Poseidon: Machine Learning
PoseidonML is the Machine Learning portion of our (Poseidon) project that attempts to answer two questions:
- what type of device is in this packet capture (pcap)?
- is it behaving in an expected way?
This repo is for the ML portion of the project, which can also be used in a "standalone" mode from the CLI. For more background and context on the macro project, please check outthe Poseidon project page on our website. This repo specifically covers the algorithms and models we deployed in our project.
While this repository and resulting docker container can be used completely independently, the code was written to support the Cyber Reboot Vent and Poseidon projects. See:
This repository contains the components necessary to build a docker container that can be used for training a number of ML models using network packet captures (pcaps). The repository includes scripts necessary to do the training (e.g. "train_OneLayer.py") as well as doing the evaluation once a model has been trained (e.g. "eval_OneLayer.py") These can be run from a shell.
Additional algorithms and models will be added here as we delve more deeply into network security profiles via machine learning models. Feel free to use, discuss, and contribute!
The plugin (i.e., model) we currently have available is DeviceClassifier, which utilizes the OneLayer feedforward technique by default, but the RandomForest technique used in our Poseidon project is also included.
For more information, check out the respective README file included within each plugin's folder.
Our models can be executed via Vent, Docker, and in a standalone manner on a Linux host. We recommend deployment via Vent in conjunction with Poseidon if you are running an SDN (software-defined network). Otherwise, we recommend using Docker.
See the README file included in the plugin's folder for specific instructions on deployment.