behavioral query
play

Behavioral Query 12/12/2019 Jiaping Gui , Xusheng Xiao , Ding Li - PowerPoint PPT Presentation

Dec 29, 2023 •457 likes •629 views

Progressive Processing of System- Behavioral Query 12/12/2019 Jiaping Gui , Xusheng Xiao , Ding Li , Chung Hwan Kim , and Haifeng Chen NEC Laboratories America, Inc. Case Western Reserve University 1 www.nec-labs.com

  1. Progressive Processing of System- Behavioral Query 12/12/2019 Jiaping Gui ∗ , Xusheng Xiao ‡ , Ding Li ∗ , Chung Hwan Kim ∗ , and Haifeng Chen ∗ ∗ NEC Laboratories America, Inc. ‡ Case Western Reserve University 1 www.nec-labs.com

  2. Motivation  Threat detection and investigation is an important security solution in enterprises Alert Storing Monitoring Investigation Agents Data collector DB Defense 2

  3. Motivation  Alert investigation … query revise revise query  Process ─ Query 1: select processes that accessed sensitive data in DB ─ Query 2: check whether unsigned program executed probing commands ─ Query 3: get source process that opened/created unsigned program ─ … May take a long execution time 3

  4. Challenges ─ Long waiting time for even a single query • A huge amount of data in DB …  > 100GB/200 computers/day • Query multiple hosts’ or multiple days’ data  Some advanced attack behaviors may span over several months  Check other machines if the same suspicious behaviors exist ─ Making interactive querying difficult … query Searching … revise revise query 4

  5. Challenges  Optimize the query execution o > 30% improvement (parallel execution) 1-host query into 4 sub-queries 1-host query into 8 sub-queries  Some sub-queries may still take a long time even with optimization o Especially when querying multiple hosts ’/days’ data o Bounded by hardware (bottleneck)  Sub-query costs: DB connection, query parsing, thread overhead  Hardware limitation: CPU, disk, etc. 5

  6. Insight  Partial results are very helpful to make a decision!  Process ─ Query 1: select processes that accessed sensitive data in DB ─ Query 2: check whether unsigned program executed probing commands ─ Query 3: get source process that opened/created unsigned program … Pause and revise query when seeing unsigned program 6

  7. Approach  Progressive Querying ─ Progressively update results during the execution instead of until the end Results Results  Quality metrics 30s Results 20s o Q.1: results updated within the update 10s cycle 30s o Q.2: small overhead on the total ① init execution time … t 1 t 2 t 3 t 2 t 3 t 3 t 1 ④ ② ③ ⑥ ⑤ 7

  8. Progressive Querying: straightforward solutions  Naïve solution  Whole-query update ─ Partition the query into sub-queries, ─ # sub-queries = # worker each with time window 1s threads • e.g., 1-day query = 3600*24 subqueries ─ 532s (1 worker thread) ─ >28hrs (1 worker thread) ─ 214s (5 worker threads) ─ 6.7hrs (5 worker threads)  Q.1: only 1 update  Q.1: update fast  Q.2: low overhead  Q.2: unacceptable overhead More intelligent solutions are desired! Ideal: sub-queries finish exactly before each update cycle • Practical: average finish time is close to update cycle • 8

  9. Progressive Querying Sub-queries  Intelligent solutions ─ Query partition • Fixed workload • Fixed time window • Adaptive learning  Fixed Strategy: cache mechanism / system dynamics are not considered non-cache o Event processing rate (#events/s): cache >> non cache o Sub- queries’ execution time varies much  average time is far from update frequency cache 9

  10. Progressive Querying  Adaptive learning  spatial & temporal ─ Goal: adjust event processing rate dynamically • Cache • Non-cache ─ Gradient descent algorithm • Learn different event processing rates  Reflect the system runtime environment 10

  11. Results: Progressive Querying  Comparison ─ Fixed time window ─ Fixed workload ─ Adaptive learning Average sub-query execution time  Adaptive learning ─ Closest proximity of average sub-query time to update frequency ─ E.g., with update cycle 10s, if we have 1000 sub-queries to execute, it can save us > 3 hours compared to fixed strategy 11

  12. Results: Progressive Querying  Comparison ─ Fixed time window ─ Fixed workload ─ Adaptive learning  Adaptive learning ─ Closest proximity of average sub-query time to update frequency ─ Best response rate: result update at each Response rate cycle 12

  13. Results: Progressive Querying  Comparison ─ Fixed time window ─ Fixed workload ─ Adaptive learning Overhead  Adaptive learning ─ Closest proximity of average sub-query time to update frequency ─ Best response rate: result update at each cycle ─ Comparable overhead 13

  14. Conclusion  A systematic approach to optimize query execution on suspicious system behaviors ─ Parallel execution ─ Performance: sequential with cost >= Sequential >= Parallel >= Time window  A comprehensive comparison on progressively processing return results ─ Fixed time window (processing rate & data rate) ─ Fixed workload (all hosts/single host) ─ Adaptive (different learning rates)  best performance 14

