IETF Logo Mail Archive

Re: [Nmlrg] Call for Agenda NMLRG @IETF94, Yokohama

Jérôme François <jerome.francois@inria.fr> Tue, 13 October 2015 16:02 UTC

Return-Path: <jerome.francois@inria.fr>
X-Original-To: nmlrg@ietfa.amsl.com
Delivered-To: nmlrg@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2365A1B47DB for <nmlrg@ietfa.amsl.com>; Tue, 13 Oct 2015 09:02:59 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.26
X-Spam-Level:
X-Spam-Status: No, score=-6.26 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HELO_EQ_FR=0.35, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_HI=-5, T_RP_MATCHES_RCVD=-0.01] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6jyJi_xH0JlN for <nmlrg@ietfa.amsl.com>; Tue, 13 Oct 2015 09:02:57 -0700 (PDT)
Received: from mail2-relais-roc.national.inria.fr (mail2-relais-roc.national.inria.fr [192.134.164.83]) (using TLSv1.2 with cipher RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id C13901B47D8 for <nmlrg@irtf.org>; Tue, 13 Oct 2015 09:02:56 -0700 (PDT)
X-IronPort-AV: E=Sophos;i="5.17,678,1437429600"; d="scan'208";a="182607478"
Received: from unknown (HELO [172.20.11.29]) ([65.157.103.250]) by mail2-relais-roc.national.inria.fr with ESMTP/TLS/DHE-RSA-AES128-SHA; 13 Oct 2015 18:02:54 +0200
Message-ID: <561D2B2D.5000508@inria.fr>
Date: Tue, 13 Oct 2015 18:02:53 +0200
From: =?windows-1252?Q?J=E9r=F4me_Fran=E7ois?= <jerome.francois@inria.fr>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.5.0
MIME-Version: 1.0
To: "Liubing (Leo)" <leo.liubing@huawei.com>, "nmlrg@irtf.org" <nmlrg@irtf.org>
References: <5D36713D8A4E7348A7E10DF7437A4B927BBB3FF0@nkgeml512-mbx.china.huawei.com> <561C1629.40304@inria.fr> <8AE0F17B87264D4CAC7DE0AA6C406F45C230D292@nkgeml506-mbx.china.huawei.com>
In-Reply-To: <8AE0F17B87264D4CAC7DE0AA6C406F45C230D292@nkgeml506-mbx.china.huawei.com>
Content-Type: text/plain; charset=windows-1252
Content-Transfer-Encoding: 8bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/nmlrg/jXW81plMpa1kBLgwGU-8Wx5-JAc>
Subject: Re: [Nmlrg] Call for Agenda NMLRG @IETF94, Yokohama
X-BeenThere: nmlrg@irtf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: Network Machine Learning Research Group <nmlrg.irtf.org>
List-Unsubscribe: <https://www.irtf.org/mailman/options/nmlrg>, <mailto:nmlrg-request@irtf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/nmlrg/>
List-Post: <mailto:nmlrg@irtf.org>
List-Help: <mailto:nmlrg-request@irtf.org?subject=help>
List-Subscribe: <https://www.irtf.org/mailman/listinfo/nmlrg>, <mailto:nmlrg-request@irtf.org?subject=subscribe>
X-List-Received-Date: Tue, 13 Oct 2015 16:02:59 -0000

Hi Bing,

Le 13/10/2015 04:38, Liubing (Leo) a écrit :
>
>
> We actually build a method to aggregate multi-dimensional data within a
> single tree structure without assuming any order between dimensions and
> with variable granularity. 
> [Bing] I guess most of the raw data is more or less mix-dimensional. Orthogonal data should be a fine-tuned result most of the time.
> So, I guess your aggregation method should be common in some degree, that not only applied to your fingerprinting use case?
Yes, it is a generic method. We actually did not apply for
fingerprinting (yet). Actually, once you are able to define a hierarchy
over a dimension, you can use it. We apply on domain names, IP
addresses, port taxonomy and geographical positions.
>> It is a kind of mix between k-dimensional tree and density-based clustering. 
>> For example, we applied it to DNS answers
>> aggregating both domain names and IP address in a single data structure to
>> be analyzed rather than an individual record inspection to first identify time
>> period where some divergent behavior appears.
> [Bing] This sounds interesting. An naive question: can this algorithm be applied to network traffic N-tuples analysis, and is there any limitation to the number of "N"?
The number of N is not limited. It is basically what we do, we just
represent network traces or trafic recors as N-tuples and then aggregate
them.
For performance reason, the maximal size of tree is set and then
aggregation is invoked when the tree starts to be too large.
More details can be found here:
https://www.usenix.org/system/files/conference/lisa12/lisa12-final-26.pdf
We have been inspired by Aguri
(http://www.wide.ad.jp/news/event/stanford2002/documents/Measurement/aguri.pdf)

>
>> I know that it is not ML itself but we used it is fully in the scope of data
>> representation and pre-processing of ML.
> [Bing] Pre-processing might not be the key factor in ML theory/methodology perspective; but it is curtail in ML engineering perspective. So I'd like to hear it in your presentation.
Great!

Best,
jerome

v2.8.7 | Report a Bug | By Email