Running ML

elopezsa edited this page Sep 21, 2016 · 1 revision

The ML component can be tested by running the script with the following syntax:

[soluser@node-04]$ ./ YYYYMMDD <analysisname> <anomaly threshold> <max # results>

The anomaly threshold is used to determine which events are flagged as suspicious. Every event receives a probability estimated by the suspicious connects model and those events with probabilities below the anomaly threshold are returned as suspicious.

The max results parameter specifies the maximum number of results to return. If the number of events with probability scores below the anomaly threshold exceeds the maximum results limit, then only the events with the lowest scores (the most anomalous ones) are returned.

For example:

[soluser@node-04]$ ./ 20150401 flow 1e-10 200

If the fourth argument is omitted, all results meeting the filter are returned:

[soluser@node-04]$ ./ 20150401 dns 1e-12

To get the most suspicious results regardless of a threshold, use an anomaly threshold of 1:

[soluser@node-04]$ ./ 20150401 proxy 1 1000
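The selection rule the three invocations above describe (filter by threshold, then keep the lowest-scoring events up to the optional limit), written out as an added Python illustration. This is not the project's own code, and the event list and its probability scores are constructed for the example.

```python
from typing import List, Optional, Sequence, Tuple

# (event description, probability assigned by the suspicious-connects model)
Event = Tuple[str, float]

# Constructed sample scores for one day of flow events.
SAMPLE_FLOW_EVENTS: List[Event] = [
    ("10.0.0.5 -> 10.0.0.9:22", 3e-11),
    ("10.0.0.7 -> 198.51.100.4:443", 0.42),
    ("10.0.0.2 -> 10.0.0.9:53", 7e-13),
    ("10.0.0.8 -> 203.0.113.7:8080", 5e-9),
    ("10.0.0.3 -> 10.0.0.9:80", 2e-10),
]


def select_suspicious(events: Sequence[Event], threshold: float,
                      max_results: Optional[int] = None) -> List[Event]:
    """Return the events flagged as suspicious, most anomalous first.

    An event is flagged when its probability is strictly below `threshold`.
    When `max_results` is given and more events are flagged, only the
    `max_results` lowest-scoring events are kept. A threshold of 1 flags
    every event, so the result is simply the `max_results` most suspicious
    events of the day regardless of score.
    """
    if not 0 < threshold <= 1:
        raise ValueError("anomaly threshold must be in the range (0, 1]")
    if max_results is not None and max_results < 1:
        raise ValueError("max results must be a positive integer")
    # Lowest probability first, so truncation keeps the most anomalous events.
    flagged = sorted((e for e in events if e[1] < threshold), key=lambda e: e[1])
    return flagged if max_results is None else flagged[:max_results]


if __name__ == "__main__":
    # Mirrors the three command lines on this page, using the constructed scores.
    for threshold, limit in ((1e-10, 200), (1e-12, None), (1, 1000)):
        hits = select_suspicious(SAMPLE_FLOW_EVENTS, threshold, limit)
        print(f"threshold={threshold} max={limit}: {len(hits)} event(s)")
        for desc, prob in hits:
            print(f"  {prob:.1e}  {desc}")
```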