vast visibility across space and time architecture usage
play

VAST: Visibility Across Space and Time Architecture & Usage - PowerPoint PPT Presentation

Mar 03, 2023 •25 likes •485 views

VAST: Visibility Across Space and Time Architecture & Usage Matthias Vallentin matthias@bro.org BroCon August 19, 2014 2 / 27 3 / 27 4 / 27 Outline 1. Introduction: VAST 2. Architecture Overview Example Workflow: Query Data Model

  1. VAST: Visibility Across Space and Time Architecture & Usage Matthias Vallentin matthias@bro.org BroCon August 19, 2014

  2. 2 / 27

  3. 3 / 27

  4. 4 / 27

  5. Outline 1. Introduction: VAST 2. Architecture Overview Example Workflow: Query Data Model Implementation 3. Using VAST 4. Demo 5 / 27

  6. VAST: Visibility Across Space and Time VAST 10.0.0.1 10.0.0.254 53/udp 10.0.0.2 10.0.0.254 80/tcp A unified platform for network forensics Data Goals ◮ Interactivity ◮ Sub-second response times VAST ◮ Iterative query refinement ◮ Scalability ◮ Scale with data & number of nodes ◮ Sustain high & continuous input rates Queries ◮ Strong and rich typing ◮ High-level types and operations ◮ Type safety 6 / 27

  7. VAST & Bro Bro ◮ Generates rich-typed logs representing summary of activity → How to process these huge piles of logs? ◮ Fine-grained events exist during runtime only → Make ephemeral events persistent? VAST: Visibility Across Space and Time ◮ Visibility across Space ◮ Unified data model: same expressiveness as Bro ◮ Combine host-based and network-based activity ◮ Visibility across Time ◮ Historical queries: retrieve data from the past ◮ Live queries: get notified when new data matches query 7 / 27

  8. VAST & Big Data Analytics MapReduce (Hadoop) Batch-oriented processing: full scan of data + Expressive: no restriction on algorithms - Speed & Interactivity: full scan for each query In-memory Cluster Computing (Spark) Load full data set into memory and then run query + Speed & Interactivity: fast on arbitrary queries over working set - Thrashing when working set too large Distributed Indexing (VAST) Distributed building and querying of bitmap indexes + Fast: only access space-efficient indexes + Caching of index hits enables iterative analyses - Reduced computational model (e.g., no joins in query language) 8 / 27

  9. Outline 1. Introduction: VAST 2. Architecture Overview Example Workflow: Query Data Model Implementation 3. Using VAST 4. Demo 8 / 27

  10. Outline 1. Introduction: VAST 2. Architecture Overview Example Workflow: Query Data Model Implementation 3. Using VAST 4. Demo 8 / 27

  11. High-Level Architecture of VAST Import 10.0.0.1 10.0.0.254 53/udp ◮ Unified data model 10.0.0.2 10.0.0.254 80/tcp Import ◮ Sources generate events Archive ◮ Stores raw data as events ◮ Compressed chunks & segments Index Archive Index ◮ Secondary indexes into archive ◮ Horizontally partitioned Export ◮ Interactive query console Export ◮ JSON/Bro output 9 / 27

  12. Query Language Boolean Expressions Examples ◮ Conjunctions && ◮ A && B || !(C && D) ◮ Disjunctions || ◮ orig_h == 10.0.0.1 && &time < now - 2h ◮ Negations ! ◮ &type == "conn" || :string +] "foo" ◮ Predicates ◮ duration > 60s && service == "tcp" ◮ LHS op RHS ◮ (expr) LHS: Extractors Relational Operators RHS: Value ◮ &type ◮ < , <= , == , >= , > ◮ T , F ◮ &time ◮ +42 , 1337 , 3.14 ◮ in , ni , [+ , +] ◮ x.y.z.arg ◮ !in , !ni , [- , -] ◮ "foo" ◮ :type ◮ 10.0.0.0/8 ◮ ~ , !~ ◮ 80/tcp , 53/? ◮ {1, 2, 3} 10 / 27

  13. Outline 1. Introduction: VAST 2. Architecture Overview Example Workflow: Query Data Model Implementation 3. Using VAST 4. Demo 10 / 27

