The Mochi demonstration application simulates clusters of failed logins at a bank, either by phone or web, as well as withdrawals or debits using the same customer id number.
To run the Mochi demo, do one of the following:
Note: If the Mochi demo does not start, we recommend rebooting the machine on which s-Server is installed. When you run the Mochi script, it does the following:
Note: the Linux server user who runs the Mochi demo must be using the latest version of Mozilla Firefox or Google Chrome in order to work.
If your machine does not have a GUI, you can run the script $SQLSTREAM_HOME/demo/mochi/runDemo.sh.
This is the same script that is run when you click the desktop icon. When the script detects that your system has no browser installed, it will print out a message that includes the URL on which the demo runs. You can then point to this URL from any machine that can access it (including Windows machines) in order to view the demo.
To launch s-Dashboard, open a browser and enter localhost:5595/dashboards The home page for s-Dashboard appears:
The Dashboards home page lets you launch four different dashboards. The first three offer combinations of a map with login failure alerts by geographical locations, and either a chart of failed logins or a table of geographical locations. The fourth, Stoplight, flags login failures by yellow
To stop the Mochi demo, do one of the following:
This will stop all pumps, datagens, WebAgent and s-Dashboard instances started by the Mochi demo.
The Mochi demo gathers simulated data on phone login events and web login events, then analyzes this data to identify clusters of failed login attempts. It tracks data using the following columns.
Column | Explanation |
---|---|
recNo | A unique record id for the event. |
ts | A timestamp for the event. |
accountNumber | Eleven digit number. |
loginSuccessful | Boolean true or false for login event. |
sourceIP | Originating id for login. |
destIP | Ip address that user attempted to log into. |
customerId | ID for customer. |
CREATE OR REPLACE STREAM "WebLoginEvents"
("recNo" INTEGER,
"ts" TIMESTAMP NOT NULL,
"accountNumber" INTEGER,
"loginSuccessful" BOOLEAN,
"sourceIP" VARCHAR(32),
"destIP" VARCHAR(32),
"customerId" INTEGER)
DESCRIPTION 'Logins from the web app';
Column | Explanation |
---|---|
recNo | A unique record id for the event. |
accountNumber | Eleven digit number. |
loginSuccessful | Boolean true or false for login event. |
callerId | Phone number for login. |
directDial | Number dialed at bank. |
customerId | ID for customer. |
SQLstream uses streams to capture dynamically changing data so that this data can be queried with SQL. The stream used to capture data for Mochi's web login events is called WebLoginEvents and is created with the following block of SQL:
CREATE OR REPLACE STREAM "PhoneLoginEvents"
("recNo" INTEGER,
"ts" TIMESTAMP NOT NULL,
"accountNumber" INTEGER,
"loginSuccessful" BOOLEAN,
"callerId" VARCHAR(32),
"directDial" VARCHAR(32),
"customerId" INTEGER)
DESCRIPTION 'Logins from the phone system';
The Mochi demo uses the ECDA adapter to tail and parse a sample log file from a web server to track web login events. See the topic Reading from the File System in the Integration Guide for more details.
The code for a sample foreign stream is as follows:
CREATE OR REPLACE FOREIGN STREAM "WebLoginEvents"
("recNo" INTEGER,
"ts" TIMESTAMP NOT NULL,
"accountNumber" INTEGER,
"loginSuccessful" BOOLEAN,
"sourceIP" VARCHAR(32),
"destIP" VARCHAR(32),
"customerId" INTEGER)
SERVER FILE_SERVER
OPTIONS (
directory '/tmp/mochi',
filename_pattern 'web_login\.log',
parser 'CSV',
encoding 'UTF-8',
skip_header 'true')
DESCRIPTION 'Login stream from web app';
Once the Mochi demo has created streams to gather data on the demo's events, it uses views to generate relationships between the streams' data. For example, the following code combines phone login events with the phone numbers' location.
CREATE OR REPLACE VIEW "WebLoginEventsWithLocation"
DESCRIPTION 'Web login events enriched by GeoIP lookup'
AS
SELECT STREAM
"recNo", "ts", "accountNumber", "loginSuccessful",
"sourceIP", "destIP", "customerId",
"countryCode", "countryName", "city", "region",
CAST("latitude" AS DECIMAL(8,5)) AS "lat",
CAST("longitude" AS DECIMAL(8,5)) AS "lon"
FROM STREAM(MOCHI_UTIL."addIpLocation"(
CURSOR(SELECT STREAM * FROM "WebLoginEvents2"),
'ipNum'));
Other views identify suspect login events by combining data from web login streams and phone login streams, then identifying account numbers with more than three failed login attempts in a minute:
CREATE OR REPLACE VIEW "SuspectLoginFailures"
DESCRIPTION 'Windowed stream view to detect groups of failed logins'
AS
SELECT STREAM
"accountNumber",
-- "loginFailureCount",
"webFail", "phoneFail",
"city", "region", "lat", "lon"
FROM (
SELECT STREAM
"accountNumber",
-- COUNT(*) OVER "lastMinute" AS "loginFailureCount",
SUM(MOCHI_UTIL.CMI("accessType", 'WEB')) OVER "lastMinute" AS "webFail",
SUM(MOCHI_UTIL.CMI("accessType", 'PHONE')) OVER "lastMinute" AS "phoneFail",
"city", "region", "lat", "lon"
FROM "LoginEvents"
WHERE NOT "loginSuccessful"
WINDOW "lastMinute" AS (
PARTITION BY "accountNumber"
ORDER BY "LoginEvents".ROWTIME
RANGE INTERVAL '1' MINUTE PRECEDING))
WHERE "webFail" + "phoneFail" > 3;
To change the amount, rate, and type of data generated, modify the xml files in /demo/mochi/datagen
For more information on Datagen, see the topic Generating Test Data with DataGen