HBaseCon, profile picture
Uploaded byHBaseCon
PPTX, PDF4,087 views

A Graph Service for Global Web Entities Traversal and Reputation Evaluation Based on HBase

The document discusses a graph service designed for global web entities traversal and reputation evaluation using HBase. It outlines the challenges of threat entity connectivity, the revised PageRank algorithm for assessing unknown reputations based on malware behaviors, and the architecture for storing and processing graph data. Additionally, it covers the implementation details, performance metrics, and the significance of using big data in enhancing security measures against evolving cyber threats.

Embed presentation

Downloaded 57 times
A Graph Service for Global Web Entities Traversal and Reputation Evaluation Based on HBase Chris Huang, Scott Miao 2014/5/5
Who are we • Scott Miao • Developer, SPN, Trend Micro • Worked on hadoop ecosystem since 2011 • Expertise in HDFS/MR/HBase • Contributor for HBase/HDFS • @takeshi.miao • Chris Huang • RD Manager, SPN, Trend Micro • Hadoop Architect • Worked on hadoop ecosystem since 2009 • Contributor for Bigtop • @chenhsiu48 Our blog ‘Dumbo in TW’: http://dumbointaiwan.blogspot.tw/
Challenges We Faced
New Unique Malware Discovered http://www.av-test.org/en/statistics/malware/
Social Engineering vs. Cyber Attacks
Trend Micro Defense Strategy
Layer of Protection Exposure Infection Dynamic Web, Emails File Signatures File Behaviors
See The Threat Entity Connectivity
Connectivity From Different Data Sources Threat Connect Sand- box File Detecti on Threat Web Web Reputa tionFamily Write- up TE Virus DB APT KB
ThreatWeb: Threat Entities as a Graph
Threat Entities Relation Graph F D I DD D I I D DF F D I I I E E E E E E I I ID D D D F D D F I I F D E File IP Domain Email
Most Entity Reputations are Unknown F D I DD D I I D DF F D I I I E E E E E E I I ID D D D F D D F I I F D E File IP Domain Email
Security Solution Dilemma – Long Tail Prevalence Entities Known good/bad Traditional heuristic detection Big Datacan help! How can we detect the rest effectively?
Inspired by PageRank • Too many un-visited pages! • Users browse pages through links • Let users’ clicks (BIG DATA) tell us the rankings of those un- visited pages!
Revised PageRank Algorithm • Too many un-rated threat entities! • Malware activities interact with threat entitles • Let malware’s behaviors (BIG DATA) tell us the reputations of those un-rated threat entities! F D I DD D I I D DF F D II I E E E E E E I I ID D D D F D D F I
The Graph Problem
The Problems • Store large size of Graph data • Access large size of Graph data • Process large size of Graph data
Data volume • Dump ~450MB (150 bytes * 3,000,000 records) data into Graph per day – Extract from 3GB of data • Keep it for 3 month – ~450MB * 90 = ~40,500MB = ~39GB – With Snappy compression – ~20 - 22GB • Dataset – ~40,000,000 vertices and ~100,000,000 edges • Data query volume about hundreds of thousands per day
BIG GRAPH !! http://news.gamme.com.tw/544510
Store
Property Graph Model Name: Jack Sex: Male Marriage: true Name: Merry Sex: Female Marriage: true marries Name: Vivian Sex: Female Marriage: false Name: John Sex: Male Marriage: true Date: 2010/5/5 Name: Emily Sex: Female Marriage: true From a soap opera… https://github.com/tinkerpop/blueprints/wiki/Property-Graph- Model
• We use HBase as a Graph Storage – Google BigTable and PageRank – HBaseCon2012 • Storing and manipulating graphs in HBase The winner is… Massive scalable ? Active community ? Analyzable ?
Use HBase to store Graph data (1/3) • Tables – create 'vertex', {NAME => 'property', BLOOMFILTER => 'ROW', COMPRESSION => ‘SNAPPY', TTL => '7776000'} – create 'edge', {NAME => 'property', BLOOMFILTER => 'ROW', COMPRESSION => ‘SNAPPY', TTL => '7776000'}
Use HBase to store Graph data (2/3) • Schema design – Table: vertex – Table: edge ‘<vertex-id>||<entity-type>’, ‘property:<property-key>@<property-value-type>’, <property-value> ‘<vertex1-row-key>--><label>--><vertex2-row-key>’, ‘property:<property-key>@<property-value-type>’, <property-value>
Use HBase to store Graph data (3/3) • Sample – Table: vertex – Table: edge ‘myapps-ups.com||domain’, ‘property:ip@String’, ‘…’ ‘myapps-ups.com||domain’, ‘property:asn@String’, ‘…’ … ‘track.muapps-ups.com/InvoiceA1423AC.JPG.exe||url’, ‘property:path@String’, ‘…’ ‘track.muapps-ups.com/InvoiceA1423AC.JPG.exe||url’, ‘property:parameter@String’, ‘…’ ‘myapps-ups.com||domain-->host-->track.muapps-ups.com/InvoiceA1423AC.JPG.exe||url’, ‘property:property1’, ‘…’ ‘myapps-ups.com||domain-->host-->track.muapps-ups.com/InvoiceA1423AC.JPG.exe||url’, ‘property:property2’, ‘…’
Keep your rowkey length short • With long rowkey length – It does not impact your query performance – But it does impact your algorithm MR • OutOfMemoryException • Use something like HASH function to keep your rowkey length short – Use the hash value as rowkey – Put the original value into a property
Overall Architecture Src table snapshot Clone table Clone table Graph table snapshot Clone table Clone table HBase Source C Source B source A HDFS 1. Collect data 2. reprocess & dump data 3. Get Data Client 4. Process Data Algorithms Intermediate data On HDFS
Src table snapsho t Clone table Clone table Graph table snapsho t Clone table Clone table HBase Source C Source B source A HDFS reprocess & dump data Client Algorithms Intermediate data On HDFS
Preprocess and Dump Data • HBase schema design is simple and human- readable • It is easy to write your dumping tool if needed – MR/Pig/Completebulkload – Can write cron-job to clean up the broken-edge data – TTL can also help to retire old data • We already have a lot practices for these tasks
Access
Src table snapsho t Clone table Clone table Graph table snapsho t Clone table Clone table HBase Source C Source B source A HDFS Get Data Client Algorithms Intermediate data On HDFS
