data analysis machine learning bro and you
play

Data Analysis, Machine Learning, Bro and You! Together again like - PowerPoint PPT Presentation

Oct 18, 2023 •447 likes •705 views

Data Analysis, Machine Learning, Bro and You! Together again like never before... Presenter Brian Wylie Working at Kitware Inc. Background in Information Security and Vis Likes open source and mixed Corgis Whats the point of this talk?

  1. Data Analysis, Machine Learning, Bro and You! Together again like never before...

  2. Presenter Brian Wylie Working at Kitware Inc. Background in Information Security and Vis Likes open source and mixed Corgis

  3. What’s the point of this talk? Provide software classes and examples that make the path from Bro Network data to the popular data analysis and machine learning libraries easy . When you say easy , what do you mean? One line of code: Bro Log à Pandas DataFrame Pandas DataFrame with all the right types and timestamp as index

  4. What’s the intended audience? • People who like Python • Interested in Pandas, scikit-learn, Spark, Parquet • Hate seeing examples on Iris data or TF-IDF • Frustrated when trying to use your own data • Want easy examples using Bro!

  5. Are you going to show super scalable blah? • Presentation will talk about Pandas, Scikit-Learn • We also have classes/notebooks on: • Kafka • Parquet • Spark • We’ll show a some of this stuff… Please see tomorrow’s great Talk J 3:30 p.m. Spark and Bro: When Bro-Cut Won’t Cut It Eric Dull, Joseph Mosby, & Brian Sacash; Deloitte & Touche

  6. Talk Outline What is the best way to do data science on Bro Network data? ● Big Picture ● Software Bridges • Bro to Python • Bro to Pandas • Bro to Scikit-Learn ● Example: Anomaly Detection I’m not sure… Ahhh!!! ○ Bro DNS and HTTP logs ○ Categorical and Numeric Data ○ Clustering ○ Isolation Forests

  7. Security Data → Data Analysis and Machine Learning Data flow diagram of how Pandas and Scikit-Learn are used. ● DataFrame = Pandas ● Numpy array = Scikit-Learn JSON Agents Packets Logs Bro IDS DataFrame numpy array Stats Filtering Grouping Vis/Plots Clustering Anomaly Stats ML

  8. You guys haven't seen Talk Outline my rabbit have you? ● Big Picture ● Software Bridges (BAT) ○ Bro to Python ○ Bro to Pandas ○ Bro to Scikit-Learn ● Example: Anomaly Detection ○ Bro DNS and HTTP logs ○ Categorical and Numeric Data ○ Clustering ○ Isolation Forests

  9. What is BAT? A simple to use Python Module that makes getting Bro data into popular data Bro Analysis analysis and ML package super easy! Tools $ pip install bat https://github.com/Kitware/bat Who’s Kitware? ● ~130 people, offices around the world ● Developing and supporting open source software for 25 years ● New information security program ● Summer Internships available J

  10. You guys haven't seen Talk Outline my rabbit have you? ● Big Picture ● Software Bridges ○ Bro to Python ○ Bro to Pandas ○ Bro to Scikit-Learn ● Example: Anomaly Detection ○ Bro DNS and HTTP logs ○ Categorical and Numeric Data ○ Clustering ○ Isolation Forests

  11. Hello World from pprint import pprint from bat import bro_log_reader Step 1: $ pip install bat Step 2: Write a few lines of code # Run the bro reader on a given log file reader = bro_log_reader.BroLogReader('dhcp.log') Step 3: There is no step 3... for row in reader.readrows(): pprint(row) <<< Output >>> Output: Streaming (generator) of {'assigned_ip': '192.168.84.10', 'id.orig_h': '192.168.84.10', Python dictionaries with the 'id.orig_p': 68, proper type conversions. 'id.resp_h': '192.168.84.1', 'id.resp_p': 67, 'lease_time': datetime.timedelta(49710, 23000), 'mac': '00:20:18:eb:ca:54', 'trans_id': 495764278, 'ts': datetime.datetime(2012, 7, 20, 3, 14, 12, 219654), 'uid': 'CJsdG95nCNF1RXuN5'}

  12. What’s a Pandas? Talk Outline ● Big Picture ● Software Bridges ○ Bro to Python ○ Bro to Pandas ○ Pandas to Scikit-Learn ● Example: Anomaly Detection ○ Bro DNS and HTTP logs ○ Categorical and Numeric Data ○ Clustering ○ Isolation Forests

