Thanks Yazan ... these seem like great use cases. Online clustering/classification makes sense and Metron could leverage Spark....
On Sat, Jun 4, 2016 at 8:02 AM, Yazan Boshmaf <[email protected]> wrote:
> One use case of Apache Metron (or OpenSOC) is to analyze amplification DDoS attacks <https://www.internetsociety.org/sites/default/files/01_5.pdf>.
>
> With honeypots as information sources (e.g., AmpPot <http://www.christian-rossow.de/publications/amppot-raid2015.pdf>), you have the typical UDP/IP features (IP addresses, timestamps, protocols, ports, payload, etc.), which get enriched with reverse IP data, geolocation, etc. Some of these attributes can be used as features to identify and characterize types of reflection attacks (e.g., exploiting NTP, DNS resolvers, or even RIPv1). Also, it is important to distinguish attackers from scanners, using certain features like timestamp synchronization across honeypots, as scanners tend to go through IP blocks one by one, as compared to actual attacks.
>
> These are some of the attributes one might consider for this use case. It would be nice to have something that does online learning and analytics, so clustering / classification is done in real time. Maybe Apache Spark's MLlib?
>
> All the best,
> Yazan
>
> On Sat, Jun 4, 2016 at 4:59 PM, [email protected] <[email protected]> wrote:
>
> > I'm in
> >
> > On Sat, Jun 4, 2016, 09:53 Yazan Boshmaf <[email protected]> wrote:
> >
> > > Me too.
> > >
> > > On Sat, Jun 4, 2016 at 9:43 AM, Franck Vervial <[email protected]> wrote:
> > >
> > > > Hi,
> > > >
> > > > I am interested.
> > > >
> > > > Regards
> > > >
> > > > On Fri, 3 Jun 2016 at 3:43 PM, Debo Dutta (dedutta) <[email protected]> wrote:
> > > >
> > > > > Hi
> > > > >
> > > > > Wondering if anyone is interested in starting a discussion on what kind of machine learning based features would be good for Metron …. Would love to have the SOC users chime in on the dev list.
> > > > >
> > > > > The result of the discussion could lead to JIRA items.
> > > > >
> > > > > thx
> > > > > debo
> > > >
> > > > --
> > > > Jon
> > >
> > > --
-Debo~
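The scanner-versus-attacker distinction Yazan describes above (victim address spoofed towards many reflector honeypots at once, versus a scanner walking an IP block one address at a time) can be turned into per-source features fed to an online classifier. The following is an added example written for this page; it is not code from the thread, from Apache Metron, or from AmpPot. The record layout (ts, src_ip, honeypot, dst_port), the thresholds (2 s synchronization window, 3 honeypots, 0.8 monotonic fraction), the port-to-service table and the sample traffic are all constructed assumptions; addresses come from the RFC 5737 documentation ranges.

```python
"""Per-source features from honeypot UDP records, updated one record at a time.

Added example (not Metron/AmpPot code). Record fields and thresholds are
assumptions; sample_records() is constructed traffic, not captured data.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from ipaddress import ip_address

# Assumed mapping of reflector service ports to labels (illustrative only).
PROTO_BY_PORT = {53: "DNS", 123: "NTP", 520: "RIPv1", 1900: "SSDP"}


@dataclass
class SourceState:
    """Running state for one source address seen across the honeypot fleet."""
    first_seen: dict = field(default_factory=dict)            # honeypot -> first ts
    order: list = field(default_factory=list)                 # honeypots, first-contact order
    ports: dict = field(default_factory=lambda: defaultdict(int))
    count: int = 0
    t_min: float = float("inf")
    t_max: float = float("-inf")

    def add(self, rec):
        hp = rec["honeypot"]
        if hp not in self.first_seen:
            self.first_seen[hp] = rec["ts"]
            self.order.append(hp)
        self.ports[rec["dst_port"]] += 1
        self.count += 1
        self.t_min = min(self.t_min, rec["ts"])
        self.t_max = max(self.t_max, rec["ts"])

    def features(self):
        n_hp = len(self.first_seen)
        # Synchronization: how far apart the first contact with each honeypot is.
        sync_spread = (max(self.first_seen.values()) - min(self.first_seen.values())) if n_hp else 0.0
        # Block walking: fraction of first contacts that move to a higher honeypot address.
        ints = [int(ip_address(h)) for h in self.order]
        steps = list(zip(ints, ints[1:]))
        mono = sum(b > a for a, b in steps) / len(steps) if steps else 0.0
        port = max(self.ports, key=self.ports.get)
        dur = self.t_max - self.t_min
        return {"n_honeypots": n_hp, "sync_spread": sync_spread, "monotonic": mono,
                "rate": self.count / dur if dur > 0 else float(self.count),
                "service": PROTO_BY_PORT.get(port, f"udp/{port}")}


def classify(f, sync_window=2.0, min_honeypots=3, mono_min=0.8):
    """Rule-based labelling; a learned model would consume the same feature dict."""
    if f["n_honeypots"] >= min_honeypots and f["sync_spread"] <= sync_window:
        return "attack"      # spoofed victim hit many reflectors near-simultaneously
    if f["n_honeypots"] >= min_honeypots and f["monotonic"] >= mono_min:
        return "scanner"     # one source walking the block in address order
    return "unknown"


class OnlineClassifier:
    """Ingest records in arrival order; state is kept per source address only."""
    def __init__(self):
        self.state = defaultdict(SourceState)

    def ingest(self, rec):
        st = self.state[rec["src_ip"]]
        st.add(rec)
        return classify(st.features())

    def report(self):
        return {src: (classify(st.features()), st.features()) for src, st in self.state.items()}


def sample_records():
    """Constructed input: one spoofed NTP victim hitting four honeypots at once,
    one DNS scanner contacting the same honeypots 30 s apart in address order."""
    hps = ["198.51.100.10", "198.51.100.20", "198.51.100.30", "198.51.100.40"]
    recs = []
    for rnd in range(5):                       # 5 rounds of reflected requests
        for i, hp in enumerate(hps):
            recs.append({"ts": 1000.0 + rnd * 0.1 + i * 0.01, "src_ip": "203.0.113.7",
                         "honeypot": hp, "dst_port": 123})
    for i, hp in enumerate(hps):               # scanner walks the block slowly
        recs.append({"ts": 2000.0 + i * 30.0, "src_ip": "192.0.2.99",
                     "honeypot": hp, "dst_port": 53})
    return sorted(recs, key=lambda r: r["ts"])


if __name__ == "__main__":
    clf = OnlineClassifier()
    for r in sample_records():
        clf.ingest(r)
    for src, (label, feats) in clf.report().items():
        print(src, label, feats)
```

The state kept per source is a handful of counters and first-seen timestamps, so the same features can be computed in a Storm bolt or a Spark Streaming stage without reprocessing history; the fixed thresholds in `classify` are a stand-in for whatever clustering or classification model is trained on the feature dicts.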
