Discriminative models for multi-instance problems with tree-structure
Modeling network traffic is gaining importance in order to counter modern
threats of ever-increasing sophistication. It is, though, surprisingly difficult
and costly to construct reliable classifiers on top of telemetry data due to
the variety and complexity of signals that no human can manage to interpret in
full. Obtaining training data with a sufficiently large and variable body of
labels can thus be seen as a prohibitive problem. The goal of this work is to
detect infected computers by observing their HTTP(S) traffic collected from
network sensors, which are typically proxy servers or network firewalls, while
relying on only minimal human input in the model training phase. We propose a
discriminative model that makes decisions based on all of a computer's traffic
observed during a predefined time window (5 minutes in our case). The model is
trained on traffic samples collected over an equally sized time window for a large
number of computers, where the only labels needed are human verdicts about the
computer as a whole (presumed infected vs. presumed clean). As part of training,
the model itself recognizes discriminative patterns in traffic targeted to
individual servers and constructs the final high-level classifier on top of
them. We show the classifier to perform with very high precision, while the
learned traffic patterns can be interpreted as Indicators of Compromise. In the
following we implement the discriminative model as a neural network with a
special structure reflecting two stacked multi-instance problems. The main
advantages of the proposed configuration include not only improved accuracy and
the ability to learn from gross labels, but also automatic learning of server types
(together with their detectors) which are typically visited by infected
computers.

Symbolic Relational Deep Reinforcement Learning based on Graph Neural Networks
We focus on reinforcement learning (RL) in relational problems that are
naturally defined in terms of objects, their relations, and manipulations.
These problems are characterized by variable state and action spaces, and
finding a fixed-length representation, required by most existing RL methods, is
difficult, if not impossible. We present a deep RL framework based on graph
neural networks and auto-regressive policy decomposition that naturally works
with these problems and is completely domain-independent. We demonstrate the
framework in three very distinct domains and we report the method's competitive
performance and impressive zero-shot generalization over different problem
sizes. In goal-oriented BlockWorld, we demonstrate multi-parameter actions with
pre-conditions. In SysAdmin, we show how to select multiple objects
simultaneously. In the classical planning domain of Sokoban, the method trained
exclusively on 10x10 problems with three boxes solves 89% of 15x15 problems
with five boxes. Comment: RL4RealLife @ ICML2021; code available at
https://github.com/jaromiru/sr-dr

Hierarchical Multiple-Instance Data Classification with Costly Features
We extend the framework of Classification with Costly Features (CwCF) that
works with samples of fixed dimensions to trees of varying depth and breadth
(similar to a JSON/XML file). In this setting, the sample is a tree - sets of
sets of features. Individually for each sample, the task is to sequentially
select informative features that help the classification. Each feature has a
real-valued cost, and the objective is to maximize accuracy while minimizing
the total cost. The process is modeled as an MDP where the states represent the
acquired features, and the actions select unknown features. We present a
specialized neural network architecture trained through deep reinforcement
learning that naturally fits the data and directly selects features in the
tree. We demonstrate our method in seven datasets and compare it to two
baselines. Comment: RL4RealLife @ ICML2021; code available at
https://github.com/jaromiru/rcwc