IBM Streams 4.2.1

Operator DomainProfiling


The DomainProfiling operator analyzes DNS response traffic and reports whether or not the behaviour of the domain is suspicious. This is done by building a profile of the DNS response records over a period of time. At the end of that period, the operator submits a tuple predicting whether the domain that was profiled is "suspicious" or "benign".

Behavior in a consistent region

  • The operator is not supported in a consistent region. A warning occurs when you compile your streams processing application.
  • The operator cannot be the start of a consistent region. An error occurs when you compile your streams processing application.


This operator has 1 input port and 1 output port.
This operator optionally accepts a windowing configuration.
This operator supports 1 parameter.

Optional: warmupFile

This operator does not report any metrics.


Never - Operator never provides a single threaded execution context.

Input Ports

Ports (0)
Ingests tuples containing DNS response records. The input tuple must contain, at a minimum, the following attributes:
  • timestamp captureTime
  • rstring dstAddress
  • rstring domain
  • uint8 responseCode
  • BWListTag_e bwTag

For convenience, the type contains all of the necessary attributes needed by the DomainProfiling operator.


Supports a partitioned, tumbling window. All eviction policies are supported.


Output Ports

This operator allows any SPL expression of the correct type to be assigned to output attributes.
Output Functions
DP Functions
<any T> T AsIs()

The default function for output attributes. By default, this function assigns the output attribute to the value of the input attribute with the same name.

timestamp getProfileLastUpdate()

Returns the latest timestamp of the windowed DNS response records.

rstring getDomain()

Returns the profiled domain.

<any T> T getWindowedTuples()

Returns a list of the input tuples that were used as part of the profile. The expected output type is an SPL::list containing the input tuples. For example, the return type may be: SPL::list<DomainProfilingInput_t>.

rstring getPredictedClass()

Returns a prediction for the profiled domain. This function will return either "suspicious" or "benign".

list<float64> getFeatureVector()

Returns the feature vector.

Ports (0)

Submits a tuple containing a prediction for the profiled domain. This port submits a tuple each time the tumbling window is evicted. Custom output functions are used to specify the value of the output tuple attributes. The output tuple attributes whose assignments are not specified are assigned from the input attribute.

For convenience, the type can be used as the output tuple type of this operator. This type contains attributes that can be assigned from the output functions.



Optional: warmupFile


This parameter specifies the path to the warmup file used to initialize the operator. This toolkit contains a default warmup file, which can be found here: "<TOOLKIT_ROOT_DIR>/etc/app/dp/DomainProfilingWarmup.txt".
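The following invocation is an added example, not part of the IBM documentation. It wires the partitioned tumbling window, the warmupFile parameter and the output functions described above into one composite. The `use` namespace, the composite name ProfileDomains, the stream and attribute names on the output, and the 300-second window are assumptions.

```spl
// Added example, not IBM's own code.
// Assumption: this is the namespace that exports DomainProfiling;
// the page does not state it.
use com.ibm.streams.cybersecurity.analytics::DomainProfiling ;

// Hypothetical wrapper composite. DnsResponses must carry at least
// captureTime, dstAddress, domain, responseCode and bwTag (see Input Ports).
public composite ProfileDomains(input DnsResponses ; output Predictions)
{
    param
        // Path to the warmup file, for example the toolkit default
        // <TOOLKIT_ROOT_DIR>/etc/app/dp/DomainProfilingWarmup.txt
        expression<rstring> $warmupFile ;

    graph
        // Every output attribute is assigned explicitly, so none of them
        // falls back to the AsIs() copy from the input tuple.
        stream<rstring domain, rstring predictedClass, timestamp lastUpdate,
            list<float64> features> Predictions = DomainProfiling(DnsResponses)
        {
            window
                // Partitioned tumbling window; 300.0 seconds is a constructed
                // profiling period. One tuple is submitted per eviction.
                DnsResponses : tumbling, time(300.0), partitioned ;
            param
                warmupFile : $warmupFile ;
            output
                Predictions :
                    domain = getDomain(),
                    // "suspicious" or "benign"
                    predictedClass = getPredictedClass(),
                    // latest timestamp among the windowed DNS responses
                    lastUpdate = getProfileLastUpdate(),
                    features = getFeatureVector() ;
        }
}
```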



No description for library.
Library Name: csa, re2
Library Path: ../../impl/lib/csa/, ../../impl/lib/re2/
Include Path: ../../impl/include/re2/, ../../impl/include/csa/, ../../impl/include/csa/dp/, ../../impl/include/