Efficiency Insights from Sigma Rule Detections in Spark Streaming | by Jean-Claude Cote | Jun, 2024

Using Sigma guidelines for anomaly detection in cybersecurity logs: A research on efficiency optimization

One of many roles of the Canadian Centre for Cyber Security (CCCS) is to detect anomalies and concern mitigations as shortly as potential.

Whereas placing our Sigma rule detections into manufacturing, we made an fascinating remark in our Spark streaming utility. Working a single giant SQL assertion expressing 1000 Sigma detection guidelines was slower than operating 5 separate queries, every making use of 200 Sigma guidelines. This was shocking, as operating 5 queries forces Spark to learn the supply information 5 occasions somewhat than as soon as. For additional particulars, please consult with our sequence of articles:

Given the huge quantity of telemetry information and detection guidelines we have to execute, each achieve in efficiency yields important price financial savings. Due to this fact, we determined to research this peculiar remark, aiming to clarify it and probably uncover further alternatives to enhance efficiency. We discovered a number of issues alongside the way in which and wished to share them with the broader group.

Introduction

Our hunch was that we had been reaching a restrict in Spark’s code era. So, somewhat background on this matter is required. In 2014, Spark launched code era to guage expressions of the shape (id > 1 and id > 2) and (id < 1000 or (id + id) = 12). This text from Databricks explains it very nicely: Exciting Performance Improvements on the Horizon for Spark SQL

Two years later, Spark launched Entire-Stage Code Era. This optimization merges a number of operators collectively right into a single Java perform. Like expression code era, Entire-Stage Code Era eliminates digital perform calls and leverages CPU registers for intermediate information. Nevertheless, somewhat than being on the expression degree, it’s utilized on the operator degree. Operators are the nodes in an execution plan. To search out out extra, learn Apache Spark as a Compiler: Joining a Billion Rows per Second on a Laptop

To summarize these articles, let’s generate the plan for this straightforward question:

clarify codegen
choose
id,
(id > 1 and id > 2) and (id < 1000 or (id + id) = 12) as check  
from
vary(0, 10000, 1, 32)

On this easy question, we’re utilizing two operators: Vary to generate rows and Choose to carry out a projection. We see these operators within the question’s bodily plan. Discover the asterisk (*) beside the nodes and their related [codegen id : 1]. This means that these two operators had been merged right into a single Java perform utilizing Entire-Stage Code Era.

|== Bodily Plan ==
* Undertaking (2)
+- * Vary (1)
(1) Vary [codegen id : 1]
Output [1]: [id#36167L]
Arguments: Vary (0, 10000, step=1, splits=Some(32))
(2) Undertaking [codegen id : 1]
Output [2]: [id#36167L, (((id#36167L > 1) AND (id#36167L > 2)) AND ((id#36167L < 1000) OR ((id#36167L + id#36167L) = 12))) AS test#36161]
Enter [1]: [id#36167L]

The generated code clearly exhibits the 2 operators being merged.

