shlee89 / athena

Apache License 2.0
13 stars, 7 forks

Build and execute the Athena framework in a single mode #7

Closed benedhk closed 4 years ago

benedhk commented 5 years ago

First, I have built Athena with the command mvn clean install -DskipTests and the result is "BUILD SUCCESS". I hope this can prove the further steps from @jaiken06 in #5.

[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 07:07 min
[INFO] Finished at: 2019-05-25T16:26:23+07:00
[INFO] Final Memory: 425M/1035M
[INFO] ------------------------------------------------------------------------
root@Linux:~/athena# 
benedhk commented 5 years ago

So here's the detailed process of how I ran Athena for the second time.

1. Run ONOS + Athena Framework and proxy

    root@Linux:~/athena/athena-tool/config# onos-karaf clean
    clean
    Removing data directories...
    Creating local cluster configs for IP 127.0.0.1...
    Staging builtin apps...
    Customizing apps to be auto-activated: drivers,openflow,proxyarp,mobility,fwd...
    Welcome to Open Network Operating System (ONOS)!
     ____  _  ______  ____     
    / __ \/ |/ / __ \/ __/   
    / /_/ /    / /_/ /\ \     
    \____/_/|_/\____/___/     

Documentation: wiki.onosproject.org
Tutorials: tutorials.onosproject.org Mailing lists: lists.onosproject.org

Come help out! Find out how at: contribute.onosproject.org

Hit '' for a list of available commands and '[cmd] --help' for help on a specific command. Hit '' or type 'system:shutdown' or 'logout' to shutdown ONOS.

onos> app activate org.onosproject.framework
onos> app activate org.onosproject.athenaproxy

2. Run DB and Computing Cluster

root@Linux:~/athena/athena-tool/bin# ./athena-run-db-cluster
starting a MongoDB instance as standalone mode...
/root/Applications/mongodb-linux-x86_64-3.2.1/bin/mongod already running.
root@Linux:~/athena/athena-tool/bin# ./athena-run-computing-cluster 127.0.0.1
starting a Spark instance as standalone mode...
org.apache.spark.deploy.master.Master running as process 21990. Stop it first.
org.apache.spark.deploy.worker.Worker running as process 22039. Stop it first.
root@Linux:~/athena/athena-tool/bin# cd ..

3. Run Athena Real-time detection

root@Linux:~/athena/athena-tester/bin# ./athena-run-realtiime
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/root/athena/athena-tester/target/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/root/athena/athena-tester/target/lib/slf4j-simple-1.7.6.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/root/athena/athena-tester/target/lib/slf4j-jdk14-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Initialize EventDeliveryManager !!
Register Online Athena Feature
Register
log4j:WARN No appenders could be found for logger (athena.util.ControllerConnector).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.

4. Run Mininet

mininet> pingall
Ping: testing ping reachability
h1 -> h2 h3 h4
h2 -> h1 h3 h4
h3 -> h1 h2 h4
h4 -> h1 h2 h3
Results: 0% dropped (12/12 received)
mininet>

5. Athena Real-time detection

root@Linux:~/athena/athena-tester/bin# ./athena-run-realtiime
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/root/athena/athena-tester/target/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/root/athena/athena-tester/target/lib/slf4j-simple-1.7.6.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/root/athena/athena-tester/target/lib/slf4j-jdk14-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Initialize EventDeliveryManager !!
Register Online Athena Feature
Register
log4j:WARN No appenders could be found for logger (athena.util.ControllerConnector).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
{StableId=0, MethType=2048, queryIdentifier=1, Micmpv4Code=0, dataType=OFE, SdatapathId=1, Mipv4Dst=167772163, Mipv4Src=167772161, Mipv4DstMask=32, AappId=43, MipProto=1, MinPort=1, MethSrc=1, feature={FSSPairFlowRatio=0.8275862068965517, FSSTotalPairFlowVar=4.8, FSSbytePerPacket=0.0, FSSdurationSec=3, FSSbytePerPacketVar=0.0, FSSbytePerDuration=0.0, FSSTotalFlows=29.0, FSSidleTimeout=0, FSSPairFlowRatioVar=0.16551724137931034, FSSbyteCountVar=0.0, FSSPairFlow=true, FSSpacketCount=0, FSSpriority=10, FSShardTimeout=0, FSSactionOutputPort=3, FSSTotalSingleFlowVar=1.0, FSSdurationNSec=339000000, FSSTotalSingleFlow=5.0, FSSTotalFlowsVar=5.8, FSSpacketCountVar=0.0, FSSpacketPerDuration=0.0, FSSpacketPerDurationVar=0.0, FSSTotalPairFlow=24.0, FSSActionDrop=false, FSSbytePerDurationVar=0.0, FSSbyteCount=0, FSSactionOutput=true}, MethDst=3, Mipv4SrcMask=32, Micmpv4Type=0, featureType=0, _id=5ce911e5a361924ce0642e9b, featureCategory=0, AappName=org.onosproject.fwd, timestamp=2019-05-25 16:59:01.224}
{StableId=0, MethType=2048, queryIdentifier=1, Micmpv4Code=0, dataType=OFE, SdatapathId=1, Mipv4Dst=167772163, Mipv4Src=167772161, Mipv4DstMask=32, AappId=43, MipProto=1, MinPort=1, MethSrc=1, feature={FSSPairFlowRatio=0.8275862068965517, FSSTotalPairFlowVar=4.8, FSSbytePerPacket=0.0, FSSdurationSec=3, FSSbytePerPacketVar=0.0, FSSbytePerDuration=0.0, FSSTotalFlows=29.0, FSSidleTimeout=0, FSSPairFlowRatioVar=0.16551724137931034, FSSbyteCountVar=0.0, FSSPairFlow=true, FSSpacketCount=0, FSSpriority=10, FSShardTimeout=0, FSSactionOutputPort=3, FSSTotalSingleFlowVar=1.0, FSSdurationNSec=414000000, FSSTotalSingleFlow=5.0, FSSTotalFlowsVar=5.8, FSSpacketCountVar=0.0, FSSpacketPerDuration=0.0, FSSpacketPerDurationVar=0.0, FSSTotalPairFlow=24.0, FSSActionDrop=false, FSSbytePerDurationVar=0.0, FSSbyteCount=0, FSSactionOutput=true}, MethDst=3, Mipv4SrcMask=32, Micmpv4Type=8, featureType=0, _id=5ce911e5a361924ce0642e9e, featureCategory=0, AappName=org.onosproject.fwd, timestamp=2019-05-25 16:59:01.224}
{StableId=0, MethType=2048, queryIdentifier=1, Micmpv4Code=0, dataType=OFE, SdatapathId=1, Mipv4Dst=167772164, Mipv4Src=167772161, Mipv4DstMask=32, AappId=43, MipProto=1, MinPort=1, MethSrc=1, feature={FSSPairFlowRatio=0.8275862068965517, FSSTotalPairFlowVar=4.8, FSSbytePerPacket=0.0, FSSdurationSec=3, FSSbytePerPacketVar=0.0, FSSbytePerDuration=0.0, FSSTotalFlows=29.0, FSSidleTimeout=0, FSSPairFlowRatioVar=0.16551724137931034, FSSbyteCountVar=0.0, FSSPairFlow=true, FSSpacketCount=0, FSSpriority=10, FSShardTimeout=0, FSSactionOutputPort=4, FSSTotalSingleFlowVar=1.0, FSSdurationNSec=383000000, FSSTotalSingleFlow=5.0, FSSTotalFlowsVar=5.8, FSSpacketCountVar=0.0, FSSpacketPerDuration=0.0, FSSpacketPerDurationVar=0.0, FSSTotalPairFlow=24.0, FSSActionDrop=false, FSSbytePerDurationVar=0.0, FSSbyteCount=0, FSSactionOutput=true}, MethDst=4, Mipv4SrcMask=32, Micmpv4Type=8, featureType=0, _id=5ce911e5a361924ce0642ea2, featureCategory=0, AappName=org.onosproject.fwd, timestamp=2019-05-25 16:59:01.224}

6. Athena ML Task

root@Linux:~/athena/athena-tester/bin# source ./athena-run-ml-task
/root/Applications/spark-1.6.1-bin-hadoop2.6/bin
Initialize EventDeliveryManager !!
Register Online Athena Feature
Register
log4j:WARN No appenders could be found for logger (athena.util.ControllerConnector).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
{StableId=0, MethType=2048, queryIdentifier=1, Micmpv4Code=0, dataType=OFE, SdatapathId=1, Mipv4Dst=167772164, Mipv4Src=167772161, Mipv4DstMask=32, AappId=43, MipProto=1, MinPort=1, MethSrc=1, feature={FSSPairFlowRatio=0.8275862068965517, FSSTotalPairFlowVar=4.8, FSSbytePerPacket=0.0, FSSdurationSec=0, FSSbytePerPacketVar=0.0, FSSbytePerDuration=0.0, FSSTotalFlows=29.0, FSSidleTimeout=0, FSSPairFlowRatioVar=0.16551724137931034, FSSbyteCountVar=0.0, FSSPairFlow=true, FSSpacketCount=0, FSSpriority=10, FSShardTimeout=0, FSSactionOutputPort=4, FSSTotalSingleFlowVar=1.0, FSSdurationNSec=739000000, FSSTotalSingleFlow=5.0, FSSTotalFlowsVar=5.8, FSSpacketCountVar=0.0, FSSpacketPerDuration=0.0, FSSpacketPerDurationVar=0.0, FSSTotalPairFlow=24.0, FSSActionDrop=false, FSSbytePerDurationVar=0.0, FSSbyteCount=0, FSSactionOutput=true}, MethDst=4, Mipv4SrcMask=32, Micmpv4Type=0, featureType=0, _id=5ce913fba361924ce0643278, featureCategory=0, AappName=org.onosproject.fwd, timestamp=2019-05-25 17:07:55.67}
{MethType=2048, queryIdentifier=1, Micmpv4Code=0, dataType=OFE, SdatapathId=1, Mipv4Dst=167772163, Mipv4Src=167772161, Mipv4DstMask=32, MipProto=1, MinPort=1, MethSrc=1, feature={FRbytePerDuration=0.0, FRpacketPerDuration=0.0, FRidleTimeout=0, FRhardTimeout=0, FRreason=2, FRpacketCount=0, FRdurationSec=0, FRbyteCount=0, FRdurationNSec=807000000}, MethDst=3, Mipv4SrcMask=32, Micmpv4Type=8, featureType=1, _id=5ce913fba361924ce0643293, featureCategory=7, timestamp=2019-05-25 17:07:55.699}
{MethType=2048, queryIdentifier=1, Micmpv4Code=0, dataType=OFE, SdatapathId=1, Mipv4Dst=167772162, Mipv4Src=167772161, Mipv4DstMask=32, MipProto=1, MinPort=1, MethSrc=1, feature={FRbytePerDuration=0.0, FRpacketPerDuration=0.0, FRidleTimeout=0, FRhardTimeout=0, FRreason=2, FRpacketCount=0, FRdurationSec=0, FRbyteCount=0, FRdurationNSec=822000000}, MethDst=2, Mipv4SrcMask=32, Micmpv4Type=8, featureType=1, _id=5ce913fba361924ce0643294, featureCategory=7, timestamp=2019-05-25 17:07:55.699}
{MethType=2048, queryIdentifier=1, Micmpv4Code=0, dataType=OFE, SdatapathId=1, Mipv4Dst=167772163, Mipv4Src=167772161, Mipv4DstMask=32, MipProto=1, MinPort=1, MethSrc=1, feature={FRbytePerDuration=0.0, FRpacketPerDuration=0.0, FRidleTimeout=0, FRhardTimeout=0, FRreason=2, FRpacketCount=0, FRdurationSec=0, FRbyteCount=0, FRdurationNSec=791000000}, MethDst=3, Mipv4SrcMask=32, Micmpv4Type=0, featureType=1, _id=5ce913fba361924ce064329e, featureCategory=7, timestamp=2019-05-25 17:07:55.705}
{MethType=2048, queryIdentifier=1, Micmpv4Code=0, dataType=OFE, SdatapathId=1, Mipv4Dst=167772164, Mipv4Src=167772161, Mipv4DstMask=32, MipProto=1, MinPort=1, MethSrc=1, feature={FRbytePerDuration=0.0, FRpacketPerDuration=0.0, FRidleTimeout=0, FRhardTimeout=0, FRreason=2, FRpacketCount=0, FRdurationSec=0, FRbyteCount=0, FRdurationNSec=802000000}, MethDst=4, Mipv4SrcMask=32, Micmpv4Type=8, featureType=1, _id=5ce913fba361924ce0643295, featureCategory=7, timestamp=2019-05-25 17:07:55.7}
{MethType=2048, queryIdentifier=1, Micmpv4Code=0, dataType=OFE, SdatapathId=1, Mipv4Dst=167772164, Mipv4Src=167772161, Mipv4DstMask=32, MipProto=1, MinPort=1, MethSrc=1, feature={FRbytePerDuration=0.0, FRpacketPerDuration=0.0, FRidleTimeout=0, FRhardTimeout=0, FRreason=2, FRpacketCount=0, FRdurationSec=0, FRbyteCount=0, FRdurationNSec=775000000}, MethDst=4, Mipv4SrcMask=32, Micmpv4Type=0, featureType=1, _id=5ce913fba361924ce06432a5, featureCategory=7, timestamp=2019-05-25 17:07:55.709}

Based on the output above:
1. Does it mean that Athena runs correctly?
2. How does Athena generate its detection results with evaluation metrics (false positives, false negatives, etc.)?

Thanks in advance
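As an added example (not code from the Athena project or from either participant in this thread), the following Python parser reads the feature-event records printed above, decodes the integer IPv4 fields (Mipv4Src=167772161 is 10.0.0.1) and labels each record as a flow-stats event (featureType=0, FSS* keys) or a flow-removed event (featureType=1, FR* keys). The record grammar is inferred from the pasted output, the featureType-to-kind mapping is an assumption drawn from the key prefixes, and the sample input is a constructed, trimmed copy of two records from this thread.

```python
"""Parse Athena feature-event records as printed by athena-run-realtiime.

Added example, not part of the Athena project. The record grammar
({key=value, key={nested}, ...}) is inferred from the output pasted in
this issue; the meaning of featureType is an assumption from key prefixes.
"""
import ipaddress
import re
from typing import Any, Dict, List, Tuple

# Constructed sample: two records trimmed from the issue output (same shape).
SAMPLE_OUTPUT = (
    "{StableId=0, MethType=2048, queryIdentifier=1, Micmpv4Code=0, dataType=OFE, "
    "SdatapathId=1, Mipv4Dst=167772163, Mipv4Src=167772161, Mipv4DstMask=32, AappId=43, "
    "MipProto=1, MinPort=1, MethSrc=1, feature={FSSPairFlowRatio=0.8275862068965517, "
    "FSSTotalFlows=29.0, FSSPairFlow=true, FSSactionOutputPort=3, FSSActionDrop=false}, "
    "MethDst=3, Mipv4SrcMask=32, Micmpv4Type=0, featureType=0, "
    "_id=5ce911e5a361924ce0642e9b, featureCategory=0, AappName=org.onosproject.fwd, "
    "timestamp=2019-05-25 16:59:01.224} "
    "{MethType=2048, queryIdentifier=1, dataType=OFE, MtcpDst=43988, MtcpSrc=80, "
    "SdatapathId=3, Mipv4Dst=167772164, Mipv4Src=167772161, MipProto=6, MinPort=4, "
    "feature={FRbytePerDuration=26.123856252486405, FRreason=2, FRpacketCount=4, "
    "FRdurationSec=15, FRbyteCount=394}, featureType=1, featureCategory=7, "
    "timestamp=2019-05-30 18:40:29.553}"
)

_INT_RE = re.compile(r"^-?\d+$")
_FLOAT_RE = re.compile(r"^-?\d+\.\d+(?:[eE][-+]?\d+)?$")


def _coerce(raw: str) -> Any:
    """Turn a scalar token into bool/int/float; ids, names and timestamps stay strings."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if _INT_RE.match(raw):
        return int(raw)
    if _FLOAT_RE.match(raw):
        return float(raw)
    return raw


def _parse_map(text: str, i: int) -> Tuple[Dict[str, Any], int]:
    """Parse '{k=v, k={...}, ...}' starting at text[i] == '{'.

    Returns the dict and the index just past the matching '}'. Scalar values
    run until ', ' or '}' so a timestamp containing a space is kept whole.
    """
    if text[i] != "{":
        raise ValueError(f"expected '{{' at offset {i}")
    i += 1
    out: Dict[str, Any] = {}
    while i < len(text) and text[i] != "}":
        eq = text.index("=", i)
        key = text[i:eq].strip()
        i = eq + 1
        if text[i] == "{":
            out[key], i = _parse_map(text, i)
        else:
            j = i
            while j < len(text) and text[j] != "}" and not text.startswith(", ", j):
                j += 1
            out[key] = _coerce(text[i:j])
            i = j
        if text.startswith(", ", i):
            i += 2
    if i >= len(text):
        raise ValueError("unterminated record")
    return out, i + 1


def parse_events(text: str) -> List[Dict[str, Any]]:
    """Split a stream of '{...} {...}' records into dicts."""
    records: List[Dict[str, Any]] = []
    i = text.find("{")
    while i != -1:
        rec, i = _parse_map(text, i)
        records.append(rec)
        i = text.find("{", i)
    return records


def summarize(rec: Dict[str, Any]) -> Dict[str, Any]:
    """Human-readable view: decode integer IPv4 fields and name the feature kind."""
    # Assumption: featureType 0 carries FSS* (flow stats), 1 carries FR* (flow removed).
    kind = {0: "flow-stats", 1: "flow-removed"}.get(rec.get("featureType"), "unknown")
    return {
        "kind": kind,
        "datapath": rec.get("SdatapathId"),
        "src": str(ipaddress.IPv4Address(rec["Mipv4Src"])),
        "dst": str(ipaddress.IPv4Address(rec["Mipv4Dst"])),
        "proto": rec.get("MipProto"),
        "drop": rec.get("feature", {}).get("FSSActionDrop", False),
        "timestamp": rec.get("timestamp"),
    }


if __name__ == "__main__":
    for rec in parse_events(SAMPLE_OUTPUT):
        print(summarize(rec))
```

Run stand-alone it prints one summary per record. The useful check for the question asked here is the drop flag: a stream of events whose FSSActionDrop stays false is consistent with the framework delivering features with no detection model attached, which is what the maintainer says below, not with a detector that has failed.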
shlee89 commented 5 years ago

Hi,

Yes, if the Athena application displays feature events, you have successfully initiated the Athena DDoS detector. Also, I think that the Athena features might be stored in the Athena database as well.

If you want to calculate the detection rate and false positive rate, you would run "batch mode", not "run-time mode", which is what you have done. Please follow the code for "batch mode" in the example application.


benedhk commented 5 years ago

Sorry for asking such a trivial question, but I just want to know: what is the major difference between ./athena-run-realtiime and ./athena-run-ML-task? How do I select Athena features and set parameters for the ML algorithm, and which file do I need to configure?

Thank you, I appreciate your response

shlee89 commented 5 years ago

The first one is for handling events to be analyzed as much as possible, but the latter one distributes jobs across Spark instances for large-scale analysis. That is a trade-off relationship between being responsive and being scalable.

On Sun, May 26, 2019, 6:29 PM Ben notifications@github.com wrote:

Sorry for asking such a trivial question, but I just want to know: what is the major difference between ./athena-run-realtiime and ./athena-run-ML-task?

Thanks for your quick response


benedhk commented 5 years ago

Hey again,

I have watched the Athena tutorial videos and followed all the steps, but when I run the Athena DDoS detector ./run.sh, the output produced is different from the one in the video tutorial. Here's my output:

 MipProto=6, MinPort=4, MethSrc=1, feature={FSSPairFlowRatio=0.2857142857142857, FSSTotalPairFlowVar=0.0, FSSbytePerPacket=34703.13714841949, FSSdurationSec=320, FSSbytePerPacketVar=0.19145894969896918, FSSbytePerDuration=2112044.0199801694, FSSTotalFlows=7.0, FSSidleTimeout=0, FSSPairFlowRatioVar=0.0, FSSbyteCountVar=2085458.5375416586, FSSPairFlow=true, FSSpacketCount=19519, FSSpriority=10, FSShardTimeout=0, FSSactionOutputPort=1, FSSTotalSingleFlowVar=0.0, FSSdurationNSec=718000000, FSSTotalSingleFlow=5.0, FSSTotalFlowsVar=0.0, FSSpacketCountVar=59.9882376004705, FSSpacketPerDuration=60.86031965776788, FSSpacketPerDurationVar=-0.0027631022958114, FSSTotalPairFlow=2.0, FSSActionDrop=false, FSSbytePerDurationVar=414033.1592954179, FSSbyteCount=677370534, FSSactionOutput=true}, MethDst=4, Mipv4SrcMask=32, featureType=0, _id=5cee2534bbaf183f014d44c2, featureCategory=0, AappName=org.onosproject.fwd, timestamp=2019-05-29 13:22:44.317}
{StableId=0, MethType=2048, queryIdentifier=1, dataType=OFE, MtcpDst=51244, MtcpSrc=20, SdatapathId=1, Mipv4Dst=167772164, Mipv4Src=167772161, Mipv4DstMask=32, AappId=43, MipProto=6, MinPort=1, MethSrc=1, feature={FSSPairFlowRatio=0.00847457627118644, FSSTotalPairFlowVar=0.0, FSSbytePerPacket=34703.13714841949, FSSdurationSec=320, FSSbytePerPacketVar=0.19153404636486404, FSSbytePerDuration=2112044.0199801694, FSSTotalFlows=236.0, FSSidleTimeout=0, FSSPairFlowRatioVar=0.0, FSSbyteCountVar=2086276.5248087859, FSSPairFlow=true, FSSpacketCount=19519, FSSpriority=10, FSShardTimeout=0, FSSactionOutputPort=2, FSSTotalSingleFlowVar=0.0, FSSdurationNSec=718000000, FSSTotalSingleFlow=234.0, FSSTotalFlowsVar=0.0, FSSpacketCountVar=60.01176701313983, FSSpacketPerDuration=60.86031965776788, FSSpacketPerDurationVar=-0.0026885347353221446, FSSTotalPairFlow=2.0, FSSActionDrop=false, FSSbytePerDurationVar=414195.5571585944, FSSbyteCount=677370534, FSSactionOutput=true}, MethDst=4, Mipv4SrcMask=32, featureType=0, _id=5cee2534bbaf183f014d451f, featureCategory=0, AappName=org.onosproject.fwd, timestamp=2019-05-29 13:22:44.338}
{StableId=0, MethType=2048, queryIdentifier=1, dataType=OFE, MtcpDst=51244, MtcpSrc=20, SdatapathId=2, Mipv4Dst=167772164, Mipv4Src=167772161, Mipv4DstMask=32, AappId=43, MipProto=6, MinPort=1, MethSrc=1, feature={FSSPairFlowRatio=0.008368200836820083, FSSTotalPairFlowVar=0.0, FSSbytePerPacket=34699.736796270685, FSSdurationSec=320, FSSbytePerPacketVar=0.20095169747946787, FSSbytePerDuration=2111796.6622708156, FSSTotalFlows=239.0, FSSidleTimeout=0, FSSPairFlowRatioVar=-2.7771000400128216E-5, FSSbyteCountVar=2074073.698576721, FSSPairFlow=true, FSSpacketCount=19521, FSSpriority=10, FSShardTimeout=0, FSSactionOutputPort=4, FSSTotalSingleFlowVar=0.7798791187365959, FSSdurationNSec=757000000, FSSTotalSingleFlow=237.0, FSSTotalFlowsVar=0.7798791187365959, FSSpacketCountVar=59.660752583349584, FSSpacketPerDuration=60.859155061308094, FSSpacketPerDurationVar=-0.0037968826528660153, FSSTotalPairFlow=2.0, FSSActionDrop=false, FSSbytePerDurationVar=411724.66048772534, FSSbyteCount=677373562, FSSactionOutput=true}, MethDst=4, Mipv4SrcMask=32, featureType=0, _id=5cee2534bbaf183f014d46ed, featureCategory=0, AappName=org.onosproject.fwd, timestamp=2019-05-29 13:22:44.376}

I don't know how long this output will keep being produced. Why doesn't Athena block the malicious host like in the video tutorial? If Athena can block the host, how can Athena know that the host is dangerous even though DDoS attacks carried out using hyenae can spoof the source IP address?

Thanks in advance

shlee89 commented 5 years ago

Hi,

The messages are Athena events from the framework, which means you successfully installed, built, and executed Athena in real-time mode. If you want to "detect" suspicious flows, you need to create "a model" first. The messages you sent to me are just Athena events. Did you feed the Athena events into a detection model?


benedhk commented 5 years ago

Thanks for the response

I'm sorry, I don't quite understand what you mean by putting Athena events into a detection model. I just ran Athena's scripts, which you provided in ~/athena/athena-tester.

What do I need to do so Athena can generate the exact same messages as you did in the tutorial video? How do I create a detection model as you mentioned before? Which method do I need to uncomment in order to generate the detection rate or block "malicious" hosts?

    public void start() {
//        saveMoelTestsComplete();
//        restoreAndValidateModelComplete();

//        serializationTest();
//        testOnlineDelivery();
//        restoreAndValidateModel();
//        saveMoelTests();
//        testkMenas();
//        tesetGaussian();
//        tesetDecisionTree();
//        testNaiveBayes();
//        tesetRandomForest();
//        testGBTs();
//        testSVMs();
//        testLR();
//        testLinearRegression();
//        evaluationDDoS();
////        evaluationDDoS_Model();
//        evaluationDDoS_Test();
//        copyDBElement(8, "127.0.0.1", "DDoSTrainSet", AthenaFeatureField.FLOW_STATS);
//        flowruleInstalltest();
//        onlineDetectionTest();

        Sample sample = new Sample();
//        sample.evaluationDDoS_Model();
        sample.testOnlineDelivery();
//        sample.requestFeatures();

//        evaluationDDoS_Model();
    }

I need a basic understanding so that I can run Athena just like you did. I would greatly appreciate it if you could guide me on how to run Athena in 'batch mode'.

One thing I'm confused about is that when I make changes to Main.java, all the scripts in athena-tester which run in run-time mode produce the same output (the "Athena event" that you mentioned). Even if I add some dummy line to Main.java, the script should fail with an error instead of running smoothly and producing the same output again.

I have Main.java open in Visual Studio Code and added a dummy line.

athena-tester script

root@Linux:~/athena/athena-tester# ./run.sh
SLF4J: Class path contains multiple SLF4J bindings.
SLF4J: Found binding in [jar:file:/root/athena/athena-tester/target/lib/slf4j-log4j12-1.7.10.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/root/athena/athena-tester/target/lib/slf4j-simple-1.7.6.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: Found binding in [jar:file:/root/athena/athena-tester/target/lib/slf4j-jdk14-1.7.21.jar!/org/slf4j/impl/StaticLoggerBinder.class]
SLF4J: See http://www.slf4j.org/codes.html#multiple_bindings for an explanation.
SLF4J: Actual binding is of type [org.slf4j.impl.Log4jLoggerFactory]
Initialize EventDeliveryManager !!
Register Online Athena Feature
Register
{MethType=2048, queryIdentifier=1, dataType=OFE, MtcpDst=43988, MtcpSrc=80, SdatapathId=3, Mipv4Dst=167772164, Mipv4Src=167772161, Mipv4DstMask=32, MipProto=6, MinPort=4, MethSrc=1, feature={FRbytePerDuration=26.123856252486405, FRpacketPerDuration=0.2652168147460549, FRidleTimeout=0, FRhardTimeout=0, FRreason=2, FRpacketCount=4, FRdurationSec=15, FRbyteCount=394, FRdurationNSec=82000000}, MethDst=4, Mipv4SrcMask=32, featureType=1, _id=5cefc12da361924dc6e7456e, featureCategory=7, timestamp=2019-05-30 18:40:29.553}
{MethType=2048, queryIdentifier=1, dataType=OFE, MtcpDst=44016, MtcpSrc=80, SdatapathId=3, Mipv4Dst=167772164, Mipv4Src=167772161, Mipv4DstMask=32, MipProto=6, MinPort=4, MethSrc=1, feature={FRbytePerDuration=30.272762197464463, FRpacketPerDuration=0.30733768728390315, FRidleTimeout=0, FRhardTimeout=0, FRreason=2, FRpacketCount=4, FRdurationSec=13, FRbyteCount=394, FRdurationNSec=15000000}, MethDst=4, Mipv4SrcMask=32, featureType=1, _id=5cefc12da361924dc6e74571, featureCategory=7, timestamp=2019-05-30 18:40:29.565}
{MethType=2048, queryIdentifier=1, dataType=OFE, MtcpDst=44014, MtcpSrc=80, SdatapathId=3, Mipv4Dst=167772164, Mipv4Src=167772161, Mipv4DstMask=32, MipProto=6, MinPort=4, MethSrc=1, feature={FRbytePerDuration=28.038713350412753, FRpacketPerDuration=0.2846569883290635, FRidleTimeout=0, FRhardTimeout=0, FRreason=2, FRpacketCount=4, FRdurationSec=14, FRbyteCount=394, FRdurationNSec=52000000}, MethDst=4, Mipv4SrcMask=32, featureType=1, _id=5cefc12da361924dc6e74570, featureCategory=7, timestamp=2019-05-30 18:40:29.564}
{MethType=2048, queryIdentifier=1, dataType=OFE, MtcpDst=43988, MtcpSrc=80, SdatapathId=2, Mipv4Dst=167772164, Mipv4Src=167772161, Mipv4DstMask=32, MipProto=6, MinPort=1, MethSrc=1, feature={FRbytePerDuration=26.096171678367995, FRpacketPerDuration=0.2649357530798781, FRidleTimeout=0, FRhardTimeout=0, FRreason=2, FRpacketCount=4, FRdurationSec=15, FRbyteCount=394, FRdurationNSec=98000000}, MethDst=4, Mipv4SrcMask=32, featureType=1, _id=5cefc12da361924dc6e74575, featureCategory=7, timestamp=2019-05-30 18:40:29.566}

Do you have any idea why this might be happening?

Thank you!

shlee89 commented 5 years ago

Could you send me the code that you are currently working on and the expected outputs? I will inspect your code and tell you how to resolve the problem.

On Fri, May 31, 2019, 6:02 PM Ben notifications@github.com wrote:

Update. Recently I have been trying to run Main.java using IntelliJ IDEA (Java IDE) and nothing has changed since then. I've tried to uncomment some of the methods in the start() method and it still produces the same output, which is the "Athena event". [image: image] https://user-images.githubusercontent.com/36702155/58693652-75345e00-83bb-11e9-8f5e-8c9b81fbb784.png [image: image] https://user-images.githubusercontent.com/36702155/58693730-97c67700-83bb-11e9-9127-b94f769d1aa2.png

On the other hand, when I hover my cursor over the machineLearningManager object, a pop-up appears saying that the field machineLearningManager is never used. I thought it must be the main object of the Main.java class. So what does it mean?

[image: image] https://user-images.githubusercontent.com/36702155/58693963-23400800-83bc-11e9-8ef4-a66ce084f779.png

Forgive me, I'm not a Java expert; I'm still learning here.


benedhk commented 5 years ago

Thank you!

Basically, I'm just playing around with Athena's default code, so not much has changed: application.zip https://github.com/shlee89/athena/files/3240583/application.zip

Some of the scripts from athena-tester:

root@Linux:~/athena/athena-tester# cat run.sh
#spark-submit --class "athena.user.application.SparkApplication" target/spark-application-1.6.0.jar
java -cp "./target/athena-tester-1.6.0.jar:./target/lib/*" athena.user.application.Main
root@Linux:~/athena/athena-tester# cat run_application_mode.sh 
#mvn clean install -DskipTests
spark-submit --class "athena.user.application.Main" --driver-memory 8G --executor-memory 8G --master spark://127.0.0.1:7077 target/athena-tester-1.6.0.jar
root@Linux:~/athena/athena-tester/bin# cat athena-run-realtiime 
#!/bin/bash
source $ATHENA_ROOT/athena-tool/config/athena-config-env-single
java -cp "$ATHENA_ROOT/athena-tester/target/athena-tester-1.6.0.jar:$ATHENA_ROOT/athena-tester/target/lib/*" athena.user.application.Main
/bin# cat athena-run-ml-task 
#!/bin/bash
SPARK_DIR=`sudo find ~ -type d | grep spark-1.6.1-bin-hadoop2.6/bin`
echo $SPARK_DIR
source $ATHENA_ROOT/athena-tool/config/athena-config-env-single
$SPARK_DIR/spark-submit --class "athena.user.application.Main" --master spark://$MD1:7077 $ATHENA_ROOT/athena-tester/target/athena-tester-1.6.0.jar

My main objective is to know how to block "malicious" hosts and generate the detection rate. For a basic understanding, I would use your backup detection model. I'd gladly appreciate your help.

shlee89 commented 5 years ago

What was your expected result?


benedhk commented 5 years ago

I expected it could detect and block "malicious" hosts and generate the detection rate using K-means, or at least produce some other output besides "Athena event".

shlee89 commented 5 years ago

I reviewed your code.

"testOnlineDelivery" is test code for Athena event delivery. This function only delivers Athena features according to your own constraints defined by the "FeatureConstraint" class.

If you want to detect & block malicious hosts, you need to run the "onlineDetectionTest" function, which basically dispatches every Athena event and passes the events to a detection model.

As you can see at Main.java:184 and Main.java:186, the "registerOnlineValidation" function receives a detection model, an event handler, and other necessary classes. Athena automatically evaluates incoming Athena events matched with "featureConstraint" and gives you the detection results in the event handler (InternalonlineMLEventListener). It means that the detection results will be delivered to the "getValidationResultOnlineResult" function in InternalonlineMLEventListener. By modifying this function, you can create your own code for handling "malicious flows".

In summary, you just run the "onlineDetectionTest()" function to detect malicious flows, but only if you already have a detection model.


benedhk commented 5 years ago

Thank you so much for the explanation!

I just tried the "onlineDetectionTest()" function using your detection model "AthenaModel.KMeansDetectionModel (20111119-DDoS.mongoBackup)", which was created in the KAIST NSS testing environment, and it generates a lot of false alarms.

[Instance in 192.168.1.3]sIP=10.0.0.9;dIP=10.0.0.1;loc=of:0000000000000009;detection results = 1.0
host.9=>0(0) 1(139) Host 10.0.0.9 has been blocked (Malicious host!)
2(0) 3(42) 4(0) 5(225) 6(0) 7(30) 8(0) 9(0) 
[Instance in 192.168.1.3]sIP=10.0.0.9;dIP=10.0.0.1;loc=of:0000000000000009;detection results = 3.0
host.1=>0(0) 1(143) Host 10.0.0.1 has been blocked (Malicious host!)
2(0) 3(40) 4(0) 5(228) 6(0) 7(36) 8(0) 9(0) 
[Instance in 192.168.1.3]sIP=10.0.0.1;dIP=10.0.0.9;loc=of:0000000000000001;detection results = 1.0
host.9=>0(0) 1(139) Host 10.0.0.9 has been blocked (Malicious host!)
2(0) 3(42) 4(0) 5(226) 6(0) 7(30) 8(0) 9(0) 
[Instance in 192.168.1.3]sIP=10.0.0.9;dIP=10.0.0.1;loc=of:0000000000000009;detection results = 5.0
host.1=>0(0) 1(143) Host 10.0.0.1 has been blocked (Malicious host!)
2(0) 3(40) 4(0) 5(228) 6(0) 7(37) 8(0) 9(0) 
[Instance in 192.168.1.3]sIP=10.0.0.1;dIP=10.0.0.9;loc=of:0000000000000001;detection results = 7.0
host.1=>0(0) 1(143) Host 10.0.0.1 has been blocked (Malicious host!)
2(0) 3(40) 4(0) 5(229) 6(0) 7(37) 8(0) 9(0) 
[Instance in 192.168.1.3]sIP=10.0.0.1;dIP=10.0.0.9;loc=of:0000000000000001;detection results = 5.0
host.9=>0(0) 1(139) Host 10.0.0.9 has been blocked (Malicious host!)

In this case, I created a local testing environment (all-in-one machine) with a network interface connected to WiFi. Here I only run 2 hosts, where host 1 (10.0.0.1) acts as an HTTP server while host 2 (10.0.0.9) acts as an HTTP client. However, Athena detected it as a malicious host. I assume that I am supposed to make my own detection models, right? So how do I create them? What function do I need to create my own detection models using KMeans?

Thanks! Ben

shlee89 commented 5 years ago

Good to hear that.

Yes, we created the sample DDoS detection model trained within our experiment environment. In the case that you want to distinguish malicious traffic in "your own environment", you need to create a new model, which is trained on your environment. Athena is a framework, not a simple detection method. This is our motivation to develop and open the Athena framework.

In order to create your own model, you need to specify 1) which hosts are generating malicious traffic, 2) appropriate Athena features to distinguish benign & malicious traffic, 3) weights for each Athena feature. All of these necessary examples are in the "model creation function" in the sample code.


benedhk commented 5 years ago

Do you have any documentation or manual or flowchart about Athena so that I can easily follow along with the tutorial on how to make a simple DDoS detection app?

Regarding how to make detection models: by default, there are three functions in the sample code, namely requestFeatures(), generateModel(), and testOnlineDelivery(). Do I have to run all three of these functions simultaneously by calling them in Main.java?

Apologies for asking again and again

shlee89 commented 5 years ago

I recommend that you read the paper published in DSN'17 first. Since the Athena APIs provide an abstracted environment, you can implement your own application by modifying the existing examples. Currently, we don't have more detailed documentation.

A model creation example code is located in "saveMoelTestsComplete", which generates a detection model with the K-means algorithm and stores the model data to local storage.


benedhk commented 5 years ago

Hi Seunghyeon, I managed to run "saveMoelTestsComplete", but I couldn't find where the model data is located, and what is the format name of the model data file?

Here's the output from "saveMoelTestsComplete":

19/06/19 01:22:36 INFO TaskSetManager: Starting task 43.0 in stage 0.0 (TID 43, localhost, partition 43,ANY, 2656 bytes)
19/06/19 01:22:36 INFO TaskSetManager: Finished task 40.0 in stage 0.0 (TID 40) in 4912 ms on localhost (40/1072)
19/06/19 01:22:39 INFO BlockManagerInfo: Added rdd_2_42 in memory on localhost:39009 (size: 16.0 B, free: 508.6 MB)
19/06/19 01:22:39 INFO BlockManagerInfo: Added rdd_3_42 in memory on localhost:39009 (size: 16.0 B, free: 508.6 MB)
19/06/19 01:22:39 INFO TaskSetManager: Starting task 44.0 in stage 0.0 (TID 44, localhost, partition 44,ANY, 2656 bytes)
19/06/19 01:22:39 INFO TaskSetManager: Finished task 42.0 in stage 0.0 (TID 42) in 2477 ms on localhost (41/1072)
19/06/19 01:22:39 INFO BlockManagerInfo: Added rdd_2_41 in memory on localhost:39009 (size: 16.0 B, free: 508.6 MB)
19/06/19 01:22:39 INFO BlockManagerInfo: Added rdd_3_41 in memory on localhost:39009 (size: 16.0 B, free: 508.6 MB)
19/06/19 01:22:39 INFO TaskSetManager: Starting task 45.0 in stage 0.0 (TID 45, localhost, partition 45,ANY, 2656 bytes)
19/06/19 01:22:39 INFO TaskSetManager: Finished task 41.0 in stage 0.0 (TID 41) in 4364 ms on localhost (42/1072)
19/06/19 01:22:40 INFO BlockManagerInfo: Added rdd_2_37 in memory on localhost:39009 (size: 16.0 B, free: 508.6 MB)
19/06/19 01:22:40 INFO BlockManagerInfo: Added rdd_3_37 in memory on localhost:39009 (size: 16.0 B, free: 508.6 MB)
19/06/19 01:22:40 INFO TaskSetManager: Starting task 46.0 in stage 0.0 (TID 46, localhost, partition 46,ANY, 2656 bytes)
19/06/19 01:22:40 INFO TaskSetManager: Finished task 37.0 in stage 0.0 (TID 37) in 8222 ms on localhost (43/1072)
19/06/19 01:22:45 INFO BlockManagerInfo: Added rdd_2_44 in memory on localhost:39009 (size: 16.0 B, free: 508.6 MB)
19/06/19 01:22:45 INFO BlockManagerInfo: Added rdd_3_44 in memory on localhost:39009 (size: 16.0 B, free: 508.6 MB)

SPARK UI image

I would greatly appreciate it if you could help me to solve this problem.

Thanks!

shlee89 commented 5 years ago

Hi Ben,

Good to hear that!

'machineLearningManager.saveDetectionModel(kMeansDetectionModel, null);' This function saves a detection model with "model" and "path" parameters. You can specify a path for where you want to save the model. Simply, "saveDetectionModel(model, path_to_save_model)".

Here is the reference: https://github.com/shlee89/athena/blob/e806c0a5077507e115b278d03834c45229c65096/athena/src/main/java/athena/northbound/MachineLearningManager.java

You don't need to use SPARK GUI for saving models.


benedhk commented 5 years ago

As you said before, in order to create your own model, you need to specify 1) which hosts are generating malicious traffic, 2) appropriate Athena features to distinguish benign & malicious traffic, 3) weights for each Athena feature. When I look into "saveMoelTestsComplete()", according to my understanding:

This first method refers to which hosts are generating malicious traffic, right? What does it mean by its parameters such as 0x0000000f or 0x6? Where should I specify the IP address for the malicious/benign host?

    Marking marking = new Marking();
    marking.setSrcMaskMarking(0x0000000f, 0x6);
    marking.setDstMaskMarking(0x0000000f, 0x6);

The second method refers to which Athena features are appropriate to distinguish benign & malicious traffic, and the weight of each Athena feature (correct me if I'm wrong):

    AthenaMLFeatureConfiguration athenaMLFeatureConfiguration = new AthenaMLFeatureConfiguration();
    athenaMLFeatureConfiguration.addWeight(new AthenaFeatureField(AthenaFeatureField.FLOW_STATS_PAIR_FLOW), 1000);
    athenaMLFeatureConfiguration.addTargetFeatures(new AthenaFeatureField(AthenaFeatureField.FLOW_STATS_BYTE_COUNT));
    athenaMLFeatureConfiguration.addTargetFeatures(new AthenaFeatureField(AthenaFeatureField.FLOW_STATS_PACKET_COUNT));
    athenaMLFeatureConfiguration.addTargetFeatures(new AthenaFeatureField(AthenaFeatureField.FLOW_STATS_PAIR_FLOW_RATIO));
    athenaMLFeatureConfiguration.addTargetFeatures(new AthenaFeatureField(AthenaFeatureField.FLOW_STATS_PAIR_FLOW));
    athenaMLFeatureConfiguration.addTargetFeatures(new AthenaFeatureField(AthenaFeatureField.FLOW_STATS_DURATION_SEC));
    athenaMLFeatureConfiguration.addTargetFeatures(new AthenaFeatureField(AthenaFeatureField.FLOW_STATS_BYTE_COUNT_VAR));
    athenaMLFeatureConfiguration.addTargetFeatures(new AthenaFeatureField(AthenaFeatureField.FLOW_STATS_PACKET_COUNT_VAR));
    athenaMLFeatureConfiguration.addTargetFeatures(new AthenaFeatureField(AthenaFeatureField.FLOW_STATS_BYTE_PER_PACKET));
    athenaMLFeatureConfiguration.addTargetFeatures(new AthenaFeatureField(AthenaFeatureField.FLOW_STATS_PACKET_PER_DURATION));
    athenaMLFeatureConfiguration.addTargetFeatures(new AthenaFeatureField(AthenaFeatureField.FLOW_STATS_BYTE_PER_DURATION));
    athenaMLFeatureConfiguration.setNormalization(true);

I have waited for 1 hour+, but the process of making the model data has not been completed yet. How can I speed up the process of making this model?

Thanks.

benedhk commented 5 years ago

Next, I'm trying to run evaluationDDoS_Model(), and this produces an error output:

    Exception in thread "main" com.mongodb.MongoCommandException: Command failed with error -1: 'Collection [featureStore.model] not found.' on server 127.0.0.1:27017. The full response is { "ok" : 0.0, "errmsg" : "Collection [featureStore.model] not found." }

What should I do in order to run evaluationDDoS_Model()?

benedhk commented 5 years ago

Hi there, was this ever followed up?

Thanks in advance!

shlee89 commented 5 years ago

Hi Ben,

I missed your question.

1) Marking indicates a malicious host. This is a kind of helper function to specify malicious hosts automatically. The first param indicates the "mask" and the second parameter is the "comparator". Using the first parameter, Athena masks the incoming IP address with the predefined mask value. For example, 0x0000000f (your mask value) & 192.168.0.6 is 0.0.0.6 (only the last 8 bits remain). Then, this value (0.0.0.6) is compared with the second parameter (0.0.0.6). So, the masked value and the second parameter are identical. In this case, Athena regards this flow as a malicious one.

2, 3) Those are totally up to what you want to train. I recommend you research attack cases and extract features corresponding with Athena features.

Before loading a detection model, you need to "save" a trained model. In your application, you will build your own trained models with parameters. Like below, you can save your model to a local file system.

    KMeansDetectionModel kMeansDetectionModel = (KMeansDetectionModel) machineLearningManager.generateAthenaDetectionModel(
            featureConstraint, athenaMLFeatureConfiguration, kMeansDetectionAlgorithm, indexing, marking);
    kMeansDetectionModel.getSummary().printSummary();

    machineLearningManager.saveDetectionModel(kMeansDetectionModel, [PATH_AS_YOU_WANT]);

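To make the mask-and-compare rule from the reply above concrete, here is an added illustration in Python; it is not Athena's Java code. `mask_matches`, `label_flow` and `hosts_matching` are hypothetical helpers, and treating a flow as malicious when either endpoint matches is an assumption drawn from the sample setting both the source and destination marking.

```python
# Added illustration (not Athena's own code) of the Marking rule described
# above: an endpoint is labelled malicious when (ip & mask) == comparator.
# Helper names are hypothetical; the either-endpoint rule is an assumption.
import ipaddress


def ipv4_to_int(ip: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(ip))


def mask_matches(ip: str, mask: int, comparator: int) -> bool:
    """Keep only the bits selected by `mask`, then compare with `comparator`
    (the semantics of setSrcMaskMarking / setDstMaskMarking as explained above)."""
    return (ipv4_to_int(ip) & mask) == comparator


def label_flow(src: str, dst: str, mask: int, comparator: int) -> str:
    """Training label for one flow: 'malicious' if the source or destination
    address matches the marking (assumption: either endpoint suffices)."""
    if mask_matches(src, mask, comparator) or mask_matches(dst, mask, comparator):
        return "malicious"
    return "benign"


def hosts_matching(hosts, mask: int, comparator: int):
    """Which hosts a marking would label malicious. Worth checking before
    training: a 4-bit mask like 0xf aliases every address whose low nibble
    equals the comparator, so unrelated hosts receive the malicious label."""
    return [h for h in hosts if mask_matches(h, mask, comparator)]


if __name__ == "__main__":
    MASK, CMP = 0x0000000F, 0x6   # the values from the sample code above
    print(mask_matches("192.168.0.6", MASK, CMP))           # True, low nibble is 0x6
    # Constructed hosts mirroring the two-host testbed in this thread: neither
    # address ends in nibble 0x6, so every training flow is labelled benign.
    print(label_flow("10.0.0.1", "10.0.0.9", MASK, CMP))    # benign
    # Aliasing: 10.0.0.22 (0x16) matches as well as 10.0.0.6.
    print(hosts_matching(["10.0.0.6", "10.0.0.22", "10.0.0.9"], MASK, CMP))
```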

benedhk commented 5 years ago

Thanks for your explanation!

What does "detection results = 5.0" mean? What metrics does it use?

[Instance in 10.23.80.39]sIP=10.0.0.22;dIP=10.0.0.2;loc=of:0000000000000016;detection results = 5.0
host.22=>0(0) 1(0) 2(0) 3(0) 4(0) 5(45) 6(0) 7(0) 8(0) 9(0) 
[Instance in 10.23.80.39]sIP=10.0.0.22;dIP=10.0.0.2;loc=of:0000000000000016;detection results = 5.0
host.2=>0(0) 1(0) 2(0) 3(0) 4(0) 5(45) 6(0) 7(0) 8(0) 9(0) 
[Instance in 10.23.80.39]sIP=10.0.0.2;dIP=10.0.0.22;loc=of:0000000000000002;detection results = 5.0
host.2=>0(0) 1(0) 2(0) 3(0) 4(0) 5(46) 6(0) 7(0) 8(0) 9(0) 
[Instance in 10.23.80.39]sIP=10.0.0.2;dIP=10.0.0.22;loc=of:0000000000000002;detection results = 5.0
host.2=>0(0) 1(0) 2(0) 3(0) 4(0) 5(47) 6(0) 7(0) 8(0) 9(0) 
[Instance in 10.23.80.39]sIP=10.0.0.2;dIP=10.0.0.22;loc=of:0000000000000002;detection results = 5.0
host.22=>0(0) 1(0) 2(0) 3(0) 4(0) 5(46) 6(0) 7(0) 8(0) 9(0) 
[Instance in 10.23.80.39]sIP=10.0.0.22;dIP=10.0.0.2;loc=of:0000000000000016;detection results = 5.0
host.22=>0(0) 1(0) 2(0) 3(0) 4(0) 5(47) 6(0) 7(0) 8(0) 9(0) 
[Instance in 10.23.80.39]sIP=10.0.0.22;dIP=10.0.0.2;loc=of:0000000000000016;detection results = 5.0

benedhk commented 5 years ago

Hi Seunghyeon,

To give me a clear example of how to make a detection model,

may I see the "saveMoelTestsComplete()" code which you used to make the model like in the tutorial video (single mode)?

Thanks!

shlee89 commented 5 years ago

The number means a cluster ID. A result indicates that a host has been classified into a specific cluster.

Example codes are on the github repository. I think that you successfully built your own model as well as tested traffic on your testing environment.


benedhk commented 5 years ago

Hi again,

Recently I tried to make my own model, but when I specify a feature constraint condition with the target Athena value as IPv4, it results in an error output. Do you have any idea why this might be happening?

Here's my code

    FeatureConstraint featureConstraint = new FeatureConstraint(FeatureConstraintOperatorType.LOGICAL,
            new FeatureConstraintOperator(FeatureConstraintOperator.LOGICAL_AND));

    FeatureConstraint featureConstraint3 = new FeatureConstraint(FeatureConstraintType.INDEX,
            FeatureConstraintOperatorType.COMPARABLE,
            new FeatureConstraintOperator(FeatureConstraintOperator.COMPARISON_EQ),
            new AthenaIndexField(AthenaIndexField.MATCH_IPV4_SRC),
            new TargetAthenaValue(AthenaValueGenerator.parseIPv4ToAthenaValue("10.0.0.5")));
    FeatureConstraint featureConstraint4 = new FeatureConstraint(FeatureConstraintType.INDEX,
            FeatureConstraintOperatorType.COMPARABLE,
            new FeatureConstraintOperator(FeatureConstraintOperator.COMPARISON_GT),
            new AthenaIndexField(AthenaIndexField.MATCH_IP_PROTO),
            new TargetAthenaValue(AthenaValueGenerator.generateAthenaValue("0")));

Output

Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: 2
    at athena.northbound.impl.MachineLearningManagerImpl.getqueryFromRequestOperatorComparison(MachineLearningManagerImpl.java:1490)
    at athena.northbound.impl.MachineLearningManagerImpl.generatequery(MachineLearningManagerImpl.java:1417)
    at athena.northbound.impl.MachineLearningManagerImpl.getqueryFromRequestOperatorLogical(MachineLearningManagerImpl.java:1512)
    at athena.northbound.impl.MachineLearningManagerImpl.generatequery(MachineLearningManagerImpl.java:1420)
    at athena.northbound.impl.MachineLearningManagerImpl.SCGenerator(MachineLearningManagerImpl.java:730)
    at athena.northbound.impl.MachineLearningManagerImpl.generateAthenaDetectionModel(MachineLearningManagerImpl.java:754)
    at athena.user.application.Main.saveMoelTestsComplete(Main.java:745)
    at athena.user.application.Main.start(Main.java:153)
    at athena.user.application.Main.main(Main.java:138)
Command execution failed.

benedhk commented 5 years ago

Hi there

Could you please kindly answer my question above?

Thanks in advance, Ben

shlee89 commented 5 years ago

Hi Ben,

If you want to use the logical "and" operation, you need to append each constraint to the logical AND feature constraint.

According to your source code, you need to

    featureConstraint.append(new TargetAthenaValue(featureConstraint3));
    featureConstraint.append(new TargetAthenaValue(featureConstraint4));

You can find a detailed example here (https://github.com/shlee89/athena/blob/master/athena-tester/src/main/java/athena/user/application/Sample.java); please see the requestFeatures() function.

Any problems, let me know.

Thanks!


benedhk commented 4 years ago

Hey there, now I feel that I am more familiar with this framework, but I wanna know something...

Do we have to configure data pre-processing, or is it just optional?

Thanks!

shlee89 commented 4 years ago

Good to hear that!

Yeah, pre-processing options are just optional. However, if you want your own model to be strong, you need to find optimal values for the "pre-processing parameters".


benedhk commented 4 years ago

Before I close this issue

I want to say thank you for taking the time to help me build my own Athena's app. I know you are busy, so I really appreciate your time and effort. Overall I'm having a good time learning something new!

Many thanks Ben.

shlee89 commented 4 years ago

Good to hear that!

You can re-open the issue, if you encounter unexpected problems.

Thanks.