Get Data (1/2) • A Graph API • A better semantic for manipulating Graph data – As a wrapper for HBase Client API – Rather than use HBase Client API directly • A malware exploring sample Vertex vertex = this.graph.getVertex(“malware"); Vertex subVertex = null; Iterable<Edge> edges = vertex.getEdges(Direction.OUT, “connect", “infect", “trigger"); for(Edge edge : edges) { subVertex = edge.getVertex(Direction.OUT); ... }
Get Data (2/2) • We implement blueprints API – It provides interfaces as spec. for users to impl. • 824 stars, 173 forks on github – We can get more benefits from it • plug-and-play different Blueprints-enabled graph backends – Traversal language, RESTful server, dataflow, etc – http://www.tinkerpop.com/ – Currently basic query methods are implemented
Clients • Real time Client – Client systems • they need associated Graph data for a specific entity via RESTful API – Usually retrieve two levels of graph data – Quick responsiveness supported by HBase • With rowkey random access and appropriate schema design • HTable.get(),Scan.setStartRow(), Scan.setStopRow() • Batch client – Threat experts – Pick one entity and how many levels interested in, generate a graph file format used by tools • To visualize and navigate what whether users interested in • Graph Exploring Tools – Threat experts – Find out sub-graphs by given criteria • E.g. How many levels or associated vertices
Malware Exploring Performance (1/3) • one request – Use Malware exploring sample again – 1 vertex with 2 levels associated instances (2 ~ 9 vertices) • Dataset – 42,133,610 vertices and 108,355,774 edges • Total requests – 31,764 requests * 100 clients = 3,176,400 Vertex vertex = this.graph.getVertex(“malware"); Vertex subVertex = null; Iterable<Edge> edges = vertex.getEdges(Direction.OUT, “connect", “infect", “trigger"); for(Edge edge : edges) { subVertex = edge.getVertex(Direction.OUT); ... }
Malware Exploring Performance (2/3)
Malware Exploring Performance (3/3) • Some statistics – Mean: 51.61 ms – Standard Deviation: 653.57 ms – Empirical rule: 68%, 95%, 99.7% • 99.7% of requests below 2.1 seconds • But response time variances still happen – Use Cache layer between client and HBase – Warm-up after new data come in
Process
Src table snapshot Clone table Clone table Graph table snapshot Clone table Clone table HBase Source C Source B source A HDFS Client Process Data Algorithms Intermediate data On HDFS
• Human-readable HBase schema design – Write your own MR – Write your own Pig/UDFs • So we can write the algorithms to further process our graph data – To predict unknown reputation by known threats – E.g. a revised PageRank algorithm
Data process flow Src table snapshot Clone table Data on HDFS Algorithms (MR, Pig UDF) Clone table Processed completed Graph table snapshot Clone table Clone table Intermediate data on HDFS HBase 1. Dump daily data 2. Take snapshot 3. Clone snapshot 4. Process data iteratively (takes hours) 4.1 generate Intermediate data 5. Process complete 6. Dump processed data with timerange
A customized TableInputFormat (1/2) • One Mapper for one region by default – Each Mapper process too much data • OutOfMemoryException • Too long to process – Use small split region size ? • Will overload your HBase cluster !! • Before: about ~40 Mappers • After: about ~500 Mappers
A customized TableInputFormat (2/2) Clone Graph Table MR - Pick Candidates Combination Candidates list file <encodedRegionName>t<startKey>t<endKey> … d3d1749f3486e850b263c7ecb2424dd3tstartKey_1tendKey_1 d3d1749f3486e850b263c7ecb2424dd3tstartKey_2tendKey_2 d3d1749f3486e850b263c7ecb2424dd3tstartKey_3tendKey_3 Cd91c08d656a19bdb180e0b7f8896575tstartKey_4tendKey_4 Cd91c08d656a19bdb180e0b7f8896575tstartKey_5tendKey_5 … CustTableInp utFormat MR - algorithm 2. Scan table3. Output candidates 4. Load candidates 5. Run Algo. with more Mappers 1. Run MR
HGraph • A project is open and put on github – https://github.com/trendmicro/HGraph • A partial impl. released from our internal project – Follow HBase schema design – Read data via Blueprints API – Process data with our pagerank default impl. • Download or ‘git clone’ it – Use ‘mvn clean package’ – Run on unix-like OS • Use windows may encounter some errors
PageRank Result
Experiment Result • Testing Dataset – 42,133,610 vertices and 108,355,774 edges – 1 vertex usually associates 2 ~ 9 vertices – 4.13% of the vertices are known bad – 0.09% of the vertices are known good – The rests are unknown • Result – Runs 34hrs for running 23 iterations. – 1,291 unknown vertices are ranked out – Top 200 has 99% accuracy (explain later)
Suspicious DGA Discovered • 3nkp***cq-----x.esf.sinkdns.org – 196 domains from Domain Generated Algorithms https://www.virustotal.com/en/url/871004bd9a0fe27e61b0519ceb8457528ea00da0e7ffdc44d98e759ab3e3caa1/analysis/
Untested But Highly Malware Related IP • 67.*.*.132 – Categorized as “Computers / Internet”, not tested https://www.virustotal.com/en/ip-address/67.*.*.132/information/
Prevalence Entities Knowngood/bad Traditionalheuristicdetection IntelligencefromBigDataAnalyt (90%) Security in Old Days Cannot Protect What You Cannot See Next Generation Security Unleash the Power of Data Discover What We Don’t Know
Q&A
Backups
Property Graph Model (2/2)
Property Graph Model Definition • A property graph has these elements – a set of vertices • each vertex has a unique identifier. • each vertex has a set of outgoing edges. • each vertex has a set of incoming edges. • each vertex has a collection of properties defined by a map from key to value. – a set of edges • each edge has a unique identifier. • each edge has an outgoing tail vertex. • each edge has an incoming head vertex. • each edge has a label that denotes the type of relationship between its two vertices. • each edge has a collection of properties defined by a map from key to value.
About regions • Keep reasonable amount of regions for each regionserver • Notice your splitted regions from one table – Dump data daily, cause regions splitting – Make sure your regions scattered evenly on each regionserver <hbase.regionserver.global.memstore.upperLimit> / <hbase.hregion.memstore.flush.size> = <active-regions-per-rs> e.g. (10G * 0.4) / 128MB = 32 active regions HBase Sizing Notes by Lars George

