Re: [Nmlrg] Machine Learning in network - solicitation for use cases
Sebastian Abt <sabt@sabt.net> Thu, 17 September 2015 19:17 UTC
> On 08.09.2015 at 05:39, Sheng Jiang <jiangsheng@huawei.com> wrote:
>
>>> b) is it possible for autonomic reaction from the network operational
>>> perspective after detecting such a DDoS attack? Given the machine learning may
>>> not be accurate, my guess is human intervention is needed.
>>
>> In the current practice, the machine learning procedure is normally offline.
>> 1) machine learning may not be that accurate. 2) big data processing
>> needs time and computing resources. Human involvement is required.
>
> What may influence the accuracy of the mechanism learning result? In other words, how to improve the accuracy in machine learning mechanism? This question may not be DDoS protection specific.

I think there are many different factors that affect the accuracy of an ML system. Most crucial in my opinion are the following two:

1. You need to find an appropriate description of the class(es) you try to learn. In ML, this process of finding/generating an appropriate description is commonly called feature extraction. For network security this means that you need to find a way to transform your given representation of traffic (e.g., packets, flow records, SNMP counters, …) such that only the bits relevant to describe normality/to distinguish between two classes A and B are reflected and everything else is dismissed, effectively reducing entropy. The resulting feature vectors should have high intra-class and low inter-class similarity - for whatever notion of similarity you choose.

2. Especially for one-class systems that only learn models of normality, it is important to be able to track a change of normality. Otherwise, these systems render themselves useless over time / generate too many false alarms. As an operator, you can only rely on the results if there are no (significant) baseline changes. However, detecting this is probably not trivial and as far as I know this is not heavily researched by the network security community.

Some years ago, I read a paper that claimed that such baseline confidence checks are successfully employed in voice recognition systems and crucial for those systems' reliability. Unfortunately, I don't have this paper at hand.

sebastian
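An added illustration of the baseline check described in point 2 of the message above, not code from the message or its author: a one-class model over a single scalar feature that raises per-sample alarms and separately flags when recent traffic shows that the learned normality has moved. The class name, thresholds and the feature series are constructed assumptions.

```python
import math
from statistics import mean, stdev

class OneClassBaseline:
    """Model of normality over one scalar feature, with a baseline check."""

    def __init__(self, training, alarm_z=3.0, drift_z=3.0, window=30):
        self.mu, self.sigma = mean(training), stdev(training)
        self.alarm_z, self.drift_z, self.window = alarm_z, drift_z, window
        self.recent = []

    def observe(self, x):
        """Return (alarm, baseline_stale) for one new feature value."""
        self.recent = (self.recent + [x])[-self.window:]
        # Per-sample test: is this value far outside the learned normality?
        alarm = abs(x - self.mu) / self.sigma > self.alarm_z
        stale = False
        if len(self.recent) == self.window:
            # Window test: has the mean of recent traffic moved? The standard
            # error shrinks with sqrt(window), so small sustained shifts show.
            se = self.sigma / math.sqrt(self.window)
            stale = abs(mean(self.recent) - self.mu) / se > self.drift_z
        return alarm, stale

def replay(model, values):
    """Feed values to the model; return (alarm count, index of first stale flag)."""
    alarms, first_stale = 0, None
    for i, x in enumerate(values):
        alarm, stale = model.observe(x)
        alarms += alarm
        if stale and first_stale is None:
            first_stale = i
    return alarms, first_stale

# Constructed feature series (e.g. per-minute destination-port entropy in bits).
def series(level, start, n):
    return [level + 0.2 * math.sin(i) for i in range(start, start + n)]

def demo():
    model = OneClassBaseline(series(4.0, 0, 200))
    stable = replay(model, series(4.0, 200, 60))    # same normality as training
    shifted = replay(model, series(4.3, 260, 60))   # normality itself has moved
    return stable, shifted

if __name__ == "__main__":
    print(demo())
```

On the shifted series the per-sample alarms are false positives caused by the stale baseline, and the window test is what tells the operator to stop trusting them and retrain.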