  13. Pandas DataFrames “Pandas is a Python package providing fast, flexible, and expressive data structures designed to make working with relational or labeled data both easy and intuitive. It aims to be the fundamental high-level building block for doing practical, real world data analysis in Python.” Demo: Bro To Pandas

  14. Scikit whatcha? Talk Outline ● Big Picture ● Software Bridges ○ Bro to Python ○ Python to Pandas ○ Pandas to Scikit-Learn ● Example: Anomaly Detection ○ Bro DNS and HTTP logs ○ Categorical and Numeric Data ○ Clustering ○ Isolation Forests

  15. Scikit-Learn “Scikit-learn is a free software machine learning library for the Python programming language. It features various classification, regression and clustering algorithms including support vector machines, random forests, gradient boosting, k-means and DBSCAN, and is designed to interoperate with the Python numerical and scientific libraries NumPy and SciPy.” ● We create numpy ndarrays with proper handling of both categorical and numeric types. Our DataFrameToMatrix class supports fit, fit_transform, and transform methods. ● Internal maps for categorical ‘one-hot’ encoding and numerical normalization means that serialization and train/evaluate use cases are supported. Demo: Bro To Scikit

  16. Talk Outline One fish is red.. You don’t need machine learning for that! ● Big Picture ● Software Bridges ○ Bro to Python ○ Python to Pandas ○ Pandas to Scikit-Learn ● Example: Anomaly Detection ○ Bro DNS and HTTP logs ○ Categorical and Numeric Data ○ Clustering ○ Isolation Forests

  17. Anomaly Detection Popular Mental Images Popular Misconception: It’s going to show me ‘bad’ stuff

  18. Anomaly Detection Just gets you to base camp... ~.01%: Possibly Malicious (Recommender System) ~1%: Interesting traffic (Organization + User Feedback) Interesting ~5%: Anomalous traffic (Anomaly Detection) Anomalous Base Camp ~95%: Normal network traffic that can Normal Network be filtered out early in the pipeline Traffic Raw Network Traffic 100%: All Traffic (unknown mix)

  19. Normal to Anomalous Anomaly Detection Bro IDS Output Anomalous DataFrame Normal Network Example: 1M HTTP Logs to Traffic Matrix Conversion 10k anomalous rows * Challenges: I-Forests ● Streaming Data Output: ● Data Volume Anomalous ● Categorical and Numerical Types ● 1-5% of data DNS/HTTP ● Efficient DataFrame/Matrix conversions ● Uncommon (by def) ● Good Base Camp * http://github.com/Kitware/bat/blob/master/notebooks/Anomaly_Detection.ipynb

  20. Isolation Forests: Anomaly Detection 4 Divisions (anomalous) 9 Divisions (not anomalous) https://github.com/Kitware/bat/blob/master/notebooks/Anomaly_Detection.ipynb

  21. Anomalous to Interesting Organization + User Feedback Anomalous Example: 10k rows clustered and DNS/HTTP organized for displayed to user * Interesting Organization and Anomalous Clustering Display and Challenges: Feedback* ● Streaming Data ● Organization and Clustering Interesting Output: ● Engaging the Human ● User Interface and Feedback* ● Fraction of 1%-5% ● Clustered/organized * Feedback will be used in the next phase of the pipeline ● Ready for Feedback* * http://github.com/Kitware/bat/blob/master/notebooks/Anomaly_Detection.ipynb

  22. Demo: Anomaly Detection https://github.com/Kitware/bat/blob/master/notebooks/Bro_to_Scikit.ipynb https://github.com/Kitware/bat/blob/master/notebooks/Anomaly_Detection.ipynb

  23. Demo: Bro to Kafka to Spark https://github.com/Kitware/bat/blob/master/notebooks/Bro_to_Kafka_to_Spark.ipynb

  24. Demo: Bro to Parquet to Spark https://github.com/Kitware/bat/blob/master/notebooks/Bro_to_Parquet_to_Spark.ipynb

  25. Questions/Comments?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Machine Learning Anders Holst SICS Big Data Analytics Analysis Big Data Big Value Big Data

Machine Learning Anders Holst SICS Big Data Analytics Analysis Big Data Big Value Big Data

Machine Learning Anders Holst SICS Big Data Analytics Analysis Big Data Big Value Big Data Analytics Analysis Big Data Big Value Real world Question Data Model Conclusion Machine Learning Use real data to train a model, which can

625 views • 27 slides
CMSC320 Introduction to Data One thing we might want to What data is available? What is the

CMSC320 Introduction to Data One thing we might want to What data is available? What is the

