# VAE (variational autoencoder) outlier detector deployment

Wrap a keras VAE python model for use as a prediction microservice in seldon-core and deploy on seldon-core running on minikube

## Dependencies

- [helm](https://github.com/helm/helm)
- [minikube](https://github.com/kubernetes/minikube) --> install 0.25.2
- [s2i](https://github.com/openshift/source-to-image)

python packages:
- keras: pip install keras
- tensorflow: https://www.tensorflow.org/install/pip
- scikit-learn: pip install sklearn --> 0.20.1

## Task

The outlier detector needs to detect computer network intrusions using TCP dump data for a local-area network (LAN) simulating a typical U.S. Air Force LAN. A connection is a sequence of TCP packets starting and ending at some well defined times, between which data flows to and from a source IP address to a target IP address under some well defined protocol. Each connection is labeled as either normal, or as an attack. 

There are 4 types of attacks in the dataset:
- DOS: denial-of-service, e.g. syn flood;
- R2L: unauthorized access from a remote machine, e.g. guessing password;
- U2R:  unauthorized access to local superuser (root) privileges;
- probing: surveillance and other probing, e.g., port scanning.
    
The dataset contains about 5 million connection records.

There are 3 types of features:
- basic features of individual connections, e.g. duration of connection
- content features within a connection, e.g. number of failed log in attempts
- traffic features within a 2 second window, e.g. number of connections to the same host as the current connection

The outlier detector is only using the continuous (18 out of 41) features.

## Train locally

Train on small dataset of normal traffic.

In [1]:
!python train.py \
--dataset 'kddcup99' \
--samples 50000 \
--hidden_layers 1 \
--latent_dim 2 \
--hidden_dim 9 \
--epochs 10 \
--batch_size 32 \
--print_progress \
--save_path './models/'

Using TensorFlow backend.

Load dataset

Generate training batch

Initiate outlier detector model
_________________________________________________________________
Layer (type)                 Output Shape              Param #   
encoder_input (InputLayer)   (None, 18)                0         
_________________________________________________________________
encoder (Model)              [(None, 2), (None, 2), (N 211       
_________________________________________________________________
decoder (Model)              (None, 18)                207       
Total params: 418
Trainable params: 418
Non-trainable params: 0
_________________________________________________________________

Train outlier detector
Train on 50000 samples, validate on 50000 samples
Epoch 1/10
2018-11-29 15:33:46.085934: I tensorflow/core/platform/cpu_feature_guard.cc:141] Your CPU supports instructions that this TensorFlow binary was not compiled to use: AVX2 FMA
Epoch 2/10
Epoch 3/10
Epoch 4/10
Epoch 5/10
Epoch 6

## Test using Kubernetes cluster on GCP or Minikube

Pick Kubernetes cluster on GCP or Minikube.

In [2]:
minikube = False

In [3]:
if minikube:
    !minikube start --memory 4096 --feature-gates=CustomResourceValidation=true \
    --extra-config=apiserver.Authorization.Mode=RBAC
else:
    !gcloud container clusters get-credentials standard-cluster-1 --zone europe-west1-b --project seldon-demos

Fetching cluster endpoint and auth data.
kubeconfig entry generated for standard-cluster-1.


Create a cluster-wide cluster-admin role assigned to a service account named “default” in the namespace “kube-system”.

In [4]:
!kubectl create clusterrolebinding kube-system-cluster-admin --clusterrole=cluster-admin \
--serviceaccount=kube-system:default

clusterrolebinding.rbac.authorization.k8s.io/kube-system-cluster-admin created


In [5]:
!kubectl create namespace seldon

namespace/seldon created


Add current context details to the configuration file in the seldon namespace.

In [6]:
!kubectl config set-context $(kubectl config current-context) --namespace=seldon

Context "gke_seldon-demos_europe-west1-b_standard-cluster-1" modified.


Create tiller service account and give it a cluster-wide cluster-admin role.

In [7]:
!kubectl -n kube-system create sa tiller
!kubectl create clusterrolebinding tiller --clusterrole cluster-admin --serviceaccount=kube-system:tiller
!helm init --service-account tiller

serviceaccount/tiller created
clusterrolebinding.rbac.authorization.k8s.io/tiller created
$HELM_HOME has been configured at /home/arnaud/.helm.

Tiller (the Helm server-side component) has been installed into your Kubernetes Cluster.
Happy Helming!


Check deployment rollout status and deploy seldon/spartakus helm charts.

