Poseidon Machine Learning decisions and faucet.yaml configuration changes (Query)

Hey guys,

So I have got Poseidon up and running. I have two clients, with one using tcpreplay to replay a basic web browsing pcap that I recorded.

I changed the source and destination addresses of every packet in the pcap to match the source and destination addresses of my two clients, so the traffic would be sent through the switch rather than being dropped.

Whilst replaying the pcap (on loop, I have run it for over 30 minutes), Poseidon shows the following:

2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,184 - INFO - EndpointWrapper:140 - ====START
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,184 - INFO - EndpointWrapper:103 - *******KNOWN*********
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,184 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,184 - INFO - EndpointWrapper:103 - *******UNKNOWN*********
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,185 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,185 - INFO - EndpointWrapper:103 - *******MIRRORING*********
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,185 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,185 - INFO - EndpointWrapper:103 - *******SHUTDOWN*********
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,185 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,186 - INFO - EndpointWrapper:103 - *******REINVESTIGATING*********
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,186 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,186 - INFO - EndpointWrapper:144 - ****************
2018-06-25T11:55:24+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:24,186 - INFO - EndpointWrapper:145 - ====STOP
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,210 - INFO - EndpointWrapper:140 - ====START
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,210 - INFO - EndpointWrapper:103 - *******KNOWN*********
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,210 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,211 - INFO - EndpointWrapper:103 - *******UNKNOWN*********
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,211 - INFO - EndpointWrapper:131 - U:8f5f7c2f2b9b706ff239393cdaccf697f70a88f3:UNKNOWN->NONE:{'mac': 'b8:27:eb:1b:de:9d', 'ip': '192.168.1.11', 's': '123917682136133', 'p': '1', 'v': 'VLAN330'}
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,237 - INFO - EndpointWrapper:103 - *******MIRRORING*********
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,237 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,237 - INFO - EndpointWrapper:103 - *******SHUTDOWN*********
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,237 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,239 - INFO - EndpointWrapper:103 - *******REINVESTIGATING*********
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,239 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,239 - INFO - EndpointWrapper:144 - ****************
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,239 - INFO - EndpointWrapper:145 - ====STOP
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,192 - INFO - EndpointWrapper:140 - ====START
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,192 - INFO - EndpointWrapper:103 - *******KNOWN*********
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,193 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,193 - INFO - EndpointWrapper:103 - *******UNKNOWN*********
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,193 - INFO - EndpointWrapper:131 - U:8f5f7c2f2b9b706ff239393cdaccf697f70a88f3:UNKNOWN->MIRRORING:{'mac': 'b8:27:eb:1b:de:9d', 'ip': '192.168.1.11', 's': '123917682136133', 'p': '1', 'v': 'VLAN330'}
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,199 - INFO - EndpointWrapper:103 - *******MIRRORING*********
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,199 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,199 - INFO - EndpointWrapper:103 - *******SHUTDOWN*********
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,199 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,199 - INFO - EndpointWrapper:103 - *******REINVESTIGATING*********
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,199 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,199 - INFO - EndpointWrapper:144 - ****************
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,200 - INFO - EndpointWrapper:145 - ====STOP
2018-06-25T11:55:31+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:31,182 - INFO - EndpointWrapper:140 - ====START
2018-06-25T11:55:31+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:31,183 - INFO - EndpointWrapper:103 - *******KNOWN*********
2018-06-25T11:55:31+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:31,183 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:31+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:31,183 - INFO - EndpointWrapper:103 - *******UNKNOWN*********
2018-06-25T11:55:31+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:31,183 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:31+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:31,183 - INFO - EndpointWrapper:103 - *******MIRRORING*********
2018-06-25T11:55:31+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:31,184 - INFO - EndpointWrapper:131 - M:8f5f7c2f2b9b706ff239393cdaccf697f70a88f3:MIRRORING->NONE:{'mac': 'b8:27:eb:1b:de:9d', 'ip': '192.168.1.11', 's': '123917682136133', 'p': '1', 'v': 'VLAN330'}
2018-06-25T11:55:31+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:31,199 - INFO - EndpointWrapper:103 - *******SHUTDOWN*********

So as far as I am aware, the mirroring means it is sending the traffic to the Machine Learning containers to make decisions about it, whether it is normal or abnormal etc. The mirroring then stops and the whole process begins to repeat again a few minutes later.

From my understanding, once Poseidon makes decisions it should be changing the configuration in faucet.yaml; is that correct?

My faucet.yaml is the following:

dps:
  zodiac-fx-1:
    dp_id: 0x70b3d56cd445
    hardware: ZodiacFX
    proactive_learn: true
    interfaces:
      1:
        native_vlan: 100
        acl_in: mir2
      2:
        native_vlan: 100
        acl_in: mir1
      3:
        native_vlan: 100
vlans:
  100:
    name: FX
acls:
  mir1:
    - rule:
        actions:
          allow: 1
          mirror: 3
  mir2:
    - rule:
        actions:
          allow: 1
          mirror: 3

and I have also tried the following yaml shown in a cyberreboot video (in which Poseidon updates it to have a mirror port):

dps:
  zodiac-fx-1:
    dp_id: 0x70b3d56cd445
    hardware: ZodiacFX
    interfaces:
      1:
        native_vlan: closed
      2:
        native_vlan: closed
      3:
        native_vlan: 101
vlans:
  closed:
    vid: 330
  open:
    vid: 130

Neither of these yamls gets any configuration changes from Poseidon. What are the criteria for a change, and how could I provoke one? I want to look more into the Machine Learning side of Poseidon and understand how it is working: what sort of traffic would be determined as abnormal?

Also, I am only running this within the Poseidon application. Is there some basic Machine Learning implemented here, and is it learning from live traffic, or do I need to install PoseidonML first and do some training?

Thanks in advance
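One way to get a clearer picture of what the log above is saying is to pull out only the state-transition lines (the `EndpointWrapper:131` ones) and track each endpoint's history, rather than reading the START/STOP banners by eye. The script below is an added example, not Poseidon's own code; it assumes only the line shape visible in the posted log (a 40-hex-character endpoint hash, `OLD->NEW`, then a Python dict of attributes) and uses the transition lines from the issue as its constructed sample input. The single-letter prefix before the hash is captured but not interpreted.

```python
import ast
import re
from collections import defaultdict

# Constructed sample: the three transition lines from the issue's log, plus one
# non-transition "None" line to show that it is skipped by the parser.
SAMPLE_LOG = """\
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,210 - INFO - EndpointWrapper:135 - None
2018-06-25T11:55:29+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:29,211 - INFO - EndpointWrapper:131 - U:8f5f7c2f2b9b706ff239393cdaccf697f70a88f3:UNKNOWN->NONE:{'mac': 'b8:27:eb:1b:de:9d', 'ip': '192.168.1.11', 's': '123917682136133', 'p': '1', 'v': 'VLAN330'}
2018-06-25T11:55:30+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:30,193 - INFO - EndpointWrapper:131 - U:8f5f7c2f2b9b706ff239393cdaccf697f70a88f3:UNKNOWN->MIRRORING:{'mac': 'b8:27:eb:1b:de:9d', 'ip': '192.168.1.11', 's': '123917682136133', 'p': '1', 'v': 'VLAN330'}
2018-06-25T11:55:31+00:00 172.17.0.1 plugin[1503]: 2018-06-25 10:55:31,184 - INFO - EndpointWrapper:131 - M:8f5f7c2f2b9b706ff239393cdaccf697f70a88f3:MIRRORING->NONE:{'mac': 'b8:27:eb:1b:de:9d', 'ip': '192.168.1.11', 's': '123917682136133', 'p': '1', 'v': 'VLAN330'}
"""

# Assumed line shape, taken from the posted log: syslog prefix, then
# "<tag>:<40-hex endpoint hash>:<OLD>-><NEW>:<python dict of attributes>".
TRANSITION_RE = re.compile(
    r"^(?P<ts>\S+) \S+ plugin\[\d+\]: .*?EndpointWrapper:\d+ - "
    r"(?P<tag>[A-Z]):(?P<endpoint>[0-9a-f]{40}):"
    r"(?P<old>[A-Z]+)->(?P<new>[A-Z]+):(?P<attrs>\{.*\})$"
)


def parse_transitions(text):
    """Return one dict per state-transition line; every other line is skipped."""
    events = []
    for line in text.splitlines():
        m = TRANSITION_RE.match(line)
        if not m:
            continue
        # The attribute payload is a Python dict repr (single quotes), so
        # ast.literal_eval parses it without evaluating arbitrary code.
        attrs = ast.literal_eval(m.group("attrs"))
        events.append({
            "ts": m.group("ts"),
            "tag": m.group("tag"),
            "endpoint": m.group("endpoint"),
            "old": m.group("old"),
            "new": m.group("new"),
            "mac": attrs.get("mac"),
            "ip": attrs.get("ip"),
            "port": attrs.get("p"),
            "vlan": attrs.get("v"),
        })
    return events


def histories(events):
    """Group transitions per endpoint hash, preserving log order."""
    hist = defaultdict(list)
    for e in events:
        hist[e["endpoint"]].append((e["ts"], e["old"], e["new"]))
    return dict(hist)


def mirror_cycles(events):
    """Count completed mirror cycles (MIRRORING->NONE) per endpoint.

    An endpoint that keeps cycling UNKNOWN->MIRRORING->NONE was captured and
    released repeatedly: traffic reached the mirror port, but nothing moved
    the endpoint on to KNOWN.
    """
    cycles = defaultdict(int)
    for e in events:
        if e["old"] == "MIRRORING" and e["new"] == "NONE":
            cycles[e["endpoint"]] += 1
    return dict(cycles)


def never_classified(events):
    """Endpoints mirrored at least once that never transitioned to KNOWN."""
    mirrored = {e["endpoint"] for e in events if e["new"] == "MIRRORING"}
    known = {e["endpoint"] for e in events if e["new"] == "KNOWN"}
    return sorted(mirrored - known)


if __name__ == "__main__":
    evs = parse_transitions(SAMPLE_LOG)
    for ep, steps in histories(evs).items():
        print(ep[:12], [f"{old}->{new}" for _, old, new in steps])
    print("mirror cycles per endpoint:", mirror_cycles(evs))
    print("mirrored but never KNOWN:", never_classified(evs))
```

Run it against a longer capture of the same log (for example `journalctl` or the syslog file the plugin writes to) by replacing `SAMPLE_LOG` with the file contents; an endpoint with a growing `mirror_cycles` count and no `KNOWN` transition is exactly the "mirror, stop, repeat" loop described above, which is the condition to look at before expecting any faucet.yaml change.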

Issue Analytics

  • State: closed
  • Created 5 years ago
  • Comments: 22 (12 by maintainers)

Top GitHub Comments

1 reaction
j543453 commented, Jul 2, 2018

Thank you, that helps so much.

We will certainly look into the normal/abnormal part of the model and share any ideas we come up with once we get some initial training and role classification tested!

I am happy for this issue to be closed.

0 reactions
cglewis commented, Jun 29, 2018

@jaiken06 sure thing.

For a): correct, the role/category/class is the labels array in label_assignments.json and those should be distinct according to the type of traffic you would expect coming from the devices within that role/category/class. This could be a combination of device type and the end user behind it (or the lack thereof). For example an android phone and an apple phone might behave differently. Similarly, a windows workstation in the HR department versus a windows workstation in the engineering department might look very different from traffic patterns. So you’ll want to think about the type of devices and users on those devices for the network you’re deploying this on and make roles/categories/classes based on that for training. These are the ones we used for our trained model that is already provided: https://github.com/CyberReboot/PoseidonML/blob/master/NodeClassifier/config.json

For your second question about abnormal, I’m honestly not sure, that second part of the model (the first being the role classification) didn’t perform well at all in our initial testing. If you have ideas on improvements or want to collaborate on enhancing that, we’d very much welcome that.

For b): yes, the intent is for Poseidon to take action based on the feedback from the machine learning results; however, so far the results are far too high on false positives for that action to be automated. We hope at some point we'll have the models improved enough that we could take additional actions such as block/throttle/sandbox/etc.

Does that help?
