Apr 2, 2018

On possible representation structures for an anomaly-based Intrusion Detection System


1.   Given the IP address pairing (source + destination) and the port pairing (source + destination), it is possible to build up a picture of the different TCP sessions in a network communication.

2.   To represent one session, ideally just concatenating all the TCP packets flowing back and forth into one single long vector should be enough to characterize this communication.

3.   Since compressed information will lead to more efficient training, this information can be encoded to use fewer bits, and decoding will then be needed to extract the useful information.

4.   "Anomaly" can exist in many forms:   a rare IP address, a rare TCP session type, a rare occurrence of a TCP session with a huge number of TCP packets, a rare data packet size, etc.

5.   After representation comes the training:   which is the best optimization strategy to use?

https://arxiv.org/pdf/1609.04747.pdf
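As an added illustration of items 1, 2 and 4 (this is not code from the original post): group packets into TCP sessions by their endpoint pairing, turn each session into one signed-size vector, and score sessions by how rare their endpoints, service port and packet count are. The packet records are constructed, and the scoring weights are an assumption chosen for the example.

```python
from collections import Counter, defaultdict
import math

# Constructed sample packet records (not real traffic): (src_ip, src_port, dst_ip, dst_port, payload_bytes).
# The final 12 records are a one-way burst from a source address seen nowhere else.
PACKETS = [
    ("10.0.0.5", 51000, "10.0.0.9", 443, 200), ("10.0.0.9", 443, "10.0.0.5", 51000, 1400),
    ("10.0.0.5", 51000, "10.0.0.9", 443, 60),
    ("10.0.0.6", 51001, "10.0.0.9", 443, 180), ("10.0.0.9", 443, "10.0.0.6", 51001, 1300),
    ("10.0.0.7", 51002, "10.0.0.9", 443, 210), ("10.0.0.9", 443, "10.0.0.7", 51002, 1350),
    ("10.0.0.5", 51003, "10.0.0.9", 22, 64), ("10.0.0.9", 22, "10.0.0.5", 51003, 64),
] + [("198.51.100.77", 40000, "10.0.0.9", 443, 1460)] * 12

def session_key(src_ip, src_port, dst_ip, dst_port):
    """Item 1: order the two endpoints so both directions of a TCP session share one key."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (a, b) if a <= b else (b, a)

def build_sessions(packets):
    """Item 2: one vector per session, packet sizes in arrival order, the sign giving direction
    relative to the canonical endpoint order (+ first endpoint -> second, - the reverse)."""
    sessions = defaultdict(list)
    for src_ip, sp, dst_ip, dp, size in packets:
        key = session_key(src_ip, sp, dst_ip, dp)
        sessions[key].append(size if key[0] == (src_ip, sp) else -size)
    return sessions

def rarity_scores(sessions):
    """Item 4: rarity of endpoint IPs and service port (-log frequency) plus a z-score
    on packet count, so rare hosts and unusually long sessions rank highest (assumed weighting)."""
    n = len(sessions)
    ip_counts = Counter(ip for a, b in sessions for ip, _ in (a, b))
    port_counts = Counter(min(a[1], b[1]) for a, b in sessions)  # lower port taken as service port
    lengths = [len(v) for v in sessions.values()]
    mean = sum(lengths) / n
    std = math.sqrt(sum((x - mean) ** 2 for x in lengths) / n) or 1.0
    scores = {}
    for key, vec in sessions.items():
        (ip1, p1), (ip2, p2) = key
        ip_rarity = -math.log(min(ip_counts[ip1], ip_counts[ip2]) / n)
        port_rarity = -math.log(port_counts[min(p1, p2)] / n)
        length_z = abs(len(vec) - mean) / std
        scores[key] = ip_rarity + port_rarity + length_z
    return scores

def rank_sessions(packets):
    """Most anomalous session first; a detector would alert on the head of this list."""
    scores = rarity_scores(build_sessions(packets))
    return sorted(scores, key=scores.get, reverse=True)
```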

Yes. Stochastic gradient descent plus occasional random alternative directions of ascent/descent may find a new, shorter path.   But the present "Tensorflow" or "matrix" method of calculation hardcodes the nodes (the edges, which represent the paths connecting the nodes, are the matrix values themselves), and necessitates iterative computation.

Alternatively, 3 variations:

1:   Having MANY smaller "tensors" that get computed only as and when necessary, i.e., if the neural signal does not flow with a sufficient threshold value, no computation is needed.

2:   In the traditional flow, 1 node spreads to other nodes with a weighting that is calculated and is FIXED.   How about adding a random variation component, so that every time it fires, the spread to other neighbors is always random, but through some other measure of control it is always constrained to give the optimum values it has given earlier.  There is no guarantee, though, as every answer given is always different due to the random component.   This randomness may give rise to creative alternative neural pathways.



3.   Instead of having fixed pathways, it is everlastingly in search of new paths, by creating new pairs of "minute changes" or "minute variations".   I.e., just before the iterative SGD computation, new nodes with new pathways are identified and enumerated, the tensor is restructured/recomputed, and the iteration continues for a certain number of steps before triggering a search for new nodes or new pairings.

