Operator HostProfiling

The HostProfiling operator analyzes DNS response traffic and reports whether or not the behaviour of the hosts are suspicious. This is done by building a profiling of the DNS response records over a period of time. At the end of that period, the operator submits a tuple predicting whether the profiled host is "suspicious" or "benign".

Behavior in a consistent region

The operator is not supported in a consistent region. A warning occurs when you compile your streams processing application.
The operator cannot be the start of a consistent region. An error occurs when you compile your streams processing application.

Summary

Ports: This operator has 1 input port and 1 output port.
Windowing: This operator optionally accepts a windowing configuration.
Parameters: This operator supports 1 parameter.
Optional: warmupFile
Metrics: This operator does not report any metrics.

Properties

Implementation: C++
Threading: Never - Operator never provides a single threaded execution context.

Input Ports

Ports (0)

Ingests tuples containing DNS response records. The input tuple must contain, at a minimum, the following attributes:

timestamp captureTime
rstring dstAddress
rstring domain
uint8 responseCode
BWListTag_e bwTag

For convenience, the com.teracloud.streams.cybersecurity.types::HostProfilingInput_t type contains all of the necessary attributes needed by the HostProfiling operator.

Windowing

Supports a partitioned, tumbling window. All eviction policies are supported.

Properties

Optional: false

ControlPort: false
TupleMutationAllowed: true
WindowingMode: OptionallyWindowed
WindowPunctuationInputMode: Oblivious

Output Ports

Assignments: This operator allows any SPL expression of the correct type to be assigned to output attributes.

Output Functions

HP Functions

<any T> T AsIs()

The default function for output attributes. By default, this function assigns the output attribute to the value of the input attribute with the same name.

list<float64> getFeatureVector()

Returns the feature vector.

timestamp getProfileLastUpdate()

Returns the latest timestamp of the windowed DNS response records.

<any T> T getHost()

Returns the profiled host.

<any T> T getWindowedTuples()

Returns a list of the input tuples that were used as part of the profile. The expected output type is an SPL:list containing the input tuples. For example, the return type may be: SPL::list<HostProfilingInput_t>.

rstring getPredictedClass()

Returns a prediction for the profiled domain. This function will return either "suspicious" or "benign".

Ports (0)

Submits a tuple containing a prediction for the profiled host. This port submits a tuple each time the tumbling window is evicted. Custom output functions are used to specify the value of the output tuple attributes. The output tuple attributes whose assignments are not specified are assigned from the input attribute.

For convenience, the com.teracloud.streams.cybersecurity.types::HostProfilingResult_t type can be used as the output tuple type of this operator. This type contains contains attributes that can be assigned from the output functions.

Properties

Optional: false

TupleMutationAllowed: true
WindowPunctuationOutputMode: Generating

Parameters

Optional: warmupFile

warmupFile

This parameter specifies the path to the warmup file used to initialize the operator. This toolkit contains a default warmup file, which can be found here: "<TOOLKIT_ROOT_DIR>/etc/app/hp/HostProfilingWarmup.txt".

Properties

Type: rstring
Cardinality: 1
Optional: true
ExpressionMode: AttributeFree

Libraries

No description for library.: Library Name: csa, re2; Library Path: ../../impl/lib/csa/, ../../impl/lib/re2/; Include Path: ../../impl/include/re2/, ../../impl/include/csa/, ../../impl/include/csa/hp/, ../../impl/include/