  14. Query 11 / 27 Client

  15. Query client 1. Send query string to search Search 11 / 27 Client

  16. Query client Index 1. Send query string to search Partitions Indexers Search src == 10.0.0.1 && port == 53/udp 11 / 27 Client

  17. Query client Index 1. Send query string to search search Partitions 1. Parse and validate query string 2. Spawn dedicated query Indexers Search Query src == 10.0.0.1 && port == 53/udp 11 / 27 Client

  18. Query client Index 1. Send query string to search 2. Receive query actor search Partitions 1. Parse and validate query string 2. Spawn dedicated query Indexers Search Query src == 10.0.0.1 && port == 53/udp 11 / 27 Client

  19. Query client Index 1. Send query string to search 2. Receive query actor src == 10.0.0.1 && port == 53/udp search Partitions 1. Parse and validate query string 2. Spawn dedicated query 3. Forward query to index Indexers Search Query 11 / 27 Client

  20. Query client Index 1. Send query string to search 2. Receive query actor search Partitions 1. Parse and validate query string src == 10.0.0.1 port == 53/udp 2. Spawn dedicated query 3. Forward query to index Indexers Search Query 11 / 27 Client

  21. Query client Index 1. Send query string to search 2. Receive query actor search Partitions 1. Parse and validate query string 2. Spawn dedicated query 3. Forward query to index Indexers Search Query 11 / 27 Client

  22. Query client Index 1. Send query string to search 2. Receive query actor search Partitions 1. Parse and validate query string 2. Spawn dedicated query 3. Forward query to index Indexers Search Query 11 / 27 Client

  23. Query client Index 1. Send query string to search 2. Receive query actor search Partitions 1. Parse and validate query string 2. Spawn dedicated query 3. Forward query to index Indexers Search Query 11 / 27 Client

  24. Query client Index Archive 1. Send query string to search 2. Receive query actor search Partitions 1. Parse and validate query string 2. Spawn dedicated query 3. Forward query to index Indexers Search Query query 1. Receive hits from index 11 / 27 Client

  25. Query client Index Archive 1. Send query string to search 2. Receive query actor search Partitions 1. Parse and validate query string 2. Spawn dedicated query 3. Forward query to index Indexers Search Query query 1. Receive hits from index 2. Ask archive for segments 11 / 27 Client

  26. Query client Index Archive 1. Send query string to search 2. Receive query actor search Partitions 1. Parse and validate query string 2. Spawn dedicated query 3. Forward query to index Indexers Search Query query 1. Receive hits from index 2. Ask archive for segments 3. Extract events, check candidates 11 / 27 Client

  27. Query client Index Archive 1. Send query string to search 2. Receive query actor 3. Extract results from query search Partitions 1. Parse and validate query string 2. Spawn dedicated query 3. Forward query to index Indexers Search Query query 1. Receive hits from index 2. Ask archive for segments 3. Extract events, check candidates 4. Send results to client 11 / 27 Client

  28. Outline 1. Introduction: VAST 2. Architecture Overview Example Workflow: Query Data Model Implementation 3. Using VAST 4. Demo 11 / 27

  29. VAST Architecture 10.0.0.1 10.0.0.254 53/udp 10.0.0.2 10.0.0.254 80/tcp Import Archive Index Export 12 / 27

  30. Data Representation Terminology ◮ Data : C ++ structures (e.g., 64ull ) ◮ Type : interpretation of data (e.g., count ) Event ID TYPE TIME “foo” 3.14 7 ms ◮ Value : data + type ◮ Event : value + meta data ◮ Type with a unique name (e.g., conn ) Chunk ◮ Meta data META ◮ A timestamp ◮ A unique ID i where i ∈ [1 , 2 64 − 1) Segment ◮ Schema : collection of event types ◮ Chunk : serialized & compressed events META ◮ Meta data: schema + time range + IDs ◮ Fixed number of events, variable size ◮ Segment : sequence of chunks ◮ Meta data: union of chunk meta data ◮ Fixed size, variable number of chunks 13 / 27