Generated code:
/* 001 */ public Object generate(Object[] references) {
/* 002 */   return new GeneratedIteratorForCodegenStage1(references);
/* 003 */ }
/* 004 */
/* 005 */ // codegenStageId=1
/* 006 */ ultimate class GeneratedIteratorForCodegenStage1 extends org.apache.spark.sql.execution.BufferedRowIterator {
/* 007 */   non-public Object[] references;
/* 008 */   non-public scala.assortment.Iterator[] inputs;
/* 009 */   non-public boolean range_initRange_0;
/* 010 */   non-public lengthy range_nextIndex_0;
/* 011 */   non-public TaskContext range_taskContext_0;
/* 012 */   non-public InputMetrics range_inputMetrics_0;
/* 013 */   non-public lengthy range_batchEnd_0;
/* 014 */   non-public lengthy range_numElementsTodo_0;
/* 015 */   non-public org.apache.spark.sql.catalyst.expressions.codegen.UnsafeRowWriter[] range_mutableStateArray_0 = new org.apache.spark.sql.catalyst.expressions.codegen.UnsafeRowWriter[3];
/* 016 */
/* 017 */   public GeneratedIteratorForCodegenStage1(Object[] references) {
/* 018 */     this.references = references;
/* 019 */   }
/* 020 */
/* 021 */   public void init(int index, scala.assortment.Iterator[] inputs) {
/* 022 */     partitionIndex = index;
/* 023 */     this.inputs = inputs;
/* 024 */
/* 025 */     range_taskContext_0 = TaskContext.get();
/* 026 */     range_inputMetrics_0 = range_taskContext_0.taskMetrics().inputMetrics();
/* 027 */     range_mutableStateArray_0[0] = new org.apache.spark.sql.catalyst.expressions.codegen.UnsafeRowWriter(1, 0);
/* 028 */     range_mutableStateArray_0[1] = new org.apache.spark.sql.catalyst.expressions.codegen.UnsafeRowWriter(1, 0);
/* 029 */     range_mutableStateArray_0[2] = new org.apache.spark.sql.catalyst.expressions.codegen.UnsafeRowWriter(2, 0);
/* 030 */
/* 031 */   }
/* 032 */
/* 033 */   non-public void project_doConsume_0(lengthy project_expr_0_0) throws java.io.IOException {
/* 034 */     // widespread sub-expressions
/* 035 */
/* 036 */     boolean project_value_4 = false;
/* 037 */     project_value_4 = project_expr_0_0 > 1L;
/* 038 */     boolean project_value_3 = false;
/* 039 */
/* 040 */     if (project_value_4) {
/* 041 */       boolean project_value_7 = false;
/* 042 */       project_value_7 = project_expr_0_0 > 2L;
/* 043 */       project_value_3 = project_value_7;
/* 044 */     }
/* 045 */     boolean project_value_2 = false;
/* 046 */
/* 047 */     if (project_value_3) {
/* 048 */       boolean project_value_11 = false;
/* 049 */       project_value_11 = project_expr_0_0 < 1000L;
/* 050 */       boolean project_value_10 = true;
/* 051 */
/* 052 */       if (!project_value_11) {
/* 053 */         lengthy project_value_15 = -1L;
/* 054 */
/* 055 */         project_value_15 = project_expr_0_0 + project_expr_0_0;
/* 056 */
/* 057 */         boolean project_value_14 = false;
/* 058 */         project_value_14 = project_value_15 == 12L;
/* 059 */         project_value_10 = project_value_14;
/* 060 */       }
/* 061 */       project_value_2 = project_value_10;
/* 062 */     }
/* 063 */     range_mutableStateArray_0[2].reset();
/* 064 */
/* 065 */     range_mutableStateArray_0[2].write(0, project_expr_0_0);
/* 066 */
/* 067 */     range_mutableStateArray_0[2].write(1, project_value_2);
/* 068 */     append((range_mutableStateArray_0[2].getRow()));
/* 069 */
/* 070 */   }
/* 071 */
/* 072 */   non-public void initRange(int idx) {
/* 073 */     java.math.BigInteger index = java.math.BigInteger.valueOf(idx);
/* 074 */     java.math.BigInteger numSlice = java.math.BigInteger.valueOf(32L);
/* 075 */     java.math.BigInteger numElement = java.math.BigInteger.valueOf(10000L);
/* 076 */     java.math.BigInteger step = java.math.BigInteger.valueOf(1L);
