Version 8 (modified by waue, 15 years ago) (diff) |
---|
Slide
Security Event Center
merge algorithm pseudo code
Merge Algorithm output: correlated_event queue global: event_scenario , MO_win_size 1. pull the top event 2. if OO_events queue == NULL 3. new OO_events as event_scenario in event queue 4. OO_events inherit event 5. while event-queue ≠ NULL { 6. pull the top event 7. if event.timestamp < ( OO_events.end_time + win_size ) 8. Search a correlated_event in correlated_event queue that correlated_event.{ IP_dst, port_dst,signature } == event.{ IP_dst, port_dst, signature } 9. correlated_event _event.endtime <- max(event.endtime, MO_event.endtime) 10. correlated_event.reference append (event.id ) 11. correlated_event.IP_src <- correlated_event. IP_ src ∪ event. IP_ src correlated_event t.port_src <- correlated_event. port_src ∪ event. port_ src 12. else 13. new OO_events as event_scenario in event queue 14. OO_events inherit event } 15 return correlated_event queue …
php real code
<? function merge($timesize) { global $object,$obj_ctr,$DB; $mo_base_ctr=0; $mo_ptr = 0; //mo pointer $i = 0; //tmp //----------------database check---------------- $str="SELECT start_time,end_time,reference,ip_proto, event_name,ip_dst,ip_src,sid,dport,sport,sig_class_id, signature,sig_priority FROM accident_ticket WHERE end_time >= \"".$object[0]->start_time."\" ORDER BY start_time ASC"; $DB->query($str); $fixed_num = mysql_num_rows($DB->result); if($fixed_num == null ) { $fixed_num = 0; $obj_ptr=1; $mo_ctr=1; } else { $obj_ptr=$fixed_num; $mo_ctr=$fixed_num; } $mo[0] = new scenario(null,null,null,null,null,null,null,null,null,null,null,null,null); if($fixed_num > 0) { while(list($start_time,$end_time,$reference,$ip_proto,$event_name,$ip_dst, $ip_src,$sid,$dport,$sport,$sig_class_id,$signature,$sig_priority) = mysql_fetch_row($DB->result) ) { $mo[$mo_base_ctr]->start_time = $start_time; $mo[$mo_base_ctr]->end_time = $end_time; $mo[$mo_base_ctr]->reference = $reference; $mo[$mo_base_ctr]->ip_proto = $ip_proto; $mo[$mo_base_ctr]->event_name = $event_name; $mo[$mo_base_ctr]->ip_dst[0] = $ip_dst; $mo[$mo_base_ctr]->ip_src = split(",",$ip_src); $mo[$mo_base_ctr]->sid = split(",",$sid); $mo[$mo_base_ctr]->dport[0] = $dport; $mo[$mo_base_ctr]->sport = $sport; $mo[$mo_base_ctr]->sig_class_id = $sig_class_id; $mo[$mo_base_ctr]->signature = split(",",$signature); $mo[$mo_base_ctr]->sig_priority = $sig_priority; $mo[$mo_base_ctr]->cmp_time=nor_time($end_time); $mo_base_ctr++; } $object=array_merge($mo,$object); $str="DELETE FROM accident_ticket WHERE end_time >= \"".$object[0]->start_time."\""; $DB->query($str); $DB->reset_auto("accident_ticket"); } //if($DB->result) $DB->free_result(); //----------------database check---------------- //echo "timesize:".$timesize."<br>"; while( $obj_ptr < $obj_ctr ) { $object[$obj_ptr]->cmp_time=chk_time($object[$obj_ptr]->start_time,$timesize); //----remove timeout class---- for($i=$mo_ptr; $i<$mo_ctr ;$i++) { if( strcmp($object[$obj_ptr]->cmp_time,$object[$mo_ptr]->cmp_time) > 0 ) $mo_ptr++; else { $i=$mo_ctr; } } //----remove timeout class---- //====many2one check=== for($i=$mo_ptr; $i<$mo_ctr ;$i++) { if($object[$obj_ptr]->ip_dst[0] == $object[$i]->ip_dst[0]) { // if($object[$obj_ptr]->dport[0] == $object[$i]->dport[0]) // { if($object[$obj_ptr]->signature[0] == $object[$i]->signature[0]) { //-------------------------merge---------------------------- $object[$i]->reference=($object[$i]->reference).", ".($object[$obj_ptr]->reference); if( $object[$i]->ip_proto!=$object[$obj_ptr]->ip_proto ) $object[$i]->ip_proto="multiproto"; $object[$i]->ip_src=arr_merge($object[$obj_ptr]->ip_src,$object[$i]->ip_src); $object[$i]->sid=arr_merge($object[$obj_ptr]->sid,$object[$i]->sid); if( $object[$i]->sport!