
new(anomalydetection): Initial Scope - CountMinSketch Powered Probabilistic Counting and Filtering #419

Open
wants to merge 17 commits into base: main

Conversation

incertum
Contributor

@incertum incertum commented Feb 27, 2024

What type of PR is this?

Uncomment one (or more) /kind <> lines:

/kind bug

/kind cleanup

/kind design

/kind documentation

/kind failing-test

/kind feature

Any specific area of the project related to this PR?

Uncomment one (or more) /area <> lines:

/area plugins

/area registry

/area build

/area documentation

What this PR does / why we need it:

Introduce a new anomalydetection plugin, as outlined in the Proposal.

Which issue(s) this PR fixes:

Fixes falcosecurity/falco#3117


Special notes for your reviewer:

Sharing some hopefully useful notes:

  • Check out the README first, as it summarizes current limitations and the initial scope
  • Much of the code was duplicated from falcosecurity/libs; I’ve indicated this to show that this code doesn’t need review here. If you find issues, let’s address them in libs instead
  • Hot reloading seems to be working (no segfaults observed), except toggling enabled/disabled during a hot reload doesn’t work, which we can likely ignore
  • The project builds in a container suitable for building Falco, so we can set up CI
  • Initial local tests confirm the intended functionality, including the reset timers
  • Unit tests cover the most critical functions but could still be improved
  • cms.h contains the algorithm/math (it's probabilistic counting only, not AI/ML); the rest is mostly generic plugin setup or configuration.
  • Config initialization is designed to error out if the plugin is used for currently unsupported cases
  • The profile field filtercheck code might be removed if libs filterchecks are opened to plugins, which would make it more stable and less risky. Additionally, translating Falco filtercheck logic to the plugin framework was very tedious
  • Further testing on more robust servers is needed to check for performance and stability issues, such as CPU spikes or segfaults after extended runs
  • Most things had to be wrapped in try-catch statements, as simple checks for nullptr were not possible ...

For this first version, I am primarily concerned about performance and stability (no segfaults). I would truly appreciate a very critical review in this regard. Thanks a bunch in advance!
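The PR title and the note about cms.h describe a Count-Min Sketch used for probabilistic counting and threshold filtering. The block below is an added illustration of that data structure and is not the PR's cms.h or any other Falco code: it sizes the table from the usual epsilon/delta bounds, rejects out-of-range parameters at construction (the same "error out on unsupported config" stance the description mentions), never under-counts, supports a reset() of the kind a reset timer would call, and exposes a hypothetical exceeds() threshold check. The per-row FNV-1a hashing, the sample process names and the helper names are all assumptions for this example.

```cpp
// Added example: a minimal Count-Min Sketch for counting string keys.
// Not the project's cms.h; hashing, sample data and helper names are assumed.
#include <algorithm>
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <vector>

class CountMinSketch {
public:
    // epsilon: additive over-count bound as a fraction of all inserts.
    // delta:   probability that an estimate exceeds that bound.
    // Invalid parameters are rejected here rather than producing a
    // zero-width table that would silently over-count everything.
    CountMinSketch(double epsilon, double delta) {
        if (!(epsilon > 0.0 && epsilon < 1.0) || !(delta > 0.0 && delta < 1.0))
            throw std::invalid_argument("epsilon and delta must lie in (0, 1)");
        width_ = static_cast<size_t>(std::ceil(std::exp(1.0) / epsilon));
        depth_ = static_cast<size_t>(std::ceil(std::log(1.0 / delta)));
        table_.assign(depth_, std::vector<uint64_t>(width_, 0));
        total_ = 0;
    }

    // Add `count` occurrences of `key`: one cell per row is incremented.
    void update(const std::string& key, uint64_t count = 1) {
        for (size_t d = 0; d < depth_; ++d) table_[d][index(key, d)] += count;
        total_ += count;
    }

    // Point query: the minimum over rows. Collisions can only inflate a
    // cell, so the estimate is never below the true count.
    uint64_t estimate(const std::string& key) const {
        uint64_t est = UINT64_MAX;
        for (size_t d = 0; d < depth_; ++d) est = std::min(est, table_[d][index(key, d)]);
        return est;
    }

    // Clear all counters, as a periodic reset timer would.
    void reset() {
        for (auto& row : table_) std::fill(row.begin(), row.end(), 0);
        total_ = 0;
    }

    size_t width() const { return width_; }
    size_t depth() const { return depth_; }
    uint64_t total() const { return total_; }

private:
    // FNV-1a 64-bit seeded per row (assumed for this example; production code
    // should use a proper independent hash family per row).
    size_t index(const std::string& key, size_t row) const {
        uint64_t h = 14695981039346656037ULL ^ (static_cast<uint64_t>(row) * 0x9E3779B97F4A7C15ULL);
        for (unsigned char c : key) { h ^= c; h *= 1099511628211ULL; }
        return static_cast<size_t>(h % width_);
    }

    size_t width_ = 0;
    size_t depth_ = 0;
    std::vector<std::vector<uint64_t>> table_;
    uint64_t total_ = 0;
};

// Hypothetical filter: true when the estimated count is above `threshold`.
bool exceeds(const CountMinSketch& cms, const std::string& key, uint64_t threshold) {
    return cms.estimate(key) > threshold;
}

// Constructed sample stream of process names: sh x4, cat x2, curl x2.
CountMinSketch build_sample_sketch() {
    CountMinSketch cms(0.01, 0.01);  // width 272, depth 5
    const char* events[] = {"sh", "sh", "cat", "sh", "curl", "curl", "cat", "sh"};
    for (const char* e : events) cms.update(e);
    return cms;
}

uint64_t sample_estimate(const std::string& key) { return build_sample_sketch().estimate(key); }
bool sample_exceeds(const std::string& key, uint64_t threshold) { return exceeds(build_sample_sketch(), key, threshold); }
bool sample_reset_clears() { CountMinSketch c = build_sample_sketch(); c.reset(); return c.estimate("sh") == 0 && c.total() == 0; }
bool sample_rejects_bad_params() { try { CountMinSketch c(0.0, 0.5); return false; } catch (const std::invalid_argument&) { return true; } }

int main() {
    CountMinSketch cms = build_sample_sketch();
    std::printf("table %zux%zu, total %llu\n", cms.depth(), cms.width(), (unsigned long long)cms.total());
    for (const char* k : {"sh", "cat", "curl", "unseen"})
        std::printf("%-6s est=%llu exceeds(3)=%d\n", k, (unsigned long long)cms.estimate(k), exceeds(cms, k, 3));
    return 0;
}
```

The estimate can only err upward (by at most epsilon times the total inserts, with probability at least 1 minus delta), which is why a threshold filter built on it yields false positives but never false negatives; a reset turns the sketch into a per-window counter, at the cost of forgetting everything at the window boundary.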

incertum and others added 15 commits August 21, 2024 15:49
…ts + start fd related filterchecks 2/n

Signed-off-by: Melissa Kilby <[email protected]>
…n cases of missing fd table entry

Signed-off-by: Melissa Kilby <[email protected]>
…+ better comments/docs clarity

Signed-off-by: Melissa Kilby <[email protected]>
@incertum incertum marked this pull request as ready for review August 22, 2024 19:47
@incertum incertum changed the title from "wip: new(anomalydetection): Initial Scope - CountMinSketch Powered Probabilistic Counting and Filtering" to "new(anomalydetection): Initial Scope - CountMinSketch Powered Probabilistic Counting and Filtering" Aug 22, 2024
Development: successfully merging this pull request may close these issues: [TRACKING] New anomalydetection Plugin - Targeting First Release for Falco 0.39.0

3 participants