Update the protocol inference test infra with Mongo changes #1758
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…o reflect new mongo captures Signed-off-by: Kartik Pattaswamy <kpattaswamy@pixielabs.ai>
ddelnano
reviewed
Nov 1, 2023
ddelnano
reviewed
Nov 1, 2023
ddelnano
approved these changes
Nov 1, 2023
JamesMBartlett
approved these changes
Nov 2, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary: Previously, the TShark command in the
dataset_generationscript was not able to decode Mongo pcap files and insert them to the dataset for evaluation. This PR adds a flag to the TShark command to decode traffic running through port 27017 as Mongo. The readme is also updated to provide information about the bidirectional connection level dataset.Updates to the confusion matrix
In the previous image, the connections per protocol in the dataset seem to have been duplicated leading to a large number of connections per protocol. This may have been due to the
dataset_generationscript appending data to the.tsvfiles each time it was ran even though the underlying pcap file content/counts not being altered.Running the
dataset_generationscript with empty.tsvfiles with the same pcap files followed by theevalscript resulted in a matrix showing much fewer number of connections per protocol, suggesting that there may have been duplication in the dataset previously.The connection counts for each protocol in the older dataset seem to have increased by a factor of 4x or 8x the count as the new dataset and makes sense as to why the inference accuracy remained constant between the old/new matrix.
The TLS connection count had dropped in the new matrix by the previous number of Mongo connections (432) due to the new TShark command decoding mongo connections. The Mongo captures may have been previously captured in one of the early iterations of running the
dataset_generationscript and not updated since in the old dataset.New mongo additions
In the old dataset, the Mongo pcap files were mainly of type
OP_QUERYwhich is an opcode that Stirling does not currently process. More mongo pcap files of typeOP_MSGwere added to test the existing inference rule and this resulted in 0.9% being mislabeled asunknowndue to request side data missing from the connection and the existing rule not supporting response side inference forOP_MSGpackets. 0.7% was mislabeled aspgsqldue to request side data also missing from the connection and the opcode of the packet being one which is not is not recognizable by Stirling.Related issues: #640
Type of change: /kind test-infra
Test Plan: Ran the dataset generation and evaluation scripts with the new TShark flag and verified the
.tsvfiles were created appropriately and the confusion matrix was as expected.