Traffic Analysis Using Streaming Queries

Mike Fisk Los Alamos National Laboratory [email protected]

Outline
Intro to Continuous Query Systems
a.k.a Streaming Databases Relevance to data networks

Optimizing the evaluation of multiple Boolean queries

Counting Algorithm Snort Static Dataflow Optimization
Common Subexpression Vector Algorithms

Performance Comparisons

Observations
Traffic analysis tools are data-type-specific
Flowtools netflow Snort pcap Psad iptables logs

Most analysis systems lack a framework for optimizing

rules/queries
Reordering boolean expressions Grouping (common sub-expressions) Vector/set operations

Continuous Query Systems

Continuous Query systems are to streaming data what Relational
Database systems are to stored data
Filtering, summarization, aggregation

Example datasets:
Sensor data (temperature, traffic, etc) Stock exchange transactions Packets, flows, logs

Inefficient and high latency to load data into a traditional database

and query periodically.
How often could you afford to re-execute the query?

Example systems:
NiagraCQ (Wisc), Telegraph (Berkeley), SMACQ, etc. Commerical: StreamBase, etc.

Example systems in disguise:

Snort, router ACLs, firewall filters, packet classification, egrep
4

System for Modular Analysis & Continuous Queries

Queries Optimized Data-Flow Graphs Scheduler Processing Modules Type Run-Time Type Modules Dynamically Loaded Internals Specied at run-time

Type Model
Stream of dynamically & heterogeneously typed objects
Each object can have different type Types need not be statically defined in advance

Objects refer to storage locations

Internal to the object, or references into other objects or external memory

Objects have fields

Fields are (indifferently) struct elements, enums, unions, casts, string conversions, etc. Fields are first-class objects Fields can be dynamically attached to objects

Objects are immutable

Enables parallelism without locking

Type Module Definition

There are no fundamental types Pcap packet example
struct dts_field_spec dts_type_packet_fields[] = { //Type Name Access Function if not fixed { "timeval", "ts", NULL }, // Fixed-length, fixed-location { "uint32", "caplen", NULL }, { "uint32, "len", NULL }, { "ipproto, "ipprotocol", dts_pkthdr_get_protocol }, // Function-pointer { "string, "packet", dts_pkthdr_get_packet }, { "macaddr, "dstmac", dts_pkthdr_get_dstmac }, { "nuint16", "ethertype", dts_pkthdr_get_ethertype }, { "ip", "srcip", dts_pkthdr_get_srcip },

SMACQ Processing Modules

Modules are the atoms of query optimization Written in C++ or Python Take arbitrary flags and arguments
Unix command-line style

Introspection: Can ask runtime to identify downstream invariants

When module can do eager pre-filtering (e.g. hardware prefilter on NIC, database query, etc.)

Event-driven (produce/consume) API

Can use threaded wrapper if lazy (really co-routines)

Can embed other query instantiations

Can instantiate new scheduler, or share primary (preferred)

Example Processing Module (Python)

Class Dumper: Print a few elements of each datum and pass every 5th def __init__(self, smacq, *args): print ('init', args) self.smacq = smacq #Save reference to runtime self.buf = [] #List of objects received def consume(self, datum): for i in 'srcip', 'dstip', 'ipprotocol', 'len': v = datum[i].value print (i, datum[i].type, type(v), v) self.buf.append(datum) if len(self.buf) == 5: self.smacq.enqueue(datum) # Output object downstream self.buf = []
9

Query Model: Dataflow Graphs

Queries are dataflow graphs
AND

pcaplive
Input

==
Stateless filtering

uniq
Stateful filtering

print
Output

Modules declare algebraic properties:

stateless (map), annotation, vector, demux, (associative) Enables optimization, rewriting, parallelization, map/reduce

Static optimizer applies all data-flow optimizations

permitted by algebraic properties of the involved modules
10

Optimizing Continuous Queries

Traditional database query optimization:
Uses data indexes Minimizes individual query times

Continuous-query optimization:
Executing many queries simultaneously Minimize resource consumption per unit of data input
Maximize data throughput

11

Why is multiple query processing important? Approximately 8 new rules each week

12

Optimization of 150 Snort Rules

Example Queries 6 Tests in 3 Rules

sport=80?

ip=x?

Packet Capture

sport=80? sport=80? ip=y?

contains FOO?

Reporter

14

Snort Approach
[Roesh, LISA 99]

Example: 6-7 Tests

Per-Tuple Tests

Unique 5-Tuples
srcip=x? sport=80?

