wip: new(anomalydetection): Initial Scope - CountMinSketch Powered Probabilistic Counting and Filtering #419
Conversation
Signed-off-by: Melissa Kilby <[email protected]>
poiana
added
do-not-merge/work-in-progress
kind/design
dco-signoff: yes
kind/feature
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: incertum The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Melissa Kilby <[email protected]>
Signed-off-by: Melissa Kilby <[email protected]>
incertum
force-pushed
the
anomaly-detection-1
branch
2 times, most recently
from
c72e9de
to
f5bb677
Compare
incertum
force-pushed
the
anomaly-detection-1
branch
3 times, most recently
from
fdd5401
to
09a1864
Compare
incertum
force-pushed
the
anomaly-detection-1
branch
from
09a1864
to
504b497
Compare
Signed-off-by: Melissa Kilby <[email protected]>
incertum
force-pushed
the
anomaly-detection-1
branch
from
504b497
to
78a8cec
Compare
| m_exe_writable = m_thread_table.get_field(t.fields(), "exe_writable", st::SS_PLUGIN_ST_BOOL); | ||
| m_exe_upper_layer = m_thread_table.get_field(t.fields(), "exe_upper_layer", st::SS_PLUGIN_ST_BOOL); | ||
| m_exe_from_memfd = m_thread_table.get_field(t.fields(), "exe_from_memfd", st::SS_PLUGIN_ST_BOOL); | ||
| // m_args = m_thread_table.get_field(t.fields(), "args", TBD); |
There was a problem hiding this comment.
@jasondellaluce what data type would this be for the cmd args? And what data types would it be for the fd sub table fields, like the fd_name? Please note that falcosecurity::state_value_type does not yet have the new data types. We would need an SDK upgrade. Do you have a timeline wrt when they will be available? Thanks.
| m_container_id.read_value(tr, thread_entry, tstr); | ||
| break; | ||
| case plugin_sinsp_filterchecks::TYPE_NAME: | ||
| m_comm.read_value(tr, thread_entry, tstr); |
There was a problem hiding this comment.
@jasondellaluce how would you read the cmd args? See also the previous comments. Same question for fd_name.
|
|
||
| bool anomalydetection::extract_filterchecks_concat_profile(int64_t thread_id, const falcosecurity::table_reader &tr, const std::vector<plugin_sinsp_filterchecks_field>& fields, std::string& behavior_profile_concat_str) | ||
| { | ||
| falcosecurity::table_entry thread_entry = m_thread_table.get_entry(tr, thread_id); |
There was a problem hiding this comment.
@jasondellaluce Would there be something needed to access the subtables for example for the cmd args and fd_name?
| break; | ||
| case plugin_sinsp_filterchecks::TYPE_ANAME: | ||
| { | ||
| // todo: check implications of main thread as it's part of the libs implementation |
There was a problem hiding this comment.
@jasondellaluce does the plugin have enough access to information to perform similar checks like we do in libs?
Signed-off-by: Jason Dellaluce <[email protected]>
Signed-off-by: Jason Dellaluce <[email protected]>
What type of PR is this?
/kind design
/kind feature
Any specific area of the project related to this PR?
/area plugins
What this PR does / why we need it:
Introduce a new
anomalydetectionplugin, as outlined in the Proposal.Which issue(s) this PR fixes:
falcosecurity/falco#3117
Fixes #
Special notes for your reviewer: