Nov 20, 2020 by Thibault Debatty
Now that you have a running MARk server, with data flowing in, you can use the provided algorithms to build your detection chain.
For this blog post you first need to install MARk and create a data injector, as described in Getting started with MARk: create a PHP data injector.
Once your MARk server is started, you should see a new directory called modules. This directory is mapped by docker-compose to the corresponding directory inside the MARk container. It contains the YAML files that describe the different detectors. For now it is empty.
In the modules directory, create a first file called counter.detection.yml with the following content:
In this file:
the .detection.yml suffix indicates to MARk that this file contains the definition of a detector;
class_name is the algorithm that should be executed. Counter is one of the built-in algorithms;
trigger_label indicates when this algorithm should be executed;
label indicates the label for the produced evidence reports. It can be used by other detectors that will build on top of our counter.
Now, on the web interface, head back to the Status page and click the 'Reload' button.
MARk will reload the modules directory, and execute the detection algorithm as requested. You can see your detector appear on the 'Ranking' page.
And if you click on the detection.count detector, it will display the ranking produced by this detector.
Most detectors also accept optional parameters, like
Counter.java, the default time_window is 3600 seconds (1h). Let's add another detector, with a custom time_window of 300 seconds (5 minutes). Therefore we add a new detection configuration, called counter.5m.detection.yml:
time_window : 300
For this detector we use the same trigger_label, but we must indicate a different label for the produced scores.
Once again, we click on 'Reload', and the new detector should appear.
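Because MARk wires detectors together purely through trigger_label and label, mistakes in the modules directory only show up after a reload. As an added example (not code from MARk or from this post), here is a small Python checker for the flat key: value layout shown above: it verifies that every *.detection.yml carries class_name, trigger_label and label, that no two definitions produce the same label, and that following trigger_label to label never loops back on itself. It assumes exact label matching and uses data.http as a constructed trigger label for the sample; real files with nested parameters would need the loader adapted.

```python
from pathlib import Path
import re
from collections import defaultdict

REQUIRED = ("class_name", "trigger_label", "label")
KV = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*:\s*(.*?)\s*$")

def parse_flat_yaml(text):
    """Parse flat 'key : value' lines; blank lines and # comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        match = KV.match(raw.split("#", 1)[0])
        if match:
            conf[match.group(1)] = match.group(2).strip("'\"")
    return conf

def load_modules(modules_dir):
    """Map each *.detection.yml in modules_dir to its parsed configuration."""
    return {p.name: parse_flat_yaml(p.read_text(encoding="utf-8"))
            for p in sorted(Path(modules_dir).glob("*.detection.yml"))}

def check_chain(detectors):
    """Return the problems found: missing keys, duplicate labels, trigger cycles."""
    problems, producers, edges = [], defaultdict(list), defaultdict(set)
    for fname, conf in detectors.items():
        missing = [k for k in REQUIRED if k not in conf]
        if missing:
            problems.append(f"{fname}: missing {', '.join(missing)}")
            continue
        producers[conf["label"]].append(fname)
        # Evidence labelled conf["label"] triggers every detector whose
        # trigger_label equals it (assumption: exact label matching).
        edges[conf["trigger_label"]].add(conf["label"])
    for label, files in producers.items():
        if len(files) > 1:
            problems.append(f"label {label} produced twice: {', '.join(files)}")

    def reaches(node, target, seen):
        return any(nxt == target or (nxt not in seen and reaches(nxt, target, seen | {nxt}))
                   for nxt in edges.get(node, ()))

    for label in list(edges):
        if reaches(label, label, set()):
            problems.append(f"cycle through label {label}")
    return problems

# Constructed sample: the two counters from this post (trigger label data.http is assumed).
SAMPLE = {"counter.detection.yml": "class_name: Counter\ntrigger_label: data.http\nlabel: detection.count\n",
          "counter.5m.detection.yml": "class_name: Counter\ntrigger_label: data.http\n"
                                      "label: detection.count.5m\ntime_window : 300\n"}
```

Run check_chain(load_modules("modules")) before clicking 'Reload' to catch a duplicated label or a self-triggering chain early.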
In the same way, by adding more definition files, we can add more detectors. At the time of writing, there are 8 available algorithms:
You can find the most up-to-date list of built-in detectors and the documentation of each detector on the GitLab project itself: https://gitlab.cylab.be/cylab/mark/-/tree/master/server/src/main/java/be/cylab/mark/detection
This blog post is licensed under CC BY-SA 4.0