More Related Content

PDF
Data Evolution in HBase
byHBaseCon
 
PPTX
A Survey of HBase Application Archetypes
byHBaseCon
 
PPTX
HBaseCon 2013: HBase SEP - Reliable Maintenance of Auxiliary Index Structures
byCloudera, Inc.
 
PPTX
HBaseCon 2013: Deal Personalization Engine with HBase @ Groupon
byCloudera, Inc.
 
PPTX
HBaseCon 2013: ETL for Apache HBase
byCloudera, Inc.
 
PPTX
Apache HBase Application Archetypes
byCloudera, Inc.
 
PPTX
Hadoop and HBase @eBay
byDataWorks Summit
 
PPTX
Hadoop @ eBay: Past, Present, and Future
byRyan Hennig
 
Data Evolution in HBase
byHBaseCon
 
A Survey of HBase Application Archetypes
byHBaseCon
 
HBaseCon 2013: HBase SEP - Reliable Maintenance of Auxiliary Index Structures
byCloudera, Inc.
 
HBaseCon 2013: Deal Personalization Engine with HBase @ Groupon
byCloudera, Inc.
 
HBaseCon 2013: ETL for Apache HBase
byCloudera, Inc.
 
Apache HBase Application Archetypes
byCloudera, Inc.
 
Hadoop and HBase @eBay
byDataWorks Summit
 
Hadoop @ eBay: Past, Present, and Future
byRyan Hennig
 

What's hot

PPTX
HBaseCon 2013: Apache Drill - A Community-driven Initiative to Deliver ANSI S...
byCloudera, Inc.
 
PPTX
Apache HBase™
byPrashant Gupta
 
PDF
HBaseCon 2012 | Getting Real about Interactive Big Data Management with Lily ...
byCloudera, Inc.
 
PDF
HBaseCon 2015: S2Graph - A Large-scale Graph Database with HBase
byHBaseCon
 
PPTX
Introduction To HBase
byAnil Gupta
 
PDF
Hbase status quo apache-con europe - nov 2012
byChris Huang
 
PPTX
Apache HBase - Introduction & Use Cases
byData Con LA
 
PPTX
Big Data Day LA 2015 - NoSQL: Doing it wrong before getting it right by Lawre...
byData Con LA
 
PDF
Hoodie - DataEngConf 2017
byVinoth Chandar
 
PDF
Introduction To Hadoop Ecosystem
byInSemble
 
PPT
Big Data Fundamentals in the Emerging New Data World
byJongwook Woo
 
PPTX
HBaseCon 2012 | Real-Time and Batch HBase for Healthcare at Explorys
byCloudera, Inc.
 
PDF
Cisco connect toronto 2015 big data sean mc keown
byCisco Canada
 
PPTX
Hoodie: Incremental processing on hadoop
byPrasanna Rajaperumal
 
PPTX
HBaseCon 2015: Industrial Internet Case Study using HBase and TSDB
byHBaseCon
 
PPTX
Impala for PhillyDB Meetup
byShravan (Sean) Pabba
 
PDF
Hadoop User Group - Status Apache Drill
byMapR Technologies
 
PPTX
Architecting Applications with Hadoop
bymarkgrover
 
PPTX
Getting Started with Hadoop
byCloudera, Inc.
 
PPTX
Hadoop World 2011: Advanced HBase Schema Design
byCloudera, Inc.
 
HBaseCon 2013: Apache Drill - A Community-driven Initiative to Deliver ANSI S...
byCloudera, Inc.
 
