metron-dev mailing list archives

From Yazan Boshmaf <bosh...@ece.ubc.ca>
Subject Re: ML features for Metron
Date Sat, 04 Jun 2016 15:02:24 GMT
One use case of Apache Metron (or OpenSOC) is to analyze amplification DDoS
attacks <https://www.internetsociety.org/sites/default/files/01_5.pdf>.

With honeypots as information sources (e.g., AmpPot
<http://www.christian-rossow.de/publications/amppot-raid2015.pdf>), you
have the typical UDP/IP features (IP addresses, timestamps, protocols,
ports, payload, etc.), which get enriched with reverse IP data,
geolocation, etc. Some of these attributes can be used as features to
identify and characterize types of reflection attacks (e.g., exploiting
NTP, DNS resolvers, or even RIPv1). Also, it is important to distinguish
attackers from scanners, using certain features like timestamp
synchronization across honeypots, as scanners tend to go through IP blocks,
one by one, as compared to actual attacks.

These are some of the attributes one might consider for this use case. It
would be nice to have something that does online learning and analytics, so
clustering / classification is done in real-time. Maybe Apache Spark's
MLlib?

All the best,
Yazan

On Sat, Jun 4, 2016 at 4:59 PM, Zeolla@GMail.com <zeolla@gmail.com> wrote:

> I'm in
>
> On Sat, Jun 4, 2016, 09:53 Yazan Boshmaf <boshmaf@ece.ubc.ca> wrote:
>
> > Me too.
> >
> > > On Sat, Jun 4, 2016 at 9:43 AM, Franck Vervial <vervial@gmail.com> wrote:
> >
> > > hi,
> > >
> > > i am interested.
> > >
> > > regards
> > > On Fri, 3 Jun 2016 at 3:43 PM, Debo Dutta (dedutta) <dedutta@cisco.com> wrote:
> > >
> > > > Hi
> > > >
> > > > Wondering if anyone is interested in starting a discussion on what kind of machine learning based features would be good for Metron …. Would love to have the SOC users chime in on the dev list.
> > > >
> > > > The result of the discussion could lead to JIRA items.
> > > >
> > > > thx
> > > > debo
> > > >
> > >
> >
> --
>
> Jon
>
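As an added illustration of the attacker-versus-scanner features Yazan describes (example code written for this archive page, not Metron's or AmpPot's own), here is a small Python feature extractor over constructed honeypot records; the record layout, the synchronization window and the heuristic labels are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real honeypot data): each entry is
# (honeypot_id, honeypot_ip, timestamp_seconds, observed_src_ip, dst_port)
RECORDS = [
    # 198.51.100.7 reaches all three honeypots within 0.3 s on NTP (123),
    # several requests each: the honeypots are being used as reflectors and
    # the observed source is the spoofed victim
    ("hp1", "203.0.113.10", 1000.0, "198.51.100.7", 123),
    ("hp3", "203.0.113.30", 1000.1, "198.51.100.7", 123),
    ("hp2", "203.0.113.20", 1000.2, "198.51.100.7", 123),
    ("hp1", "203.0.113.10", 1000.4, "198.51.100.7", 123),
    ("hp2", "203.0.113.20", 1000.5, "198.51.100.7", 123),
    # 192.0.2.55 probes each honeypot once, in address order, a minute apart:
    # a scanner walking through the IP block
    ("hp1", "203.0.113.10", 2000.0, "192.0.2.55", 53),
    ("hp2", "203.0.113.20", 2060.0, "192.0.2.55", 53),
    ("hp3", "203.0.113.30", 2120.0, "192.0.2.55", 53),
]

SYNC_WINDOW = 2.0  # seconds; assumed threshold for "synchronized" first contact

def extract_features(records):
    """Per observed source IP: honeypots hit, spread of first-contact times
    across honeypots, whether honeypots were reached in ascending IP order,
    and the mean request count per honeypot."""
    first_seen = defaultdict(dict)                  # src -> hp_ip -> first ts
    counts = defaultdict(lambda: defaultdict(int))  # src -> hp_ip -> requests
    for _hp, hp_ip, ts, src, _port in records:
        counts[src][hp_ip] += 1
        first_seen[src][hp_ip] = min(ts, first_seen[src].get(hp_ip, ts))
    features = {}
    for src, seen in first_seen.items():
        ordered = sorted(seen, key=seen.get)        # honeypot IPs by first contact
        as_ints = [int(ipaddress.ip_address(ip)) for ip in ordered]
        features[src] = {
            "honeypots_hit": len(seen),
            "first_seen_spread": max(seen.values()) - min(seen.values()),
            "sequential_ips": all(a < b for a, b in zip(as_ints, as_ints[1:])),
            "mean_requests": sum(counts[src].values()) / len(seen),
        }
    return features

def classify(f):
    """Heuristic labels (an assumption of this example, not a trained model)."""
    if f["honeypots_hit"] >= 2 and f["first_seen_spread"] <= SYNC_WINDOW:
        return "reflection_attack"
    if f["honeypots_hit"] >= 2 and f["sequential_ips"] and f["mean_requests"] <= 1:
        return "scanner"
    return "unknown"

if __name__ == "__main__":
    for src, f in extract_features(RECORDS).items():
        print(src, classify(f), f)
```

The same per-source aggregation maps naturally onto a streaming window (e.g. in Spark), where the feature dictionary becomes the input vector for online clustering or classification.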
