metron-dev mailing list archives

From Debojyoti Dutta <ddu...@gmail.com>
Subject Re: ML features for Metron
Date Mon, 06 Jun 2016 07:10:18 GMT
Thanks Yazan ... these seem like great use cases. Online
clustering/classification makes sense and Metron could leverage Spark....

On Sat, Jun 4, 2016 at 8:02 AM, Yazan Boshmaf <boshmaf@ece.ubc.ca> wrote:

> One use case of Apache Metron (or OpenSOC) is to analyze amplification DDoS
> attacks <https://www.internetsociety.org/sites/default/files/01_5.pdf>.
>
> With honeypots as information sources (e.g., AmpPot
> <http://www.christian-rossow.de/publications/amppot-raid2015.pdf>), you
> have the typical UDP/IP features (IP addresses, timestamps, protocols,
> ports, payload, etc.), which get enriched with reverse IP data,
> geolocation, etc. Some of these attributes can be used as features to
> identify and characterize types of reflection attacks (e.g., exploiting
> NTP, DNS resolvers, or even RIPv1). Also, it is important to distinguish
> attackers from scanners, using certain features like timestamp
> synchronization across honeypots, as scanners tend to go through IP blocks,
> one by one, as compared to actual attacks.
>
> These are some of the attributes one might consider for this use case. It
> would be nice to have something that does online learning and analytics, so
> clustering / classification is done in real-time. Maybe Apache Spark's
> MLlib?
>
> All the best,
> Yazan
>
> On Sat, Jun 4, 2016 at 4:59 PM, Zeolla@GMail.com <zeolla@gmail.com> wrote:
>
> > I'm in
> >
> > On Sat, Jun 4, 2016, 09:53 Yazan Boshmaf <boshmaf@ece.ubc.ca> wrote:
> >
> > > Me too.
> > >
> > > On Sat, Jun 4, 2016 at 9:43 AM, Franck Vervial <vervial@gmail.com> wrote:
> > >
> > > > hi,
> > > >
> > > > i am interested.
> > > >
> > > > regards
> > > > On Fri, 3 Jun 2016 at 3:43 PM, Debo Dutta (dedutta) <dedutta@cisco.com> wrote:
> > > >
> > > > > Hi
> > > > >
> > > > > Wondering if anyone is interested in starting a discussion on what kind of
> > > > > machine learning based features would be good for Metron …. Would love to
> > > > > have the SOC users chime in on the dev list.
> > > > >
> > > > > The result of the discussion could lead to JIRA items.
> > > > >
> > > > > thx
> > > > > debo
> > > > >
> > > >
> > >
> > --
> >
> > Jon
> >
>
-- 
-Debo~
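The attacker-versus-scanner distinction Yazan sketches above (spoofed attack sources reaching every honeypot at once, scanners walking the honeypot IPs one by one) as a small feature extractor; this is an added example, not code from the thread or from Metron. The honeypot addresses, log records and the 1-second synchronization threshold are constructed assumptions.

```python
"""Per-source features over multi-honeypot UDP logs: how many honeypots a
source reached, how tightly its first hits line up in time, and whether the
honeypots were reached in ascending IP order (the scanner pattern)."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample: (honeypot_ip, unix_ts, src_ip, dst_port)
RECORDS = [
    ("198.51.100.10", 1000.0, "203.0.113.5", 123),   # spoofed victim reaches
    ("198.51.100.20", 1000.2, "203.0.113.5", 123),   # all honeypots at once
    ("198.51.100.30", 1000.1, "203.0.113.5", 123),
    ("198.51.100.10", 1001.0, "203.0.113.5", 123),
    ("198.51.100.10", 2000.0, "192.0.2.77", 123),    # scanner walks the block
    ("198.51.100.20", 2030.0, "192.0.2.77", 123),    # in address order
    ("198.51.100.30", 2061.0, "192.0.2.77", 123),
]

def extract_features(records):
    """Return {src_ip: feature dict} computed from first-seen times."""
    first_seen = defaultdict(dict)   # src -> {honeypot: first timestamp}
    counts = defaultdict(int)
    for hp, ts, src, _port in records:
        counts[src] += 1
        first_seen[src][hp] = min(ts, first_seen[src].get(hp, ts))
    feats = {}
    for src, hits in first_seen.items():
        by_time = sorted(hits, key=hits.get)
        by_addr = sorted(hits, key=lambda h: int(ip_address(h)))
        feats[src] = {
            "honeypots": len(hits),
            "requests": counts[src],
            "first_hit_spread_s": max(hits.values()) - min(hits.values()),
            "sequential_by_ip": len(hits) > 1 and by_time == by_addr,
        }
    return feats

SYNC_WINDOW_S = 1.0   # assumed: first hits within 1 s count as synchronized

def label(f):
    """Heuristic label from the features; thresholds are assumptions."""
    if f["honeypots"] >= 2 and f["first_hit_spread_s"] <= SYNC_WINDOW_S:
        return "attack"
    if f["sequential_by_ip"]:
        return "scanner"
    return "unknown"
```

The feature dicts are what would be handed to an online clustering or classification step; the labels here only illustrate how the two patterns separate on the constructed sample.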