In [8]:
!kubectl rollout status deploy/tiller-deploy -n kube-system

Waiting for deployment "tiller-deploy" rollout to finish: 0 of 1 updated replicas are available...
deployment "tiller-deploy" successfully rolled out


In [9]:
!helm install ../../../helm-charts/seldon-core-crd --name seldon-core-crd \
    --set usage_metrics.enabled=true

NAME:   seldon-core-crd
LAST DEPLOYED: Thu Nov 29 15:38:46 2018
NAMESPACE: seldon
STATUS: DEPLOYED

RESOURCES:
==> v1/ServiceAccount
NAME                        SECRETS  AGE
seldon-spartakus-volunteer  1        0s

==> v1beta1/ClusterRole
NAME                        AGE
seldon-spartakus-volunteer  0s

==> v1beta1/ClusterRoleBinding
NAME                        AGE
seldon-spartakus-volunteer  0s

==> v1/ConfigMap
NAME                     DATA  AGE
seldon-spartakus-config  3     1s

==> v1beta1/Deployment
NAME                        DESIRED  CURRENT  UP-TO-DATE  AVAILABLE  AGE
seldon-spartakus-volunteer  1        0        0           0          1s

==> v1beta1/CustomResourceDefinition
NAME                                         KIND
seldondeployments.machinelearning.seldon.io  CustomResourceDefinition.v1beta1.apiextensions.k8s.io


NOTES:
NOTES: TODO




In [10]:
!helm install ../../../helm-charts/seldon-core --name seldon-core \
        --namespace seldon \
        --set ambassador.enabled=true

NAME:   seldon-core
LAST DEPLOYED: Thu Nov 29 15:38:53 2018
NAMESPACE: seldon
STATUS: DEPLOYED

RESOURCES:
==> v1beta1/Role
NAME          AGE
seldon-local  1s
ambassador    1s

==> v1beta1/RoleBinding
NAME        AGE
ambassador  1s

==> v1/RoleBinding
NAME    KIND                                      SUBJECTS
seldon  RoleBinding.v1.rbac.authorization.k8s.io  1 item(s)

==> v1/Service
NAME                          CLUSTER-IP    EXTERNAL-IP  PORT(S)                        AGE
seldon-core-ambassador        10.7.254.141  <nodes>      80:32259/TCP,443:31042/TCP     1s
seldon-core-ambassador-admin  10.7.253.103  <nodes>      8877:30731/TCP                 1s
seldon-core-seldon-apiserver  10.7.255.107  <nodes>      8080:32055/TCP,5000:31847/TCP  1s
seldon-core-redis             10.7.243.130  <none>       6379/TCP                       1s

==> v1beta1/Deployment
NAME                                DESIRED  CURRENT  UP-TO-DATE  AVAILABLE  AGE
seldon-core-ambassador              1        1      

Check deployment rollout status for seldon core.

In [11]:
!kubectl rollout status deploy/seldon-core-seldon-cluster-manager -n seldon
!kubectl rollout status deploy/seldon-core-seldon-apiserver -n seldon

Waiting for deployment "seldon-core-seldon-cluster-manager" rollout to finish: 0 of 1 updated replicas are available...
deployment "seldon-core-seldon-cluster-manager" successfully rolled out
deployment "seldon-core-seldon-apiserver" successfully rolled out


If Minikube used: create docker image for outlier detector inside Minikube using s2i.

In [12]:
if minikube:
    !eval $(minikube docker-env) && s2i build . seldonio/seldon-core-s2i-python3:0.4-SNAPSHOT seldonio/outlier-vae:0.1

Install outlier detector helm charts and set "threshold" and reservoir_size" hyperparameter values.

In [13]:
!helm install ../../../helm-charts/seldon-outlier-detection \
    --set model.image.name=seldonio/outlier-vae:0.1 \
    --set model.threshold=10 \
    --set model.reservoir_size=50000 \
    --name outlier-detector --set oauth.key=oauth-key \
    --set oauth.secret=oauth-secret \
    --namespace=seldon

NAME:   outlier-detector
LAST DEPLOYED: Thu Nov 29 15:39:30 2018
NAMESPACE: seldon
STATUS: DEPLOYED

RESOURCES:
==> v1alpha2/SeldonDeployment
NAME              KIND
outlier-detector  SeldonDeployment.v1alpha2.machinelearning.seldon.io




## Port forward Ambassador

Run command in terminal:

```
kubectl port-forward $(kubectl get pods -n seldon -l service=ambassador -o jsonpath='{.items[0].metadata.name}') -n seldon 8003:8080
```

## Define requests and payload

In [14]:
import json
import requests

def get_payload(arr):
    features = ["srv_count","serror_rate","srv_serror_rate","rerror_rate","srv_rerror_rate","same_srv_rate",
             "diff_srv_rate","srv_diff_host_rate","dst_host_count","dst_host_srv_count","dst_host_same_srv_rate",
             "dst_host_diff_srv_rate","dst_host_same_src_port_rate","dst_host_srv_diff_host_rate",
             "dst_host_serror_rate","dst_host_srv_serror_rate","dst_host_rerror_rate","dst_host_srv_rerror_rate"]
    datadef = {"names":features,"ndarray":arr.tolist()}
    payload = {"meta":{},"data":datadef}
    return payload

In [15]:
def rest_request_ambassador(deploymentName,request,endpoint="localhost:8003"):
    response = requests.post(
                "http://"+endpoint+"/seldon/"+deploymentName+"/api/v0.1/predictions",
                json=request)
    print(response.status_code)
    print(response.text)
    return response.json()