/* 077 */     java.math.BigInteger begin = java.math.BigInteger.valueOf(0L);
/* 078 */     lengthy partitionEnd;
/* 079 */
/* 080 */     java.math.BigInteger st = index.multiply(numElement).divide(numSlice).multiply(step).add(begin);
/* 081 */     if (st.compareTo(java.math.BigInteger.valueOf(Lengthy.MAX_VALUE)) > 0) {
/* 082 */       range_nextIndex_0 = Lengthy.MAX_VALUE;
/* 083 */     } else if (st.compareTo(java.math.BigInteger.valueOf(Lengthy.MIN_VALUE)) < 0) {
/* 084 */       range_nextIndex_0 = Lengthy.MIN_VALUE;
/* 085 */     } else {
/* 086 */       range_nextIndex_0 = st.longValue();
/* 087 */     }
/* 088 */     range_batchEnd_0 = range_nextIndex_0;
/* 089 */
/* 090 */     java.math.BigInteger finish = index.add(java.math.BigInteger.ONE).multiply(numElement).divide(numSlice)
/* 091 */     .multiply(step).add(begin);
/* 092 */     if (finish.compareTo(java.math.BigInteger.valueOf(Lengthy.MAX_VALUE)) > 0) {
/* 093 */       partitionEnd = Lengthy.MAX_VALUE;
/* 094 */     } else if (finish.compareTo(java.math.BigInteger.valueOf(Lengthy.MIN_VALUE)) < 0) {
/* 095 */       partitionEnd = Lengthy.MIN_VALUE;
/* 096 */     } else {
/* 097 */       partitionEnd = finish.longValue();
/* 098 */     }
/* 099 */
/* 100 */     java.math.BigInteger startToEnd = java.math.BigInteger.valueOf(partitionEnd).subtract(
/* 101 */       java.math.BigInteger.valueOf(range_nextIndex_0));
/* 102 */     range_numElementsTodo_0  = startToEnd.divide(step).longValue();
/* 103 */     if (range_numElementsTodo_0 < 0) {
/* 104 */       range_numElementsTodo_0 = 0;
/* 105 */     } else if (startToEnd.the rest(step).compareTo(java.math.BigInteger.valueOf(0L)) != 0) {
/* 106 */       range_numElementsTodo_0++;
/* 107 */     }
/* 108 */   }
/* 109 */
/* 110 */   protected void processNext() throws java.io.IOException {
/* 111 */     // initialize Vary
/* 112 */     if (!range_initRange_0) {
/* 113 */       range_initRange_0 = true;
/* 114 */       initRange(partitionIndex);
/* 115 */     }
/* 116 */
/* 117 */     whereas (true) {
/* 118 */       if (range_nextIndex_0 == range_batchEnd_0) {
/* 119 */         lengthy range_nextBatchTodo_0;
/* 120 */         if (range_numElementsTodo_0 > 1000L) {
/* 121 */           range_nextBatchTodo_0 = 1000L;
/* 122 */           range_numElementsTodo_0 -= 1000L;
/* 123 */         } else {
/* 124 */           range_nextBatchTodo_0 = range_numElementsTodo_0;
/* 125 */           range_numElementsTodo_0 = 0;
/* 126 */           if (range_nextBatchTodo_0 == 0) break;
/* 127 */         }
/* 128 */         range_batchEnd_0 += range_nextBatchTodo_0 * 1L;
/* 129 */       }
/* 130 */
/* 131 */       int range_localEnd_0 = (int)((range_batchEnd_0 - range_nextIndex_0) / 1L);
/* 132 */       for (int range_localIdx_0 = 0; range_localIdx_0 < range_localEnd_0; range_localIdx_0++) {
/* 133 */         lengthy range_value_0 = ((lengthy)range_localIdx_0 * 1L) + range_nextIndex_0;
/* 134 */
/* 135 */         project_doConsume_0(range_value_0);
/* 136 */
/* 137 */         if (shouldStop()) {
/* 138 */           range_nextIndex_0 = range_value_0 + 1L;
/* 139 */           ((org.apache.spark.sql.execution.metric.SQLMetric) references[0] /* numOutputRows */).add(range_localIdx_0 + 1);
/* 140 */           range_inputMetrics_0.incRecordsRead(range_localIdx_0 + 1);
/* 141 */           return;
/* 142 */         }
/* 143 */
/* 144 */       }
/* 145 */       range_nextIndex_0 = range_batchEnd_0;
/* 146 */       ((org.apache.spark.sql.execution.metric.SQLMetric) references[0] /* numOutputRows */).add(range_localEnd_0);
/* 147 */       range_inputMetrics_0.incRecordsRead(range_localEnd_0);
/* 148 */       range_taskContext_0.killTaskIfInterrupted();
/* 149 */     }
/* 150 */   }
/* 151 */
/* 152 */ }