Apache HBase™
byPrashant Gupta
 
HBaseCon 2012 | Getting Real about Interactive Big Data Management with Lily ...
byCloudera, Inc.
 
HBaseCon 2015: S2Graph - A Large-scale Graph Database with HBase
byHBaseCon
 
Introduction To HBase
byAnil Gupta
 
Hbase status quo apache-con europe - nov 2012
byChris Huang
 
Apache HBase - Introduction & Use Cases
byData Con LA
 
Big Data Day LA 2015 - NoSQL: Doing it wrong before getting it right by Lawre...
byData Con LA
 
Hoodie - DataEngConf 2017
byVinoth Chandar
 
Introduction To Hadoop Ecosystem
byInSemble
 
Big Data Fundamentals in the Emerging New Data World
byJongwook Woo
 
HBaseCon 2012 | Real-Time and Batch HBase for Healthcare at Explorys
byCloudera, Inc.
 
Cisco connect toronto 2015 big data sean mc keown
byCisco Canada
 
Hoodie: Incremental processing on hadoop
byPrasanna Rajaperumal
 
HBaseCon 2015: Industrial Internet Case Study using HBase and TSDB
byHBaseCon
 
Impala for PhillyDB Meetup
byShravan (Sean) Pabba
 
Hadoop User Group - Status Apache Drill
byMapR Technologies
 
Architecting Applications with Hadoop
bymarkgrover
 
Getting Started with Hadoop
byCloudera, Inc.
 
Hadoop World 2011: Advanced HBase Schema Design
byCloudera, Inc.
 

Viewers also liked

PDF
HBaseCon 2015: Warcbase - Scaling 'Out' and 'Down' HBase for Web Archiving
byHBaseCon
 
PPTX
Real-time HBase: Lessons from the Cloud
byHBaseCon
 
PPTX
HBaseCon 2015: HBase Operations in a Flurry
byHBaseCon
 
PPTX
HBaseCon 2015: Blackbird Collections - In-situ Stream Processing in HBase
byHBaseCon
 
PPTX
Rolling Out Apache HBase for Mobile Offerings at Visa
byHBaseCon
 
PDF
HBaseCon 2015: Solving HBase Performance Problems with Apache HTrace
byHBaseCon
 
PPTX
Update on OpenTSDB and AsyncHBase
byHBaseCon
 
PDF
HBaseCon 2013: Real-Time Model Scoring in Recommender Systems
byCloudera, Inc.
 
PPTX
HBase Data Modeling and Access Patterns with Kite SDK
byHBaseCon
 
PPTX
Digital Library Collection Management using HBase
byHBaseCon
 
PPTX
HBase at Bloomberg: High Availability Needs for the Financial Industry
byHBaseCon
 
PPTX
Content Identification using HBase
byHBaseCon
 
PDF
HBaseCon 2015: Graph Processing of Stock Market Order Flow in HBase on AWS
byHBaseCon
 
PDF
Apache HBase in the Enterprise Data Hub at Cerner
byHBaseCon
 
PPTX
HBaseCon 2013: Using Coprocessors to Index Columns in an Elasticsearch Cluster
byCloudera, Inc.
 
PDF
Apache HBase Improvements and Practices at Xiaomi
byHBaseCon
 
PPTX
HBaseCon 2015: HBase @ CyberAgent
byHBaseCon
 
PPTX
HBaseCon 2013: Full-Text Indexing for Apache HBase
byCloudera, Inc.
 
PPTX
HBaseCon 2015: Analyzing HBase Data with Apache Hive
byHBaseCon
 
PPTX
HBaseCon 2013: Realtime User Segmentation using Apache HBase -- Architectural...
byCloudera, Inc.
 
HBaseCon 2015: Warcbase - Scaling 'Out' and 'Down' HBase for Web Archiving
byHBaseCon
 
Real-time HBase: Lessons from the Cloud
byHBaseCon
 
HBaseCon 2015: HBase Operations in a Flurry
byHBaseCon
 
HBaseCon 2015: Blackbird Collections - In-situ Stream Processing in HBase
byHBaseCon
 
Rolling Out Apache HBase for Mobile Offerings at Visa
byHBaseCon
 
HBaseCon 2015: Solving HBase Performance Problems with Apache HTrace
byHBaseCon
 
Update on OpenTSDB and AsyncHBase
byHBaseCon
 
HBaseCon 2013: Real-Time Model Scoring in Recommender Systems
byCloudera, Inc.
 
HBase Data Modeling and Access Patterns with Kite SDK
byHBaseCon
 
Digital Library Collection Management using HBase
byHBaseCon
 
HBase at Bloomberg: High Availability Needs for the Financial Industry
byHBaseCon
 
Content Identification using HBase
byHBaseCon
 
HBaseCon 2015: Graph Processing of Stock Market Order Flow in HBase on AWS
byHBaseCon
 
Apache HBase in the Enterprise Data Hub at Cerner
byHBaseCon
 
HBaseCon 2013: Using Coprocessors to Index Columns in an Elasticsearch Cluster
byCloudera, Inc.
 
Apache HBase Improvements and Practices at Xiaomi
byHBaseCon
 
HBaseCon 2015: HBase @ CyberAgent
byHBaseCon
 
HBaseCon 2013: Full-Text Indexing for Apache HBase
byCloudera, Inc.
 
HBaseCon 2015: Analyzing HBase Data with Apache Hive
byHBaseCon
 
HBaseCon 2013: Realtime User Segmentation using Apache HBase -- Architectural...
byCloudera, Inc.
 

