Besides incoming blacklisted connections, external-to-internal traffic isn't very useful in any of our analysis modules. And incoming blacklisted connections are of questionable usefulness as well, since the things that normally scan everything on the internet will also normally end up on blacklists. We're not trying to detect someone attacking coming in. We're trying to detect already compromised
What is the name of the switch used for mirroring (the name defined in faucet.yaml, not the DNS name, for example)?
The port that Poseidon uses for mirroring needs to be controlled by Faucet, therefore it needs to be an OpenFlow port on a switch that Faucet manages.
The port that Poseidon uses needs to be configured in faucet.yaml with output_only: true and no native_vlan (i.e. a mirror-destination port from Faucet's perspective, not an access port that hosts can talk through).
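As an added illustration (not from the original notes or the Poseidon/Faucet projects themselves), the faucet.yaml fragment below shows the two requirements above on one switch: the switch name (sw1), dp_id, VLAN name, port numbers and the ports being mirrored are all assumptions chosen for the example. The first interface entry is the misconfiguration to avoid (an access port with a native VLAN); the last is the port Poseidon would use for mirroring.

```yaml
# Assumed example faucet.yaml; switch name, dp_id, VLAN and port numbers are made up.
vlans:
  office:
    vid: 100

dps:
  sw1:                     # <- the switch name Poseidon asks for (faucet.yaml name, not DNS)
    dp_id: 0x1
    hardware: "Open vSwitch"
    interfaces:
      1:
        description: "host port"
        native_vlan: office
      2:
        description: "host port"
        native_vlan: office
      # WRONG for a mirror port: it is an ordinary access port, so mirrored frames
      # would be switched/learned on VLAN 100 instead of just being copied out.
      # 3:
      #   description: "poseidon mirror (misconfigured)"
      #   native_vlan: office
      # CORRECT: output only, no native_vlan, so Faucet treats it purely as a mirror destination.
      3:
        description: "poseidon mirror port"
        output_only: true
        mirror: [1, 2]       # ports whose traffic is copied here (Faucet's mirror option; assumed set)
```

The port must appear under the `dps` entry of a Faucet-controlled switch; a port on a switch Faucet does not manage cannot be used, since Faucet has to install the OpenFlow rules that copy traffic to it.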
A project that identifies an app from its network traffic: it extracts 8 features from network packets and trains SVM models with 5 different parameter settings on Spark. The reported accuracy is around 88.4%.