metron-dev mailing list archives

From Debojyoti Dutta <ddu...@gmail.com>
Subject Re: ML features for Metron
Date Mon, 06 Jun 2016 07:12:27 GMT
Thx Egon. The idea of labeled data collection is awesome, else we have to
resort to unsupervised alone. Maybe one of the things the website could do
is to point to labeled data contributed by users of Metron.

On Mon, Jun 6, 2016 at 12:03 AM, Egon Kidmose <kidmose@gmail.com> wrote:

> Hi all,
>
> I'd be interested in joining that discussion.
>
> I'm a PhD student applying ML in the security monitoring domain.
> It is my expectation that I'll be able to contribute with some event
> correlation and alert filtering methods.
> (Correlation: Finding events that are relevant to each other. Filtering:
> Suppressing false alerts from e.g. IDSs, or picking out the relevant ones)
> You'll see a PR as soon as I have something that is somewhat ready.
>
> A particularly interesting issue (to me at least) is the possibilities of
> using a real, running SOC as the "label factory" for labelled data.
> Getting real data with labels for supervised methods is one of the great
> challenges, and I see quite some potential for Metron here.
>
>
> Mvh. / BR
> Egon Kidmose
>
> On Sat, Jun 4, 2016 at 5:02 PM, Yazan Boshmaf <boshmaf@ece.ubc.ca> wrote:
>
> > One use case of Apache Metron (or OpenSOC) is to analyze amplification DDoS
> > attacks <https://www.internetsociety.org/sites/default/files/01_5.pdf>.
> >
> > With honeypots as information sources (e.g., AmpPot
> > <http://www.christian-rossow.de/publications/amppot-raid2015.pdf>), you
> > have the typical UDP/IP features (IP addresses, timestamps, protocols,
> > ports, payload, etc.), which get enriched with reverse IP data,
> > geolocation, etc. Some of these attributes can be used as features to
> > identify and characterize types of reflection attacks (e.g., exploiting
> > NTP, DNS resolvers, or even RIPv1). Also, it is important to distinguish
> > attackers from scanners, using certain features like timestamp
> > synchronization across honeypots, as scanners tend to go through IP blocks,
> > one by one, as compared to actual attacks.
> >
> > These are some of the attributes one might consider for this use case. It
> > would be nice to have something that does online learning and analytics, so
> > clustering / classification is done in real-time. Maybe Apache Spark's
> > MLlib?
> >
> > All the best,
> > Yazan
> >
> > On Sat, Jun 4, 2016 at 4:59 PM, Zeolla@GMail.com <zeolla@gmail.com> wrote:
> >
> > > I'm in
> > >
> > > On Sat, Jun 4, 2016, 09:53 Yazan Boshmaf <boshmaf@ece.ubc.ca> wrote:
> > >
> > > > Me too.
> > > >
> > > > On Sat, Jun 4, 2016 at 9:43 AM, Franck Vervial <vervial@gmail.com> wrote:
> > > >
> > > > > hi,
> > > > >
> > > > > i am interested.
> > > > >
> > > > > regards
> > > > > On Fri, 3 Jun 2016 at 3:43 PM, Debo Dutta (dedutta) <dedutta@cisco.com> wrote:
> > > > >
> > > > > > Hi
> > > > > >
> > > > > > Wondering if anyone is interested in starting a discussion on what kind of
> > > > > > machine learning based features would be good for Metron …. Would love to
> > > > > > have the SOC users chime in on the dev list.
> > > > > >
> > > > > > The result of the discussion could lead to JIRA items.
> > > > > >
> > > > > > thx
> > > > > > debo
> > > > > >
> > > > >
> > > >
> > > --
> > >
> > > Jon
> > >
> >
>



-- 
-Debo~
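As an added illustration of the honeypot features Yazan describes in the quoted message (timestamp synchronization across honeypots to separate synchronized reflection traffic from sequential scanning), here is a small feature-extraction and labelling routine. This is example code written for this archive page; it is not from Metron, OpenSOC or AmpPot, and the `SYNC_WINDOW_SECONDS` and `MIN_HONEYPOTS` thresholds, the `Event` record layout and the sample events (RFC 5737 documentation addresses) are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

SYNC_WINDOW_SECONDS = 2.0  # assumed: first-seen times across honeypots within this window count as synchronized
MIN_HONEYPOTS = 3          # assumed: minimum distinct honeypots needed before judging synchronization


@dataclass(frozen=True)
class Event:
    """One UDP request recorded by a honeypot sensor (constructed schema)."""
    honeypot: str   # id of the sensor that saw the request
    src_ip: str     # source address on the request; in amplification traffic this is the spoofed victim
    proto: str
    dst_port: int
    ts: float       # seconds since epoch


# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    # same spoofed source hits three honeypots within under a second: synchronized, attack-like
    Event("hp-1", "198.51.100.7", "udp", 123, 1000.0),
    Event("hp-1", "198.51.100.7", "udp", 123, 1000.2),
    Event("hp-2", "198.51.100.7", "udp", 123, 1000.3),
    Event("hp-2", "198.51.100.7", "udp", 123, 1000.5),
    Event("hp-3", "198.51.100.7", "udp", 123, 1000.6),
    # one request per honeypot, minutes apart, walking the address space: scanner-like
    Event("hp-1", "203.0.113.9", "udp", 123, 2000.0),
    Event("hp-2", "203.0.113.9", "udp", 123, 2180.0),
    Event("hp-3", "203.0.113.9", "udp", 123, 2405.0),
    # seen by a single honeypot only: too little coverage to judge
    Event("hp-2", "192.0.2.5", "udp", 53, 3000.0),
]


def extract_features(events):
    """Build a per-(src_ip, proto, dst_port) feature dict from honeypot events.

    first_seen_spread is the key synchronization feature: the difference between
    the earliest and latest first-seen timestamp across the honeypots that saw
    the same source.  Near-zero spread means all sensors were hit at once.
    """
    groups = defaultdict(list)
    for e in events:
        groups[(e.src_ip, e.proto, e.dst_port)].append(e)

    features = {}
    for key, evs in groups.items():
        first_seen = {}
        for e in evs:
            first_seen[e.honeypot] = min(e.ts, first_seen.get(e.honeypot, e.ts))
        spread = max(first_seen.values()) - min(first_seen.values())
        features[key] = {
            "request_count": len(evs),
            "honeypot_count": len(first_seen),
            "first_seen_spread": spread,
            "requests_per_honeypot": len(evs) / len(first_seen),
        }
    return features


def label(feature):
    """Heuristic label from the synchronization feature (assumed thresholds)."""
    if feature["honeypot_count"] < MIN_HONEYPOTS:
        return "insufficient-coverage"
    if feature["first_seen_spread"] <= SYNC_WINDOW_SECONDS:
        return "attack-like"
    return "scanner-like"


def classify(events):
    """Map each (src_ip, proto, dst_port) group to a heuristic label."""
    return {key: label(f) for key, f in extract_features(events).items()}


if __name__ == "__main__":
    for key, lbl in classify(SAMPLE_EVENTS).items():
        print(key, "->", lbl)
```

The feature dict is the part that would feed a clustering or classification step (for example an MLlib pipeline, as the thread suggests); the `label` function only encodes the rule of thumb from the message and would be replaced by, or used to seed labels for, a trained model once a SOC supplies ground truth.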