Packet Capture

contains BOO?

Reporter

srcip=y? sport=80?

srcip=*? sport=80?

15

Counting Approach
[Carzaniga & Wolf, SIGCOMM 03]

Example: 7 Tests
Rules/Queries
(x, 80) total=2? sport=80 total=1?

Unique Sub-expressions
ip=x?

Packet Capture

sport=80? ip=y?
contains BOO?

Reporter

(y, 80, BOO) total=3?

16

Data-Flow Approach Example: 1-4 Tests

ip=x?

Packet Capture

sport=80? ip=y?
contains BOO?

Reporter

1. Common roots 2. Common leaves 3. Common upstream graphs 4. Common downstream graphs

17

Performance Comparison

Total Constraints

18

Vector Functions
Most optimizations in stream analysis have employed a class of
algorithms that can be characterized as vector functions:
f(x, v ) = f(x, v1), f(x, v2), . Vector version is typically O(1) or O(log n) instead of O(n)

Examples
Set of equality tests becomes a single lookup in a hash-table Set of string matches becomes a single DFA to traverse
Lookup dstport 80 25

dstport==80 dstport==25

X Y

X Y

19

Performance Comparison with Vector Functions

> 80% of tests short-circuited

20

Analysis: Why was Counting better only without vectors?

Assume that each test results in p more tests
p = fanout short-circuiting p fanout 0 short-circuiting 1

Assume data-flow of tests is a balanced tree of depth d

d is an integer 1

Expected number of evaluations:

1 + p + p2 + p3 + + pd-1 = (1 - pd) / (1 - p)

Let u = number of unique tests = Countings performance

s(1 - pd) / (1 - p) < u if (d > 1, p < 1)

For IDS test: d = 6

With Vectors (u=39): p < 1.7 is desired. Actual p = 1 Without Vectors (u=1782): p < 4.2 is desired. Actual p = 5.8

21

Supported Query Languages

SQL style:

print srcip, dstip from (cflow where dstport==80 and uniq(srcip, dstip))

Misplaced belief that since SQL is well defined, people can just use it Deeply nested queries make you wish you were merely nested in s-expressions

Unix pipe style:

cflow | where dstport==80 | uniq srcip dstip | print srcip, dstip AND

pcaplive
Input

==
Stateless filtering

uniq
Stateful filtering

print
Output
22

Supported Query Languages

Datalog
Pairs :- cflow | uniq(srcip dstip) SrcCount :- count() group by ipprotocol srcport DstCount :- count() group by ipprotocol dstport Pdf :- filter(count) | pdf Print :- sort(-r probability) | print(type ipprotocol port probability) Pairs | SrcCount | const(-f type src) | Pdf | rename (srcport port) | Print Pairs | private | DstCount | const(-f type dst) | Pdf | rename (dstport port) | Print

Clean, allows named subexpressions

23

Join Models
DFA module
Define a state machine where transitions specified as Booleans on new inputs

SQL style
Example: print running cross-product
print a.ipid b.ipid from pcapfile([email protected]) a, b where a.ipid != b.ipid

New keyword UNTIL defines when state can be removed

NEW refers to newly input data for comparison

Example: print retransmissions within the same second

print expr(b.ts - a.ts) from pcaplive() a until(new.a.ts.sec > a.ts.sec), b until(new) where b.ts > a.ts and a.srcip == b.srcip and a.srcport == b.srcport and a.seq == b.seq and a.payload != and b.payload !=

24

Usage Experience
Online detection & automated response systems Ad-hoc queries for forensic analysis and data exploration Feature extraction for other software

25

Conclusions
Continuous Queries provide a common query syntax,
software infrastructure, and optimization framework for traffic analysis

CQ necessary for streaming applications, sufficient for

ad-hoc forensic analysis

Open source at smacq.sf.net!

26

Conclusions

Open source at smacq.sf.net!

Continuous Queries provide a common query syntax, software

infrastructure, and optimization framework for traffic analysis

Two identified strategies for static optimization of multiple queries

Remove (Counting) or Reduce (Data-flow) redundant tests Boolean (Data-flow) short-circuiting removes need for some subsequent tests

Performance Analysis:
Counting is preferable when short-circuiting is rare Data-flow out-performs counting when short-circuiting is significant
When breadth of graph is reduced with vector functions, actual IDS workload benefits significantly from short-circuiting

Data-flow approach can also benefit from additional, dynamic

reordering of tests to maximize early short-circuiting

27