Today, to generate a process fingerprint (proctor fp), we take the checksum value of the process and its parents' SHAs and combine them to create a new checksum, which is the fingerprint.
The primary use-case of fingerprinting is anomaly detection. As such, the only variance that would cause a different SHA is if the binary of the process or parent process changes. This may not be enough for all users.
This issue proposes introducing configuration where a user may choose the attributes of a process that should be used to generate the fingerprint. This configuration should be global to proctor and stored in a configuration file. Proctor's parsing of this configuration file should then be passed into plib when gathering data.
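The sketch below is an added illustration, not proctor's or plib's code. It shows why a binary-only fingerprint misses a changed command line and how a configurable attribute list catches it. The attribute names (`binary_sha`, `cmdline`, `user`), the `Proc` type and the sample process chains are assumptions constructed for the example.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical attribute names; the issue does not define proctor's config keys.
SUPPORTED_ATTRS = ("binary_sha", "cmdline", "user")

@dataclass(frozen=True)
class Proc:
    binary_sha: str  # checksum of the executable
    cmdline: str
    user: str

def fingerprint(chain, attrs=("binary_sha",)):
    """Hash the selected attributes of a process and each of its ancestors.

    chain is ordered from the process itself up to its oldest ancestor.
    The default attrs reproduce today's behaviour: binary checksums only.
    """
    if not attrs:
        raise ValueError("at least one attribute is required")
    unknown = set(attrs) - set(SUPPORTED_ATTRS)
    if unknown:
        raise ValueError(f"unsupported attributes: {sorted(unknown)}")
    h = hashlib.sha256()
    for proc in chain:
        # Sorted so the order of names in the config file cannot change the result.
        for name in sorted(attrs):
            value = getattr(proc, name).encode()
            # Length prefix keeps adjacent fields from running into each other.
            h.update(name.encode() + b"=" + len(value).to_bytes(4, "big") + value)
    return h.hexdigest()

def sample_chains():
    """Constructed data: same binaries in both chains, different arguments."""
    init = Proc("sha-init", "/sbin/init", "root")
    sshd = Proc("sha-sshd", "/usr/sbin/sshd -D", "root")
    baseline = [Proc("sha-bash", "bash", "alice"), sshd, init]
    changed = [Proc("sha-bash", "bash -c ./deploy.sh", "alice"), sshd, init]
    return baseline, changed

if __name__ == "__main__":
    baseline, changed = sample_chains()
    for attrs in (("binary_sha",), ("binary_sha", "cmdline")):
        same = fingerprint(baseline, attrs) == fingerprint(changed, attrs)
        print(attrs, "-> identical fingerprints" if same else "-> fingerprints differ")
```

Each attribute added to the list makes the fingerprint more sensitive, so attributes that vary on every run would flag every execution as anomalous.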