wiki:waue/2009/SEC_to_ICAS

Version 7 (modified by waue, 15 years ago) (diff)

--

the slide

powerpoint

Security Event Center

merge algorithm pseudo code

Merge Algorithm 
output: correlated_event queue
global: event_scenario , MO_win_size

1. pull the top event
2. if OO_events queue == NULL
3. new OO_events as event_scenario in event queue
4. OO_events inherit event
5. while event-queue ≠ NULL
{
6. pull the top event
7. if event.timestamp < ( OO_events.end_time + win_size )
8. Search a correlated_event in correlated_event queue that correlated_event.{ IP_dst,
port_dst,signature } == event.{ IP_dst, port_dst, signature }
9. correlated_event _event.endtime <- max(event.endtime, MO_event.endtime)
10. correlated_event.reference append (event.id )
11. correlated_event.IP_src <- correlated_event. IP_ src ∪ event. IP_ src
correlated_event t.port_src <- correlated_event. port_src ∪ event. port_ src
12. else
13. new OO_events as event_scenario in event queue
14. OO_events inherit event
}
15 return correlated_event queue

…

php real code

<?

function merge($timesize)
{
  global $object,$obj_ctr,$DB;
  
  $mo_base_ctr=0;
  $mo_ptr = 0;  //mo pointer
  $i = 0; //tmp
  
  //----------------database check----------------
  $str="SELECT start_time,end_time,reference,ip_proto,
        event_name,ip_dst,ip_src,sid,dport,sport,sig_class_id,
        signature,sig_priority FROM accident_ticket 
        WHERE end_time >= \"".$object[0]->start_time."\" ORDER BY start_time ASC";
  $DB->query($str);
  $fixed_num = mysql_num_rows($DB->result);

  if($fixed_num == null ) 
  {
    $fixed_num = 0;
    $obj_ptr=1;
    $mo_ctr=1;
  }
  else
  {
    $obj_ptr=$fixed_num;
    $mo_ctr=$fixed_num;
  }
  $mo[0] = new scenario(null,null,null,null,null,null,null,null,null,null,null,null,null);
  if($fixed_num > 0)
  {
    while(list($start_time,$end_time,$reference,$ip_proto,$event_name,$ip_dst,
                $ip_src,$sid,$dport,$sport,$sig_class_id,$signature,$sig_priority) 
                = mysql_fetch_row($DB->result) )
    {
      $mo[$mo_base_ctr]->start_time = $start_time;
      $mo[$mo_base_ctr]->end_time = $end_time;
      $mo[$mo_base_ctr]->reference = $reference;
      $mo[$mo_base_ctr]->ip_proto = $ip_proto;
      $mo[$mo_base_ctr]->event_name = $event_name;
      $mo[$mo_base_ctr]->ip_dst[0] = $ip_dst;
      $mo[$mo_base_ctr]->ip_src = split(",",$ip_src);
      $mo[$mo_base_ctr]->sid = split(",",$sid);
      $mo[$mo_base_ctr]->dport[0] = $dport;
      $mo[$mo_base_ctr]->sport = $sport;
      $mo[$mo_base_ctr]->sig_class_id = $sig_class_id;
      $mo[$mo_base_ctr]->signature = split(",",$signature);
      $mo[$mo_base_ctr]->sig_priority = $sig_priority;
      $mo[$mo_base_ctr]->cmp_time=nor_time($end_time);
      $mo_base_ctr++; 
    }
    $object=array_merge($mo,$object);
    $str="DELETE FROM accident_ticket WHERE end_time >= \"".$object[0]->start_time."\"";
    $DB->query($str);
    $DB->reset_auto("accident_ticket");
  }
  //if($DB->result) $DB->free_result();
  //----------------database check----------------
  //echo "timesize:".$timesize."<br>";            
  while( $obj_ptr < $obj_ctr )
  {

    $object[$obj_ptr]->cmp_time=chk_time($object[$obj_ptr]->start_time,$timesize);
    //----remove timeout class----
    for($i=$mo_ptr; $i<$mo_ctr ;$i++)
    {

      if( strcmp($object[$obj_ptr]->cmp_time,$object[$mo_ptr]->cmp_time) > 0 ) $mo_ptr++;
      else 
      {
        $i=$mo_ctr;

      }
    }
    //----remove timeout class----
    //====many2one check===
    for($i=$mo_ptr; $i<$mo_ctr ;$i++)
    {
      if($object[$obj_ptr]->ip_dst[0] == $object[$i]->ip_dst[0])
      {
 //       if($object[$obj_ptr]->dport[0] == $object[$i]->dport[0])
 //       {
          if($object[$obj_ptr]->signature[0] == $object[$i]->signature[0])
          {
            //-------------------------merge----------------------------
            $object[$i]->reference=($object[$i]->reference).", ".($object[$obj_ptr]->reference);
            if( $object[$i]->ip_proto!=$object[$obj_ptr]->ip_proto ) $object[$i]->ip_proto="multiproto";
            $object[$i]->ip_src=arr_merge($object[$obj_ptr]->ip_src,$object[$i]->ip_src);
            $object[$i]->sid=arr_merge($object[$obj_ptr]->sid,$object[$i]->sid);
            if( $object[$i]->sport!=$object[$obj_ptr]->sport ) $object[$i]->sport="multiport";
            if( $object[$i]->sig_class_id != $object[$obj_ptr]->sig_class_id ) $object[$i]->sig_class_id=0;
            if( $object[$i]->sig_priority > $object[$obj_ptr]->sig_priority ) $object[$i]->sig_priority=$object[$obj_ptr]->sig_priority;
            if((time_smaller($object[$obj_ptr]->start_time,$object[$i]->start_time))==1)
            {
              $object[$i]->start_time = $object[$obj_ptr]->start_time;
            }
            if((time_smaller($object[$i]->end_time,$object[$obj_ptr]->end_time))==1)
            {
              $object[$i]->end_time = $object[$obj_ptr]->end_time;
            }
            $object[$i]->cmp_time=nor_time($object[$i]->end_time);
            $i=$mo_ctr;
            //-------------------------merge----------------------------
          }
 //       }
      }
    }
    if($i!=$mo_ctr+1)
    {

