def __init__(self,
aminer_config,
target_path_list,
anomaly_event_handlers,
persistence_id='Default',
auto_include_flag=False,
output_log_line=True):
"""Initialize the detector. This will also trigger reading or creation of persistence storage location."""
self.target_path_list = target_path_list
self.anomaly_event_handlers = anomaly_event_handlers
self.auto_include_flag = auto_include_flag
self.next_persist_time = None
self.output_log_line = output_log_line
self.aminer_config = aminer_config
self.persistence_id = persistence_id
PersistencyUtil.add_persistable_component(self)
self.persistence_file_name = AMinerConfig.build_persistence_file_name(
aminer_config, self.__class__.__name__, persistence_id)
persistence_data = PersistencyUtil.load_json(
self.persistence_file_name)
if persistence_data is None:
self.known_path_set = set()
else:
self.known_path_set = set(persistence_data)
def __init__(self, aminer_config, parallel_check_count, correlation_test_count, max_fail_count, anomaly_event_handlers,
persistence_id='Default', record_count_before_event=0x10000, output_log_line=True):
"""Initialize the detector. This will also trigger reading or creation of persistence storage location.
@param parallel_check_count number of rule detection checks to run in parallel.
@param correlation_test_count number of unit to perform on a rule under test.
@param max_fail_count maximal number of test failures so that rule is still eligible for reporting."""
self.last_timestamp = 0.0
self.parallel_check_count = parallel_check_count
self.correlation_test_count = correlation_test_count
self.max_fail_count = max_fail_count
self.anomaly_event_handlers = anomaly_event_handlers
self.max_rule_attributes = 5
self.last_unhandled_match = None
self.next_persist_time = None
self.total_records = 0
self.record_count_before_event = record_count_before_event
self.persistence_id = persistence_id
self.output_log_line = output_log_line
PersistencyUtil.add_persistable_component(self)
self.persistence_file_name = AMinerConfig.build_persistence_file_name(aminer_config, 'TimeCorrelationDetector', persistence_id)
persistence_data = PersistencyUtil.load_json(self.persistence_file_name)
if persistence_data is None:
self.feature_list = []
self.event_count_table = [0] * parallel_check_count * parallel_check_count * 2
self.event_delta_table = [0] * parallel_check_count * parallel_check_count * 2
def __init__(self,
aminer_config,
property_path,
bin_definition,
report_interval,
report_event_handlers,
reset_after_report_flag=True,
persistence_id='Default',
output_log_line=True):
"""Initialize the analysis component.
@param report_interval delay in seconds between creation of two reports. The parameter is applied to the parsed record data
time, not the system time. Hence reports can be delayed when no data is received."""
self.last_report_time = None
self.next_report_time = 0.0
self.property_path = property_path
self.bin_definition = bin_definition
self.histogram_data = {}
self.report_interval = report_interval
self.report_event_handlers = report_event_handlers
self.reset_after_report_flag = reset_after_report_flag
self.persistence_id = persistence_id
self.next_persist_time = None
self.output_log_line = output_log_line
PersistencyUtil.add_persistable_component(self)
self.persistence_file_name = AMinerConfig.build_persistence_file_name(
aminer_config, 'PathDependentHistogramAnalysis', persistence_id)
persistence_data = PersistencyUtil.load_json(
self.persistence_file_name)
if persistence_data is not None:
raise Exception('No data reading, def merge yet')
def __init__(self, aminer_config, anomaly_event_handlers, timestamp_path, analyze_path_list, min_bin_elements, min_bin_time,
sync_bins_flag=True, debug_mode=False, persistence_id='Default', output_log_line=True):
"""Initialize the detector. This will also trigger reading or creation of persistence storage location.
@param timestamp_path if not None, use this path value for timestamp based bins.
@param analyze_path_list list of match pathes to analyze in this detector.
@param min_bin_elements evaluate the latest bin only after at least that number of elements was added to it.
@param min_bin_time evaluate the latest bin only when the first element is received after minBinTime has elapsed.
@param sync_bins_flag if true the bins of all analyzed path values have to be filled enough to trigger analysis.
