In November 2024, Cablebs Netlm released: Easy Automated Network Assistant. Netlm is a set of tools that collect measles from the network and transmit it as a text to a large language model outside the box (LLM) trained in the natural language of the analysis. This approach works well and has an additional benefit, allowing people to communicate with their English router for the conversation.
The next step, which is the subject of this blog post, was to train a model on the network connection itself instead of describing a text. Our model is trained on raw network packages, as it deals with the beam sequence as a language by dealing with each package as a sentence in the context of the comprehensive network conversation. This approach has led to a dedicated structure that allows us to build a real intuition to understand the network traffic in more detail.
What we did
Our model takes a PCAP package and leads to its understanding of what is happening in the network traffic in the form of a transmission (or inclusion) of each package. In LLMS, words and ideas are represented internally using implications, which are set to reflect the ideas they represent. If you are considering packages as their own ideas, you can also represent these ideas numbered, with inclusions, which can be considered translations of packages on the network into something that the device can understand.
As a test, we used these implications to classify traffic into categories, focusing on two cases of initial use: determining the type of Internet of Things devices on the network and discovering safety attacks. For each case of these cases of use, the implications have been converted to create a possibility to distribute the targeted groups, which allowed us to classify traffic into two or more categories (or stickers). Our classification success rate with all these cases was more than 90 %.
Overview of architecture
To capture the full meaning of PCAP, the most important aspects are the timing and content of each package and the relationship between packages; Architecture needs the opposite of this.
The first step is to divide each package into its component protocols, each of which is passed through a dedicated layer that learned to extract features of this protocol. The packages are then sent through a long -term long -term memory network (LSTM), a type of machine learning layer that outperforms the extraction of temporal relationships between time steps and convert them to take previous time steps in mind. Then we pass through this time -perceive representatives through the self -accompanying class that surpass the role and meaning of each package in the broader context of the surrounding packages.
Figure 1: A high -level overview of the path that the package takes as it is dealt with by our model and what it represents in each step
The form of the form, the final inclusion, is the menu, one for each package, which is an understanding of the original computer. To find out how you can use these implications, imagine a classification task. These implications will be used to predict a specific A PCAP category to which it belongs. For example, if we train the model on predicting any type of Internet of Things devices we are looking for, the output of this classification will be a possibility to potential stickers (for example, a 80 % smart camera, 10 % of smart lamps, and another 10 %).
When designing our structure, we wanted to make sure our model is where it will be more effective. Many network analysis tools are very large and live in the cloud, which have some potential defects:
There are privacy concerns about sending possible secret information to the cloud. Sending all traffic to the cloud is a large waste of display of the frequency range on the source. The analysis system fails if the connections decrease and the cloud cannot be reached.
We focused on a local solution, making the model as lightweight as possible, so that it can be played on CPE and the function even without accessing the broader internet.
Continuing development
But there is more that can be done with these implications!
Package transformer. When we take a wider offer for the PCAP understanding unit in Figure 1 above, it is similar to the transformer’s encryption mass. For the normal language processing tasks (NLP), in models such as BERT, the encrypted is used to understand the inputs and then classify, just like our model. For text production, most modern LLMS uses the structure of decoding only. This works well for the text because the text does not need any additional processing or understanding. Therefore, if we feed our inclusion in the unit of coding (along with the text and any other related measurements), we will be able to create a multimedia LLM that has a deep understanding of network communications and we can explain the questions about them.
Network agent. This PCAP understanding unit can also be used as a network to understand the network within a larger agent system. In this way, the understanding agent will be called when the coordination agent believes that there is a need to consider in detail in the network movement.
Building for the future
As our industry advances forward, flexible and flexible systems can communicate better with consumers. Systems that understand network problems and diagnosis/reform can solve customer problems more quickly and provide customer service costs.
This innovative approach is strong and lightweight and able to run directly on CPE. So, instead of trying to pressure the most energy as possible in the devices (which is expensive, thirsty for energy and takes a long time), we can work more intelligently using this new structure on any existing devices.
To continue developing our model, we need more data. If you are a member of Cablelabs or part of our sellers community, this is where you can help. If you have any appropriate or uncomplicated computers and want to contribute to developing this model or cooperation, tell us that.