      $object[$mo_ctr]->start_time=$object[$obj_ptr]->start_time;
      $object[$mo_ctr]->end_time=$object[$obj_ptr]->end_time;
      $object[$mo_ctr]->reference=$object[$obj_ptr]->reference;
      $object[$mo_ctr]->ip_proto=$object[$obj_ptr]->ip_proto;
      $object[$mo_ctr]->event_name=$object[$obj_ptr]->event_name;
      $object[$mo_ctr]->ip_dst=arr_cover($object[$obj_ptr]->ip_dst,$object[$mo_ctr]->ip_dst);
      $object[$mo_ctr]->ip_src=arr_cover($object[$obj_ptr]->ip_src,$object[$mo_ctr]->ip_src);
      $object[$mo_ctr]->sid=arr_cover($object[$obj_ptr]->sid,$object[$mo_ctr]->sid);
      $object[$mo_ctr]->dport=arr_cover($object[$obj_ptr]->dport,$object[$mo_ctr]->dport);
      $object[$mo_ctr]->sport=$object[$obj_ptr]->sport;
      $object[$mo_ctr]->sig_class_id=$object[$obj_ptr]->sig_class_id;
      $object[$mo_ctr]->signature=arr_cover($object[$obj_ptr]->signature,$object[$mo_ctr]->signature);
      $object[$mo_ctr]->sig_priority=$object[$obj_ptr]->sig_priority;
      $object[$mo_ctr]->cmp_time=nor_time($object[$mo_ctr]->end_time);
      $mo_ctr++;

    }
    //====many2one check===
    $obj_ptr++;
  } 
  $obj_ctr=$mo_ctr;
};


?>

ICAS

Map

  public static class ICAS_M extends MapReduceBase implements
      Mapper<LongWritable, Text, Text, Text> {

    String getip(String str) {
      String[] ret = str.split(":");
      return ret[0];
    }

    public void map(LongWritable key, Text value,
        OutputCollector<Text, Text> output, Reporter reporter)
        throws IOException {
      // [3] sig [4]class [5]y [6]m [7]d [8]h [9]M [10]s [11]s [12]d [13]t

      String line = value.toString();
      String[] str = line.split(";");
      String source_ip = getip(str[11]);
      String dest_ip = getip(str[12]);
      String fkey = dest_ip ;

      String date = str[5] + "/" + str[6] + "/" + str[7] + "_" + str[8]
          + ":" + str[9] + ":" + str[10];
      // source @ date @ sig @ sig @ class @ type
      String fvalue = source_ip + "@" + date + "@" + "str[3]" +"@" +str[4] 
            + "@"+ str[13];
      output.collect(new Text(fkey), new Text(fvalue));
    }
  }


Reduce

  public static class ICAS_R extends TableReduce<Text, Text> {

    public void reduce(Text key, Iterator<Text> values,
        OutputCollector<ImmutableBytesWritable, BatchUpdate> output,
        Reporter reporter) throws IOException {
      HTable table = new HTable("ICAS");
      String source_ip;
      String date;
      String sig_class;
      String type;
      String signature;
      
      String rawstr = new String(values.next().getBytes());
      String[] str = rawstr.split("@");
      source_ip = str[0];
      date = str[1];
      signature = str[2];
      sig_class = str[3];
      type = str[4];
      // values.next().getByte() can get value and transfer to byte form,
      while (values.hasNext()) {
        // source_ip + "@" + date + "@" + class + "@" + type;
        rawstr = new String(values.next().getBytes());
        str = rawstr.split("@");
        source_ip = source_ip + " ; " + str[0];
        date = date + " ; " + str[1];
        signature = signature + ";" + str[2];
      }
      reporter.setStatus("amp emitting cell for row'" + key.toString()
          + "'");
      BatchUpdate map = new BatchUpdate(key.toString());
      // map.setTimestamp(timestamp);
      map.put("signature:", Bytes.toBytes(signature));
      map.put("source_ip:", Bytes.toBytes(source_ip));
      map.put("infor:date", Bytes.toBytes(date));
      map.put("infor:class", Bytes.toBytes(sig_class));
      map.put("infor:type", Bytes.toBytes(type));
      table.commit(map);
      // ImmutableBytesWritable Hkey = new ImmutableBytesWritable(Bytes
      // .toBytes(key.toString()));
      // output.collect(Hkey, map);

    }
  }

Attachments (1)