@param debug_mode if true, generate an analysis report even when average of last bin was within expected range."""
self.anomaly_event_handlers = anomaly_event_handlers
self.timestamp_path = timestamp_path
self.min_bin_elements = min_bin_elements
self.min_bin_time = min_bin_time
self.sync_bins_flag = sync_bins_flag
self.debug_mode = debug_mode
self.next_persist_time = None
self.persistence_id = persistence_id
self.output_log_line = output_log_line
PersistencyUtil.add_persistable_component(self)
self.persistence_file_name = AMinerConfig.build_persistence_file_name(aminer_config, 'MatchValueAverageChangeDetector',
persistence_id)
persistence_data = PersistencyUtil.load_json(self.persistence_file_name)
if persistence_data is None:
self.stat_data = []
for path in analyze_path_list:
self.stat_data.append((path, [],))
def __init__(self,
aminer_config,
histogram_defs,
report_interval,
report_event_handlers,
reset_after_report_flag=True,
persistence_id='Default',
output_log_line=True):
"""Initialize the analysis component.
@param histogram_defs is a list of tuples containing the target property path to analyze and the BinDefinition to apply for
binning.
@param report_interval delay in seconds between creation of two reports. The parameter is applied to the parsed record data
time, not the system time. Hence reports can be delayed when no data is received."""
self.last_report_time = None
self.next_report_time = 0.0
self.histogram_data = []
for (path, bin_definition) in histogram_defs:
self.histogram_data.append(HistogramData(path, bin_definition))
self.report_interval = report_interval
self.report_event_handlers = report_event_handlers
self.reset_after_report_flag = reset_after_report_flag
self.persistence_id = persistence_id
self.next_persist_time = None
self.output_log_line = output_log_line
PersistencyUtil.add_persistable_component(self)
self.persistenceFileName = AMinerConfig.build_persistence_file_name(
aminer_config, 'HistogramAnalysis', persistence_id)
persistence_data = PersistencyUtil.load_json(self.persistenceFileName)
if persistence_data is not None:
raise Exception('No data reading, def merge yet')
def __init__(self,
aminer_config,
ruleset,
anomaly_event_handlers,
persistence_id='Default',
output_log_line=True):
"""
Initialize the detector. This will also trigger reading or creation of persistence storage location.
@param ruleset a list of MatchRule rules with appropriate CorrelationRules attached as actions.
"""
self.aminer_config = aminer_config
self.event_classification_ruleset = ruleset
self.anomaly_event_handlers = anomaly_event_handlers
self.next_persist_time = time.time(
) + self.aminer_config.config_properties.get(
AMinerConfig.KEY_PERSISTENCE_PERIOD,
AMinerConfig.DEFAULT_PERSISTENCE_PERIOD)
self.persistence_id = persistence_id
self.output_log_line = output_log_line
self.last_log_atom = None
event_correlation_set = set()
for rule in self.event_classification_ruleset:
if rule.match_action.artefact_a_rules is not None:
event_correlation_set |= set(
rule.match_action.artefact_a_rules)
if rule.match_action.artefact_b_rules is not None:
event_correlation_set |= set(
rule.match_action.artefact_b_rules)
self.event_correlation_ruleset = list(event_correlation_set)
PersistenceUtil.add_persistable_component(self)
self.persistence_file_name = AMinerConfig.build_persistence_file_name(
aminer_config, 'TimeCorrelationViolationDetector', persistence_id)
def __init__(self,
aminer_config,
target_path,
anomaly_event_handlers,
persistence_id='Default',
auto_include_flag=False,
default_interval=3600,
realert_interval=86400,
output_log_line=True):
"""Initialize the detector. This will also trigger reading or creation of persistence storage location.
@param target_path to extract a source identification value from each logatom."""
self.target_path = target_path
self.anomaly_event_handlers = anomaly_event_handlers
self.auto_include_flag = auto_include_flag
self.default_interval = default_interval
self.realert_interval = realert_interval
# This timestamps is compared with timestamp values from log atoms for activation of alerting logic. The first timestamp from logs
# above this value will trigger alerting.
self.next_check_timestamp = 0
self.last_seen_timestamp = 0
self.next_persist_time = None
self.output_log_line = output_log_line
self.aminer_config = aminer_config
self.persistence_id = persistence_id
PersistencyUtil.add_persistable_component(self)
self.persistence_file_name = AMinerConfig.build_persistence_file_name(
aminer_config, self.__class__.__name__, persistence_id)
persistence_data = PersistencyUtil.load_json(
self.persistence_file_name)
if persistence_data is None:
self.expected_values_dict = {}
else:
self.expected_values_dict = persistence_data
self.analysis_string = 'Analysis.%s'
def __init__(self,
aminer_config,
target_path_list,
anomaly_event_handlers,
persistence_id='Default',
auto_include_flag=False,
output_log_line=True):
"""Initialize the detector. This will also trigger reading or creation of persistence storage location."""
self.target_path_list = target_path_list
self.anomaly_event_handlers = anomaly_event_handlers
self.auto_include_flag = auto_include_flag
self.next_persist_time = None
self.output_log_line = output_log_line
self.aminer_config = aminer_config
self.persistence_id = persistence_id
self.log_success = 0
self.log_total = 0
self.log_learned_path_values = 0
self.log_new_learned_values = []
PersistenceUtil.add_persistable_component(self)
self.persistence_file_name = AMinerConfig.build_persistence_file_name(
aminer_config, self.__class__.__name__, persistence_id)
persistence_data = PersistenceUtil.load_json(
self.persistence_file_name)
if persistence_data is None:
self.known_values_set = set()
else:
self.known_values_set = set(persistence_data)
logging.getLogger(AMinerConfig.DEBUG_LOG_NAME).debug(
'%s loaded persistence data.', self.__class__.__name__)
def __init__(self,
aminer_config,
target_path_list,
anomaly_event_handlers,
persistence_id='Default',
allow_missing_values_flag=False,
auto_include_flag=False,
output_log_line=True):
"""Initialize the detector. This will also trigger reading or creation of persistence storage location.
@param target_path_list the list of values to extract from each match to create the value combination to be checked.
@param allow_missing_values_flag when set to True, the detector will also use matches, where one of the pathes from targetPathList
does not refer to an existing parsed data object.
@param auto_include_flag when set to True, this detector will report a new value only the first time before including it
in the known values set automatically."""
self.target_path_list = target_path_list
self.anomaly_event_handlers = anomaly_event_handlers
self.allow_missing_values_flag = allow_missing_values_flag
self.auto_include_flag = auto_include_flag
self.output_log_line = output_log_line
self.aminer_config = aminer_config
self.persistence_id = persistence_id
self.persistence_file_name = AMinerConfig.build_persistence_file_name(
aminer_config, self.__class__.__name__, persistence_id)
self.next_persist_time = None
self.known_values_set = set()
self.load_persistency_data()
PersistencyUtil.add_persistable_component(self)
def tearDown(self):
self.aminer_config = AMinerConfig.load_config(self.__configFilePath)
persistence_file_name = AMinerConfig.build_persistence_file_name(
self.aminer_config)
if os.path.exists(persistence_file_name):
shutil.rmtree(persistence_file_name)
if not os.path.exists(persistence_file_name):
os.makedirs(persistence_file_name)
def __init__(self,
aminer_config,
target_path,
anomaly_event_handlers,
persistence_id='Default',
auto_include_flag=False,
default_interval=3600,
realert_interval=86400,
output_log_line=True):
"""
Initialize the detector. This will also trigger reading or creation of persistence storage location.
@param target_path to extract a source identification value from each logatom.
