Using advanced data structures to enable responsive security monitoring

Vorobyeva, Janet; Delayo, Daniel R.; Bender, Michael A.; Farach-Colton, Martín; Pandey, Prashant; Phillips, Cynthia Ann; Singh, Shikha; Thomas, Eric D.; Kroeger, Thomas M.

doi:10.1007/s10586-021-03463-5

Using advanced data structures to enable responsive security monitoring

Journal Article · Sun Jan 23 23:00:00 EST 2022 · Cluster Computing

DOI:https://doi.org/10.1007/s10586-021-03463-5· OSTI ID:1883172

Vorobyeva, Janet ^[1]; Delayo, Daniel R. ^[2]; Bender, Michael A. ^[2]; Farach-Colton, Martín ^[3]; Pandey, Prashant ^[4]; Phillips, Cynthia Ann ^[1]; Singh, Shikha ^[5]; Thomas, Eric D. ^[1]; ^[1]

Sandia National Lab. (SNL-NM), Albuquerque, NM (United States)
Stony Brook Univ., NY (United States)
Rutgers Univ., New Brunswick, NJ (United States)
Lawrence Berkeley National Lab. (LBNL), Berkeley, CA (United States)
Williams College, Williamstown, MA (United States)

Write-optimized data structures (WODS), offer the potential to keep up with cyberstream event rates and give sub-second query response for key items like IP addresses. These data structures organize logs as the events are observed. To work in a real-world environment and not fill up the disk, WODS must efficiently expire older events. As the basis for our research into organizing security monitoring data, we implemented a tool, called Diventi, to index IP addresses in connection logs using RocksDB (a write-optimized LSM tree). In this work, we extended Diventi to automatically expire data as part of the data structures’ normal operations. We guarantee that Diventi always tracks the N most recent events and tracks no more than N + k events for a parameter k < N, while ensuring the index is opportunistically pruned. To test Diventi at scale in a controlled environment, we used anonymized traces of IP communications collected at SuperComputing 2019. We synthetically extended the 2.4 billion connection events to 100 billion events. We tested Diventi vs. Elasticsearch, a common log indexing tool. In our test environment, Elasticsearch saw an ingestion rate of at best 37,000 events/s while Diventi sustained ingestion rates greater than 171,000 events/s. Our query response times were as much as 100 times faster, typically answering queries in under 80 ms. Furthermore, we saw no noticeable degradation in Diventi from expiration. We have deployed Diventi for many months where it has performed well and supported new security analysis capabilities.

Research Organization:: Sandia National Laboratories (SNL-NM), Albuquerque, NM (United States)

Sponsoring Organization:: USDOE National Nuclear Security Administration (NNSA); USDOE Laboratory Directed Research and Development (LDRD) Program; National Science Foundation (NSF)

Grant/Contract Number:: NA0003525

OSTI ID:: 1883172

Report Number(s):: SAND2021-15479J; 702298

Journal Information:: Cluster Computing, Journal Name: Cluster Computing Journal Issue: 4 Vol. 25; ISSN 1386-7857

Publisher:: SpringerCopyright Statement

Country of Publication:: United States

Language:: English

References (10)

The log-structured merge-tree (LSM-tree) O’Neil, Patrick; Cheng, Edward; Gawlick, Dieter Acta Informatica, Vol. 33, Issue 4 https://doi.org/10.1007/s002360050048	journal	June 1996
Bro: a system for detecting network intruders in real-time Paxson, Vern Computer Networks, Vol. 31, Issue 23-24 https://doi.org/10.1016/S1389-1286(99)00112-7	journal	December 1999
Cache-Oblivious Dynamic Dictionaries with Update/Query Tradeoffs Brodal, Gerth Stølting; Demaine, Erik D.; Fineman, Jeremy T. Proceedings of the Twenty-First Annual ACM-SIAM Symposium on Discrete Algorithms https://doi.org/10.1137/1.9781611973075.117	conference	January 2010
Cache-oblivious streaming B-trees Bender, Michael A.; Farach-Colton, Martin; Fineman, Jeremy T. Proceedings of the nineteenth annual ACM symposium on Parallel algorithms and architectures - SPAA '07 https://doi.org/10.1145/1248377.1248393	conference	January 2007
Bigtable: A Distributed Storage System for Structured Data Chang, Fay; Dean, Jeffrey; Ghemawat, Sanjay ACM Transactions on Computer Systems, Vol. 26, Issue 2 https://doi.org/10.1145/1365815.1365816	journal	June 2008
Cassandra: a decentralized structured storage system Lakshman, Avinash; Malik, Prashant ACM SIGOPS Operating Systems Review, Vol. 44, Issue 2 https://doi.org/10.1145/1773912.1773922	journal	April 2010
Timely Reporting of Heavy Hitters using External Memory Pandey, Prashant; Singh, Shikha; Bender, Michael A. Proceedings of the 2020 ACM SIGMOD International Conference on Management of Data https://doi.org/10.1145/3318464.3380598	conference	May 2020
Lethe: A Tunable Delete-Aware LSM Engine Sarkar, Subhadeep; Papon, Tarikul Islam; Staratzis, Dimitris Proceedings of the 2020 ACM SIGMOD International Conference on Management of Data https://doi.org/10.1145/3318464.3389757	conference	May 2020
Space/time trade-offs in hash coding with allowable errors Bloom, Burton H. Communications of the ACM, Vol. 13, Issue 7, p. 422-426 https://doi.org/10.1145/362686.362692	journal	July 1970
MyRocks Matsunobu, Yoshinori; Dong, Siying; Lee, Herman Proceedings of the VLDB Endowment, Vol. 13, Issue 12 https://doi.org/10.14778/3415478.3415546	journal	August 2020

Similar Records

Diventi

Software · Tue Dec 10 19:00:00 EST 2019 · OSTI ID:code-46580

Data Architecture for Security Monitoring (Project Summary)

Technical Report · Sun Sep 01 00:00:00 EDT 2019 · OSTI ID:1569410

Efficient Databases for MPC Microdata (Final Report)

Technical Report · Thu Aug 16 00:00:00 EDT 2012 · OSTI ID:1048538

Related Subjects

97 MATHEMATICS AND COMPUTING
Expiration
Network monitoring
Security monitoring
Write-optimized

Using advanced data structures to enable responsive security monitoring

Citation Formats

References (10)

Similar Records

Related Subjects