Rare/Unusual Domain & Destination Flow Check #7807

DropB1t · 2023-09-05T08:49:46Z

Me and my colleagues @LeoBubi & @F3rto have implemented a check Flow Check for rare domains and destinations, using ndpi_bitmap , with periodic learning.

Mentioned issues are
#6416, #6417

fixed two RareDestTrainig's methods. renamed bitmaps ( more concise with its functionality ). added serialization to redis: ( dumpRareDestToRedis and loadRareDestFromRedis methods )

Host extension with Rare Destination structures and methods

Host extension

* Edit suggestion * refactor: change position of curly braces --------- Co-authored-by: Leonardo Brugnano <[email protected]>

Rare dest: Destination hashing function available in epoch_feature

defined constant values instead of struct's values

refactored getDestinationHash serialization of training variables into redis refactor epoch feature code

Sync fork with latest dev updates

DropB1t · 2023-09-08T18:19:49Z

Just in case, I've already fixed the conflicts with base branch. Looking forward to move on with pr

src/LocalHost.cpp

src/flow_checks/RareDestination.cpp

cardigliano · 2023-09-12T10:02:55Z

It was required to implement one flow check for the domains, and one for IPs. It is ok using a single Check, but it is required to use at least two different bitmaps to keep the status.
Currently the status (bitmaps) is kept in LocalHost, the issue required this to be per ntopng instance. I suggest moving the bitmaps to NetworkInterface to make this global per interface.
The learning mechanism is not optimal (besides the fact that code itself is a bit too complicated and can be simplified):
The algorithm it is based on periodic learning periods, during those periods the check is in standby mode and it does not detect/trigger alerts. I suggest reworking this to have a single standby period during the initial learning, after this period all the new destinations should be just added to the status/bitmaps when running the check. The status should be still serialized on redis periodically.

Please also check my comments inline in the code.

Thank you.

LeoBubi · 2023-09-12T14:10:03Z

Thank you for the precious comments and suggestions, we're going to fix the code as soon as possible.

We only have some doubts about the learning mechanism you suggested. The periodic training logic was implemented because we think that if a destination is not seen in a while then it makes sense to consider it rare again. If only a single initial training is done, it is not possible to do such thing, causing the bitmaps to fill up after some time, effectively making the check useless. In addition, we talked to @lucaderi some time ago, and he suggested that we proceed by implementing periodic training.

Regarding the bitmaps in LocalHost, @lucaderi said that it was up to us to decide whether to do it for host or network interface. Anyway, we'll move the bitmaps to NetworkInterface as suggested.

cardigliano · 2023-09-12T14:33:57Z

As of the periodic training, what I proposed is the easiest solution: just warn once for every rare destination detected, and ignore it for the future. Alternatively you can periodically rebuild the bitmaps, but this should happen while running the check (building a "shadow" bitmap and swapping the bitmaps after the learning period), without putting the check in "standby" during the learning periods as this is like disabling the check for several hours per day.

lucaderi · 2023-09-12T16:30:29Z

Thank you for the precious comments and suggestions, we're going to fix the code as soon as possible.

We only have some doubts about the learning mechanism you suggested. The periodic training logic was implemented because we think that if a destination is not seen in a while then it makes sense to consider it rare again. If only a single initial training is done, it is not possible to do such thing, causing the bitmaps to fill up after some time, effectively making the check useless. In addition, we talked to @lucaderi some time ago, and he suggested that we proceed by implementing periodic training.

Regarding the bitmaps in LocalHost, @lucaderi said that it was up to us to decide whether to do it for host or network interface. Anyway, we'll move the bitmaps to NetworkInterface as suggested.

A rare destination is as such if it has not been detected so far in any of the hosts currently monitored. The learning period (or grace period) is a way to avoid triggering alerts until some basic knowledge is made. So it's done once at beginning and not periodically. Instead periodically you need to keep a backlog of visited hosts that allow you to trigger events for sites visited seldom (i.e. once a week). Does all this make sense to you?

new implementation of Redis save/load minor bug fixes & typo modular get/set methods for rareDestTraining values LocalHost cleanup

deallocating chain in case of failre

lucaderi · 2023-09-18T08:43:48Z

@DropB1t Anything we can do to expedite this PR?

