-
Notifications
You must be signed in to change notification settings - Fork 8
Running ML
The ML component can be tested by running the ml_ops.sh script with the following syntax:
[soluser@node-04]$ ./ml_ops.sh YYYYMMDD <analysisname> <anomaly threshold> <max # results>
The anomaly threshold is used to determine which events are flagged as suspicious. Every event receives a probability estimated by the suspicious connects model and those events with probabilities below the anomaly threshold are returned as suspicious.
The max results parameter specifies the maximum number of results to return. If the number of events with probability scores below the anomaly threshold exceeds the maximum results limit, then the events with the least scores will be returned.
For example:
[soluser@node-04]$ ./ml_ops.sh 20150401 flow 1e-10 200
If the fourth argument is omitted, all results meeting the filter are returned:
[soluser@node-04]$ ./ml_ops.sh 20150401 dns 1e-12
To get the most suspicious results regardless of a threshold, use an anomaly threshold of 1:
[soluser@node-04]$ ./ml_ops.sh 20150401 proxy 1 1000
- Home
- [Overview of Open Network Insight](Overview of Open Network Insight)
- [Technical Overview](Technical Overview)
- [Planning Guide](Planning Guide)
- [Deployment Option 1: Pure Hadoop](Pure Hadoop)
- [Deployment Option 2: Hybrid Hadoop / Virtual](Hybrid Hadoop)
- [Deployment Guide](Deployment Guide)
- [Installation & Configuration Guides](Installation & Configuration Guides)
- Initial Configuration
- [Configure User Accounts](Configure User Accounts)
- [Edit Solution Configuration](Edit Solution Configuration).
- [Setup HDFS](Setup HDFS)
- Ingest Component
- Machine Learning
- [Install Prerequisites](Install ML Prerequisites).
- [Installation & Configuration Guide](Install and Configure ML)
- [Running ML](Running ML)
- Operational Analytics & User Interface
- Initial Configuration
- [User Guide](User Guide)
- Flows
- [Suspicious Connects – Analyst View](Suspicious Connects)
- [Threat Investigation – Analyst View](Threat Investigation)
- Storyboard
- [Ingest Summary – Analyst View](Ingest Summary)
- DNS
- [Suspicious DNS – Analyst View](Suspicious DNS)
- [Threat Investigation – Analyst View](DNS Threat Investigation)
- [Storyboard](DNS Storyboard)
- Proxy
- [Suspicious Proxy - Analyst View](Suspicious Proxy)
- [Threat Investigation - Analyst View](Proxy Threat Investigation)
- [Storyboard](Proxy Storyboard)
- Flows
- ONI Demo