Similar to A Graph Service for Global Web Entities Traversal and Reputation Evaluation Based on HBase

PPTX
Attack on graph
byScott Miao
 
PDF
Graphing Grifters: Identify & Display Patterns of Corruption With Oracle Graph
byJim Czuprynski
 
PPTX
Hadoop World 2011: Hadoop and Graph Data Management: Challenges and Opportuni...
byCloudera, Inc.
 
PPTX
Large Scale Graph Analytics with JanusGraph
byDataWorks Summit
 
PPTX
Large Scale Graph Analytics with JanusGraph
byP. Taylor Goetz
 
PDF
1st UIM-GDB - Connections to the Real World
byAchim Friedland
 
PDF
HBaseCon 2012 | Storing and Manipulating Graphs in HBase
byCloudera, Inc.
 
PDF
Storing and manipulating graphs in HBase
byDan Lynn
 
PDF
Distributed graph processing
byBartosz Konieczny
 
PPTX
מיכאל
bysqlserver.co.il
 
PPTX
Hadoop and Graph Data Management: Challenges and Opportunities
byDaniel Abadi
 
PDF
Graph store
byInder Singh
 
PDF
The Analytics Frontier of the Hadoop Eco-System
byinside-BigData.com
 
PPTX
Beyond Hadoop 1.0: A Holistic View of Hadoop YARN, Spark and GraphLab
byVijay Srinivas Agneeswaran, Ph.D
 
PPTX
Graph Analytics
byKhalid Salama
 
PPTX
Introduction to Apache HBase
byGokuldas Pillai
 
PPTX
why the title needs to be 40 characters i dont get it
bystar42348
 
PDF
Processing large-scale graphs with Google(TM) Pregel by MICHAEL HACKSTEIN at...
byBig Data Spain
 
PDF
HBase ArcheTypes
byMatteo Bertozzi
 
PDF
F14 lec12graphs
byankush karwa
 
Attack on graph
byScott Miao
 
Graphing Grifters: Identify & Display Patterns of Corruption With Oracle Graph
byJim Czuprynski
 
Hadoop World 2011: Hadoop and Graph Data Management: Challenges and Opportuni...
byCloudera, Inc.
 
Large Scale Graph Analytics with JanusGraph
byDataWorks Summit
 
Large Scale Graph Analytics with JanusGraph
byP. Taylor Goetz
 
1st UIM-GDB - Connections to the Real World
byAchim Friedland
 
HBaseCon 2012 | Storing and Manipulating Graphs in HBase
byCloudera, Inc.
 
Storing and manipulating graphs in HBase
byDan Lynn
 
Distributed graph processing
byBartosz Konieczny
 
מיכאל
bysqlserver.co.il
 
Hadoop and Graph Data Management: Challenges and Opportunities
byDaniel Abadi
 
Graph store
byInder Singh
 
The Analytics Frontier of the Hadoop Eco-System
byinside-BigData.com
 
Beyond Hadoop 1.0: A Holistic View of Hadoop YARN, Spark and GraphLab
byVijay Srinivas Agneeswaran, Ph.D
 
Graph Analytics
byKhalid Salama
 
Introduction to Apache HBase
byGokuldas Pillai
 
why the title needs to be 40 characters i dont get it
bystar42348
 
Processing large-scale graphs with Google(TM) Pregel by MICHAEL HACKSTEIN at...
byBig Data Spain
 
HBase ArcheTypes
byMatteo Bertozzi
 
F14 lec12graphs
byankush karwa
 

More from HBaseCon

PDF
hbaseconasia2017: Building online HBase cluster of Zhihu based on Kubernetes
byHBaseCon
 
PDF
hbaseconasia2017: HBase on Beam
byHBaseCon
 
PDF
hbaseconasia2017: HBase Disaster Recovery Solution at Huawei
byHBaseCon
 
PDF
hbaseconasia2017: Removable singularity: a story of HBase upgrade in Pinterest
byHBaseCon
 
PDF
hbaseconasia2017: HareQL:快速HBase查詢工具的發展過程
byHBaseCon
 
PDF
hbaseconasia2017: Apache HBase at Netease
byHBaseCon
 
PDF
hbaseconasia2017: HBase在Hulu的使用和实践
byHBaseCon
 
PDF
hbaseconasia2017: 基于HBase的企业级大数据平台
byHBaseCon
 
PDF
hbaseconasia2017: HBase at JD.com
byHBaseCon
 
PDF
hbaseconasia2017: Large scale data near-line loading method and architecture
byHBaseCon
 
PDF
hbaseconasia2017: Ecosystems with HBase and CloudTable service at Huawei
byHBaseCon
 
PDF
hbaseconasia2017: HBase Practice At XiaoMi
byHBaseCon
 
PDF
hbaseconasia2017: hbase-2.0.0
byHBaseCon
 
PDF
HBaseCon2017 Democratizing HBase
byHBaseCon
 
PDF
HBaseCon2017 Removable singularity: a story of HBase upgrade in Pinterest
byHBaseCon
 
PDF
HBaseCon2017 Quanta: Quora's hierarchical counting system on HBase
byHBaseCon
 
