metron-dev mailing list archives

From Egon Kidmose <kidm...@gmail.com>
Subject Re: ML features for Metron
Date Mon, 06 Jun 2016 07:03:43 GMT
Hi all,

I'd be interested in joining that discussion.

I'm a PhD student applying ML in the security monitoring domain.
It is my expectation that I'll be able to contribute with some event
correlation and alert filtering methods.
(Correlation: Finding events that are relevant to each other. Filtering:
Suppressing false alerts from e.g. IDSs, or picking out the relevant ones)
You'll see a PR as soon as I have something that is somewhat ready.

A particularly interesting issue (to me at least) is the possibility of
using a real, running SOC as the "label factory" for labelled data.
Getting real data with labels for supervised methods is one of the great
challenges, and I see quite some potential for Metron here.


Mvh. / BR
Egon Kidmose

On Sat, Jun 4, 2016 at 5:02 PM, Yazan Boshmaf <boshmaf@ece.ubc.ca> wrote:

> One use case of Apache Metron (or OpenSOC) is to analyze amplification DDoS
> attacks <https://www.internetsociety.org/sites/default/files/01_5.pdf>.
>
> With honeypots as information sources (e.g., AmpPot
> <http://www.christian-rossow.de/publications/amppot-raid2015.pdf>), you
> have the typical UDP/IP features (IP addresses, timestamps, protocols,
> ports, payload, etc.), which get enriched with reverse IP data,
> geolocation, etc. Some of these attributes can be used as features to
> identify and characterize types of reflection attacks (e.g., exploiting
> NTP, DNS resolvers, or even RIPv1). Also, it is important to distinguish
> attackers from scanners, using certain features like timestamp
> synchronization across honeypots, as scanners tend to go through IP blocks,
> one by one, as compared to actual attacks.
>
> These are some of the attributes one might consider for this use case. It
> would be nice to have something that does online learning and analytics, so
> clustering / classification is done in real-time. Maybe Apache Spark's
> MLlib?
>
> All the best,
> Yazan
>
> On Sat, Jun 4, 2016 at 4:59 PM, Zeolla@GMail.com <zeolla@gmail.com> wrote:
>
> > I'm in
> >
> > On Sat, Jun 4, 2016, 09:53 Yazan Boshmaf <boshmaf@ece.ubc.ca> wrote:
> >
> > > Me too.
> > >
> > > On Sat, Jun 4, 2016 at 9:43 AM, Franck Vervial <vervial@gmail.com>
> > wrote:
> > >
> > > > Hi,
> > > >
> > > > I am interested.
> > > >
> > > > regards
> > > > On Fri, 3 Jun 2016 at 3:43 PM, Debo Dutta (dedutta) <dedutta@cisco.com>
> > > > wrote:
> > > >
> > > > > Hi
> > > > >
> > > > > Wondering if anyone is interested in starting a discussion on what kind of
> > > > > machine learning based features would be good for Metron …. Would love to
> > > > > have the SOC users chime in on the dev list.
> > > > >
> > > > > The result of the discussion could lead to JIRA items.
> > > > >
> > > > > thx
> > > > > debo
> > > > >
> > > >
> > >
> > --
> >
> > Jon
> >
>
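The honeypot feature Yazan describes above (synchronized arrival across honeypots versus a slow, block-by-block sweep), as an added example that is not part of this thread and not Metron or AmpPot code: a small Python feature extractor over constructed AmpPot-style request records. The honeypot and source addresses, timestamps, and the thresholds are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed AmpPot-style request log: (honeypot_ip, source_ip, unix_time).
# In a reflection attack the source address is the spoofed victim, so the same
# address shows up at many honeypots almost simultaneously.
EVENTS = [
    ("198.51.100.12", "203.0.113.7", 1000.0),   # one address, four honeypots,
    ("198.51.100.10", "203.0.113.7", 1000.4),   # all within one second
    ("198.51.100.13", "203.0.113.7", 1000.6),
    ("198.51.100.11", "203.0.113.7", 1000.9),
    ("198.51.100.10", "192.0.2.50", 2000.0),    # walks the honeypot block in
    ("198.51.100.11", "192.0.2.50", 2063.0),    # address order, minutes apart
    ("198.51.100.12", "192.0.2.50", 2131.0),
    ("198.51.100.13", "192.0.2.50", 2190.0),
    ("198.51.100.10", "192.0.2.99", 3000.0),    # seen once: no evidence either way
]

def source_features(events):
    """Per source address: number of honeypots reached, spread in seconds between
    first contact at the earliest and latest honeypot, and whether the honeypots
    were reached in ascending address order (the block-by-block pattern)."""
    first_seen = defaultdict(dict)
    for hp, src, ts in events:
        if ts < first_seen[src].get(hp, float("inf")):
            first_seen[src][hp] = ts
    feats = {}
    for src, by_hp in first_seen.items():
        by_time = sorted(by_hp.items(), key=lambda kv: kv[1])
        addrs = [int(ip_address(hp)) for hp, _ in by_time]
        feats[src] = {
            "honeypots": len(by_hp),
            "spread_s": by_time[-1][1] - by_time[0][1],
            "sequential": len(addrs) > 1 and addrs == sorted(addrs),
        }
    return feats

def classify(f, min_honeypots=3, sync_window_s=2.0):
    """Label one source from its features. Thresholds are assumed values for the
    example, not figures from the thread; tune them on real honeypot data."""
    if f["honeypots"] < min_honeypots:
        return "insufficient"
    if f["spread_s"] <= sync_window_s:
        return "attack"        # synchronized across honeypots: reflection traffic
    if f["sequential"]:
        return "scanner"       # slow, address-ordered sweep
    return "unknown"
```

With real data the per-source features would be computed over a sliding window so the labels can feed an online learner rather than a fixed rule.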