An Illustrative Analysis Business First Data Science in Society Abstracting the analysis Abstracting the analysis Data Science in Society: Data Journalism Data Science in Society: Machine Learning Data Science in Society: Machine Learning

921 views • 69 slides
Machine learning for CalabiYau manifolds Harold Erbin Asc , Lmu (Germany) Machine Learning

Machine learning for CalabiYau manifolds Harold Erbin Asc , Lmu (Germany) Machine Learning

Machine learning for CalabiYau manifolds Harold Erbin Asc , Lmu (Germany) Machine Learning Landscape, Ictp , Trieste 12th December 2018 1 / 35 Outline: 1. Motivations Motivations Machine learning CalabiYau 3-folds Data analysis ML

500 views • 46 slides
Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine

CS573 Data Privacy and Security Differential Privacy Machine Learning Li Xiong Big Data + Machine Learning + Machine Learning Under Adversarial Settings Data privacy/confidentiality attacks membership attacks, model inversion

3.44k views • 63 slides
Introduction to machine learning COMS 4721 Learning from data Machine learning : the study

Introduction to machine learning COMS 4721 Learning from data Machine learning : the study

Introduction to machine learning COMS 4721 Learning from data Machine learning : the study of computational mechanisms that learn from data in order to make predictions and decisions. Example 1: image classification A birdwatcher

932 views • 14 slides
An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning

An Exercise in An Exercise in Machine Learning Machine Learning http://www.cs.iastate.edu/~cs573x/bbsilab.html Machine Learning Software Preparing Data Building Classifiers Interpreting Results Machine Learning Software

496 views • 26 slides
Machine Learning Track Data Analytics, Machine Learning and HPC in todays changing

Machine Learning Track Data Analytics, Machine Learning and HPC in todays changing

Intel HPC Developer Convention Salt Lake City 2016 Machine Learning Track Data Analytics, Machine Learning and HPC in todays changing application environment Franz J. Kirly (practical) An overview of data analytics DATA Scientific

550 views • 27 slides
Better Machine Learning Through Data Sa Saleema ema Amershi shi Machine T eaching Group

Better Machine Learning Through Data Sa Saleema ema Amershi shi Machine T eaching Group

Better Machine Learning Through Data Sa Saleema ema Amershi shi Machine T eaching Group Microsoft Research August 14, 2016 Making better sense of data. Better data makes better machine learning. Data + Algorithm = Model Data Algorithm

1.16k views • 81 slides
MACHINE LEARNING Kernel Canonical Correlation Analysis 1 ADVANCED MACHINE LEARNING ADVANCED

MACHINE LEARNING Kernel Canonical Correlation Analysis 1 ADVANCED MACHINE LEARNING ADVANCED

ADVANCED MACHINE LEARNING ADVANCED MACHINE LEARNING MACHINE LEARNING Kernel Canonical Correlation Analysis 1 ADVANCED MACHINE LEARNING ADVANCED MACHINE LEARNING Structure of todays and next weeks class 1) Briefly go through one

613 views • 28 slides
Machine Learning Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019 Data Analysis What kind

Machine Learning Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019 Data Analysis What kind

Data Summarization and Machine Learning Kelly Rivers and Stephanie Rosenthal 15-110 Fall 2019 Data Analysis What kind of analysis is best for your application? Counting how many times does something happen? Probabilities how

853 views • 58 slides
x ? Machine Learning 5/4/20 Tim Althoff, UW CS547: Machine Learning for Big Data,

x ? Machine Learning 5/4/20 Tim Althoff, UW CS547: Machine Learning for Big Data,

? ? x ? Machine Learning 5/4/20 Tim Althoff, UW CS547: Machine Learning for Big Data, http://www.cs.washington.edu/cse547 2 ? ? ? ? Machine Learning ? Node classification 5/4/20 Tim Althoff, UW CS547: Machine Learning for Big Data,

755 views • 53 slides
Machine learning for machine data David Andrzejewski - @davidandrzej

Machine learning for machine data David Andrzejewski - @davidandrzej

Machine learning for machine data David Andrzejewski - @davidandrzej Data Sciences, Sumo Logic Strata Conference Machine Data Track February 13, 2014 1

1.1k views • 72 slides
ONLINE MACHINE LEARNING AND DATA MINING EDO LIBERTY STANDARD MACHINE LEARNING SETTING =

ONLINE MACHINE LEARNING AND DATA MINING EDO LIBERTY STANDARD MACHINE LEARNING SETTING =

ONLINE MACHINE LEARNING AND DATA MINING EDO LIBERTY STANDARD MACHINE LEARNING SETTING = call = ? = crawl Training Test Data Data Train call Apply Model Label 2 STANDARD MACHINE LEARNING SETTING Predicting the future

