Re: [Nmlrg] Machine Learning in network - solicitation for use cases

Sheng Jiang <jiangsheng@huawei.com> Sat, 19 September 2015 02:35 UTC

From: Sheng Jiang <jiangsheng@huawei.com>
To: Sebastian Abt <sabt@sabt.net>
Date: Sat, 19 Sep 2015 02:34:47 +0000
Archived-At: <http://mailarchive.ietf.org/arch/msg/nmlrg/7665QFJmRm39q0PrHfCuA8zLTaI>
Cc: "nmlrg@irtf.org" <nmlrg@irtf.org>, Dacheng Zhang <dacheng.zdc@alibaba-inc.com>
Subject: Re: [Nmlrg] Machine Learning in network - solicitation for use cases

>Especially for one-class systems that only learn models of normality, it is
>important to be able to track a change of normality. Otherwise, these systems
>render themselves useless over time / generate too many false alarms.

The feedback-style learning could enhance the efficiency and accuracy, I believe. The analysis results, either good or bad, after being confirmed by human operators, could be fed back as new data. In this way, the quality of the data would be improved over time. However, this is general for machine learning. Security may be slightly different, and needs to continuously learn the new attacks, which may be invented by the attackers over time.

Sheng

>As an
>operator, you can only rely on the results if there are no (significant) baseline
>changes.  However, detecting this is probably not trivial and as far as I know
>this is not heavily researched by the network security community.  Some
>years ago, I read a paper that claimed that such baseline confidence checks
>are successfully employed in voice recognition systems and crucial for those
>systems’ reliability.  Unfortunately, I don’t have this paper at hand.
>
>sebastian
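
The two ideas in this exchange (a baseline confidence check for a one-class model, and feeding operator-confirmed verdicts back as new data) can be sketched as follows. This is an added example, not code from the thread or its participants; the class and function names, the z-score model, the thresholds and the traffic values are all constructed assumptions.

```python
import statistics
from collections import deque

# Constructed sample data: flows per minute on one link.
TRAIN = [98, 101, 100, 99, 102, 100, 97, 103, 100, 100]   # learned normality
RECENT = [120, 118, 122, 119, 121, 120]                   # after a benign change

class OneClassBaseline:
    """One-class model: only normal traffic is learned (mean/stdev of one feature)."""
    def __init__(self, training, k=3.0, window=50):
        self.samples = deque(training, maxlen=window)  # old normality ages out
        self.k = k
        self.attacks = []   # operator-confirmed attacks, kept as labelled data
        self._fit()

    def _fit(self):
        self.mean = statistics.fmean(self.samples)
        self.std = statistics.pstdev(self.samples) or 1e-9

    def is_anomalous(self, x):
        return abs(x - self.mean) > self.k * self.std

    def feedback(self, x, operator_says_benign):
        """Feed a human-confirmed verdict back into the data."""
        if operator_says_benign:
            self.samples.append(x)   # extends the model of normality
            self._fit()
        else:
            self.attacks.append(x)   # never let attack traffic become "normal"

def baseline_shifted(model, recent, max_alarm_rate=0.2):
    """Baseline confidence check: if most of a recent window alarms,
    normality has probably changed and verdicts should not be trusted."""
    alarms = sum(model.is_anomalous(x) for x in recent)
    return alarms / len(recent) > max_alarm_rate

def demo():
    model = OneClassBaseline(TRAIN, window=10)
    shifted_before = baseline_shifted(model, RECENT)      # every sample alarms
    for x in RECENT:                                      # operator confirms benign
        model.feedback(x, operator_says_benign=True)
    model.feedback(400, operator_says_benign=False)       # confirmed attack
    return shifted_before, baseline_shifted(model, RECENT), model.is_anomalous(400)

if __name__ == "__main__":
    print(demo())
```

Only samples an operator has confirmed as benign widen the baseline, which keeps an attacker's own traffic from being absorbed into the model of normality.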