Re: [Nmlrg] Machine Learning in network - solicitation for use cases
Jérôme François <jerome.francois@inria.fr> Thu, 17 September 2015 20:53 UTC
Le 17/09/2015 08:36, Sheng Jiang a écrit :
> Hi, Jerome,
>
> Thanks for sharing. It would be helpful if you could introduce a little bit more on how to leverage the machine learning in your use case, such as the learning objects and objectives, etc. It would also be useful to discuss the working principle in your use case.

Assuming a protocol, the goal of this work was to automatically identify every device type using this protocol. By identification, I mean the name and version for software and the manufacturer and series for hardware.

As usual, the feature definition was the core of the problem:
- case 1 relies on the syntactic trees extracted from messages using the protocol grammar
- case 2 relies on a temporal behavioral tree which represents the observed sequence of messages with inter-arrival time information

We then applied a multi-class support vector machine with a learning stage. Hence, specific kernel functions had to be defined. We also tested other approaches like unsupervised graph-based clustering based on isomorphic trees.

In our work, we specifically targeted SIP and so applied the identification for a single session or a set of sessions. Then, different use cases can benefit from this approach: network inventory, detection of vulnerable/forbidden devices or automatically generating rules for a stateful firewall (in that case, the classes which are learnt are not the device types but the anomalies).

Of course, in a perfect world, the device type can be easily identified by some configuration information or, for example, a user agent header can be included in the message. However, this can be easily faked. Feature engineering was thus very important. Messages were preprocessed to create these trees and metrics (distances, kernels) had to be defined.

I have some other experience with flow-based anomaly detection or phishing detection and I observed that fine-tuning the features is a key step (more than ML algorithm parameter tuning).

jerome

> Many thanks and best regards,
>
> Sheng
>
>> -----Original Message-----
>> From: nmlrg [mailto:nmlrg-bounces@irtf.org] On Behalf Of Jérôme François
>> Sent: Thursday, September 17, 2015 12:18 AM
>> To: nmlrg@irtf.org
>> Subject: Re: [Nmlrg] Machine Learning in network - solicitation for use cases
>>
>> I have experience using ML for device fingerprinting, meaning that by
>> observing traffic patterns (message sequence and timing information) it
>> is possible to automatically retrieve the precise types of device (name,
>> version, series).
>> It is particularly interesting to make a network inventory as in most
>> cases there are some unknown devices on the network (user or old ones)
>> and finally potentially identifying vulnerable devices from a security
>> point of view.
>>
>> jerome
>>
>> Le 31/08/2015 05:15, Sheng Jiang a écrit :
>>> Hi, all,
>>>
>>> Thanks for subscribing to the NMLRG (Network Machine Learning) mail list. As we
>>> know, there is already much ongoing research on Machine Learning in
>>> networks, in many areas. But up to now, there are few mature applications
>>> yet. So it is the time for a Research Group to work on this future-oriented
>>> technology.
>>>
>>> The first step would be to collect possible use cases: where the machine
>>> learning mechanism could be used in networks. The use cases do not need
>>> to be mature, but should have potential.
>>>
>>> Note that this topic is rapidly moving from academic research into practical
>>> application. Therefore, use cases from university environments, industrial
>>> research and development organizations are all welcome.
>>>
>>> Best regards,
>>>
>>> Sheng
>> _______________________________________________
>> nmlrg mailing list
>> nmlrg@irtf.org
>> https://www.irtf.org/mailman/listinfo/nmlrg
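A toy version of the "case 1" syntactic-tree fingerprint described in the reply, added here as an example and not Jérôme's own code: it parses SIP INVITEs into trees of header nodes with value-shape leaves, scores trees with a simple subtree-matching similarity (the post does not give its kernel functions, so this similarity and the nearest-class rule standing in for the multi-class SVM are my own), and labels an unseen message by the closest stack. The sample messages and stack names are constructed.

```python
import re

# Constructed SIP INVITEs (hypothetical): two UA "stacks" and one unseen message.
STACK_A = ("INVITE sip:bob@example.com SIP/2.0\nVia: SIP/2.0/UDP 10.0.0.1:5060;branch=z9hG4bKa1;rport\n"
           "Max-Forwards: 70\nFrom: <sip:alice@example.com>;tag=1928301774\nTo: <sip:bob@example.com>\n"
           "Call-ID: a84b4c76e66710\nCSeq: 314159 INVITE")
STACK_B = ("INVITE sip:bob@example.com SIP/2.0\nVia: SIP/2.0/UDP 10.0.0.2:5060;branch=z9hG4bKb7\n"
           "From: \"Carol\" <sip:carol@example.com>;tag=33\nTo: \"Bob\" <sip:bob@example.com>\n"
           "Call-ID: 77fa7c9e@10.0.0.2\nCSeq: 1 INVITE\nAllow: INVITE, ACK, BYE, CANCEL")
UNKNOWN = ("INVITE sip:dave@example.org SIP/2.0\nVia: SIP/2.0/UDP 10.0.0.9:5060;branch=z9hG4bKq3;rport\n"
           "Max-Forwards: 70\nFrom: <sip:erin@example.org>;tag=5551212\nTo: <sip:dave@example.org>\n"
           "Call-ID: 9f8e7d6c5b4a\nCSeq: 2 INVITE")

def _shape(tok):
    """Token syntax only: parameters keep their name, addresses become URI, digits '#'."""
    if "=" in tok:
        return tok.split("=", 1)[0] + "="
    if "@" in tok:
        return "URI"
    return re.sub(r"\d+", "#", tok)

def parse_sip(msg):
    """Syntactic tree (label, children): REQ -> METHOD plus one 'H:<name>' node per header."""
    lines = msg.strip().splitlines()
    kids = [("METHOD", [(lines[0].split()[0], [])])]
    for line in lines[1:]:
        name, _, val = line.partition(":")
        # Leaves are the shapes of the value tokens, split on ';', ',' and whitespace.
        leaves = [(_shape(t), []) for t in re.split(r"[;,\s]+", val.strip()) if t]
        kids.append(("H:" + name.strip().lower(), leaves))
    return ("REQ", kids)

def tree_sim(a, b):
    """Equal labels score 1 plus, per child of a, its best match among b's same-label children."""
    if a[0] != b[0]:
        return 0.0
    return 1.0 + sum(max((tree_sim(ca, cb) for cb in b[1] if cb[0] == ca[0]), default=0.0)
                     for ca in a[1])

def norm_sim(a, b):
    """Symmetric similarity in [0, 1]; 1 for structurally identical trees."""
    return min(tree_sim(a, b), tree_sim(b, a)) / max(tree_sim(a, a), tree_sim(b, b))

def classify(msg, labelled):
    """Nearest class by mean similarity to labelled trees (stand-in for the post's SVM)."""
    t = parse_sip(msg)
    scores = {lab: sum(norm_sim(t, parse_sip(e)) for e in ex) / len(ex)
              for lab, ex in labelled.items()}
    return max(scores, key=scores.get), scores
```

Because only message structure is compared, a spoofed User-Agent header changes nothing here; the fingerprint comes from how the stack builds its messages, which is the point made above.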