  15. 15

  16. www.nec-labs.com

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log

Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log

Improve Query Performance with the Query Log Analyzer Kees Vegter Field Engineer Query Log Analyzer kees@neo4j.com Query Log dbms.logs.query.enabled=true # If the execution of query takes more time than this threshold, # the query is

1.12k views • 27 slides
Query Processing Relevance feedback; query expansion; Web Search 1 Overview Indexes Query

Query Processing Relevance feedback; query expansion; Web Search 1 Overview Indexes Query

Query Processing Relevance feedback; query expansion; Web Search 1 Overview Indexes Query Indexi xing Ranki king Applica cation Results Documents User Information Query y Query analys ysis proce cess ssing Multimedia

740 views • 32 slides
Query Op)miza)on 1 Query op)miza)on Given an SQL query,

Query Op)miza)on 1 Query op)miza)on Given an SQL query,

Query Op)miza)on 1 Query op)miza)on Given an SQL query, the query op)mizer tries to figure out the order of opera)ons that will make the

550 views • 23 slides
Query Execu*on Declara*ve Query (SQL) We start from

Query Execu*on Declara*ve Query (SQL) We start from

SQL The Query Language R & G - Chapter 5 2 Query Execu*on Declara*ve Query (SQL) We start from here Query Op*miza*on and Execu*on (Rela*onal)

808 views • 44 slides
Query Execution 2 and Query Optimization Instructor: Matei Zaharia cs245.stanford.edu Query

Query Execution 2 and Query Optimization Instructor: Matei Zaharia cs245.stanford.edu Query

Query Execution 2 and Query Optimization Instructor: Matei Zaharia cs245.stanford.edu Query Execution Overview Query representation (e.g. SQL) Logical query plan (e.g. relational algebra) Query optimization Optimized logical plan Physical

1.17k views • 92 slides
Query Execu:on Declara:ve Query (SQL) We start from

Query Execu:on Declara:ve Query (SQL) We start from

SQL The Query Language R & G - Chapter 5 Based on Slides from UC Berkeley and book. 2 Query Execu:on Declara:ve Query (SQL) We start from

689 views • 34 slides
Query Execu:on Declara:ve Query (SQL) We start from

Query Execu:on Declara:ve Query (SQL) We start from

SQL III The Query Language R & G - Chapter 5 Based on Slides from UC Berkeley and book. Query Execu:on Declara:ve Query (SQL) We start from here

1.02k views • 64 slides
Query Understanding: A Manifesto Daniel Tunkelang queryunderstanding.com Overview What is

Query Understanding: A Manifesto Daniel Tunkelang queryunderstanding.com Overview What is

Query Understanding: A Manifesto Daniel Tunkelang queryunderstanding.com Overview What is query understanding? Query performance prediction. Query rewriting. Query suggestions. Search is a conversation. tl;dr: Query

940 views • 37 slides
Perfect Query FORMULA 5 critical sections in every successful query letter (c) 2019

Perfect Query FORMULA 5 critical sections in every successful query letter (c) 2019

Perfect Query FORMULA 5 critical sections in every successful query letter (c) 2019 GetaBookDeal101.com is this you Why am I not hearing back? the query conundrum giving up too early the query conundrum blaming the system the query

974 views • 61 slides
Module 13: Optimizing Query Performance Overview Introduction to the Query Optimizer

Module 13: Optimizing Query Performance Overview Introduction to the Query Optimizer

Module 13: Optimizing Query Performance Overview Introduction to the Query Optimizer Obtaining Execution Plan Information Using an Index to Cover a Query Indexing Strategies Overriding the Query Optimizer Introduction to

450 views • 34 slides
Introduction Query Execution Engine Implements a set of physical operators 2 key

Introduction Query Execution Engine Implements a set of physical operators 2 key

Overview of Query Optimization in Relational Systems An overview of current query optimization techniques Overview of Query Optimization Provides fundamentals of query in Relational Systems optimization Presenter: Albert Wong

294 views • 4 slides
Chapter 3: Top-k Query Processing and Indexing 3.1 Top-k Algorithms 3.2 Approximate Top-k Query

Chapter 3: Top-k Query Processing and Indexing 3.1 Top-k Algorithms 3.2 Approximate Top-k Query

Chapter 3: Top-k Query Processing and Indexing 3.1 Top-k Algorithms 3.2 Approximate Top-k Query Processing 3.3 Index Access Scheduling 3.4 Index Organization and Advanced Query Types 3-1 IRDM WS 2005 3.1 Top-k Query Processing with Scoring

592 views • 36 slides
CSE 232A Graduate Database Systems Arun Kumar Topic 4: Query Optimization Chapters 12 and

CSE 232A Graduate Database Systems Arun Kumar Topic 4: Query Optimization Chapters 12 and

