Re: [Nmlrg] Machine Learning in network - solicitation for use cases

Brian E Carpenter <brian.e.carpenter@gmail.com> Mon, 07 September 2015 03:52 UTC

To: Sheng Jiang <jiangsheng@huawei.com>, Dacheng Zhang <dacheng.zdc@alibaba-inc.com>, "nmlrg@irtf.org" <nmlrg@irtf.org>
From: Brian E Carpenter <brian.e.carpenter@gmail.com>
Organization: University of Auckland
Date: Mon, 7 Sep 2015 15:52:13 +1200

On 07/09/2015 14:26, Sheng Jiang wrote:
> 
> 
>>>> DDoS and APT are very active research topics. Application layer DDoS
>>>> attacks are more difficult to detect than layer 4 DDoS attacks. In many
>>>> cases, the application layer DDoS does not introduce a large amount of
>>>> traffic. However, by using big data and data mining tech, it is possible
>>>> to find out the clues of such attacks.
>>>
>>> Hi, Dacheng,
>>>
>>> Applying machine learning in DDoS protection is an interesting use case. For my
>>> understanding, the machine would learn the potential attack behaviors, am I
>>> right?
>>>
>>> If yes, I have two questions: a) does machine learning have the possibility
>>> to learn/identify new attack behaviors, which were not recognized before? If
>>> yes, what are the working principles? b) is it possible for autonomic reaction
>>> from the network operational perspective after detecting such a DDoS attack?
>>> Given that machine learning may not be accurate, my guess is human
>>> intervention is needed.
>>
>> I suppose this is in some ways similar to spam processing in email. For
>> example, a Bayesian spam filter is surprisingly good, but sometimes makes
>> mistakes, so human training to correct false positives and false negatives
>> is essential.
> 
> Hi, Brian,
> 
> I believe there is feedback-style training in spam processing. But what do you mean by "human" training? Do you mean the feedback is decided and fed by human administrators? I believe this could be done by machine learning mechanisms.

In the spam case it is definitely a real live human who must detect an error
by the classifier. In my case I estimate that maybe 0.5% of the messages
in my Gmail spam folder are not spam, and maybe 1% in my Gmail Inbox are actually
spam.

I think that for real-time DDOS protection, the solution has to include real-time
input from an operator for both cases: "This is not an attack" and "You missed
an attack". I think that means that the machine-learning system will always
run in training mode, even if training is only needed in 1% of cases.

> 
> Actually, spam filtering was one of the earliest network-relevant areas that started to use machine learning. It would be worth studying the machine learning applications in spam filtering. Or we could invite some experts in this area to join the nmlrg discussion.

Agreed
  Brian

> 
> Best regards,
> 
> Sheng
> 
>> How can
>> human training be achieved for a real-time case like DDOS?
>>
>>   Brian
>>
>>>
>>> Best regards,
>>>
>>> Sheng
>>>
>>>> There were some related discussions in Dots. If you are interested, I
>>>> could find them out later.
>>>>
>>>> _______________________________________________
>>>> nmlrg mailing list
>>>> nmlrg@irtf.org
>>>> https://www.irtf.org/mailman/listinfo/nmlrg
>>>
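
An added example, not part of the original message: a minimal Bayesian classifier that never leaves training mode and accepts operator corrections for both error cases named in the reply above ("This is not an attack" and "You missed an attack"). The class name, feature tokens and sample requests are constructed for illustration.

```python
import math
from collections import defaultdict

LABELS = ("attack", "benign")

class OnlineBayes:
    """Multinomial naive Bayes that stays in training mode permanently."""

    def __init__(self):
        self.docs = {l: 0 for l in LABELS}
        self.counts = {l: defaultdict(int) for l in LABELS}
        self.vocab = set()

    def learn(self, tokens, label):
        self.docs[label] += 1
        for t in tokens:
            self.counts[label][t] += 1
            self.vocab.add(t)

    def score(self, tokens, label):
        # Log prior plus log likelihoods, both with add-one smoothing.
        logp = math.log((self.docs[label] + 1) / (sum(self.docs.values()) + len(LABELS)))
        denom = sum(self.counts[label].values()) + len(self.vocab) + 1
        for t in tokens:
            logp += math.log((self.counts[label][t] + 1) / denom)
        return logp

    def classify(self, tokens):
        return max(LABELS, key=lambda l: self.score(tokens, l))

    def operator_feedback(self, tokens, correct):
        """Apply an operator verdict; retrain only when the classifier was wrong."""
        before = self.classify(tokens)
        if before != correct:
            self.learn(tokens, correct)
        return before, self.classify(tokens)

def demo():
    clf = OnlineBayes()
    # Constructed samples: tokens are discretized per-client request features.
    clf.learn(["rate:high", "path:/login", "ua:empty"], "attack")
    clf.learn(["rate:low", "path:/index", "ua:browser"], "benign")
    clf.learn(["rate:low", "path:/search", "ua:browser"], "benign")
    # Low-volume application-layer pattern: "You missed an attack".
    missed = clf.operator_feedback(
        ["rate:low", "path:/search", "query:expensive", "cache:miss"], "attack")
    # Legitimate login burst: "This is not an attack".
    false_alarm = clf.operator_feedback(
        ["rate:high", "path:/login", "ua:browser"], "benign")
    return missed, false_alarm
```

Each tuple returned by `demo()` is the verdict before and after the operator's correction; a verdict the operator agrees with triggers no retraining.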