In [16]:
def send_feedback_rest(deploymentName,request,response,reward,truth,endpoint="localhost:8003"):
    feedback = {
        "request": request,
        "response": response,
        "reward": reward,
        "truth": {"data":{"ndarray":truth.tolist()}}
    }
    ret = requests.post(
         "http://"+endpoint+"/seldon/"+deploymentName+"/api/v0.1/feedback",
        json=feedback)
    return

## Load and test network intrusion data

In [17]:
from utils import get_kdd_data, generate_batch

data = get_kdd_data() # load dataset
print(data.shape)

(4898431, 19)


Generate a random batch from the data

In [18]:
import numpy as np

samples = 1
fraction_outlier = 0.
X, labels = generate_batch(data,samples,fraction_outlier)
print(X.shape)
print(labels.shape)

(1, 18)
(1,)


Test the rest requests with the generated data

In [19]:
request = get_payload(X)

In [20]:
response = rest_request_ambassador("outlier-detector",request,endpoint="localhost:8003")

200
{
  "meta": {
    "puid": "ogokbjd1lb1o237smkktehul1e",
    "tags": {
    },
    "routing": {
    },
    "requestPath": {
      "outlier-vae": "seldonio/outlier-vae:0.1"
    },
    "metrics": [{
      "key": "is_outlier",
      "type": "GAUGE",
      "value": "NaN",
      "tags": {
      }
    }, {
      "key": "mse",
      "type": "GAUGE",
      "value": "NaN",
      "tags": {
      }
    }, {
      "key": "observation",
      "type": "GAUGE",
      "value": 0.0,
      "tags": {
      }
    }, {
      "key": "threshold",
      "type": "GAUGE",
      "value": 10.0,
      "tags": {
      }
    }, {
      "key": "label",
      "type": "GAUGE",
      "value": "NaN",
      "tags": {
      }
    }, {
      "key": "accuracy_tot",
      "type": "GAUGE",
      "value": "NaN",
      "tags": {
      }
    }, {
      "key": "precision_tot",
      "type": "GAUGE",
      "value": "NaN",
      "tags": {
      }
    }, {
      "key": "recall_tot",
      "type": "GAUGE",
      "value": "NaN",
    

In [21]:
send_feedback_rest("outlier-detector",request,response,0,labels,endpoint="localhost:8003")

## Analytics

Install the helm charts for prometheus and the grafana dashboard

In [22]:
!helm install ../../../helm-charts/seldon-core-analytics --name seldon-core-analytics \
    --set grafana_prom_admin_password=password \
    --set persistence.enabled=false \
    --namespace seldon

NAME:   seldon-core-analytics
LAST DEPLOYED: Thu Nov 29 15:43:28 2018
NAMESPACE: seldon
STATUS: DEPLOYED

RESOURCES:
==> v1/Secret
NAME                 TYPE    DATA  AGE
grafana-prom-secret  Opaque  1     1s

==> v1/ServiceAccount
NAME        SECRETS  AGE
prometheus  1        1s

==> v1beta1/ClusterRole
NAME        AGE
prometheus  1s

==> v1beta1/ClusterRoleBinding
NAME        AGE
prometheus  1s

==> v1beta1/Deployment
NAME                     DESIRED  CURRENT  UP-TO-DATE  AVAILABLE  AGE
alertmanager-deployment  1        1        1           0          1s
grafana-prom-deployment  1        1        1           0          1s
prometheus-deployment    1        1        1           0          1s

==> v1beta1/DaemonSet
NAME                      DESIRED  CURRENT  READY  UP-TO-DATE  AVAILABLE  NODE-SELECTOR  AGE
prometheus-node-exporter  1        1        0      1           0          <none>         1s

==> v1/ConfigMap
NAME                       DATA  AGE
alertmanager-server-conf   1     1s
g

## Port forward Grafana dashboard

Run command in terminal:

```
kubectl port-forward $(kubectl get pods -n seldon -l app=grafana-prom-server -o jsonpath='{.items[0].metadata.name}') -n seldon 3000:3000
```

You can then view an analytics dashboard inside the cluster at http://localhost:3000/dashboard/db/prediction-analytics?refresh=5s&orgId=1. Your IP address may be different. get it via minikube ip. Login with:

Username : admin

password : password (as set when starting seldon-core-analytics above)

Import the outlier-detector dashboard from ../../../helm-charts/seldon-core-analytics/files/grafana/configs.

## Run simulation

- Sample random network intrusion data with a certain outlier probability.
- Get payload for the observation.
- Make a prediction.
- Send the "true" label with the feedback.

View the progress on the grafana "Outlier Detection" dashboard.

In [34]:
import time
n_requests = 100
samples = 1
for i in range(n_requests):
    fraction_outlier = .1
    X, labels = generate_batch(data,samples,fraction_outlier)
    request = get_payload(X)
    response = rest_request_ambassador("outlier-detector",request,endpoint="localhost:8003")
    send_feedback_rest("outlier-detector",request,response,0,labels,endpoint="localhost:8003")
    #time.sleep(1)