Attacks on High Performance Linux Clusters

Center for Computer Security Research, Mississippi State University

Integrating Intelligent Anomaly Detection Agents into Distributed Monitoring Systems

Anomaly Detection With Function Call Logs

The following applications were selected to test the anomaly detectors with Ganglia:

FFT - An implementation of the Fast Fourier Transform
IS - An NPB benchmark based on a bucket sort
- Available from NAS Parallel Benchmarks
LU - An implementation of the LU Factorization method for solving systems of linear equations
- Available from NAS Parallel Benchmarks
LL - LLCbench from the MP-Bench benchmarks suite
- Available from LLCbench Home Page
NetPIPE - The Network Protocol Independent Performance Evaluator
- Available from NetPIPE

The data sets contained within this page have been executed on an 8-node Linux cluster called microcosm that is used at the Center for Computer Security Research. The names microcosm0 through microcosm7 are in reference to the individual nodes of the cluster.

The data on this page records the series of library functions called by the individual programs on each execution as an integer for the sake of the model. The correlation between integers and function names (and other information about each function) can be found in the following file:

Functions.gfl - Download function definitions

This file is pipe-delimited with each line representing a library function. First is the library's ID, followed by return type, and most importantly, the function name followed by the function number as used in the data files on this page. The remainder of the function prototype follows, with names for each argument, and a "key" argument that is recorded for each call in some of the more complex data sets. For more detail, see the Functions.gfl file's comment block.

The data files on this page consist of one integer per line referring to the functions above. For example, if you see:

33

You can look up this number in Functions.gfl to find more information about the function:

LIBMPI|int|MPI_Comm_size|33|MPI_Comm comm,int *size|comm,size|-1|

Training Data

Library function number per line format:

training.tar.gz - Download all training data (GNU tar.gz format)
By application:
- FFT
  - training_fftw.tar.gz - Download all FFT training data (GNU tar.gz format)
  - Browse FFT training data online
- IS
  - training_is.tar.gz - Download all IS training data (GNU tar.gz format)
  - Browse IS training data online
- LU
  - training_lu.tar.gz - Download all LU training data (GNU tar.gz format)
  - Browse LU training data online
- LL
  - training_ll.tar.gz - Download all LL training data (GNU tar.gz format)
  - Browse LL training data online
- NETPIPE
  - training_netpipe.tar.gz - Download all NETPIPE training data (GNU tar.gz format)
  - Browse NETPIPE training data online

For the training data, a more complete description of each function call is also available. An example:

30562,11,3,1078791711659440,129

In this example, 30562 is the process ID that called the library function. 11 is the function number, 3 is the "key" argument to the function (these arguments are defined in the Functions.gfl file for each function), 1078791711659440 is the time the function was called in Unix time (seconds-since-epoch) format, and 129 is the time elapsed since the last call.

The data above that simply lists the function number was extracted from this data using the StripCalls.sh script:

StripCalls.sh - Download the StripCalls.sh script

Training data in this format is available here:

training_full.tar.gz - Download all training data (GNU tar.gz format)
By application:
- FFT
  - training_fftw_full.tar.gz - Download all FFT training data (GNU tar.gz format)
  - Browse FFT training data online
- IS
  - training_is_full.tar.gz - Download all IS training data (GNU tar.gz format)
  - Browse IS training data online
- LU
  - training_lu_full.tar.gz - Download all LU training data (GNU tar.gz format)
  - Browse LU training data online
- LL
  - training_ll_full.tar.gz - Download all LL training data (GNU tar.gz format)
  - Browse LL training data online
- NETPIPE
  - training_netpipe_full.tar.gz - Download all NETPIPE training data (GNU tar.gz format)
  - Browse NETPIPE training data online

Test Data

Normal

Library function number per line format:

test_normal.tar.gz - Download all testing data for normal execution (GNU tar.gz format)
By application:
- FFT
  - test_normal_fftw.tar.gz - Download all FFT testing data for normal execution (GNU tar.gz format)
  - Browse FFT testing data for normal execution online
- IS
  - test_normal_is.tar.gz - Download all IS testing data for normal execution (GNU tar.gz format)
  - Browse IS testing data for normal execution online
- LU
  - test_normal_lu.tar.gz - Download all LU testing data for normal execution (GNU tar.gz format)
  - Browse LU testing data for normal execution online
- LL
  - test_normal_ll.tar.gz - Download all LL testing data for normal execution (GNU tar.gz format)
  - Browse LL testing data for normal execution online
- NETPIPE
  - test_normal_netpipe.tar.gz - Download all NETPIPE testing data for normal execution (GNU tar.gz format)
  - Browse NETPIPE testing data for normal execution online

Abnormal

Library function number per line format:

test_abnormal.tar.gz - Download all testing data for abnormal execution (GNU tar.gz format)
By application:
- FFT
  - test_abnormal_fftw.tar.gz - Download all FFT testing data for abnormal execution (GNU tar.gz format)
  - Browse FFT testing data for abnormal execution online
- IS
  - test_abnormal_is.tar.gz - Download all IS testing data for abnormal execution (GNU tar.gz format)
  - Browse IS testing data for abnormal execution online
- LU
  - test_abnormal_lu.tar.gz - Download all LU testing data for abnormal execution (GNU tar.gz format)
  - Browse LU testing data for abnormal execution online
- LL
  - test_abnormal_ll.tar.gz - Download all LL testing data for abnormal execution (GNU tar.gz format)
  - Browse LL testing data for abnormal execution online
- NETPIPE
  - test_abnormal_netpipe.tar.gz - Download all NETPIPE testing data for abnormal execution (GNU tar.gz format)
  - Browse NETPIPE testing data for abnormal execution online

Questions and comments about this web site may be directed to the webmaster at rwm8@cse.msstate.edu