Machine Learning Parameters
The ML Parameters tab is used to modify the settings for Machine Learning Applications.
One important parameter, commonly used in many anomaly detection methods, is the Contamination level. Due to its significance, this parameter can be adjusted independently of the other settings.
The ML Parameters option is accessible from the Administration tab by clicking the button in the left-side panel of the Web Interface.
Configuration files for the Machine Learning methods
Because Machine Learning techniques for anomaly detection can be quite sophisticated in terms of their configuration, we have added the possibility of uploading JSON configuration files that describe the parameters, choices, settings and preferences applied to the machine learning methods. The NETALERT system comes with predefined configuration files.
Below the Contamination level, the JSON configuration file currently in use is displayed. The Contamination level is highlighted due to its significance in many anomaly detection tasks. All other parameters are included within the JSON configuration files.
Configuration files can be uploaded for the following anomaly detection tasks:
| Name | Description |
|---|---|
| Kerberos | Represents the configuration file for the model that detects anomalous Kerberos traffic. It corresponds to the netalert-kerberos.yaml configuration file from APP_ML |
| Lateral | Represents the configuration file for the model that detects Lateral Movement attacks. It corresponds to the netalert-lateral.yaml configuration file from APP_ML |
| UDP | Represents the configuration file for the models that detect anomalous UDP traffic (both the UDP network model and the UDP device models). It corresponds to the netalert-udp.yaml configuration file from APP_ML |
| TCP | Represents the configuration file for the models that detect anomalous TCP traffic (both the TCP network model and the TCP device models). It corresponds to the netalert.yaml configuration file from APP_ML |
| Scan | Represents the configuration file for the model that detects scans. It corresponds to the netalert-scan.yaml configuration file from APP_ML |
| DNS | Represents the configuration file for the DNS anomaly detection system. It corresponds to the config.py file from the netalert-app-static application |
| SMTP | Represents the configuration file for the SMTP anomaly detection system. It corresponds to the config.py file from the netalert-app-static application |
| ProphetConfig | Represents the configuration file for the Prophet timeseries anomaly detection library. It is used by both the DNS and SMTP systems. It corresponds to the prophet-dns.json and prophet-smtp.json files, respectively |
| MLConfig | Represents the configuration file for the main netalert-app-ml application. Corresponds to the app_config_editable.yaml file |
All configuration files can utilize any of the machine learning methods outlined in the final section of this page.
For example, below is an expanded view of one of the JSON files, specifically the one for Kerberos.
To upload a new configuration file, use the button on the top left of the ML Parameters list:
To edit a selected configuration file, press the button located in the top-right corner of each JSON file within the ML Parameters list.
Options for the Machine Learning configuration files
Depending on the Machine Learning techniques used for anomaly detection, the configuration files contain different settings and parameters. In this section we list the methods currently deployed in NETALERT and link to their configuration manuals.
The following Machine Learning methods are currently deployed in NETALERT:
- from PyOD, the method k-Nearest Neighbors Detector (kNN)
- from PyOD, the method IsolationForest Outlier Detector (IForest)
- from PyOD, the method Copula Based Outlier Detector (COPOD)
- from PyOD, the method Lightweight on-line detector of anomalies (Loda)
- from PyOD, the method Outlier Detection with Minimum Covariance Determinant (MCD)
- from PyOD, the method Local Outlier Factor (LOF)
- from PyOD, the method Histogram-based Outlier Detection (HBOS)
- from Graphomaly, the Keras extended Autoencoder (AE) method
- from Graphomaly, the Keras extended Variational Autoencoder (VAE) method
- from Prophet, using the uncertainty intervals to model the outlier detection problem
ML voting schemes
In many cases, multiple ML algorithms are executed for the same anomaly detection problem to determine whether an anomaly exists and to assess its severity. The voting options are typically located at the end of the ML configuration files, with the default set to soft.
To get the full range of options for the voting schemes please check the voting classifier.
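The following is an added illustration, not NETALERT or PyOD code, of how the contamination level and the voting scheme interact when several detectors score the same samples: hard voting lets each detector flag its own top fraction and takes a majority, while soft voting averages the normalized scores and thresholds once, so the averaged score also ranks severity. The detector names and all scores are constructed for the example.

```python
# Added example (not NETALERT code): hard vs. soft voting over several
# detectors' outlier scores, with the contamination level as the flagged share.
from typing import Dict, List, Tuple

# Constructed raw anomaly scores from three detectors over ten samples
# (higher means more anomalous; the detectors' scales need not agree).
DETECTOR_SCORES: Dict[str, List[float]] = {
    "knn":     [0.1, 0.2, 0.1, 0.9, 0.3, 0.2, 0.1, 0.6, 0.2, 0.1],
    "iforest": [0.2, 0.1, 0.2, 0.8, 0.2, 0.1, 0.3, 0.2, 0.7, 0.1],
    "hbos":    [0.1, 0.1, 0.2, 0.2, 0.1, 0.1, 0.1, 0.9, 0.3, 0.1],
}
CONTAMINATION = 0.2  # expected fraction of anomalous samples


def min_max(scores: List[float]) -> List[float]:
    """Rescale one detector's scores to [0, 1] so they can be averaged."""
    lo, hi = min(scores), max(scores)
    return [0.0] * len(scores) if hi == lo else [(s - lo) / (hi - lo) for s in scores]


def threshold_for(scores: List[float], contamination: float) -> float:
    """Score at which the top `contamination` fraction of samples starts."""
    n_flag = max(1, round(len(scores) * contamination))
    return sorted(scores, reverse=True)[n_flag - 1]


def hard_vote(detectors: Dict[str, List[float]], contamination: float) -> List[bool]:
    """Each detector flags its own top fraction; a majority of detectors decides.
    Note that this can flag more samples than the contamination share."""
    n = len(next(iter(detectors.values())))
    votes = [0] * n
    for scores in detectors.values():
        thr = threshold_for(scores, contamination)
        for i, s in enumerate(scores):
            votes[i] += s >= thr
    return [v > len(detectors) / 2 for v in votes]


def soft_vote(detectors: Dict[str, List[float]], contamination: float) -> Tuple[List[bool], List[float]]:
    """Average the normalized scores and threshold once; the average is a severity ranking."""
    normalized = [min_max(s) for s in detectors.values()]
    n = len(normalized[0])
    avg = [sum(col[i] for col in normalized) / len(normalized) for i in range(n)]
    thr = threshold_for(avg, contamination)
    return [a >= thr for a in avg], avg


if __name__ == "__main__":
    flagged, severity = soft_vote(DETECTOR_SCORES, CONTAMINATION)
    print("hard:", [i for i, f in enumerate(hard_vote(DETECTOR_SCORES, CONTAMINATION)) if f])
    print("soft:", [i for i, f in enumerate(flagged) if f])
    print("by severity:", sorted(range(len(severity)), key=severity.__getitem__, reverse=True)[:3])
```

With these scores, hard voting flags samples 3, 7 and 8 (each is in the top fraction of two detectors), while soft voting flags only 3 and 7 and ranks 8 third by averaged score.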