PoseidonML is the Machine Learning portion of our (Poseidon) project that attempts to answer two questions:
- what type of device is in this packet capture (pcap)?
- is it behaving in an expected way?
This repo is for the ML portion of the project, which can also be used in a "standalone" mode from the CLI. For more background and context on the macro project, please check out the Poseidon project page on our website. This repo specifically covers the algorithms and models we deployed in our project.
While this repository and resulting docker container can be used completely independently, the code was written to support the Cyber Reboot Vent and Poseidon projects. See:
This repository contains the components necessary to build a Docker container that can be used for training a number of ML models using network packet captures (pcaps). The repository includes the scripts necessary to do the training as well as the evaluation once a model has been trained. These can be run from a shell once `poseidonml` is installed as a package, or run in a Docker container using the `networkml` script.
Additional algorithms and models will be added here as we delve more deeply into network security profiles via machine learning models. Feel free to use, discuss, and contribute!
The algorithms (i.e., untrained models) currently available are the OneLayer feedforward technique (the default), the RandomForest technique as an alternative classifier, and the SoS technique, which is used for detecting abnormal behavior.
For more information, check out the respective README file included within the `networkml/algorithms` folder.
Our models can be executed via Vent, Docker, and in a standalone manner on a Linux host. We recommend deployment via Vent in conjunction with Poseidon if you are running an SDN (software-defined network). Otherwise, we recommend using Docker.
See the README file included in the `networkml/algorithms` folder for specific instructions on deployment.
This package is set up for anaconda/miniconda to be used for package and environment management. Assuming you have the latest install (as of this writing, we have been using conda 4.5.12), set up the environment by performing the following:
- Ensure that the `CONDA_EXE` environment variable has been set. If `echo $CONDA_EXE` returns empty, resolve this by running `export CONDA_EXE=$_CONDA_EXE` in your bash shell.
- Run `make dev` to set up the environment.
- Run `conda activate posml-dev` to begin.
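The `CONDA_EXE` check above is easy to get wrong in a non-interactive shell (CI job, Dockerfile `RUN` step), where the variable is often unset and `make dev` then fails part-way through. The following helper is an added example, not code from the networkml repository: it resolves `CONDA_EXE` using the `_CONDA_EXE` fallback the instructions describe, and additionally falls back to whatever `conda` is on `PATH` (that last step is an assumption of this example, not something the README states). `setup_dev_env` is a hypothetical wrapper that only runs `make dev` once the variable is known to be set.

```shell
#!/usr/bin/env bash
# Added example (not part of the networkml project). Resolves CONDA_EXE before
# the environment is built, so a missing variable fails loudly and early
# instead of half-way through `make dev`.

# Print the path to the conda executable, trying in order:
#   1. CONDA_EXE      (already set; nothing to do)
#   2. _CONDA_EXE     (the fallback the README recommends)
#   3. `conda` on PATH (assumption of this example, not from the README)
# Returns non-zero if none of them yields a value.
resolve_conda_exe() {
  if [ -n "${CONDA_EXE:-}" ]; then
    printf '%s\n' "$CONDA_EXE"
    return 0
  fi
  if [ -n "${_CONDA_EXE:-}" ]; then
    printf '%s\n' "$_CONDA_EXE"
    return 0
  fi
  if command -v conda >/dev/null 2>&1; then
    command -v conda
    return 0
  fi
  return 1
}

# Hypothetical wrapper: export a resolved CONDA_EXE, then build the posml-dev
# environment. Not invoked here so the file can be sourced without side effects.
setup_dev_env() {
  CONDA_EXE="$(resolve_conda_exe)" || {
    echo "CONDA_EXE is unset and no conda executable could be found; install conda first" >&2
    return 1
  }
  export CONDA_EXE
  echo "Using conda at: $CONDA_EXE"
  make dev
}
```

Source the file and call `setup_dev_env` from the repository root; afterwards `conda activate posml-dev` works exactly as in the steps above.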
You can remove the dev environment via standard conda commands:
- Run `conda deactivate`
- Run `conda env remove -y -n posml-dev`
For more information about using conda, please refer to their user documentation.