[Correlation] Generate correlations through multiple requests #9884
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
I've been chatting with someone on Gitter who is facing similar performance issues on calculation of correlations. They are using MariaDB. Their query seems OK and creating the correct sort_union:
However the query is still extremely slow to return: If we simulate splitting the request into multiple per field, we are seeing much better performance. For example this is one part of the query looking at
Therefore I think this is a good change to make. |
JakubOnderka
reviewed
Sep 7, 2024
…ts to avoid poor SQL optimization strategy
tomking2
force-pushed
the
feature/correlation_optimize_fix
branch
from
d144694
to
77724e8
Compare
|
Thanks @JakubOnderka, I've updated to use |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What does it do?
This one might be up for debate, but I think it's a healthy addition that ensures consistent performance across all MySQL implementations (be that MariaDB, MySQL, AWS RDS or Azure MySQL etc.).
We were spotting that during ingestion of events with severe over-correlating values, we were seeing a major degradation of performance when generating correlation values.
The current code looks for the value in either
value1orvalue2via an OR clause, leaving MySQL to find the best optimisation strategy for performing this query. We found that on our MySQL DB (which wasn't MariaDB), the optimisation strategy was not optimal for every request. It appeared that for over-correlating IOCs, instead of using asort_unionstrategy on thevalue1andvalue2indexes, it was instead opting to use theevent_idas the selected index. I couldn't find a consistent method to force the correct strategy.What did this mean for our MISP instance? Instead of correlations taking <= 0.1s per attribute, it was taking around 5-7s per attribute. When trying to ingest an event with 4K objects and 80K attributes (every object had high correlations), it would've taken around 6 days to finish ingestion.
So what does this PR do? Instead of relying upon SQL to find a suitable optimisation strategy for the
valueconditions within the OR clause, separate DB calls are made for each value condition, enabling straightforward indexes to be used for the query. Correlation limits and bits like ACL are still adhered to during the lookups.Potential impact - While this will ensure consistent performance when generating correlations, for MariaDB that appears to consistently create well-optimised queries (although I haven't done much validation here), a slight reduction in performance may be sighted as it now must make up to 3 DB calls instead of just the 1. However given many MISP instances will not be using MariaDB, I reckon this is a good tradeoff.
Questions