"""
self.target_path = target_path
self.anomaly_event_handlers = anomaly_event_handlers
self.auto_include_flag = auto_include_flag
self.default_interval = default_interval
self.realert_interval = realert_interval
# This timestamps is compared with timestamp values from log atoms for activation of alerting logic. The first timestamp from logs
# above this value will trigger alerting.
self.next_check_timestamp = 0
self.last_seen_timestamp = 0
self.next_persist_time = None
self.output_log_line = output_log_line
self.aminer_config = aminer_config
self.persistence_id = persistence_id
self.log_success = 0
self.log_total = 0
self.log_learned_values = 0
self.log_new_learned_values = []
PersistenceUtil.add_persistable_component(self)
self.persistence_file_name = AMinerConfig.build_persistence_file_name(
aminer_config, self.__class__.__name__, persistence_id)
persistence_data = PersistenceUtil.load_json(
self.persistence_file_name)
self.expected_values_dict = {}
if persistence_data is not None:
for key in persistence_data:
value = persistence_data[key]
if self.target_path is not None:
if value[3] != self.target_path:
continue
elif self.target_path_list is not None:
if value[3] not in self.target_path_list:
continue
if value[1] != default_interval:
value[1] = default_interval
value[2] = value[0] + default_interval
self.expected_values_dict[key] = value
logging.getLogger(AMinerConfig.DEBUG_LOG_NAME).debug(
'%s loaded persistence data.', self.__class__.__name__)
self.analysis_string = 'Analysis.%s'
def setUp(self):
self.aminer_config = AMinerConfig.load_config(self.__configFilePath)
self.analysis_context = AnalysisContext(self.aminer_config)
self.output_stream = StringIO()
self.stream_printer_event_handler = StreamPrinterEventHandler(
self.analysis_context, self.output_stream)
persistence_file_name = AMinerConfig.build_persistence_file_name(
self.aminer_config)
if os.path.exists(persistence_file_name):
shutil.rmtree(persistence_file_name)
if not os.path.exists(persistence_file_name):
os.makedirs(persistence_file_name)
def __init__(self,
aminer_config,
anomaly_event_handlers,
parallel_check_count,
persistence_id='Default',
record_count_before_event=10000,
output_log_line=True,
use_path_match=True,
use_value_match=True,
min_rule_attributes=1,
max_rule_attributes=5):
"""
Initialize the detector. This will also trigger reading or creation of persistence storage location.
@param parallel_check_count number of rule detection checks to run in parallel.
@param record_count_before_event number of events used to calculate statistics (i.e., window size)
@param min_rule_attributes minimum number of attributes forming a rule
@param max_rule_attributes maximum number of attributes forming a rule
@param use_path_match if true rules are build based on path existance
@param use_value_match if true rules are built based on actual values
"""
self.last_timestamp = 0.0
self.parallel_check_count = parallel_check_count
self.anomaly_event_handlers = anomaly_event_handlers
self.min_rule_attributes = min_rule_attributes
self.max_rule_attributes = max_rule_attributes
self.last_unhandled_match = None
self.next_persist_time = None
self.total_records = 0
self.record_count_before_event = record_count_before_event
self.persistence_id = persistence_id
self.output_log_line = output_log_line
self.use_path_match = use_path_match
self.use_value_match = use_value_match
self.aminer_config = aminer_config
PersistenceUtil.add_persistable_component(self)
self.persistence_file_name = AMinerConfig.build_persistence_file_name(
aminer_config, 'TimeCorrelationDetector', persistence_id)
persistence_data = PersistenceUtil.load_json(
self.persistence_file_name)
if persistence_data is None:
self.feature_list = []
self.event_count_table = [
0
] * parallel_check_count * parallel_check_count * 2
self.event_delta_table = [
0
] * parallel_check_count * parallel_check_count * 2
else:
logging.getLogger(AMinerConfig.DEBUG_LOG_NAME).debug(
'%s loaded persistence data.', self.__class__.__name__)
def __init__(self,
aminer_config,
target_path_list,
anomaly_event_handlers,
id_path_list,
min_allowed_time_diff,
persistence_id='Default',
allow_missing_values_flag=False,
auto_include_flag=False,
output_log_line=True):
"""
Initialize the detector. This will also trigger reading or creation of persistence storage location.
@param target_path_list the list of values to extract from each match to create the value combination to be checked.
@param id_path_list the list of pathes where id values can be stored in all relevant log event types.
