The ML component can be tested by running the ml_ops.sh script with the following syntax:
```
[soluser@node-04]$ ./ml_ops.sh YYYYMMDD <analysisname> <anomaly threshold> <max # results>
```
The anomaly threshold determines which events are flagged as suspicious. Every event receives a probability estimated by the suspicious connects model, and the events whose probability falls below the anomaly threshold are returned as suspicious.
The max results parameter specifies the maximum number of results to return. If the number of events with probability scores below the anomaly threshold exceeds this limit, only the events with the lowest scores (the most anomalous ones) are returned. For example:
```
[soluser@node-04]$ ./ml_ops.sh 20150401 flow 1e-10 200
```
If the fourth argument is omitted, all results meeting the filter are returned:
```
[soluser@node-04]$ ./ml_ops.sh 20150401 dns 1e-12
```
To get the most suspicious results regardless of a threshold, use an anomaly threshold of 1:
```
[soluser@node-04]$ ./ml_ops.sh 20150401 proxy 1 1000
```
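The selection rules above (threshold filter, lowest-score ordering, optional cap, and threshold 1 as "top N regardless of score") as a small Python model, added here for illustration; it is not the project's own code and does not run the ML pipeline. The sample scores, the strict "below threshold" comparison, and the assumption that `flow`, `dns` and `proxy` are the accepted analysis names are mine, not taken from the script.

```python
"""Added example (not ml_ops.sh itself): models how the anomaly threshold and
max-results arguments select events, so an analyst can sanity-check a run."""
from datetime import datetime

# Constructed sample output: (event label, probability from the suspicious
# connects model). Lower probability means more anomalous. IPs are from the
# RFC 5737 documentation ranges.
SAMPLE_EVENTS = [
    ("10.0.0.5 -> 203.0.113.9:4444", 2e-13),
    ("10.0.0.7 -> 198.51.100.2:443", 0.41),
    ("10.0.0.9 -> 192.0.2.77:8080", 5e-11),
    ("10.0.0.5 -> 203.0.113.10:22", 9e-12),
    ("10.0.0.3 -> 198.51.100.8:80", 0.97),
]

# Assumption: the three analysis names shown in the usage examples.
ANALYSES = ("flow", "dns", "proxy")


def parse_ml_ops_args(argv):
    """Mirror the positional syntax: YYYYMMDD <analysis> <threshold> [<max>].
    Returns a dict of validated values or raises ValueError."""
    if len(argv) not in (3, 4):
        raise ValueError("usage: YYYYMMDD <analysisname> <threshold> [<max>]")
    day = datetime.strptime(argv[0], "%Y%m%d").date()  # rejects bad dates
    if argv[1] not in ANALYSES:
        raise ValueError("analysis must be one of %s" % (ANALYSES,))
    threshold = float(argv[2])
    if not 0 <= threshold <= 1:
        raise ValueError("anomaly threshold must be a probability in [0, 1]")
    max_results = int(argv[3]) if len(argv) == 4 else None
    if max_results is not None and max_results < 1:
        raise ValueError("max results must be a positive integer")
    return {"date": day, "analysis": argv[1], "threshold": threshold,
            "max_results": max_results}


def select_suspicious(events, threshold, max_results=None):
    """Keep events whose probability is strictly below `threshold`, ordered
    from lowest probability (most suspicious) upward, then cap the list at
    `max_results` when one is given. With threshold 1 every event passes the
    filter (model probabilities never reach exactly 1), so the cap alone
    decides how many of the most suspicious events come back."""
    flagged = [e for e in events if e[1] < threshold]
    flagged.sort(key=lambda e: e[1])  # least probable first
    return flagged if max_results is None else flagged[:max_results]


if __name__ == "__main__":
    args = parse_ml_ops_args(["20150401", "flow", "1e-10", "200"])
    for label, p in select_suspicious(SAMPLE_EVENTS, args["threshold"],
                                      args["max_results"]):
        print("%-32s %.3g" % (label, p))
```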