How can I encode the relations between two entities?

Hi,
I want to use the HTM.JAVA framework to predict what will happen at the next step based on a sequence of behaviors. The sequence consists of different behaviors in time order, such as: A->B->C->A->D…
How can I encode the relations between the behaviors? I have two types of encoding strategies:

  1. decompose the sequence into tuples such as A->B, B->C, C->A… and encode each tuple as an SDR;
  2. encode each separate behavior as an SDR, so the whole sequence is converted to a sequence of SDRs.

I want to know which will be better for prediction accuracy.
If I use the first strategy, how can I encode the relation into an SDR?
Thanks

I have no practical experience but I think the second one is how you’re supposed to do it.
Just make sure to encode to represent semantic information properly.
(i.e. behaviors with a common feature should have some common bits on)

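A sketch of the second strategy with the "common feature, common bits" advice from the reply above. This is an added example, not code from the thread or from HTM.java; the behavior names, the feature fields, the SDR width and the hashing scheme are all assumptions made for illustration.

```python
import hashlib

SDR_SIZE = 1024        # assumed SDR width
BITS_PER_FIELD = 12    # assumed number of active bits per field

# Constructed vocabulary: each behavior is described by a few features.
BEHAVIORS = {
    "port_scan":  {"phase": "recon",   "proto": "tcp"},
    "host_sweep": {"phase": "recon",   "proto": "icmp"},
    "login_fail": {"phase": "access",  "proto": "ssh"},
    "login_ok":   {"phase": "access",  "proto": "ssh"},
    "bulk_read":  {"phase": "collect", "proto": "smb"},
}

def field_bits(field, value, n=BITS_PER_FIELD, size=SDR_SIZE):
    """Deterministically map one field=value pair to n bit positions."""
    bits, counter = set(), 0
    while len(bits) < n:
        digest = hashlib.sha256(f"{field}={value}#{counter}".encode()).digest()
        bits.add(int.from_bytes(digest[:4], "big") % size)
        counter += 1
    return bits

def encode(behavior):
    """SDR = bits unique to the behavior plus bits for each of its features."""
    bits = field_bits("name", behavior)
    for field, value in BEHAVIORS[behavior].items():
        bits |= field_bits(field, value)   # shared feature -> shared bits
    return frozenset(bits)

def overlap(a, b):
    """Number of active bits two behaviors have in common."""
    return len(encode(a) & encode(b))

def encode_sequence(steps):
    """Strategy 2: one SDR per step; order is left to the sequence memory."""
    return [encode(s) for s in steps]
```

The encoding depends only on the behavior and its features, so the same step produces the same SDR wherever it occurs in a sequence.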

So the entities you’re trying to compare are temporal sequences, not spatial patterns?

In fact, I am not sure about the spatial patterns. I want to model the cyber attack steps triggered by a specified attacker; the sequence is sort of the steps left by attackers when they are infiltrating networks. So, I want HTM to learn the sequence and forecast the next step the attacker will most likely do.
But I am not very sure how to define the semantics between the steps; the steps are the evidence of the attacking strategy. I don’t know what the better way is to encode the sequence to leverage the abilities of HTM in pattern learning and prediction.
Please give me advice, thank you very much!

I found that the behaviors will always be encoded with common bits on as long as the two behaviors are sent to the spatial pooler one after another. In other words, data with similar semantics should be encoded in a fixed order. Yes? That will conflict with the real order in a specified sequence. The concepts described above were learned by reading the HTM.java example (gym); maybe I am misreading it. I hope for the correct explanation, thanks very much!

Do you have a lot of data that represent these hacker actions you can use to train a system on this behavior?

Yes, I have downloaded the network intrusion dataset, about several GBs of original network traffic data that contains various types of attacks. I have extracted the behaviors from the dataset.
But the attack actions are extracted into sessions between each pair of hosts. So there will be many sessions; I want to convert the sessions into bit arrays and learn the patterns using HTM.

Maybe there is a need to filter out the sessions that really belong to a specified attack scenario that can train the system, and the attack scenario should happen many times, so we can gather enough data about that attack.

In a real network environment, the attacker may use many types of attack technologies only once in an intrusion process; maybe this is what you are concerned about, me too.

I have another question: is HTM technology suitable for online learning tasks about extracting intrusion behavior patterns in a real-time manner? The behaviors may be diverting all the time due to the uncertainty of the hacker, but there will definitely be a pattern that describes the strategy of the intrusion.

Not needing retraining is a very good property of HTM; however, it makes me concerned about the “forgetfulness” of HTM.
Not needing retraining means it can continuously learn from streaming data; at the same time, it implies that it cannot store the learned patterns forever, because the data will drive the HTM to forget patterns that do not appear in the data any more. If the data patterns change frequently, maybe the HTM will learn nothing at all.

I want to use HTM in my studies about online intrusion prediction, but I just cannot find an appropriate way.

Please give me some advice… thanks very much.

My two cents: the relationship between two entities is associative memory.

This to me is the key for HTM to be effective at this. There need to be sequential patterns either to non-hacking behavior or to hacking behavior, or ideally both. If there are certain behaviors made by hackers, you could have dedicated HTM models which are trained only on these sequences. If there are other common behaviors made by non-hackers you should have an HTM model (/models) trained for them too.

I’d recommend feeding the live data you have into all trained models, with learning turned off for all models. Then you monitor which models are showing higher & lower levels of anomalies. If a hacker model is showing lower anomaly scores than the non-hacker models, that means that the current inputs are more familiar to that model than others – and it may be a hacker. Likewise if the model(s) of common non-hacker behavior are showing lower anomaly scores than the hacker model(s), the current behavior appears not to be a hacker – or at least not a known hacker pattern.
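The routing logic of the recommendation above, as an added example that is not part of the original post and does not use HTM.java: a first-order transition memory stands in for each trained HTM model, and the step labels, training sequences and 0.5 threshold are constructed assumptions.

```python
class TransitionModel:
    """First-order sequence memory, a simple stand-in for an HTM model."""

    def __init__(self):
        self.next_steps = {}     # step -> set of steps seen right after it
        self.learning = True

    def run(self, sequence):
        """Feed one sequence; return an anomaly score per transition."""
        scores, prev = [], None
        for step in sequence:
            if prev is not None:
                known = self.next_steps.get(prev, set())
                scores.append(0.0 if step in known else 1.0)
                if self.learning:
                    self.next_steps.setdefault(prev, set()).add(step)
            prev = step
        return scores

# Constructed training sequences (hypothetical step labels).
ATTACK_TRAIN = [
    ["port_scan", "login_fail", "login_fail", "login_ok", "bulk_read"],
    ["port_scan", "login_fail", "login_ok", "priv_change", "bulk_read"],
]
BENIGN_TRAIN = [
    ["login_ok", "file_read", "file_write", "logout"],
    ["login_fail", "login_ok", "file_read", "logout"],
]

def build_models():
    """Train one model per behavior class, then turn learning off."""
    models = {"attack": TransitionModel(), "benign": TransitionModel()}
    for name, data in (("attack", ATTACK_TRAIN), ("benign", BENIGN_TRAIN)):
        for seq in data:
            models[name].run(seq)
        models[name].learning = False   # freeze before scoring live data
    return models

def classify(models, live, threshold=0.5):
    """Mean anomaly of `live` under each frozen model; lowest score wins."""
    scores = {}
    for name, model in models.items():
        s = model.run(live)
        scores[name] = sum(s) / len(s) if s else 0.0
    best = min(scores, key=scores.get)
    # If even the best model is mostly surprised, report no known pattern.
    return (best if scores[best] < threshold else "unknown"), scores
```

A session that every model finds anomalous comes back as `unknown`, which is the "not a known hacker pattern" case from the post.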