6.3 ‐ How to deploy pre-trained Deep Learning models for ESCU
NOTE: The following instructions are specifically for deploying pre-trained deep learning models using the Splunk App for Data Science and Deep Learning (DSDL) 5.0 in ESCU. The deployed models are then used with the "apply" command in ESCU detections.
The steps are outlined as follows -
- Set up Splunk App for Data Science and Deep Learning (DSDL) 5.0
- Download the model artifacts
- Deploy model artifacts into Splunk app DSDL
- Install the DSDL app (https://splunkbase.splunk.com/app/4607/) 5.0 on the Splunk instance and follow the steps in Overview > User Guide.
- Additional information and FAQs are available at https://splunkbase.splunk.com/app/4607/#/details.
- Ensure the containers use the Golden Image CPU 5.0.0.
- Download the pre-trained model .tar.gz file for the detection from the table below.
Detection | Model |
---|---|
Detect DGA domains using pre-trained model in DSDL | pre-trained model |
Detect DNS Tunneling using TXT record responses | pre-trained model |
Detect suspicious process names | pre-trained model |
Detect DNS Data Exfiltration | pre-trained model |
- Download the .ipynb notebook for the detection
Detection | Notebook |
---|---|
Detect DGA domains using pre-trained model in DSDL | notebook |
Detect DNS Tunneling using TXT record responses | notebook |
Detect suspicious process names | notebook |
Detect DNS Data Exfiltration | notebook |
- Download the model configuration .json file for the detection
Detection | .json file |
---|---|
Detect DGA domains using pre-trained model in DSDL | .json |
Detect DNS Tunneling using TXT record responses | .json |
Detect suspicious process names | .json |
Detect DNS Data Exfiltration | .json |
- Follow the steps below only if you are deploying the model for use outside of ESCU, for example in a plain SPL search using the |apply command. Place these .mlmodel files into the app's lookups directory, for example etc/apps/mltk-container/lookups.
Detection | .mlmodel file |
---|---|
Detect DGA domains using pre-trained model in DSDL | .mlmodel |
Detect DNS Tunneling using TXT record responses | .mlmodel |
Detect suspicious process names | .mlmodel |
Detect DNS Data Exfiltration | .mlmodel |
- Log in to the Splunk instance and launch the Splunk App for Data Science and Deep Learning (DSDL).
- Select Containers from the drop-down menu; it lists all the containers.
- Select Golden Image CPU 5.0.0 as the Container Image and the Cluster target appropriate for your environment, then start the dev container.
- Wait for the container to start up and for its URLs to populate.
- Log in to the JupyterLab of the dev container by clicking the URL, e.g. http://{container_url}:port_num/lab?
- Use the password provided in Overview > User Guide of the DSDL app.
- The steps below are performed within the JupyterLab of the container.
- Upload the pre-trained model .tar.gz file into the app/model/data path using the upload option in the Jupyter notebook.
- Open a terminal in JupyterLab and execute the following command (the target directory must already exist, since tar -C does not create it):

```
tar -xf app/model/data/<pretrained_model_file_name>.tar.gz -C app/model/data/<pretrained_model_file_name>/
```

  This extracts the artifact <pretrained_model_file_name>.tar.gz into app/model/data/<pretrained_model_file_name>/.
- Upload the .ipynb notebook into the notebooks folder using the upload option in JupyterLab.
- Also upload the .json model configuration into the notebooks/data folder.
- Save the notebook using the save option in the Jupyter notebook.
- Start the container specific to the detection.
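The extraction step above can be wrapped so that the preconditions the single tar command leaves implicit are checked first: the archive exists, optionally matches a pinned SHA-256 from the download page, contains no member paths that would land outside the target directory, and the target directory is created before tar -C is called. The script below is an added example, not part of the security_content wiki or of the DSDL app; the directory layout mirrors the app/model/data path used above, while the archive it builds and the file names inside it are constructed stand-ins so the script runs offline.

```shell
#!/bin/sh
# Added example (not part of the security_content wiki or the DSDL app): stage a
# pre-trained model archive into <data_dir>/<name>/ the way the wiki's tar command
# does, with the precondition checks that command leaves implicit. Directory and
# file names below are assumptions for illustration.
set -eu

# Read archive member paths from stdin; print 1 if any member is an absolute path
# or contains a ".." component (either could write outside the target directory),
# otherwise print 0.
unsafe_members() {
    if grep -E '^/|(^|/)\.\.(/|$)' >/dev/null; then echo 1; else echo 0; fi
}

# Extract <name>.tar.gz into <data_dir>/<name>/ and print that directory.
# Optional third argument: expected SHA-256 of the archive (pinned from the
# download page); extraction is refused if it does not match.
stage_model_artifact() {
    archive=$1
    data_dir=$2
    expected_sha=${3:-}
    [ -f "$archive" ] || { echo "archive not found: $archive" >&2; return 1; }
    if [ -n "$expected_sha" ]; then
        actual_sha=$(sha256sum "$archive" | cut -d' ' -f1)
        [ "$actual_sha" = "$expected_sha" ] || { echo "checksum mismatch for $archive" >&2; return 1; }
    fi
    if [ "$(tar -tzf "$archive" | unsafe_members)" = 1 ]; then
        echo "refusing $archive: member paths leave the target directory" >&2
        return 1
    fi
    name=$(basename "$archive" .tar.gz)
    target="$data_dir/$name"
    mkdir -p "$target"          # tar -C does not create a missing directory
    tar -xzf "$archive" -C "$target"
    printf '%s\n' "$target"
}

# Constructed sample: build a small stand-in archive (two placeholder files) so
# the staging function can be exercised offline; print its path.
make_sample_archive() {
    work=$(mktemp -d)
    mkdir -p "$work/src"
    printf 'placeholder model weights\n' > "$work/src/model.bin"
    printf '{"name":"sample"}\n' > "$work/src/config.json"
    tar -czf "$work/sample_model.tar.gz" -C "$work/src" model.bin config.json
    printf '%s\n' "$work/sample_model.tar.gz"
}

# Stand-alone run: stage the constructed archive under a temporary app/model/data.
sample=$(make_sample_archive)
staged=$(stage_model_artifact "$sample" "$(dirname "$sample")/app/model/data")
echo "staged into: $staged"
ls "$staged"
```

Inside the dev container the call would be stage_model_artifact app/model/data/<pretrained_model_file_name>.tar.gz app/model/data, optionally followed by the published SHA-256; the member-path check reads the archive listing only, so nothing is written until the archive has passed it.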