PDF
HBaseCon2017 Transactions in HBase
byHBaseCon
 
PDF
HBaseCon2017 Highly-Available HBase
byHBaseCon
 
PDF
HBaseCon2017 Apache HBase at Didi
byHBaseCon
 
PDF
HBaseCon2017 gohbase: Pure Go HBase Client
byHBaseCon
 
hbaseconasia2017: Building online HBase cluster of Zhihu based on Kubernetes
byHBaseCon
 
hbaseconasia2017: HBase on Beam
byHBaseCon
 
hbaseconasia2017: HBase Disaster Recovery Solution at Huawei
byHBaseCon
 
hbaseconasia2017: Removable singularity: a story of HBase upgrade in Pinterest
byHBaseCon
 
hbaseconasia2017: HareQL:快速HBase查詢工具的發展過程
byHBaseCon
 
hbaseconasia2017: Apache HBase at Netease
byHBaseCon
 
hbaseconasia2017: HBase在Hulu的使用和实践
byHBaseCon
 
hbaseconasia2017: 基于HBase的企业级大数据平台
byHBaseCon
 
hbaseconasia2017: HBase at JD.com
byHBaseCon
 
hbaseconasia2017: Large scale data near-line loading method and architecture
byHBaseCon
 
hbaseconasia2017: Ecosystems with HBase and CloudTable service at Huawei
byHBaseCon
 
hbaseconasia2017: HBase Practice At XiaoMi
byHBaseCon
 
hbaseconasia2017: hbase-2.0.0
byHBaseCon
 
HBaseCon2017 Democratizing HBase
byHBaseCon
 
HBaseCon2017 Removable singularity: a story of HBase upgrade in Pinterest
byHBaseCon
 
HBaseCon2017 Quanta: Quora's hierarchical counting system on HBase
byHBaseCon
 
HBaseCon2017 Transactions in HBase
byHBaseCon
 
HBaseCon2017 Highly-Available HBase
byHBaseCon
 
HBaseCon2017 Apache HBase at Didi
byHBaseCon
 
HBaseCon2017 gohbase: Pure Go HBase Client
byHBaseCon
 

Recently uploaded

PPTX
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
PDF
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
PPTX
Installing Python in Visual Studio Code
bydabydcatahanibmcom
 
PPTX
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 
PDF
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
PDF
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
PDF
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 
PDF
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
PDF
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
PPTX
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
PDF
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
PDF
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
PDF
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
PDF
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
PDF
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
PDF
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
PDF
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
PDF
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
PPTX
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
PPTX
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 
Connecting to MCP Servers in OutSystems Platform
byOzanCali
 
Complete iOS Delivery App Features & Admin Tools
byShiv Technolabs Pvt. Ltd.
 
Installing Python in Visual Studio Code
bydabydcatahanibmcom
 
Chapter Two Logic and Language - Copy.pptx
byGediyonBelay
 
Versnel innovatie met GitHub Enterprise - Rick Smit GitHub
byDelta-N
 
On Demand Massage Therapist Booking App Development
byV3CUBE TECHNOLABS
 
Metrics, Logs, Traces, and Mayhem_ Introducing an observability adventure gam...
byImma Valls Bernaus
 
Routing Guidelines: Unlocking Smarter Query Routing in MySQL Architectures
byMiguel Araújo
 
JFokus 2026 - Please pass the salt- Serve up passwords with a side of entropy...
byOrtus Solutions, Corp
 
40m_wAIred_DigitalPlatformRabobank_10022026.pptx
bySimonedeGijt
 
Doctor On Call App Development for Digital Healthcare.
byV3CUBE TECHNOLABS
 
eresource Xcel ERP for Maunfacturing - Best Manufacturing ERP for SME
byeresource Infotech Pvt.Ltd
 
ACE Aarhus February 2026: Atlassian news
byDanielEriksen5
 
Jira, Powered by Enterprise-Grade Intelligence from NeoroTalks.pdf
byNeoro Talks
 
Build Modern Applications with Amazon Aurora DSQL- AWS User Group Bonn 2026
byVadym Kazulkin
 
The Ultimate Guide to Real Estate Tokenization Platforms
byDaniel Smith
 
Ready, Set, REST! Introducing MySQL's Built-In REST Service
byMiguel Araújo
 
Ontwikkel sneller en veiliger met GitHub Copilot
byDelta-N
 
How CFD Simulations Support Sustainable Data Center Design Optimization
byWeb Synergies
 
Data Skills for Business Analysts: What You Need to Succeed
byScott W. Ambler
 

A Graph Service for Global Web Entities Traversal and Reputation Evaluation Based on HBase