@param min_allowed_time_diff the minimum amount of time in seconds after the first appearance of a log atom with a specific id
that is waited for other log atoms with the same id to occur. The maximum possible time to keep an incomplete combo
is 2*min_allowed_time_diff
@param allow_missing_values_flag when set to True, the detector will also use matches, where one of the pathes from target_path_list
does not refer to an existing parsed data object.
@param auto_include_flag when set to True, this detector will report a new value only the first time before including it
in the known values set automatically.
"""
self.target_path_list = target_path_list
self.anomaly_event_handlers = anomaly_event_handlers
self.id_path_list = id_path_list
self.min_allowed_time_diff = min_allowed_time_diff
self.allow_missing_values_flag = allow_missing_values_flag
self.auto_include_flag = auto_include_flag
self.output_log_line = output_log_line
self.aminer_config = aminer_config
self.persistence_id = persistence_id
self.log_success = 0
self.log_total = 0
self.log_learned_path_value_combos = 0
self.log_new_learned_values = []
self.persistence_file_name = AMinerConfig.build_persistence_file_name(
aminer_config, self.__class__.__name__, persistence_id)
self.next_persist_time = None
self.load_persistence_data()
PersistenceUtil.add_persistable_component(self)
self.id_dict_current = {}
self.id_dict_old = {}
self.next_shift_time = None
def __init__(self, aminer_config, anomaly_event_handlers, timestamp_path, analyze_path_list, min_bin_elements, min_bin_time,
debug_mode=False, persistence_id='Default', output_log_line=True):
"""
Initialize the detector. This will also trigger reading or creation of persistence storage location.
@param timestamp_path if not None, use this path value for timestamp based bins.
@param analyze_path_list list of match paths to analyze in this detector.
@param min_bin_elements evaluate the latest bin only after at least that number of elements was added to it.
@param min_bin_time evaluate the latest bin only when the first element is received after minBinTime has elapsed.
@param debug_mode if true, generate an analysis report even when average of last bin was within expected range.
"""
self.anomaly_event_handlers = anomaly_event_handlers
self.timestamp_path = timestamp_path
self.min_bin_elements = min_bin_elements
self.min_bin_time = min_bin_time
self.debug_mode = debug_mode
self.next_persist_time = None
self.persistence_id = persistence_id
self.output_log_line = output_log_line
self.aminer_config = aminer_config
PersistenceUtil.add_persistable_component(self)
self.persistence_file_name = AMinerConfig.build_persistence_file_name(aminer_config, 'MatchValueAverageChangeDetector',
persistence_id)
persistence_data = PersistenceUtil.load_json(self.persistence_file_name)
self.stat_data = []
for path in analyze_path_list:
self.stat_data.append((path, [],))
if persistence_data is not None:
for val in persistence_data:
if isinstance(val, str):
val = val.strip('[').strip(']').split(',', 2)
path = val[0].strip('"')
values = val[1].strip(' ').strip('[').strip(']')
else:
path = val[0]
values = val[1]
index = 0
for p, _ in self.stat_data:
if p == path:
break
index += 1
for value in values:
self.stat_data[index][1].append(value)
def __init__(self, program_name, aminer_config):
self.program_name = program_name
self.analysis_context = AnalysisContext(aminer_config)
self.run_analysis_loop_flag = True
self.log_streams_by_name = {}
self.persistence_file_name = AMinerConfig.build_persistence_file_name(
self.analysis_context.aminer_config, self.__class__.__name__ + '/RepositioningData')
self.next_persist_time = time.time() + 600
self.repositioning_data_dict = {}
self.master_control_socket = None
self.remote_control_socket = None
# This dictionary provides a lookup list from file descriptor to associated object for handling the data to and from the given
# descriptor. Currently supported handler objects are:
# * Parent process socket
# * Remote control listening socket
# * LogStreams
# * Remote control connections
self.tracked_fds_dict = {}
# Override the signal handler to allow graceful shutdown.
def graceful_shutdown_handler(_signo, _stack_frame):
"""React on typical shutdown signals."""
