SPL File CyberSecTypes.spl

Types

PBDNSResponseMessage_t

This type is part of the PBFeatureExtractorInput_t type.

PBDNSResponseMessage_t = uint32 dstAddress, rstring questionName, list<rstring> answerData, list<rstring> nameserverData, list<rstring> additionalData, list<uint16> answerTypes, list<uint16> nameserverTypes, list<uint16> additionalTypes, list<uint32> answerTTLs, list<uint32> nameserverTTLs, list<uint32> additionalTTLs, uint8 responseCode;

PBFeatureExtractorInput_t

This type should be used as the input type of the PredictiveBlacklistingFE operator.

Contains the set of attributes that are needed by the PredictiveBlacklistingFE operator. These attributes are populated by the following operators:

  • com.ibm.streamsx.network::DNSMessageParser
  • com.ibm.streamsx.network::IPSpatialEnricher
  • com.ibm.streamsx.network::IPASNEnricher
  • com.ibm.streams.cybersecurity.tagging::BWListTagger

PBFeatureExtractorInput_t = PBDNSResponseMessage_t, tuple<BWListTag_e bwTag, list<IPLocation_t> answerSpatialInfo, list<IPLocation_t> additionalSpatialInfo, list<IPASNInfo_t> answerASNInfo, list<IPASNInfo_t> additionalASNInfo>;

PBFeatureVector_t

This type is part of the PredictiveBlacklisting_t type.

PBFeatureVector_t = list<float64>;

PredictiveBlacklisting_t

This type should be used as the output type of the PredictiveBlacklistingFE operator and the input and output type of the PredictiveBlacklisting operator.

PredictiveBlacklisting_t = PBFeatureVector_t featureVector, rstring domain, rstring predictedClass, float64 confidence;

ProfilingDNSResponseMessageBase_t

This type is part of the DPDNSResponseMessage_t type.

ProfilingDNSResponseMessageBase_t = timestamp captureTime, uint32 dstAddress, rstring questionName, uint8 responseCode;

DPDNSResponseMessage_t

Domain Profiling

DPDNSResponseMessage_t = ProfilingDNSResponseMessageBase_t;

DPFeatureVector_t

This type is part of the DomainProfilingAnalysisInput_t type.

DPFeatureVector_t = list<float64>;

DomainProfilingInput_t

This type should be used as the input type of the DomainProfiling operator.

Contains the set of attributes that are needed by the DomainProfiling operator. These attributes are populated by the following operators:

  • com.ibm.streamsx.network::DNSMessageParser
  • com.ibm.streams.cybersecurity.tagging::BWListTagger

DomainProfilingInput_t = ProfilingDNSResponseMessageBase_t, tuple<BWListTag_e bwTag>;

DomainProfilingAnalysisInput_t

Domain Profiling Analysis input type

DomainProfilingAnalysisInput_t = DPFeatureVector_t featureVector, timestamp profileLastUpdate, rstring questionName;

DomainProfilingResult_t

This type should be used as the output type of the DomainProfiling operator.

DomainProfilingResult_t = DPFeatureVector_t featureVector, rstring domain, timestamp profileLastUpdate, rstring predictedClass;

HPDNSResponseMessage_t

Host Profiling

HPDNSResponseMessage_t = ProfilingDNSResponseMessageBase_t;

HPFeatureVector_t

This type is part of the HostProfilingAnalysisInput_t type.

HPFeatureVector_t = list<float64>;

HostProfilingInput_t

This type should be used as the input type of the HostProfiling operator.

Contains the set of attributes that are needed by the HostProfiling operator. These attributes are populated by the following operators:

  • com.ibm.streamsx.network::DNSMessageParser
  • com.ibm.streams.cybersecurity.tagging::BWListTagger

HostProfilingInput_t = ProfilingDNSResponseMessageBase_t, tuple<BWListTag_e bwTag>;

HostProfilingAnalysisInput_t

Host Profiling input type

HostProfilingAnalysisInput_t = HPFeatureVector_t featureVector, timestamp profileLastUpdate, uint32 dstAddress;

HostProfilingResult_t

This type should be used as the output type of the HostProfiling operator.

HostProfilingResult_t = HPFeatureVector_t featureVector, rstring host, timestamp profileLastUpdate, rstring predictedClass;

DNSTunnelingInput_t

DNS Tunneling input type

DNSTunnelingInput_t = rstring questionName, uint16 questionType, list<rstring> answerData, list<uint16> answerTypes;

DNSTunnelingResult_t

DNS Tunneling result type

DNSTunnelingResult_t = rstring predictedClass, list<rstring> predictedClasses, list<rstring> suspiciousText, list<rstring> benignText, uint64 suspiciousCount, uint64 benignCount;

BWListType_e

This enum type contains the valid output values of the BWListTagger operator.

BWListType_e = enum { domain, ip };

BWListTag_e

Tag type for the BWListTagger operator.

BWListTag_e = enum { nonMatched, whiteList, blackList };

BWListAction_e

Action type for dynamically updating the BWListTagger operator.

BWListAction_e = enum { add, remove };

BWListUpdate_t

Type for dynamically updating the BWListTagger operator

BWListUpdate_t = rstring domainIP, BWListAction_e action, BWListTag_e listTag;