Threat hunting techniques in Cybersecurity - Time & Space Complexity
When we analyze threat hunting techniques, we want to understand how the time needed grows as the amount of data or alerts increases.
We ask: How does the effort change when we have more logs or events to check?
Analyze the time complexity of the following threat hunting process.
```python
for alert in alerts_list:               # outer loop: runs once per alert (n)
    for log_entry in logs_database:     # inner loop: runs once per log entry (m) for each alert
        if matches(alert, log_entry):   # one comparison per (alert, log) pair
            record_suspicious(log_entry)
analyze_results()                       # runs once, after all n x m checks
```
This code checks every alert against every log entry to find suspicious activity.
Identify the loops, recursion, or array traversals that repeat work.
- Primary operation: Nested loops comparing alerts to logs.
- How many times: For each alert, it checks all log entries.
As the number of alerts and logs grows, the total number of checks increases quickly.
| Input Size (alerts x logs) | Approx. Operations |
|---|---|
| 10 alerts x 100 logs | 1,000 checks |
| 100 alerts x 1,000 logs | 100,000 checks |
| 1,000 alerts x 10,000 logs | 10,000,000 checks |
Pattern observation: The number of operations grows very fast as both alerts and logs increase.
Time Complexity: O(n x m)
This means the time needed grows proportionally to the number of alerts times the number of logs.
[X] Wrong: "Checking alerts one by one is always fast enough."
[OK] Correct: When data grows large, checking every alert against every log can take a very long time.
Understanding how time grows with data size helps you explain how to handle large security data efficiently in real work.
"What if we indexed the logs to quickly find matches? How would the time complexity change?"
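To make the closing question concrete, here is an added example (not code from the original page) that runs the page's nested-loop hunt beside an indexed version over constructed sample data and counts the work each does. It assumes that matches() means equality between an alert's indicator and a log entry's source IP, which the page leaves undefined.

```python
from collections import defaultdict

# Constructed sample data. matches() is assumed to be an equality test on
# the source IP field; the original page does not define it.
ALERTS = [
    {"id": "A1", "indicator": "10.0.0.5"},
    {"id": "A2", "indicator": "192.168.1.20"},
    {"id": "A3", "indicator": "10.0.0.5"},
]
LOGS = [
    {"ts": 1, "src_ip": "10.0.0.5", "event": "login"},
    {"ts": 2, "src_ip": "172.16.0.9", "event": "dns"},
    {"ts": 3, "src_ip": "192.168.1.20", "event": "login"},
    {"ts": 4, "src_ip": "10.0.0.5", "event": "file_read"},
    {"ts": 5, "src_ip": "172.16.0.9", "event": "dns"},
]

def matches(alert, log_entry):
    return alert["indicator"] == log_entry["src_ip"]

def hunt_nested(alerts, logs):
    """The page's O(n x m) process: every alert against every log entry.
    Returns (timestamps of suspicious entries, number of matches() calls)."""
    suspicious = []
    comparisons = 0
    for alert in alerts:
        for log_entry in logs:
            comparisons += 1
            if matches(alert, log_entry):
                suspicious.append(log_entry["ts"])
    return suspicious, comparisons

def hunt_indexed(alerts, logs):
    """Indexed variant: build a dict from src_ip to log entries once (O(m)),
    then do one lookup per alert (O(n)). Total work is O(n + m) plus the
    number of matches actually returned, instead of O(n x m).
    Returns (timestamps of suspicious entries, number of index lookups)."""
    index = defaultdict(list)
    for log_entry in logs:
        index[log_entry["src_ip"]].append(log_entry)
    suspicious = []
    lookups = 0
    for alert in alerts:
        lookups += 1
        for log_entry in index.get(alert["indicator"], []):
            suspicious.append(log_entry["ts"])
    return suspicious, lookups
```

Both functions flag the same entries, but the nested version makes 15 comparisons for 3 alerts and 5 logs while the indexed version makes 3 lookups; the gap widens with the table's larger inputs. The index only helps when matches() is an exact test on a field you can key on, and it costs memory proportional to the log set.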