  31. Types: Interpretation of Data TYPE bool string vector set int regex record count address TYPE TYPE … double subnet field 1 field n table time range port TYPE TYPE KEY VALUE time point none container types compound types basic types recursive types 14 / 27

  32. VAST Architecture 10.0.0.1 10.0.0.254 53/udp 10.0.0.2 10.0.0.254 80/tcp Import Archive Index Export 15 / 27

  33. Index Hits: Sets of Events 0 . Bitvector : sets of events 0 ◮ Query result ≡ set of event IDs from [1 , 2 64 − 1) 0 0 0 → Model as bit vector : [4 , 7 , 8] = 0000100110 · · · 1 = 1 0 0 Bitstream : encoded append-only sequence of bits 0 0 ◮ EWAH (no patents unlike WAH, PLWAH, COMPAX) 1 . ◮ Compact, space-efficient representation 2 64 − 1 ◮ Bitwise operations do not require decoding Data Bitmap B 0 B 1 B 2 B 3 2 0 0 1 0 Bitmap : maps values to bitstreams 1 0 1 0 0 2 0 0 1 0 ◮ push_back(T x ) : append value x of type T 0 1 0 0 0 0 1 0 0 0 ◮ lookup(T x , Op ◦ ) : get bitstream for x under ◦ 1 0 1 0 0 3 0 0 0 1 16 / 27

  34. Composing Results via Bitwise Operations Combining Predicates ◮ Query Q = X ∧ Y ∧ Z ◮ x = 1 . 2 . 3 . 4 ∧ y < 42 ∧ z ∈ ” foo ” ◮ Bitmap index lookup yields X → B 1 , Y → B 2 , and Z → B 3 ◮ Result R = B 1 & B 2 & B 3 B 1 B 2 B 3 R & & = 17 / 27

  35. Outline 1. Introduction: VAST 2. Architecture Overview Example Workflow: Query Data Model Implementation 3. Using VAST 4. Demo 17 / 27

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

1 Usages for From-Region visibility Conservative Visibility Sets Amortization: Exact

1 Usages for From-Region visibility Conservative Visibility Sets Amortization: Exact

From-Region Visibility and Overview Ray Space Factorization Short introduction to the problem Daniel Cohen-Or Dual Space &amp; Parameter/Ray Space Tel-Aviv University Ray space factorization (SIGGRAPH03) From Point Visibility

546 views • 13 slides
Optimizing for Space and Time Optimizing for Space and Time Usage with Speculative Par Usage

Optimizing for Space and Time Optimizing for Space and Time Usage with Speculative Par Usage

Optimizing for Space and Time Optimizing for Space and Time Usage with Speculative Par Usage with Speculative Partial ial Redundancy E Redundancy E limination limination Bernhard Scholz, University of Sydney, Australia Nigel Horspool,

661 views • 33 slides
Topic 9: Visibility Elementary visibility computations: Clipping Backface culling

Topic 9: Visibility Elementary visibility computations: Clipping Backface culling

Topic 9: Visibility Elementary visibility computations: Clipping Backface culling Algorithms for visibility determination Z-Buffer Painters algorithm Space partitions: BSP, AABB, OOBB, octrees Visibility Problem What is NOT

382 views • 22 slides
Windows endpoint analytics Why uberAgent in one word visibility Why uberAgent in one

Windows endpoint analytics Why uberAgent in one word visibility Why uberAgent in one

Helge Klein, vast limits Security visibility through Windows endpoint analytics Why uberAgent in one word visibility Why uberAgent in one slide Everybody monitors servers But what about the end users device? Organizations

582 views • 31 slides
Geometry of Optimal Coverage for Space-based Targets for Space based Targets with Visibility

Geometry of Optimal Coverage for Space-based Targets for Space based Targets with Visibility

Geometry of Optimal Coverage for Space-based Targets for Space based Targets with Visibility Constraints Dr. Belinda G. Marchand Assistant Professor The University of Texas at Austin; The Aerospace Corporation Member of the Technical Staff

373 views • 35 slides
Space: Space: System Architecture System Architecture vs Optimization vs Optimization

Space: Space: System Architecture System Architecture vs Optimization vs Optimization

