-
Notifications
You must be signed in to change notification settings - Fork 46
Running ML
The ML component can be tested by running the ml_ops.sh script with the following syntax:
[soluser@node-04]$ ./ml_ops.sh YYYYMMDD <analysisname> <anomaly threshold> <max # results>
The anomaly threshold is used to determine which events are flagged as suspicious. Every event receives a probability estimated by the suspicious connects model and those events with probabilities below the anomaly threshold are returned as suspicious.
The max results parameter specifies the maximum number of results to return. If the number of events with probability scores below the anomaly threshold exceeds the maximum results limit, then the events with the least scores will be returned.
For example:
[soluser@node-04]$ ./ml_ops.sh 20150401 flow 1e-10 200
If the fourth argument is omitted, all results meeting the filter are returned:
[soluser@node-04]$ ./ml_ops.sh 20150401 dns 1e-12
To get the most suspicious results regardless of a threshold, use an anomaly threshold of 1:
[soluser@node-04]$ ./ml_ops.sh 20150401 proxy 1 1000