CSE 232A Graduate Database Systems Arun Kumar Topic 4: Query Optimization Chapters 12 and 15 of Cow Book Slide ACKs: Jignesh Patel, Paris Koutris 1 Lifecycle of a Query Query Result Query Database Server Query Execute Parser

735 views • 50 slides
Query Optimization Through the Looking Glass Some Lessons From Building an LLVM-Based Query

Query Optimization Through the Looking Glass Some Lessons From Building an LLVM-Based Query

Query Optimization Through the Looking Glass Some Lessons From Building an LLVM-Based Query Compiler Viktor Leis Technische Universitt Mnchen Introduction: Query Optimization HJ B cardinality cost INL B T SELECT ... estimation

679 views • 25 slides
Mediator y e r u Q d e t a l u Query m r o e f K L M R Reformulated Query O

Mediator y e r u Q d e t a l u Query m r o e f K L M R Reformulated Query O

Motivation Approach Search Scoring Experiments Related Work Conclusions O r b i t z F l i g h t lowestFare(MXP,HYD) S e a r c h Mediator y e r u Q d e t a l u Query m r o e

242 views • 21 slides
CAS CS 460/660 Introduction to Database Systems Query Evaluation II 1.1 Cost-based Query

CAS CS 460/660 Introduction to Database Systems Query Evaluation II 1.1 Cost-based Query

CAS CS 460/660 Introduction to Database Systems Query Evaluation II 1.1 Cost-based Query Sub-System Select * Queries From Blah B Where B.blah = blah Query Parser Query Optimizer Plan Plan Cost Catalog Manager Generator Estimator

711 views • 44 slides
Presentation of the paper Proof-of-Execution: Reaching Consensus through Fault-Tolerant

Presentation of the paper Proof-of-Execution: Reaching Consensus through Fault-Tolerant

Presentation of the paper Proof-of-Execution: Reaching Consensus through Fault-Tolerant Speculation Presenter: Haojun (Howard) Zhu Background Due to time-tested safe design of PBFT and due to the limiting designs of other BFT protocols,

536 views • 26 slides
Educating voters about their options COVID-19 and Election Administration: Approaches for

Educating voters about their options COVID-19 and Election Administration: Approaches for

Educating voters about their options COVID-19 and Election Administration: Approaches for Election Officials June 4, 2020 Housekeeping Be gracious about work-from-home setups Restart Zoom if needed Slides and captioned recordings

942 views • 47 slides
Pro Bono Design & Management Accelerator 1 Decem ecember er 12, 2 2018 2 Session 3

Pro Bono Design & Management Accelerator 1 Decem ecember er 12, 2 2018 2 Session 3

Pro Bono Design & Management Accelerator 1 Decem ecember er 12, 2 2018 2 Session 3 Impact Evaluation & Data Tracking 3 Coach introductions Peter James Senior Manager of Research & Evaluation Rene J. Schomp Senior Staff

957 views • 70 slides
11/12/2020 Disciplinary Removals of Students with Disabilities COUNTING THE DAYS Special

11/12/2020 Disciplinary Removals of Students with Disabilities COUNTING THE DAYS Special

11/12/2020 Disciplinary Removals of Students with Disabilities COUNTING THE DAYS Special Education Mediation Services Hello! A few details before we get started Locate the orange arrow (in the upper right hand corner of the screen), this

523 views • 12 slides
Suite March 2018 Webinar Instructions Presenters Chris Andrews, The Cloudburst Group

Suite March 2018 Webinar Instructions Presenters Chris Andrews, The Cloudburst Group

Housing Trust Fund and eCon Planning Suite March 2018 Webinar Instructions Presenters Chris Andrews, The Cloudburst Group HUD Staff Beth Hendrix, OBGA Jessica Suimanjaya, OAHP 2 Webinar Instructions Webinar will last

589 views • 39 slides
Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents

Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents

Applying Trust Policies for Protecting Applying Trust Policies for Protecting Mobile Agents Against DoS Mobile Agents Against DoS Biljana Cubaleska 1 , Markus Schneider 2 1 University of Hagen, Dept. Of Communication Systems, Germany 2

511 views • 21 slides
Welcome! Todays Agenda: Introduction Hardware Trust No One / An Efficient

Welcome! Todays Agenda: Introduction Hardware Trust No One / An Efficient

/INFOMOV/ Optimization & Vectorization J. Bikker - Sep-Nov 2018 - Lecture 12: Multithreading Welcome! Todays Agenda: Introduction Hardware Trust No One / An Efficient Pattern Experiments Final

517 views • 31 slides
Trusted Component Deployment Trusted Components Bernd Schoeller January 30 th , 2006 Code from

Trusted Component Deployment Trusted Components Bernd Schoeller January 30 th , 2006 Code from

Trusted Component Deployment Trusted Components Bernd Schoeller January 30 th , 2006 Code from the Web Can I trust the software on my machine, knowing that there are very bad people out there ? risk of malicious code risk of

392 views • 28 slides

More recommend