746 views • 51 slides
Machine Learning and Econometrics Hal Varian Jan 2014 Definitions Machine learning, data

Machine Learning and Econometrics Hal Varian Jan 2014 Definitions Machine learning, data

Machine Learning and Econometrics Hal Varian Jan 2014 Definitions Machine learning, data mining, predictive analytics, etc. all use data to predict some variable as a function of other variables. May or may not care about insight,

609 views • 44 slides
Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is

Machine Learning for Malware Analysis Andrew Davis Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Viruses - Adware/Spyware - Backdoors -

904 views • 30 slides
Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is

Machine Learning for Malware Analysis Mike Slawinski Data Scientist Introduction - What is Malware? - Software intended to cause harm or inflict damage on computer systems - Many different kinds: - Adware/Spyware - Backdoors - Viruses

383 views • 26 slides
Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer

Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer

Outside the Closed World: On Finding Intrusions with Anomaly Detection Robin Sommer International Computer Science Institute, &amp; Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org Advanced Topics in Computer

1.35k views • 99 slides
STAD-HD: Spatial Temporal Anomaly Detection for Heterogeneous Data through Visual Analytics

STAD-HD: Spatial Temporal Anomaly Detection for Heterogeneous Data through Visual Analytics

STAD-HD: Spatial Temporal Anomaly Detection for Heterogeneous Data through Visual Analytics Solution for 2016 VAST Challenge MC2 &amp; MC3 Yu Zhang 1 , Guozheng Li 1 , Chufan Lai 1 , Qiangqiang Liu 1 , Shuai Chen 1 , Lu Feng 1 , Tangzhi Ye 1 ,

430 views • 29 slides
40 years of the Weyl anomaly M. J. Duff Physics Department Imperial College London CFT Beyond

40 years of the Weyl anomaly M. J. Duff Physics Department Imperial College London CFT Beyond

40 years of the Weyl anomaly M. J. Duff Physics Department Imperial College London CFT Beyond Two Dimensions Texas A&amp;M March 2012 1 / 50 Abstract Classically, Weyl invariance S ( g , ) = S ( g , ) under = ( x )

881 views • 50 slides
The Location and Evolution of the South Atlantic Anomaly as Observed by SOLSTICE Laura

The Location and Evolution of the South Atlantic Anomaly as Observed by SOLSTICE Laura

The Location and Evolution of the South Atlantic Anomaly as Observed by SOLSTICE Laura OConnor (University of Michigan) Mentor: Marty Snow (Laboratory for Atmospheric and Space Physics) Outline Background information Description of

421 views • 30 slides
A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four

A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four

A New SU(2) Anomaly Edward Witten PCTS, October 3, 2018 A familiar anomaly says that in four spacetime dimensions, an SU(2) gauge theory with a single multiplet of fermions that transform under SU(2) in the spin 1/2 representation is

820 views • 43 slides
Massless Scalar &amp; Scalar Condensate from the Quantum Conformal Anomaly E. Mottola, Los Alamos

Massless Scalar &amp; Scalar Condensate from the Quantum Conformal Anomaly E. Mottola, Los Alamos

Massless Scalar &amp; Scalar Condensate from the Quantum Conformal Anomaly E. Mottola, Los Alamos w. D. Blaschke, R. Caballo-Rubio, JHEP 1412 (2014) 153 w. R. Vaulin, Phys. Rev. D 74, 064004 (2006) w. I. Antoniadis &amp; P. O. Mazur, N. Jour.

520 views • 23 slides
Role Inference + Anomaly Detection = Situational Awareness in BACnet networks D. Fauri , M.

Role Inference + Anomaly Detection = Situational Awareness in BACnet networks D. Fauri , M.

Role Inference + Anomaly Detection = Situational Awareness in BACnet networks D. Fauri , M. Kapsalakis, D. R. dos Santos, E.Costante, J. den Hartog, S. Etalle Gothenburg, Sweden DIMVA 2019 - 16th Conference on Detection of Intrusions and

837 views • 15 slides
Z Explanations of Neutral Current B Anomalies by Ben Allanach (University of Cambridge)

Z Explanations of Neutral Current B Anomalies by Ben Allanach (University of Cambridge)

Z Explanations of Neutral Current B Anomalies by Ben Allanach (University of Cambridge) Can we directly discover particles from explanations? Third Family Hypercharge Model General SM U (1) model BCA, Gripaios, You,

990 views • 75 slides

More recommend