Loading in 5 sec....

Learning and Inference in the Knowledge PlanePowerPoint Presentation

Learning and Inference in the Knowledge Plane

- 83 Views
- Uploaded on
- Presentation posted in: General

Learning and Inference in the Knowledge Plane

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Learning and Inference in the Knowledge Plane

Thomas G. Dietterich

School of EECS

Oregon State University

Corvallis, Oregon 97331

http://www.eecs.oregonstate.edu/~tgd

Traffic

Network

Model

Performance

Measures

Configurations

Example: configuration/traffic model captures the tripartite relationship between network configurations, traffic properties, and network performance measures.

Configuration X + Traffic Y ) Performance level Z

Traffic

Performance

Measures

Configurations

traffic mix

performance objectives

Network Model

Configuration

Engine

proposed network configuration

- Learn network model
- measure…
- configuration information
- traffic properties (protocol mix, session lengths, error rates …)
- performance measures (throughput, E2E delays, errors, application-level measures)

- fit model

- measure…

- Improving the configuration engine
- Learn repair rules
- Observe operator-initiated repairs

- Learn heuristics for rapidly finding good solutions
- Cache previous good solutions

- Learn repair rules

Traffic

Sensor

Performance

Measures

Configurations

Variables Measured, Error Bounds, Costs

Sensor Model

Network Model

Sensor Model

Network Model

observed anomaly or user’s complaint

Diagnosis Engine

Sensors

Interventions

diagnosis and recommended repair

DE chooses measurement or intervention

DE executes measurement or intervention

DE outputs diagnosis

User makes complaint

DE receives results

- Every node stores a conditional probability distribution:

- Interventions:
- Observation: Observe Radio
- Repair attempts: Fill gas tank
- Observe & Repair: Inspect fuel pump, replace if bad

- Algorithm:
- Compute P(component is bad | evidence)
- Repair component that maximizes P(bad)/cost
- Choose observation that maximizes value of information

Choose SparkPlugs as next component to repair. Repair it. Update probabilities, and repeat.

- Learn sensor model
- Basic sensor model is manually engineered
- Learn error bounds and costs (e.g., time delay, traffic impact)

Monitor network for unusual traffic, configurations, and routes

Measure of “Normalness”

Traffic

Measure of “Normalness”

Configurations

Measure of “Normalness”

Routes

Anomalies are phenomena to be understood, not alarms to be raised.

- Learn these models by observing traffic, configurations, routes

- Spatially Distributed
- Replicated/Cached

- Hierarchical
- Multiple levels of abstraction

- Constantly Maintained

- Existing formulations: constraint-satisfaction problems (CSP) with objective function
- Systematic and repair-based methods
- Some ideas for how to incorporate learning

- Special cases where optimal diagnosis is tractable
- Single fault; all actions are repair attempts
- Single fault; all actions are pure observations

- Widely-used heuristic
- One-step value of information (greedy approx)

- Fully-general approach
- Partially-observable Markov Decision Process
- Some approximation algorithms are available

- Unsupervised Learning Methods
- Clustering
- Probability Density Estimation
- One-class Classification Formulation

- What are the right variables to model?
- Packet-level statistics (RTT, throughput, jitter, …)
- Connection-level statistics
- Routing statistics
- Application statistics

- What levels reveal anomalies?
- What levels can best be related to performance goals and configuration settings?

- Network components
- Switches, routers, firewalls, web servers, file servers, wireless access points, …

- LANs and WANs
- Autonomous Systems
- What are the right levels of abstraction?
- Can these things be observed?

- Network models are relational
- (traffic, configuration, performance)
- network structure is a graph
- routes are paths with attached properties

- Relational modeling is a relatively young area of ML

- Distributed model construction
- Bottom-up summary statistics (easy)
- Mixed (bottom-up/top-down) information flow (unexplored)
- Essential for higher-level modeling
- Opportunities for data sharing at lower levels

- Distributed configuration
- Distributed diagnosis
- Opportunities for inference sharing

- Standard AI Models assume a fixed set of classes/categories/faults/components
- How do we reason about the possible existence of new classes, new components, new protocols (including intrusions/worms)?
- How do we evaluate such systems?

- Subscription?
- Applications subscribe to regular model updates/summaries
- Applications specify the models they want the KP to build/maintain

- Query?
- Applications make queries to models?

- KP provides inference services in addition to model services
- WHY? client sends end-user complaint to TP where inference engine operates

- Inference is performed on end-user machine?
- WHY? client does inference, just sends queries to TPs
- Some inference about end-user’s machine needs to happen locally. Maybe view as local TP?

- WHY? client does inference, just sends queries to TPs

- KP Applications will be driven by learned models
- traffic models
- sensor models
- models of “normalness”

- Models are acquired by mix of human authoring and machine learning
- Main research challenges arise from multiple levels of abstraction and world-wide distribution

- Example: HP Labs email loop detection system
- Bronstein, Das, Duro, Friedrich, Kleyner, Mueller, Singhal, Cohen (2001)
- Convert mail log data into four “detectors” and combine using a Bayesian network

- Variables to be measured:
- Raw sensors: mail log (when received, from, to, size, time of delivery attempt, status of attempt)
- Derived variables (10-minute windows)
- IM: # incoming msgs
- IMR: # incoming msgs / # outgoing msgs
- PEAK: magnitude of peak bin in message size histogram
- SHARPNESS: ratio of magnitude of peak bin to average size of four neighboring non-empty bins (excluding 2 nearest-nbr bins on either side of peak bin)

- Summary statistics
- mean and standard deviation of the derived variables trimmed to remove outliers beyond ±3.5 σ

- Provide a language so that I can define
- raw features
- derived features
- summary statistics

- Provide subscription service so that I can collect the summary statistics
- automatic or semi-automatic support for aggregating summary statistics from multiple sources (e.g., multiple border SMTP servers)

- Provide subscription service so that I can sample the derived features (to build a supervised training data set)

- Routines for aggregating statistics
- Example: given
- S1 = i x1,i and N1
- S2 = j x2,j and N2, from two independent sources

- I can compute
- S3 = S1 + S2 and N3 = N1 + N2

- From these, I can compute the mean value:
- = S3/N3

- Example: given
- To compute variance, I need SS1 = i x21,i

- Given summary statistics, compute probabilities in a Bayesian network

Mail Loop

IM

IMR

PEAK

SHARPNESS

- Andrew Moore (CMU): For nearly every learning algorithm, there is a set of statistics sufficient to permit that algorithm to fit its models
- There is usually a scalable way of collecting and aggregating these sufficient statistics

- Design the services for defining sensors, defining derived variables, defining sufficient statistics, and defining aggregation methods
- Scalable, secure, etc.

- Abstract (or aggregate) model could treat conclusions/assertions of other models as input variables
- “One model’s inference is another model’s raw data”
- probably requires associated meta-data: provenance, age of original data
- major issue: assessing the independence of multiple data sources (don’t want to double-count evidence): requires knowledge of KP/network topology

- Multiple KPs and/or multiple KPapps may register for the same sufficient statistics
- Fuse their subscriptions to save computation
- Keep meta data on non-independence