  • 1.
    A Graph Servicefor Global Web Entities Traversal and Reputation Evaluation Based on HBase Chris Huang, Scott Miao 2014/5/5
  • 2.
    Who are we •Scott Miao • Developer, SPN, Trend Micro • Worked on hadoop ecosystem since 2011 • Expertise in HDFS/MR/HBase • Contributor for HBase/HDFS • @takeshi.miao • Chris Huang • RD Manager, SPN, Trend Micro • Hadoop Architect • Worked on hadoop ecosystem since 2009 • Contributor for Bigtop • @chenhsiu48 Our blog ‘Dumbo in TW’: http://dumbointaiwan.blogspot.tw/
  • 3.
  • 4.
    New Unique MalwareDiscovered http://www.av-test.org/en/statistics/malware/
  • 5.
  • 6.
  • 7.
    Layer of Protection Exposure Infection Dynamic Web,Emails File Signatures File Behaviors
  • 8.
    See The ThreatEntity Connectivity
  • 9.
    Connectivity From DifferentData Sources Threat Connect Sand- box File Detecti on Threat Web Web Reputa tionFamily Write- up TE Virus DB APT KB
  • 10.
  • 11.
    Threat Entities RelationGraph F D I DD D I I D DF F D I I I E E E E E E I I ID D D D F D D F I I F D E File IP Domain Email
  • 12.
    Most Entity Reputationsare Unknown F D I DD D I I D DF F D I I I E E E E E E I I ID D D D F D D F I I F D E File IP Domain Email
  • 13.
    Security Solution Dilemma– Long Tail Prevalence Entities Known good/bad Traditional heuristic detection Big Datacan help! How can we detect the rest effectively?
  • 14.
    Inspired by PageRank •Too many un-visited pages! • Users browse pages through links • Let users’ clicks (BIG DATA) tell us the rankings of those un- visited pages!
  • 15.
    Revised PageRank Algorithm •Too many un-rated threat entities! • Malware activities interact with threat entitles • Let malware’s behaviors (BIG DATA) tell us the reputations of those un-rated threat entities! F D I DD D I I D DF F D II I E E E E E E I I ID D D D F D D F I
  • 16.
  • 17.
    The Problems • Storelarge size of Graph data • Access large size of Graph data • Process large size of Graph data
  • 18.
    Data volume • Dump~450MB (150 bytes * 3,000,000 records) data into Graph per day – Extract from 3GB of data • Keep it for 3 month – ~450MB * 90 = ~40,500MB = ~39GB – With Snappy compression – ~20 - 22GB • Dataset – ~40,000,000 vertices and ~100,000,000 edges • Data query volume about hundreds of thousands per day
  • 19.
  • 20.
  • 21.
    Property Graph Model Name:Jack Sex: Male Marriage: true Name: Merry Sex: Female Marriage: true marries Name: Vivian Sex: Female Marriage: false Name: John Sex: Male Marriage: true Date: 2010/5/5 Name: Emily Sex: Female Marriage: true From a soap opera… https://github.com/tinkerpop/blueprints/wiki/Property-Graph- Model
  • 22.
    • We useHBase as a Graph Storage – Google BigTable and PageRank – HBaseCon2012 • Storing and manipulating graphs in HBase The winner is… Massive scalable ? Active community ? Analyzable ?
  • 23.
    Use HBase tostore Graph data (1/3) • Tables – create 'vertex', {NAME => 'property', BLOOMFILTER => 'ROW', COMPRESSION => ‘SNAPPY', TTL => '7776000'} – create 'edge', {NAME => 'property', BLOOMFILTER => 'ROW', COMPRESSION => ‘SNAPPY', TTL => '7776000'}
  • 24.
    Use HBase tostore Graph data (2/3) • Schema design – Table: vertex – Table: edge ‘<vertex-id>||<entity-type>’, ‘property:<property-key>@<property-value-type>’, <property-value> ‘<vertex1-row-key>--><label>--><vertex2-row-key>’, ‘property:<property-key>@<property-value-type>’, <property-value>
  • 25.
    Use HBase tostore Graph data (3/3) • Sample – Table: vertex – Table: edge ‘myapps-ups.com||domain’, ‘property:ip@String’, ‘…’ ‘myapps-ups.com||domain’, ‘property:asn@String’, ‘…’ … ‘track.muapps-ups.com/InvoiceA1423AC.JPG.exe||url’, ‘property:path@String’, ‘…’ ‘track.muapps-ups.com/InvoiceA1423AC.JPG.exe||url’, ‘property:parameter@String’, ‘…’ ‘myapps-ups.com||domain-->host-->track.muapps-ups.com/InvoiceA1423AC.JPG.exe||url’, ‘property:property1’, ‘…’ ‘myapps-ups.com||domain-->host-->track.muapps-ups.com/InvoiceA1423AC.JPG.exe||url’, ‘property:property2’, ‘…’
  • 26.
    Keep your rowkeylength short • With long rowkey length – It does not impact your query performance – But it does impact your algorithm MR • OutOfMemoryException • Use something like HASH function to keep your rowkey length short – Use the hash value as rowkey – Put the original value into a property
  • 27.
  • 28.
  • 29.
    Preprocess and DumpData • HBase schema design is simple and human- readable • It is easy to write your dumping tool if needed – MR/Pig/Completebulkload – Can write cron-job to clean up the broken-edge data – TTL can also help to retire old data • We already have a lot practices for these tasks
  • 30.
  • 31.
  • 32.
    Get Data (1/2) •A Graph API • A better semantic for manipulating Graph data – As a wrapper for HBase Client API – Rather than use HBase Client API directly • A malware exploring sample Vertex vertex = this.graph.getVertex(“malware"); Vertex subVertex = null; Iterable<Edge> edges = vertex.getEdges(Direction.OUT, “connect", “infect", “trigger"); for(Edge edge : edges) { subVertex = edge.getVertex(Direction.OUT); ... }
  • 33.
    Get Data (2/2) •We implement blueprints API – It provides interfaces as spec. for users to impl. • 824 stars, 173 forks on github – We can get more benefits from it • plug-and-play different Blueprints-enabled graph backends – Traversal language, RESTful server, dataflow, etc – http://www.tinkerpop.com/ – Currently basic query methods are implemented
