Operator DomainProfiling


The DomainProfiling operator analyzes DNS response traffic and reports whether the behaviour of a domain looks suspicious. It does this by building a profile of the DNS response records for each domain over a period of time (the operator's tumbling window). At the end of that period, the operator submits a tuple predicting whether the profiled domain is "suspicious" or "benign".

Behavior in a consistent region

  • The operator is not supported in a consistent region. A warning occurs when you compile your streams processing application.
  • The operator cannot be the start of a consistent region. An error occurs when you compile your streams processing application.

Summary

Ports
This operator has 1 input port and 1 output port.
Windowing
This operator optionally accepts a windowing configuration.
Parameters
This operator supports 1 parameter.

Optional: warmupFile

Metrics
This operator does not report any metrics.

Properties

Implementation
C++
Threading
Never - Operator never provides a single threaded execution context.

Input Ports

Ports (0)
Ingests tuples containing DNS response records. The input tuple must contain, at a minimum, the following attributes:
  • timestamp captureTime
  • rstring dstAddress
  • rstring domain
  • uint8 responseCode
  • BWListTag_e bwTag

For convenience, the com.ibm.streams.cybersecurity.types::DomainProfilingInput_t type contains all of the necessary attributes needed by the DomainProfiling operator.

Windowing

Supports a partitioned, tumbling window. All eviction policies are supported.


Output Ports

Assignments
This operator allows any SPL expression of the correct type to be assigned to output attributes.
Output Functions
DP Functions
<any T> T AsIs()

The default function for output attributes. By default, this function assigns the output attribute to the value of the input attribute with the same name.

timestamp getProfileLastUpdate()

Returns the latest timestamp of the windowed DNS response records.

rstring getDomain()

Returns the profiled domain.

<any T> T getWindowedTuples()

Returns a list of the input tuples that were used to build the profile. The output attribute must be an SPL list whose element type is the input tuple type, for example list<DomainProfilingInput_t>.

rstring getPredictedClass()

Returns a prediction for the profiled domain. This function will return either "suspicious" or "benign".

list<float64> getFeatureVector()

Returns the feature vector.

Ports (0)

Submits a tuple containing a prediction for the profiled domain. This port submits one tuple each time the tumbling window is evicted. Custom output functions are used to specify the values of the output tuple attributes. Output attributes without an explicit assignment are assigned from the input attribute of the same name (the AsIs() default).

For convenience, the com.ibm.streams.cybersecurity.types::DomainProfilingResult_t type can be used as the output tuple type of this operator. This type contains attributes that can be assigned from the output functions.


Parameters

Optional: warmupFile

warmupFile

This parameter specifies the path to the warmup file used to initialize the operator. The toolkit ships a default warmup file at "<TOOLKIT_ROOT_DIR>/etc/app/dp/DomainProfilingWarmup.txt". Because this file initializes the operator's state, treat it like any other trusted configuration input: keep it under version control and restrict who can modify the copy the application reads.
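The following SPL composite is an added example of invoking the operator end to end; it is not code from the toolkit's documentation or source. It assumes: a constructed CSV file "dns_responses.csv" whose columns are laid out in the attribute order of DomainProfilingInput_t (so FileSource can parse the bwTag enum literals from the file); a five-minute profiling period; that the partitioned tumbling window keys on the domain attribute; that the SPL standard function getToolkitDirectory() resolves the cybersecurity toolkit's root so the default warmup file can be located; and an output type ProfileResult_t whose attribute names are chosen here for illustration (DomainProfilingResult_t can be used instead where its attribute names match).

```spl
// Added example; not part of the com.ibm.streams.cybersecurity toolkit.
// Assumptions (see lead-in): "dns_responses.csv" is a constructed input file
// in DomainProfilingInput_t attribute order; the partitioned window keys on
// the domain attribute; getToolkitDirectory() resolves the toolkit root.
use com.ibm.streams.cybersecurity.analytics::DomainProfiling;
use com.ibm.streams.cybersecurity.types::*;

composite DomainProfilingExample {
    type
        // One attribute per output function assigned below. Names are chosen
        // for this example; they are not dictated by the operator.
        ProfileResult_t = tuple<rstring domain,
                                rstring predictedClass,
                                list<float64> featureVector,
                                timestamp profileLastUpdate>;

    graph
        // Constructed input: DNS response records already shaped as
        // DomainProfilingInput_t (captureTime, dstAddress, domain,
        // responseCode, bwTag, ...).
        stream<DomainProfilingInput_t> DnsResponses = FileSource() {
            param
                file   : "dns_responses.csv";
                format : csv;
        }

        // Profile each domain over a 300-second tumbling window; one
        // prediction tuple per domain is submitted when the window evicts.
        // Note: this operator is not supported inside a consistent region.
        stream<ProfileResult_t> Profiles = DomainProfiling(DnsResponses) {
            window
                DnsResponses : tumbling, time(300.0), partitioned;
            param
                // Default warmup file shipped with the toolkit (assumed
                // located via getToolkitDirectory()).
                warmupFile : getToolkitDirectory("com.ibm.streams.cybersecurity")
                             + "/etc/app/dp/DomainProfilingWarmup.txt";
            output
                Profiles : domain            = getDomain(),
                           predictedClass    = getPredictedClass(),
                           featureVector     = getFeatureVector(),
                           profileLastUpdate = getProfileLastUpdate();
        }

        // getPredictedClass() yields only "suspicious" or "benign". Keep the
        // suspicious verdicts together with the feature vector that drove
        // them, so an analyst can review the evidence, not just the label.
        stream<ProfileResult_t> Suspicious = Filter(Profiles) {
            param
                filter : predictedClass == "suspicious";
        }

        () as SuspiciousSink = FileSink(Suspicious) {
            param
                file   : "suspicious_domains.csv";
                format : csv;
                flush  : 1u;
        }
}
```

The window length sets how much DNS behaviour a single verdict is based on: a short window produces verdicts quickly but from few records, a long one delays the first prediction for a domain by the full window period. Downstream consumers should treat the predicted class as an analytic signal to be reviewed alongside the feature vector and, if needed, the windowed tuples obtained with getWindowedTuples(), rather than as a blocking decision on its own.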


Libraries

Library Name: csa, re2
Library Path: ../../impl/lib/csa/, ../../impl/lib/re2/
Include Path: ../../impl/include/re2/, ../../impl/include/csa/, ../../impl/include/csa/dp/, ../../impl/include/