The project_doConsume_0 perform accommodates the code to guage (id > 1 and id > 2) and (id < 1000 or (id + id) = 12). Discover how this code is generated to guage this particular expression. That is an illustration of expression code era.

The entire class is an operator with a processNext methodology. This generated operator performs each the Projection and the Vary operations. Contained in the whereas loop at line 117, we see the code to provide rows and a particular name (not a digital perform) to project_doConsume_0. This illustrates what Entire-Stage Code Era does.

Breaking Down the Efficiency

Now that we now have a greater understanding of Spark’s code era, let’s attempt to clarify why breaking a question doing 1000 Sigma guidelines into smaller ones performs higher. Let’s contemplate a SQL assertion that evaluates two Sigma guidelines. These guidelines are easy: Rule1 matches occasions with an Imagepath ending in ‘schtask.exe’, and Rule2 matches an Imagepath beginning with ‘d:’.

choose /* #3 */
Imagepath,
CommandLine,
PID,
map_keys(map_filter(results_map, (ok,v) -> v = TRUE)) as matching_rules
from (
choose /* #2 */
*,
map('rule1', rule1, 'rule2', rule2) as results_map
from (
choose /* #1 */
*,
(lower_Imagepath like '%schtasks.exe') as rule1,
(lower_Imagepath like 'd:%') as rule2
from (
choose 
decrease(PID) as lower_PID,
decrease(CommandLine) as lower_CommandLine,
decrease(Imagepath) as lower_Imagepath,
*
from (
choose
uuid() as PID,
uuid() as CommandLine,
uuid() as Imagepath,
id 
from
vary(0, 10000, 1, 32)
)
)
)
)

The choose labeled #1 performs the detections and shops the leads to new columns named rule1 and rule2. Choose #2 regroups these columns below a single results_map, and at last choose #3 transforms the map into an array of matching guidelines. It makes use of map_filter to maintain solely the entries of guidelines that truly matched, after which map_keys is used to transform the map entries into an inventory of matching rule names.

Let’s print out the Spark execution plan for this question:

== Bodily Plan ==
Undertaking (4)
+- * Undertaking (3)
+- * Undertaking (2)
+- * Vary (1)
...
(4) Undertaking
Output [4]: [Imagepath#2, CommandLine#1, PID#0, map_keys(map_filter(map(rule1, EndsWith(lower_Imagepath#5, schtasks.exe), rule2, StartsWith(lower_Imagepath#5, d:)), lambdafunction(lambda v#12, lambda k#11, lambda v#12, false))) AS matching_rules#9]
Enter [4]: [lower_Imagepath#5, PID#0, CommandLine#1, Imagepath#2]

Discover that node Undertaking (4) is just not code generated. Node 4 has a lambda perform, does it forestall entire stage code era? Extra on this later.

This question is just not fairly what we would like. We wish to produce a desk of occasions with a column indicating the rule that was matched. One thing like this:

+--------------------+--------------------+--------------------+--------------+
|           Imagepath|         CommandLine|                 PID|  matched_rule|
+--------------------+--------------------+--------------------+--------------+
|09401675-dc09-4d0...|6b8759ee-b55a-486...|44dbd1ec-b4e0-488...|         rule1|
|e2b4a0fd-7b88-417...|46dd084d-f5b0-4d7...|60111cf8-069e-4b8...|         rule1|
|1843ee7a-a908-400...|d1105cec-05ef-4ee...|6046509a-191d-432...|         rule2|
+--------------------+--------------------+--------------------+--------------+

That’s straightforward sufficient. We simply must explode the matching_rules column.

choose
Imagepath,
CommandLine,
PID,
matched_rule
from (
choose
*,
explode(matching_rules) as matched_rule
from (
/* authentic assertion */
)
)

This produces two further operators: Generate (6) and Undertaking (7). Nevertheless, there’s additionally a brand new Filter (3).

== Bodily Plan ==
* Undertaking (7)
+- * Generate (6)
+- Undertaking (5)
+- * Undertaking (4)
+- Filter (3)
+- * Undertaking (2)
+- * Vary (1)
...
(3) Filter
Enter [3]: [PID#34, CommandLine#35, Imagepath#36]
Situation : (dimension(map_keys(map_filter(map(rule1, EndsWith(decrease(Imagepath#36),
schtasks.exe), rule2, StartsWith(decrease(Imagepath#36), d:)), 
lambdafunction(lambda v#47, lambda ok#46, lambda v#47, false))), true) > 0)
...
(6) Generate [codegen id : 3]
Enter [4]: [PID#34, CommandLine#35, Imagepath#36, matching_rules#43]
Arguments: explode(matching_rules#43), [PID#34, CommandLine#35, Imagepath#36], false, [matched_rule#48]
(7) Undertaking [codegen id : 3]
Output [4]: [Imagepath#36, CommandLine#35, PID#34, matched_rule#48]
Enter [4]: [PID#34, CommandLine#35, Imagepath#36, matched_rule#48]

The explode perform generates rows for each component within the array. When the array is empty, explode doesn’t produce any rows, successfully filtering out rows the place the array is empty.