=$object[$obj_ptr]->sport ) $object[$i]->sport="multiport"; if( $object[$i]->sig_class_id != $object[$obj_ptr]->sig_class_id ) $object[$i]->sig_class_id=0; if( $object[$i]->sig_priority > $object[$obj_ptr]->sig_priority ) $object[$i]->sig_priority=$object[$obj_ptr]->sig_priority; if((time_smaller($object[$obj_ptr]->start_time,$object[$i]->start_time))==1) { $object[$i]->start_time = $object[$obj_ptr]->start_time; } if((time_smaller($object[$i]->end_time,$object[$obj_ptr]->end_time))==1) { $object[$i]->end_time = $object[$obj_ptr]->end_time; } $object[$i]->cmp_time=nor_time($object[$i]->end_time); $i=$mo_ctr; //-------------------------merge---------------------------- } // } } } if($i!=$mo_ctr+1) { $object[$mo_ctr]->start_time=$object[$obj_ptr]->start_time; $object[$mo_ctr]->end_time=$object[$obj_ptr]->end_time; $object[$mo_ctr]->reference=$object[$obj_ptr]->reference; $object[$mo_ctr]->ip_proto=$object[$obj_ptr]->ip_proto; $object[$mo_ctr]->event_name=$object[$obj_ptr]->event_name; $object[$mo_ctr]->ip_dst=arr_cover($object[$obj_ptr]->ip_dst,$object[$mo_ctr]->ip_dst); $object[$mo_ctr]->ip_src=arr_cover($object[$obj_ptr]->ip_src,$object[$mo_ctr]->ip_src); $object[$mo_ctr]->sid=arr_cover($object[$obj_ptr]->sid,$object[$mo_ctr]->sid); $object[$mo_ctr]->dport=arr_cover($object[$obj_ptr]->dport,$object[$mo_ctr]->dport); $object[$mo_ctr]->sport=$object[$obj_ptr]->sport; $object[$mo_ctr]->sig_class_id=$object[$obj_ptr]->sig_class_id; $object[$mo_ctr]->signature=arr_cover($object[$obj_ptr]->signature,$object[$mo_ctr]->signature); $object[$mo_ctr]->sig_priority=$object[$obj_ptr]->sig_priority; $object[$mo_ctr]->cmp_time=nor_time($object[$mo_ctr]->end_time); $mo_ctr++; } //====many2one check=== $obj_ptr++; } $obj_ctr=$mo_ctr; }; ?>
ICAS
Map code
public static class ICAS_M extends MapReduceBase implements Mapper<LongWritable, Text, Text, Text> { String getip(String str) { String[] ret = str.split(":"); return ret[0]; } public void map(LongWritable key, Text value, OutputCollector<Text, Text> output, Reporter reporter) throws IOException { // [3] sig [4]class [5]y [6]m [7]d [8]h [9]M [10]s [11]s [12]d [13]t String line = value.toString(); String[] str = line.split(";"); String source_ip = getip(str[11]); String dest_ip = getip(str[12]); String fkey = dest_ip ; String date = str[5] + "/" + str[6] + "/" + str[7] + "_" + str[8] + ":" + str[9] + ":" + str[10]; // source @ date @ sig @ sig @ class @ type String fvalue = source_ip + "@" + date + "@" + "str[3]" +"@" +str[4] + "@"+ str[13]; output.collect(new Text(fkey), new Text(fvalue)); } }
Reduce code
public static class ICAS_R extends TableReduce<Text, Text> { public void reduce(Text key, Iterator<Text> values, OutputCollector<ImmutableBytesWritable, BatchUpdate> output, Reporter reporter) throws IOException { HTable table = new HTable("ICAS"); String source_ip; String date; String sig_class; String type; String signature; String rawstr = new String(values.next().getBytes()); String[] str = rawstr.split("@"); source_ip = str[0]; date = str[1]; signature = str[2]; sig_class = str[3]; type = str[4]; // values.next().getByte() can get value and transfer to byte form, while (values.hasNext()) { // source_ip + "@" + date + "@" + class + "@" + type; rawstr = new String(values.next().getBytes()); str = rawstr.split("@"); source_ip = source_ip + " ; " + str[0]; date = date + " ; " + str[1]; signature = signature + ";" + str[2]; } reporter.setStatus("amp emitting cell for row'" + key.toString() + "'"); BatchUpdate map = new BatchUpdate(key.toString()); // map.setTimestamp(timestamp); map.put("signature:", Bytes.toBytes(signature)); map.put("source_ip:", Bytes.toBytes(source_ip)); map.put("infor:date", Bytes.toBytes(date)); map.put("infor:class", Bytes.toBytes(sig_class)); map.put("infor:type", Bytes.toBytes(type)); table.commit(map); // ImmutableBytesWritable Hkey = new ImmutableBytesWritable(Bytes // .toBytes(key.toString())); // output.collect(Hkey, map); } }
Attachments (1)
- ntu_090805.pdf (2.8 MB) - added by waue 15 years ago.