msg = '%s: caught signal, shutting down' % program_name
print(msg, file=sys.stderr)
logging.getLogger(AMinerConfig.DEBUG_LOG_NAME).info(msg)
self.run_analysis_loop_flag = False
import signal
signal.signal(signal.SIGHUP, graceful_shutdown_handler)
signal.signal(signal.SIGINT, graceful_shutdown_handler)
signal.signal(signal.SIGTERM, graceful_shutdown_handler)
# Do this on at the end of the initialization to avoid having partially initialized objects inside the registry.
self.analysis_context.add_time_triggered_component(self)
def __init__(self,
aminer_config,
anomaly_event_handlers,
persistence_id='Default',
path_list=None,
min_num_vals=1000,
max_num_vals=1500,
save_values=True,
track_time_for_TSA=False,
waiting_time_for_TSA=300,
num_sections_waiting_time_for_TSA=10):
"""Initialize the detector. This will also trigger reading or creation of persistence storage location."""
self.next_persist_time = time.time() + 600.0
self.anomaly_event_handlers = anomaly_event_handlers
self.num_events = 0
# List of the longest path of the events
self.longest_path = []
# List of the keys corresponding to the events
self.found_keys = []
# List of the keys, which take values in the log-line
self.variable_key_list = []
# List of the values of the log-lines. If the lenght reaches max_num_vals the list gets reduced to min_num_vals values per variable
self.values = []
# Saves the number of lines of the event types
self.num_eventlines = []
# Saves the number of total log-lines
self.total_records = 0
# List of the modules which follow the event_type_detector. The implemented modules are form the list
# [variableTypeDetector, variableCorrelationDetector]
self.following_modules = []
# List of paths, which variables are being tracked. All other paths will not get tracked. If None all paths are being tracked.
self.path_list = path_list
# List of bools, which state if the variables of variable_key_list are updated.
self.check_variables = []
# List ot the time trigger. The first list states the times when something should be triggered, the second list states the indices
# of the eventtyps, or a list of the evnettype, a path and a value which should be counted (-1 for an initialization)
# the third list states, the length of the time window (-1 for a one time trigger)
self.etd_time_trigger = [[], [], []]
# Reference containing the number of lines of the events for the TSA
self.num_eventlines_TSA_ref = []
# Index of the eventtype of the current log line
self.current_index = 0
# Number of the values which the list is being reduced to. Be cautious that this is higher than 'num_min_values'
# in VarTypeD/Cor!!!
self.min_num_vals = min_num_vals
# Maximum number of lines in the value list before it is reduced. > min_num_vals.
self.max_num_vals = max_num_vals
# If False the values of the Token are not saved for further analysis. Disables self.values, and self.check_variables
self.save_values = save_values
# States if the time windows should be tracked for the time series analysis
self.track_time_for_TSA = track_time_for_TSA
# Time in seconds, until the time windows are being initialized
self.waiting_time_for_TSA = waiting_time_for_TSA
# Number of subdivisions of the initialization window. The length of the input-list of the function_Init-funtion is numSubd+1
self.num_sections_waiting_time_for_TSA = num_sections_waiting_time_for_TSA
self.aminer_config = aminer_config
# Loads the persistence
PersistenceUtil.add_persistable_component(self)
self.persistence_file_name = AMinerConfig.build_persistence_file_name(
aminer_config, self.__class__.__name__, persistence_id)
persistence_data = PersistenceUtil.load_json(
self.persistence_file_name)
# Imports the persistence
if persistence_data is not None:
for key in persistence_data[0]:
self.found_keys.append(set(key))
self.variable_key_list = persistence_data[1]
self.values = persistence_data[2]
self.longest_path = persistence_data[3]
self.check_variables = persistence_data[4]
self.num_eventlines = persistence_data[5]
self.etd_time_trigger = persistence_data[6]
self.num_eventlines_TSA_ref = persistence_data[7]
self.num_events = len(self.found_keys)
else:
if self.track_time_for_TSA:
self.etd_time_trigger[0].append(-1)
self.etd_time_trigger[1].append(-1)
self.etd_time_trigger[2].append(-1)