Space: Space: System Architecture System Architecture vs Optimization vs Optimization Vladimir Grebenyuk Raytheon Canada Limited Space: The Space: The First Steps First Steps October 4,1957 April 12, 1961 July 20,

819 views • 52 slides
Architecture: Culture and Space Architecture: Culture and Space Architecture: Culture and Space

Architecture: Culture and Space Architecture: Culture and Space Architecture: Culture and Space

Architecture: Culture and Space Architecture: Culture and Space Architecture: Culture and Space Architecture: Culture and Space Building Religion Building Religion architecture is important to the study of history for several reasons:

1.29k views • 58 slides
IAMI / VAST, Vietnam Grid enabled Medical Informatics In Vietnam (VAST/IAMI, formerly VAST/

IAMI / VAST, Vietnam Grid enabled Medical Informatics In Vietnam (VAST/IAMI, formerly VAST/

IAMI / VAST, Vietnam Grid enabled Medical Informatics In Vietnam (VAST/IAMI, formerly VAST/ IOIT-HCM) Tran Van Lang, Dao Van Tuyet, et all tuyetdv@vast-hcm.ac.vn ISGC 2010, ASGC March 10, 2010 1 Outline 1 Overview 2 Activities of IAMI

337 views • 18 slides
SEO // visibility is online currency no visibility = no clicks unattractive or spammy titles

SEO // visibility is online currency no visibility = no clicks unattractive or spammy titles

SEO for Visibility, Action &amp; Conversion // Kevin Mullett cirrusabs.com twitter.com/cirrusabs facebook.com/cirrusabs youtube.com/user/cirrusabs linkedin.com/companies/cirrus-abs SEO // visibility is online currency no visibility = no

450 views • 27 slides
Visibility measurement using digital camera Vladimr Brzda Department of Electrical

Visibility measurement using digital camera Vladimr Brzda Department of Electrical

Visibility measurement using digital camera Vladimr Brzda Department of Electrical Engineering 7.11. 2013 INTRODUCTION Visibility is a quantity describing density of fog and clouds which have the highest impact on Free Space Optical

393 views • 7 slides
S Space-in-Time and Time-in-Space Self-Organizing Maps i Ti d Ti i S S lf O i i M for

S Space-in-Time and Time-in-Space Self-Organizing Maps i Ti d Ti i S S lf O i i M for

S Space-in-Time and Time-in-Space Self-Organizing Maps i Ti d Ti i S S lf O i i M for Exploring Spatiotemporal Patterns Gennady Andrienko &amp; Natalia Andrienko http://geoanalytics.net htt // l ti t Sebastian Bremm, Tobias Schreck,

632 views • 29 slides
Visibility Committee Module #2 Making Use of the Media Created from the Visibility Committee

Visibility Committee Module #2 Making Use of the Media Created from the Visibility Committee

Visibility Committee Module #2 Making Use of the Media Created from the Visibility Committee List of Recommendations 2013-2014 1 TV, Radio, Newspapers, Facebook, Twitter and brochures are all vehicles you can use to increase your visibility

470 views • 8 slides
Lecture 14 Space-Time The Wedding of Time and Space Announcements References: Today:

Lecture 14 Space-Time The Wedding of Time and Space Announcements References: Today:

Lecture 14 Space-Time The Wedding of Time and Space Announcements References: Today: Wedding of Space and Time: Time dilation, Length Contraction March (Ch 10), Lightman (Ch 3) Next time: Energy and Mass: E = mc 2 March (Ch

450 views • 4 slides
Link prediction The link prediction space is vast and imbalanced : real approaches focus only in

Link prediction The link prediction space is vast and imbalanced : real approaches focus only in

Link prediction The link prediction space is vast and imbalanced : real approaches focus only in the 2-hop social neighborhood, i.e., friends-of- friends . A new source of promising candidates for link prediction: the places visited by each user.

