [Nmlrg] Machine Learning in network - solicitation for use cases
> 
> On 08/09/2015 16:00, Liubing (Leo) wrote:
> 
> ...
> > But I'm curious about what is the item that could be labeled as "This is not
> an attack " or " You missed an attack ". E.g., the item is an packet, a stream,
> or any other kind of N-tuple things.
> 
> The two cases are rather different.
> 
> 1. The system signals "attack in progress" to the NOC. The operators have a
> look and decide that there is no attack, it is just some unusual traffic.
> (Example: you are live-streaming the Olympic Games. Two seconds after the
> end of the 100 metres final, there is an enormous burst of traffic.
> The machine learning system signals an attack, because it was not trained on
> the data set from the previous Olympic Games.)
> 
> In this case the NOC operators urgently tell the algorithm it is wrong.
> It needs to learn that the signature of a sudden burst just after the end of an
> event is less likely to be an attack than a sudden burst at another time.
> 
> 2. Someone invents a new kind of DDoS attack, which is therefore not in the
> historical training data. The system doesn't identify it.
> In this case, the NOC operators tell the algorithm "Attack started at <time>."

[Bing] It feels like the learning objects are mostly traffic burst events? When traffic burst happens, the machine judges whether it's a DDoS or not.
Then the training data might be a bunch of traffic burst evens marked as normal or abnormal. And the challenge should be how to pick a set of features out of a burst event for the machine learning program to discover the pattern of normal/abnormal classification.

This is just my hypothetical case, could be all wrong.

> This automatically becomes high quality training data for the algorithm: the
> signature of the new traffic at that time is 100% certain to be an attack.

> I think the hard part is extracting useful signatures from the traffic stream in
> real time; the learning/training part is fairly standard.
[Bing] When you said the signature of "100% certain", my perception is that it is something like the typical virus detection approach, which doing exact match of a particular piece of code that could identify a virus.
If my perception was correct, I think the signatures are some special combinations of the features (as mentioned above) where the classification pattern has a 100% confidence. Then I think it doesn't need to extract the signatures in real time, because the features are all pre-defined. 

However, this is only from my view, I might have totally misunderstood you.

Best regards,
Bing

>     Brian