Experiments - crimson-unicorn/core GitHub Wiki

You Are Almost There to See the Results

Finally, it's time to run some experiments. Again, we make sure copy-paste is all you need.

With code and datasets, you are only one step away from running the experiments. Unicorn needs to parse provenance raw data into a uniformed graph format that Unicorn understands, analyze the graphs, and model normal behavior before it can detect any anomalies. We combine these three steps into one simple command, so all you need to do is to copy and paste:

make run_toy

Don't forget, you need to download the code and the datasets first.

:information_source: Under the hood, Unicorn does the following steps:

• Unicorn uses the StreamSpot parser to parse the raw StreamSpot datasets. Unicorn creates a Python virtual environment to handle dependencies. You should take a look at the toy command in the parser's Makefile. A raw graph is split into a base graph and a stream graph, the size of which can be changed via command line arguments. You should take a look at the documentation here to learn more about all possible command line arguments of StreamSpot's parse.py and parse_fast.py.
• Unicorn uses the analyzer to analyze the base and stream graphs output by the parser. You should take a look at the documentation here to learn more about all possible command line arguments of the analyzer, as well as the compilation-time macros.
• Unicorn uses the modeler to build a model for the toy experiments and test on the test dataset. Unicorn creates a Python virtual environment to handle dependencies. You should take a look at the toy command in the modeler's Makefile. You should also take a look at the documentation here to learn more about all possible command line arguments.

The results of this toy experiment should be located in the output/ directory.