764 views • 9 slides
Columbia University Fiscal Year 2019 Space Inventory and Functional Usage Training May 2019

Columbia University Fiscal Year 2019 Space Inventory and Functional Usage Training May 2019

Columbia University Fiscal Year 2019 Space Inventory and Functional Usage Training May 2019 Background 1. Background 2. Space Survey Overview 3. Space Survey Process -Complete Space Survey 4. Project Support 5. Questions 6. Appendices

775 views • 61 slides
The Narratjve of Dance and Space: The intersectjon between dance movement and architecture to

The Narratjve of Dance and Space: The intersectjon between dance movement and architecture to

The Narratjve of Dance and Space: The intersectjon between dance movement and architecture to create spatjal temporal experiences. Rejectjng Architecture as Pure Form: Looking at a New Medium of Exploratjon Architecture is never autonomous,

213 views • 7 slides
Online Algorithms for Searching and Exploration in the Plane Subir Kumar Ghosh School of

Online Algorithms for Searching and Exploration in the Plane Subir Kumar Ghosh School of

Online Algorithms for Searching and Exploration in the Plane Subir Kumar Ghosh School of Technology &amp; Computer Science Tata Institute of Fundamental Research Mumbai 400005, India Overview 1. What is online algorithm? 2. Efficiency of

660 views • 45 slides
Clicker 1 Topic 23 Red Black Trees 2000 elements are inserted one at a time into an initially

Clicker 1 Topic 23 Red Black Trees 2000 elements are inserted one at a time into an initially

Clicker 1 Topic 23 Red Black Trees 2000 elements are inserted one at a time into an initially empty binary search tree &quot;People in every direction using the traditional, naive algorithm. What is No words exchanged No time to exchange

250 views • 11 slides
CSCI 5417 Information Retrieval Systems Jim Martin Lecture 7 9/13/2011 Today Review

CSCI 5417 Information Retrieval Systems Jim Martin Lecture 7 9/13/2011 Today Review

CSCI 5417 Information Retrieval Systems Jim Martin Lecture 7 9/13/2011 Today Review Efficient scoring schemes Approximate scoring Evaluating IR systems 9/14/11 CSCI 5417 2 1 Normal Cosine Scoring 9/14/11 CSCI 5417 3

552 views • 22 slides
Unobtrusive JavaScript 1 CS380 The six global DOM objects 2 CS380 The window object 3

Unobtrusive JavaScript 1 CS380 The six global DOM objects 2 CS380 The window object 3

Unobtrusive JavaScript 1 CS380 The six global DOM objects 2 CS380 The window object 3 the entire browser window; the top-level object in DOM hierarchy technically, all global code and variables become part of the window object

508 views • 24 slides
Pursuit-evasion games and visibility Danny Dyer Department of Mathematics and Statistics

Pursuit-evasion games and visibility Danny Dyer Department of Mathematics and Statistics

Pursuit-evasion games and visibility Danny Dyer Department of Mathematics and Statistics Memorial University of Newfoundland Graphs, groups, and more: celebrating Brian Alspachs 80th and Dragan Maru si cs 65th birthdays Koper,

751 views • 64 slides
Visibility-based probabilistic roadmaps for motion planning Miguel Vargas Material taken form:

Visibility-based probabilistic roadmaps for motion planning Miguel Vargas Material taken form:

Visibility-based probabilistic roadmaps for motion planning Miguel Vargas Material taken form: T. Simon, J.-P. Laumond, C. Nissoux. Visibility-based probabilistic roadmaps for motion planning. Advanced Robotics, Volume 14, Number 6,

365 views • 14 slides
Session topics The plane sweep paradigm Visibility of a point Computational Geometry

Session topics The plane sweep paradigm Visibility of a point Computational Geometry

Session topics The plane sweep paradigm Visibility of a point Computational Geometry Problem description and motivation Solution with a rotating sweepline Maxima of a point set Exercise session #3 Homework number 2 1

321 views • 4 slides
Neutron Interferometry Search for Strongly- Coupled Chameleons W.M. Snow (Indiana University) M.

Neutron Interferometry Search for Strongly- Coupled Chameleons W.M. Snow (Indiana University) M.

Neutron Interferometry Search for Strongly- Coupled Chameleons W.M. Snow (Indiana University) M. Arif, M. Huber, D.L. Jacobson (NIST) D. Pushkin (Institute for Quantum Computing) What is a neutron interferometer? Use for chameleon search:

429 views • 9 slides

More recommend