Spark has an optimization rule that detects the explode perform and produces this extra situation. The filter is an try by Spark to short-circuit processing as a lot as potential. The supply code for this rule, named org.apache.spark.sql.catalyst.optimizer.InferFiltersFromGenerate, explains it like this:

Infers filters from Generate, such that rows that might have been eliminated by this Generate will be eliminated earlier — earlier than joins and in information sources.

For extra particulars on how Spark optimizes execution plans please consult with David Vrba’s article Mastering Query Plans in Spark 3.0

One other query arises: will we profit from this extra filter? Discover this extra filter is just not whole-stage code generated both, presumably due to the lambda perform. Let’s attempt to categorical the identical question however with out utilizing a lambda perform.

As a substitute, we will put the rule leads to a map, explode the map, and filter out the rows, thereby bypassing the necessity for map_filter.

choose
Imagepath,
CommandLine,
PID,
matched_rule
from (
choose
*
from (
choose
*,
explode(results_map) as (matched_rule, matched_result)
from (
/* authentic assertion */
)
)
the place
matched_result = TRUE
)

The choose #3 operation explodes the map into two new columns. The matched_rule column will maintain the important thing, representing the rule title, whereas the matched_result column will comprise the results of the detection check. To filter the rows, we merely maintain solely these with a optimistic matched_result.

The bodily plan signifies that every one nodes are whole-stage code generated right into a single Java perform, which is promising.

== Bodily Plan ==
* Undertaking (8)
+- * Filter (7)
+- * Generate (6)
+- * Undertaking (5)
+- * Undertaking (4)
+- * Filter (3)
+- * Undertaking (2)
+- * Vary (1)

Let’s conduct some checks to match the efficiency of the question utilizing map_filter and the one utilizing explode then filter.

We ran these checks on a machine with 4 CPUs. We generated 1 million rows, every with 100 guidelines, and every rule evaluating 5 expressions. These checks had been run 5 occasions.

On common

• map_filter took 42.6 seconds
• explode_then_filter took 51.2 seconds

So, map_filter is barely quicker regardless that it’s not utilizing whole-stage code era.

Nevertheless, in our manufacturing question, we execute many extra Sigma guidelines — a complete of 1000 guidelines. This consists of 29 regex expressions, 529 equals, 115 starts-with, 2352 ends-with, and 5838 accommodates expressions. Let’s check our question once more, however this time with a slight enhance within the variety of expressions, utilizing 7 as an alternative of 5 per rule. Upon doing this, we encountered an error in our logs:

Attributable to: org.codehaus.commons.compiler.InternalCompilerException: Code grows past 64 KB

We tried growing spark.sql.codegen.maxFields and spark.sql.codegen.hugeMethodLimit, however basically, Java courses have a perform dimension restrict of 64 KB. Moreover, the JVM JIT compiler limits itself to compiling capabilities smaller than 8 KB.

Nevertheless, the question nonetheless runs high quality as a result of Spark falls again to the Volcano execution mannequin for sure elements of the plan. WholeStageCodeGen is simply an optimization in any case.

Working the identical check as earlier than however with 7 expressions per rule somewhat than 5, explode_then_filter is way quicker than map_filter.

• map_filter took 68.3 seconds
• explode_then_filter took 15.8 seconds

Growing the variety of expressions causes elements of the explode_then_filter to not be whole-stage code generated. Specifically, the Filter operator launched by the rule org.apache.spark.sql.catalyst.optimizer.InferFiltersFromGenerate is just too huge to be integrated into whole-stage code era. Let’s see what occurs if we exclude the InferFiltersFromGenerate rule:

spark.sql("SET spark.sql.optimizer.excludedRules=org.apache.spark.sql.catalyst.optimizer.InferFiltersFromGenerate")

As anticipated, the bodily plan of each queries not has an extra Filter operator.

