ML-Powered Detection

hdds_viewer uses ONNX Runtime for machine learning inference, enabling real-time anomaly detection on DDS/RTPS traffic.

Overview

The ML system provides:

• Traffic classification - Normal, degraded, attack patterns
• Anomaly scoring - Confidence-based severity assessment
• Feature extraction - 50+ statistical features from message traces

Model Architecture

Ensemble Model

The default model is an ensemble of:

Combined accuracy: 99.58% on validation set.

Input Features (50+)

Features are extracted from sliding windows of messages:

Timing Features

• Inter-arrival time (mean, std, min, max, p50, p95, p99)
• Jitter (variance in arrival times)
• Burst detection (messages within 1ms window)

Volume Features

• Message rate (per topic, per type)
• Payload size statistics
• Sequence number gaps

Pattern Features

• Periodicity score (FFT-based)
• Entropy of payload sizes
• Topic distribution histogram

QoS Features

• Reliability hash variance
• Durability distribution
• History depth utilization

Model Files

Models are located in:

Model Versions

Inference Pipeline

Raw Frames → Feature Extraction → Normalization → ONNX Inference → Results
     │              │                  │               │            │
     │        [50+ features]     [StandardScaler]  [ensemble.onnx] [Anomaly]
     │                                                              │
     └──────────────────────────────────────────────────────────────┘
                              ~2ms per batch

Performance

Configuration

Enable/Disable ML

# ~/.config/hdds-viewer/config.toml
[ml]
enabled = true
model_path = "~/.config/hdds-viewer/models/ensemble_v1.onnx"
batch_size = 100
anomaly_threshold = 0.85  # Confidence threshold

CLI Options

# Enable ML detection
hdds-viewer --analyze capture.hddscap --ml-detect

Dump features to CSV (for model training)
hdds-viewer --analyze capture.hddscap --dump-features features.csv

Set custom threshold
hdds-viewer --analyze capture.hddscap --ml-threshold 0.90

Training Custom Models

Export Features

# Export training data
hdds-viewer --analyze captures/*.hddscap --dump-features training.csv

Train with Python

import pandas as pd
from sklearn.ensemble import RandomForestClassifier
import skl2onnx

Load features
df = pd.read_csv('training.csv')
X = df.drop('label', axis=1)
y = df['label']

Train model
model = RandomForestClassifier(n_estimators=100)
model.fit(X, y)

Export to ONNX
from skl2onnx import convert_sklearn
onnx_model = convert_sklearn(model, initial_types=[...])
with open('custom_model.onnx', 'wb') as f:
    f.write(onnx_model.SerializeToString())

Use Custom Model

[ml]
model_path = "/path/to/custom_model.onnx"
scaler_path = "/path/to/custom_scaler.json"

Feature Extraction API

For plugin developers:

use viewer_ml::features::FeatureExtractor;

let extractor = FeatureExtractor::new();
let features = extractor.extract(&frames)?;

// features: ndarray::Array1<f64> with 50+ values

Detection Categories

Validation Results

From validation on 10,000 labeled samples:

Confusion Matrix

Predicted
             Norm  Anom
Actual Norm  4923   15
       Anom    27  5035

Troubleshooting

Model Not Found

Error: ML model not found at ~/.config/hdds-viewer/models/ensemble_v1.onnx

Solution: Download models from release or disable ML:

# Download models
hdds-viewer --download-models

Or disable ML
hdds-viewer --no-ml

ONNX Runtime Error

Error: ONNX Runtime initialization failed

Solution: Check ONNX Runtime compatibility:

# Verify ONNX Runtime version
hdds-viewer --version --verbose