As suggested by the review: - Status ( bitmaps ) has been decoupled: for domain & IPs - Status has been moved into NetworkInterface, and now it's global for each interface - Inline comments fixes has been made - Learning mechanism has been streamlined

DropB1t · 2023-09-19T13:45:53Z

As suggested by the review:

Status ( bitmaps ) has been decoupled: for domain & IPs
Status has been moved into NetworkInterface, and now it's global for each interface
Inline comments fixes has been made
Learning mechanism has been streamlined

cardigliano · 2023-09-25T13:26:11Z

My comments after the last review:

Two bitmaps (rare_dest_local and rare_dest_remote) are used now, why you need them? In my previous review I suggested to use two different bitmaps for domain names and IP addresses to avoid mixing them (and create collisions).
Issues Rare/Unusual Domain Flow Check #6416 and Rare/Unusual Destination Flow Check #6417 ask to track domain names and destination IPs, it is not really clear what RareDestination::protocolDetected is actually aiming to check and in which cases the traffic is going to be evaluated, some comment would help, especially around this if statement https://github.com/ntop/ntopng/pull/7807/files#diff-571714b52e75685b8e6fdc55c8f88a1c7e5ffc6131f1c7d195561a4aa9d03d1cR59
Similar to the previous item, RareDestination::getDestinationHash is not really clear, and there is some unhandled "else" condition. In general it is not clear which are all the cases this code is aiming to handle (referring to the values of src, dst, local, remote, mac, etc).

DropB1t · 2023-09-25T15:22:24Z

As was suggested we had separated the circle of concern between local and remote destinations and created those two statuses ( bitmaps ). As we opted to handle also mac addresses ( in case if dhcp is turned on on the local network ) the given name ( rare_dest_local ) seems to be more suited, and more generic, for the case
As for if statement on line 59 we try to perform the Check only if the client host is on the Local network and we have at our disposal either domain name or ip adress of the server host. If neither domain nor ip is available we cannot obtain the index key ( hash ) that is used to access the bitmaps
In RareDestination::getDestinationHash we try to define what type of traffic we are looking at ( from Local to Local host or from Local to Remote host ) and differentiate the destination type ( destType ) to select the appropriate bitmap to perform on, later in the Check. As stated in the first item we tried to use the mac addresses as hash key in case the DHCP is on and the server host is neither Brodcast nor Multicast Host. If not the hash key will be one of IPs at our disposal. In case of remote destination we try to set the hash key with the hash of the domain name using Utils::hashString(f->getFlowServerInfo()) ( I searched the appropriate method, in the flow interface at our disposal, to retrieve the domain name of the remote destination and f->getFlowServerInfo() seemed to be the right one, correct me if I had done the wrong choice )

I hope I have explained myself well. Thank you for your attention and time

lucaderi · 2023-10-17T19:27:35Z

Closing for inactivity

DropB1t and others added 30 commits April 12, 2023 14:05

test: flow's server address handling

14a00a7

First sketch

931fe1b

Second sketch

233638f

Host extension for RareDest implementation.

2c378d1

refactor: polished hashing section

880d221

fix: fix typo & set dummy default params

b005bbb

API adaption to new Host class

3f32c19

[fix] API adaption to new Host class

98e92ed

features & refactor & fixes:

e2278e4

fixed two RareDestTrainig's methods. renamed bitmaps ( more concise with its functionality ). added serialization to redis: ( dumpRareDestToRedis and loadRareDestFromRedis methods )

Merge pull request #1 from DropB1t/host_extension

6f358bf

Host extension with Rare Destination structures and methods

Variables renaming and hashing implementation

1802dc2

Fix typo

f9ccc38

bugfix: correct memory leak

a626af3

Merge pull request #2 from DropB1t/host_extension

5ab82e4

Host extension

fix: fixed typos

66a3fa8

Hashing edit (#3)

eb1d0e3

* Edit suggestion * refactor: change position of curly braces --------- Co-authored-by: Leonardo Brugnano <[email protected]>

Merge branch 'epoch-feature' into rare_dest

0cd2560

Merge pull request #4 from DropB1t/rare_dest

16f5dfd

Rare dest: Destination hashing function available in epoch_feature

refactor: refactor naming convention,

410ad41

defined constant values instead of struct's values

RareDestination.cpp refactoring

fdc6d10

refactor & fixes:

bb399cf

refactored getDestinationHash serialization of training variables into redis refactor epoch feature code

Testing feature & fixes

a62d3dc

fix: fixed getDestinationHash's function signature

7f21dbc

[fix] loadRareDestFromRedis memory leak

cdda897

Merge branch 'rareDestination-refactor' into synced-latest-dev

05d851d

Merge pull request #5 from DropB1t/synced-latest-dev

454ee3b

Sync fork with latest dev updates

refactor: moved implementation into LocalHost

09231d2

Commented Prints

ab8713d

Code cleanup

9c8411b

refactor: moved hashing function

e5795f4