== Bodily Plan ==
* Undertaking (6)
+- * Generate (5)
+- Undertaking (4)
+- * Undertaking (3)
+- * Undertaking (2)
+- * Vary (1)
== Bodily Plan ==
* Undertaking (7)
+- * Filter (6)
+- * Generate (5)
+- * Undertaking (4)
+- * Undertaking (3)
+- * Undertaking (2)
+- * Vary (1)

Eradicating the rule certainly had a big influence on efficiency:

• map_filter took 22.49 seconds
• explode_then_filter took 4.08 seconds

Each queries benefited vastly from eradicating the rule. Given the improved efficiency, we determined to extend the variety of Sigma guidelines to 500 and the complexity to 21 expressions:

Outcomes:

• map_filter took 195.0 seconds
• explode_then_filter took 25.09 seconds

Regardless of the elevated complexity, each queries nonetheless ship fairly good efficiency, with explode_then_filter considerably outperforming map_filter.

It’s fascinating to discover the totally different features of code era employed by Spark. Whereas we might not at the moment profit from whole-stage code era, we will nonetheless achieve benefits from expression era.

Expression era doesn’t face the identical limitations as whole-stage code era. Very giant expression bushes will be damaged into smaller ones, and Spark’s spark.sql.codegen.methodSplitThreshold controls how these are damaged up. Though we experimented with this property, we didn’t observe important enhancements. The default setting appears passable.

Spark gives a debugging property named spark.sql.codegen.factoryMode, which will be set to FALLBACK, CODEGEN_ONLY, or NO_CODEGEN. We are able to flip off expression code era by setting spark.sql.codegen.factoryMode=NO_CODEGEN, which leads to a drastic efficiency degradation:

With 500 guidelines and 21 expressions:

• map_filter took 1581 seconds
• explode_then_filter took 122.31 seconds.

Despite the fact that not all operators take part in whole-stage code era, we nonetheless observe important advantages from expression code era.

The Outcomes

With our greatest case of 25.1 seconds to guage 10,500 expressions on 1 million rows, we obtain a really respectable charge of 104 million expressions per second per CPU.

The takeaway from this research is that when evaluating a lot of expressions, we profit from changing our queries that use map_filter to ones utilizing an explode then filter strategy. Moreover, the org.apache.spark.sql.catalyst.optimizer.InferFiltersFromGenerate rule doesn’t appear useful in our use case, so we must always exclude that rule from our queries.

Does it Clarify our Preliminary Observations?

Implementing these classes discovered in our manufacturing jobs yielded important advantages. Nevertheless, even after these optimizations, splitting the big question into a number of smaller ones continued to offer benefits. Upon additional investigation, we found that this was not solely because of code era however somewhat a less complicated rationalization.

Spark streaming operates by operating a micro-batch to completion after which checkpoints its progress earlier than beginning a brand new micro-batch.

Throughout every micro-batch, Spark has to finish all its duties, usually 200. Nevertheless, not all duties are created equal. Spark employs a round-robin technique to distribute rows amongst these duties. So, now and again, some duties can comprise occasions with giant attributes, for instance, a really giant command line, inflicting sure duties to complete shortly whereas others take for much longer. For instance right here the distribution of a micro-batch process execution time. The median process time is 14 seconds. Nevertheless, the worst straggler is 1.6 minutes!

This certainly sheds mild on a distinct phenomenon. The truth that Spark waits on a number of straggler duties throughout every micro-batch leaves many CPUs idle, which explains why splitting the big question into a number of smaller ones resulted in quicker total efficiency.

This image exhibits 5 smaller queries operating in parallel inside the identical Spark utility. Batch3 is ready on a straggler process whereas the opposite queries maintain progressing.

Throughout these intervals of ready, Spark can make the most of the idle CPUs to sort out different queries, thereby maximizing useful resource utilization and total throughput.

Conclusion

On this article, we supplied an summary of Spark’s code era course of and mentioned how built-in optimizations might not at all times yield fascinating outcomes. Moreover, we demonstrated that refactoring a question from utilizing lambda capabilities to at least one using a easy explode operation resulted in efficiency enhancements. Lastly, we concluded that whereas splitting a big assertion did result in efficiency boosts, the first issue driving these good points was the execution topology somewhat than the queries themselves.