wip: new(anomalydetection): Initial Scope - CountMinSketch Powered Probabilistic Counting and Filtering #419
Conversation
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
poiana
added
do-not-merge/work-in-progress
kind/design
dco-signoff: yes
kind/feature
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: incertum The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
incertum
force-pushed
the
anomaly-detection-1
branch
2 times, most recently
from
c72e9de
to
f5bb677
Compare
| auto& req = in.get_extract_request(); | ||
| uint64_t count_min_sketch_estimate = 0; | ||
| // todo fix settings to allow arg index in field | ||
| auto index = req.get_arg_index(); |
There was a problem hiding this comment.
@jasondellaluce may I ask for some guidance re how to make the arg indices available? The idea is to support notations like anomaly.count_min_sketch[2] etc. It should be possible, just not sure how. Thanks in advance!
There was a problem hiding this comment.
In std::vector<falcosecurity::field_info> anomalydetection::get_fields() you are defining the list of available fields. In each, when doing {...} you're invoking their constructor and defining them one by one. The 5th (and optional) argument of that constructor is the field arg, which is a substruct you can define to represent what the argument for that field looks like: https://github.com/falcosecurity/plugin-sdk-cpp/blob/efa5564221cea590eaf727a7a26e655515848c2b/include/falcosecurity/types.h#L149
Example:
...
{
ft::FTYPE_UINT64,
"anomaly.count_min_sketch",
"Count Min Sketch Estimate",
"Count Min Sketch Estimate according to the specified behavior profile for a predefined set of {syscalls} events. Access different behavior profiles/sketches using indices. For instance, anomaly.count_min_sketch[0] retrieves the first behavior profile defined in the plugins' `init_config`.",
{ // field arg
false, // key
true, // index
false, // required (don't know, maybe it is -- you know better)
}
},
...
After this declaration, the framework (libs) will handle all the syntax parsing for you and will provide you the user-defined argument, which you can access through req.get_arg_index()
There was a problem hiding this comment.
Thank you! I see it's a sub struct 🙃 works like a charm now!
incertum
force-pushed
the
anomaly-detection-1
branch
from
f5bb677
to
bde5bcd
Compare
Signed-off-by: Melissa Kilby <melissa.kilby.oss@gmail.com>
incertum
force-pushed
the
anomaly-detection-1
branch
from
bde5bcd
to
fdd5401
Compare
What type of PR is this?
/kind design
/kind feature
Any specific area of the project related to this PR?
/area plugins
What this PR does / why we need it:
Introduce a new
anomalydetectionplugin, as outlined in the Proposal.Which issue(s) this PR fixes:
falcosecurity/falco#3117
Fixes #
Special notes for your reviewer: