IETF Logo Mail Archive

Re: [Nmlrg] Machine Learning in network - solicitation for use cases

Sheng Jiang <jiangsheng@huawei.com> Tue, 08 September 2015 03:40 UTC

Return-Path: <jiangsheng@huawei.com>
X-Original-To: nmlrg@ietfa.amsl.com
Delivered-To: nmlrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B0A9C1B5FBE for <nmlrg@ietfa.amsl.com>; Mon, 7 Sep 2015 20:40:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.211
X-Spam-Level:
X-Spam-Status: No, score=-4.211 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id mbpXmxQq2gTz for <nmlrg@ietfa.amsl.com>; Mon, 7 Sep 2015 20:40:06 -0700 (PDT)
Received: from szxga02-in.huawei.com (szxga02-in.huawei.com [119.145.14.65]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A14E01B5FBD for <nmlrg@irtf.org>; Mon, 7 Sep 2015 20:40:05 -0700 (PDT)
Received: from 172.24.1.50 (EHLO nkgeml402-hub.china.huawei.com) ([172.24.1.50]) by szxrg02-dlp.huawei.com (MOS 4.3.7-GA FastPath queued) with ESMTP id CRY32857; Tue, 08 Sep 2015 11:39:52 +0800 (CST)
Received: from NKGEML512-MBX.china.huawei.com ([169.254.7.33]) by nkgeml402-hub.china.huawei.com ([10.98.56.33]) with mapi id 14.03.0235.001; Tue, 8 Sep 2015 11:39:50 +0800
From: Sheng Jiang <jiangsheng@huawei.com>
To: Dacheng Zhang <dacheng.zdc@alibaba-inc.com>, "nmlrg@irtf.org" <nmlrg@irtf.org>
Thread-Topic: [Nmlrg] Machine Learning in network - solicitation for use cases
Thread-Index: AQHQ48ASOhiRuf+FmUuBbNfoBoELfZ4ludyggAE2+AD//3q3AIAIZytggAATEvGAAFOjcIAAmLcAgAIupCA=
Date: Tue, 8 Sep 2015 03:39:48 +0000
Message-ID: <5D36713D8A4E7348A7E10DF7437A4B927BB2DDB6@nkgeml512-mbx.china.huawei.com>
References: <D20A251E.25E52%dacheng.zdc@alibaba-inc.com> <5D36713D8A4E7348A7E10DF7437A4B927BB2B192@nkgeml512-mbx.china.huawei.com> <D20B2C03.25EC7%dacheng.zdc@alibaba-inc.com> <5D36713D8A4E7348A7E10DF7437A4B927BB2D062@nkgeml512-mbx.china.huawei.com> <D211D160.26495%dacheng.zdc@alibaba-inc.com> <D211D7F2.2651C%dacheng.zdc@alibaba-inc.com> <5D36713D8A4E7348A7E10DF7437A4B927BB2D300@nkgeml512-mbx.china.huawei.com> <D2130D6D.26ABF%dacheng.zdc@alibaba-inc.com>
In-Reply-To: <D2130D6D.26ABF%dacheng.zdc@alibaba-inc.com>
Accept-Language: en-GB, zh-CN, en-US
Content-Language: zh-CN
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.111.99.197]
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: base64
MIME-Version: 1.0
X-CFilter-Loop: Reflected
Archived-At: <http://mailarchive.ietf.org/arch/msg/nmlrg/ADtNnX6bEWmfAjkctIzVUbwogG8>
Subject: Re: [Nmlrg] Machine Learning in network - solicitation for use cases
X-BeenThere: nmlrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Machine Learning Research Group <nmlrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/nmlrg>, <mailto:nmlrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nmlrg/>
List-Post: <mailto:nmlrg@irtf.org>
List-Help: <mailto:nmlrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/nmlrg>, <mailto:nmlrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 08 Sep 2015 03:40:10 -0000

>>>DDoS and APT are very active research topics. Application layer DDoS
>>>attacks are more difficult to detect than layer 4 DDoS attacks. In many
>>>cases, the application layer DDoS does not introduce large amount
>>>traffics. However, by using big data and data mining tech, it is possible
>>>to find out the clues of such attacks.
>>
>>Hi, Dacheng,
>>
>>Applying machine learning in DDoS protection is an interest use case. For
>>my understanding, the machine would learn the potential attack behaviors,
>>am I right?
>
>Yes, you are right.
>>
>>If yes, I have two questions: a) does the machine learning has the
>>possibility to learn/identify new attack behaviors, which was not
>>recognized before? If yes, what is the working principles?
>
>Normally we need to generate a normal behavior model and some
>“abnormal
>behavior models”, the machine will detect whether certain behavior of a
>client will be located in an ‘abnormal’ area.
>I need to check with my colleagues to see whether we could disclose more
>detailed information for the moment.

This would be an interesting use case. Looking forward to see more information. For now, I guess we do not need much details in algorithms or specific implementation. It would be interested to learn, in general, the objects of learning, and the expected output of the learning in the DDoS protection use case.

>> b) is it possible for autonomic reaction from the network operational
>>perspective after detect such DDoS attack? Give the machine learning may
>>not be accurate, my guess is human intervention is needed.
>
>In the current practice, machine learning procedure is normally offline.
>1) machine learning may not very that accurate. 2) big data processing
>needs time and computing resources.  Human involvement is required.

What may influence the accuracy of the mechanism learning result? In another word, how to improve the accuracy in machine learning mechanism? This question may not be DDoS protection specific.

Best regards,

Sheng

>Looking for future discussion on this topic.
>
>Cheers
>
>Dacheng
>
>>
>>Best regards,
>>
>>Sheng
>>
>>>There were some related discussions in Dots. If you are interested, I
>>>could find them out later.
>>>
>>>_______________________________________________
>>>nmlrg mailing list
>>>nmlrg@irtf.org
>>>https://www.irtf.org/mailman/listinfo/nmlrg
>

v2.8.7 | Report a Bug | By Email