  • 34.
    Clients • Real timeClient – Client systems • they need associated Graph data for a specific entity via RESTful API – Usually retrieve two levels of graph data – Quick responsiveness supported by HBase • With rowkey random access and appropriate schema design • HTable.get(),Scan.setStartRow(), Scan.setStopRow() • Batch client – Threat experts – Pick one entity and how many levels interested in, generate a graph file format used by tools • To visualize and navigate what whether users interested in • Graph Exploring Tools – Threat experts – Find out sub-graphs by given criteria • E.g. How many levels or associated vertices
  • 35.
    Malware Exploring Performance(1/3) • one request – Use Malware exploring sample again – 1 vertex with 2 levels associated instances (2 ~ 9 vertices) • Dataset – 42,133,610 vertices and 108,355,774 edges • Total requests – 31,764 requests * 100 clients = 3,176,400 Vertex vertex = this.graph.getVertex(“malware"); Vertex subVertex = null; Iterable<Edge> edges = vertex.getEdges(Direction.OUT, “connect", “infect", “trigger"); for(Edge edge : edges) { subVertex = edge.getVertex(Direction.OUT); ... }
  • 36.
  • 37.
    Malware Exploring Performance(3/3) • Some statistics – Mean: 51.61 ms – Standard Deviation: 653.57 ms – Empirical rule: 68%, 95%, 99.7% • 99.7% of requests below 2.1 seconds • But response time variances still happen – Use Cache layer between client and HBase – Warm-up after new data come in
  • 38.
  • 39.
  • 40.
    • Human-readable HBaseschema design – Write your own MR – Write your own Pig/UDFs • So we can write the algorithms to further process our graph data – To predict unknown reputation by known threats – E.g. a revised PageRank algorithm
  • 41.
    Data process flow Src table snapshot Clone tableData on HDFS Algorithms (MR, Pig UDF) Clone table Processed completed Graph table snapshot Clone table Clone table Intermediate data on HDFS HBase 1. Dump daily data 2. Take snapshot 3. Clone snapshot 4. Process data iteratively (takes hours) 4.1 generate Intermediate data 5. Process complete 6. Dump processed data with timerange
  • 42.
    A customized TableInputFormat(1/2) • One Mapper for one region by default – Each Mapper process too much data • OutOfMemoryException • Too long to process – Use small split region size ? • Will overload your HBase cluster !! • Before: about ~40 Mappers • After: about ~500 Mappers
  • 43.
    A customized TableInputFormat(2/2) Clone Graph Table MR - Pick Candidates Combination Candidates list file <encodedRegionName>t<startKey>t<endKey> … d3d1749f3486e850b263c7ecb2424dd3tstartKey_1tendKey_1 d3d1749f3486e850b263c7ecb2424dd3tstartKey_2tendKey_2 d3d1749f3486e850b263c7ecb2424dd3tstartKey_3tendKey_3 Cd91c08d656a19bdb180e0b7f8896575tstartKey_4tendKey_4 Cd91c08d656a19bdb180e0b7f8896575tstartKey_5tendKey_5 … CustTableInp utFormat MR - algorithm 2. Scan table3. Output candidates 4. Load candidates 5. Run Algo. with more Mappers 1. Run MR
  • 44.
    HGraph • A projectis open and put on github – https://github.com/trendmicro/HGraph • A partial impl. released from our internal project – Follow HBase schema design – Read data via Blueprints API – Process data with our pagerank default impl. • Download or ‘git clone’ it – Use ‘mvn clean package’ – Run on unix-like OS • Use windows may encounter some errors
  • 45.
  • 46.
    Experiment Result • TestingDataset – 42,133,610 vertices and 108,355,774 edges – 1 vertex usually associates 2 ~ 9 vertices – 4.13% of the vertices are known bad – 0.09% of the vertices are known good – The rests are unknown • Result – Runs 34hrs for running 23 iterations. – 1,291 unknown vertices are ranked out – Top 200 has 99% accuracy (explain later)
  • 47.
    Suspicious DGA Discovered •3nkp***cq-----x.esf.sinkdns.org – 196 domains from Domain Generated Algorithms https://www.virustotal.com/en/url/871004bd9a0fe27e61b0519ceb8457528ea00da0e7ffdc44d98e759ab3e3caa1/analysis/
  • 48.
    Untested But HighlyMalware Related IP • 67.*.*.132 – Categorized as “Computers / Internet”, not tested https://www.virustotal.com/en/ip-address/67.*.*.132/information/
  • 49.
    Prevalence Entities Knowngood/bad Traditionalheuristicdetection IntelligencefromBigDataAnalyt (90%) Security in OldDays Cannot Protect What You Cannot See Next Generation Security Unleash the Power of Data Discover What We Don’t Know
  • 50.
  • 51.
  • 52.
  • 53.
    Property Graph ModelDefinition • A property graph has these elements – a set of vertices • each vertex has a unique identifier. • each vertex has a set of outgoing edges. • each vertex has a set of incoming edges. • each vertex has a collection of properties defined by a map from key to value. – a set of edges • each edge has a unique identifier. • each edge has an outgoing tail vertex. • each edge has an incoming head vertex. • each edge has a label that denotes the type of relationship between its two vertices. • each edge has a collection of properties defined by a map from key to value.
  • 54.
    About regions • Keepreasonable amount of regions for each regionserver • Notice your splitted regions from one table – Dump data daily, cause regions splitting – Make sure your regions scattered evenly on each regionserver <hbase.regionserver.global.memstore.upperLimit> / <hbase.hregion.memstore.flush.size> = <active-regions-per-rs> e.g. (10G * 0.4) / 128MB = 32 active regions HBase Sizing Notes by Lars George