Re: [Nmlrg] Machine Learning in network - solicitation for use cases

["Liubing (Leo)" <leo.liubing@huawei.com>]

Hi Brian,

Thanks much for the information. 
The papers are very good stuff to get a sense of how modern technologies detect the DDoS event, rather than my arbitrary imagination:)

Best regards,
Bing

> -----Original Message-----
> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> Sent: Wednesday, September 09, 2015 7:05 AM
> To: Liubing (Leo); Sheng Jiang; Dacheng Zhang; nmlrg@irtf.org
> Subject: Re: [Nmlrg] Machine Learning in network - solicitation for use cases
> 
> Bing,
> 
> We are at the limits of my knowledge here. However, as I said, I think that
> automatically extracting event signatures from a real time packet stream is
> the hard part.
> 
> I think a typical approach would be to run a variety of statistical algorithms
> over a sliding window of incoming packet headers.
> This paper talks about one technique (but not used in real time):
> http://www.cs.auckland.ac.nz/CDMTCS//researchreports/266eimann.pdf
> and the corresponding PhD thesis:
> https://researchspace.auckland.ac.nz/bitstream/handle/2292/3427/02whol
> e.pdf
> 
> Regards
>    Brian
> 
> 
> On 08/09/2015 20:13, Liubing (Leo) wrote:
> > Hi Brian,
> >
> > Thanks for your elaborating explanation.
> > Please see inline.
> >
> >> -----Original Message-----
> >> From: Brian E Carpenter [mailto:brian.e.carpenter@gmail.com]
> >> Sent: Tuesday, September 08, 2015 12:39 PM
> >> To: Liubing (Leo); Sheng Jiang; Dacheng Zhang; nmlrg@irtf.org
> >> Subject: Re: [Nmlrg] Machine Learning in network - solicitation for
> >> use cases
> >>
> >> On 08/09/2015 16:00, Liubing (Leo) wrote:
> >>
> >> ...
> >>> But I'm curious about what is the item that could be labeled as
> >>> "This is not
> >> an attack " or " You missed an attack ". E.g., the item is an packet,
> >> a stream, or any other kind of N-tuple things.
> >>
> >> The two cases are rather different.
> >>
> >> 1. The system signals "attack in progress" to the NOC. The operators
> >> have a look and decide that there is no attack, it is just some unusual
> traffic.
> >> (Example: you are live-streaming the Olympic Games. Two seconds after
> >> the end of the 100 metres final, there is an enormous burst of traffic.
> >> The machine learning system signals an attack, because it was not
> >> trained on the data set from the previous Olympic Games.)
> >>
> >> In this case the NOC operators urgently tell the algorithm it is wrong.
> >> It needs to learn that the signature of a sudden burst just after the
> >> end of an event is less likely to be an attack than a sudden burst at
> another time.
> >>
> >> 2. Someone invents a new kind of DDoS attack, which is therefore not
> >> in the historical training data. The system doesn't identify it.
> >> In this case, the NOC operators tell the algorithm "Attack started at
> <time>."
> >
> > [Bing] It feels like the learning objects are mostly traffic burst events?
> When traffic burst happens, the machine judges whether it's a DDoS or not.
> > Then the training data might be a bunch of traffic burst evens marked as
> normal or abnormal. And the challenge should be how to pick a set of
> features out of a burst event for the machine learning program to discover
> the pattern of normal/abnormal classification.
> >
> > This is just my hypothetical case, could be all wrong.
> >
> >> This automatically becomes high quality training data for the
> >> algorithm: the signature of the new traffic at that time is 100% certain to
> be an attack.
> >
> >> I think the hard part is extracting useful signatures from the
> >> traffic stream in real time; the learning/training part is fairly standard.
> > [Bing] When you said the signature of "100% certain", my perception is
> that it is something like the typical virus detection approach, which doing
> exact match of a particular piece of code that could identify a virus.
> > If my perception was correct, I think the signatures are some special
> combinations of the features (as mentioned above) where the classification
> pattern has a 100% confidence. Then I think it doesn't need to extract the
> signatures in real time, because the features are all pre-defined.
> >
> > However, this is only from my view, I might have totally misunderstood
> you.
> >
> > Best regards,
> > Bing
> >
> >>     Brian