UadMLPlugin.dll
What this program actually does
UadMLPlugin.dll is the machine-learning augmentation layer for UAD in GCIS. It runs LightGBM models locally and optionally invokes AWS SageMaker endpoints for inference on seat telemetry — Sysmon events, perfmon counters (via PDH), and AppSensor messages — to detect anomalous user behavior beyond rule-based UadPlugin checks.
It is the largest GCIS plugin (~30 MB) because it embeds LightGBM and the AWS SDK. Message Bus endpoint: UadMLPlugin. Build: version 1.0 2026-04-07-b253f97.
Architecture / control flow
```
NvContainerGcis.exe
└─ UadMLPlugin.dll
   ├─ GcisPluginTaskQueue / GSConfigClient (shared framework)
   ├─ Feature extraction pipeline
   │  ├─ PerfmonCollector — PDH counters (CPU/GPU/render metrics)
   │  ├─ Sysmon event subscriber — EvtSubscribe rendering
   │  └─ AppSensorMessage parser — window/process features
   ├─ Inference backends
   │  ├─ LightGBM local predictor (model from S3)
   │  └─ SageMakerPredictor (remote endpoint, AwsSageMakerRole)
   ├─ Model download — AWS S3 client (model URI from config)
   └─ GsecTasTelemetry — inference UEC events
```
Key RTTI: LightGBM types (CreateBoosting, AUCMetric, VirtualFileReader), SageMakerPredictor, AWSClient, S3ClientConfiguration, AppSensorMessage_*.
External interfaces
GCIS / seat config
| Config key (inferred) | Purpose |
|---|---|
| GcisConfigData | Plugin-specific ML rules, model URIs, thresholds |
| IsSageMakerInferenceEnabled | Toggle remote vs local-only inference |
| AwsSageMakerRole | IAM role for SageMaker invoke |
Message Bus
- Endpoint: UadMLPlugin
- Cross-session AppSensor peer (same as UadPlugin in messagebus.conf)
- Receives process/window events for feature extraction
AWS services
| Service | Use |
|---|---|
| S3 | Download LightGBM model files (GSEC_UADML_Error_UnableToDownloadS3File) |
| SageMaker | Remote inference endpoint invoke |
| STS (embedded SDK) | AssumeRole for credentials |
Windows PDH / ETW
- PdhCollectQueryData, PdhGetFormattedCounterValue — perfmon polling
- EvtSubscribe, EvtRender — Sysmon event rendering for ML features
Runtime timeline
| Time (UTC) | Event | Source |
|---|---|---|
| 19:04:52.165 | Secure-load UadMLPlugin 1.0.0.0 | NvContainerGcis.log |
| 19:04:52.791 | Init OK, AIN subscription fails error 1 | UadMLPluginCurrent.log |
| 19:04:52.883 | PluginStart: telemetry + TAS session initiated | UadMLPluginCurrent.log |
| 19:04:53.025 | GcisConfigData OBJECT_NOT_FOUND → start failure | UadMLPluginCurrent.log |
| 19:04:53.044 | Mandatory plugin Starting failure notification | NvContainerGcis.log |
No inference ran in this snapshot — the plugin never reached the armed state. The data log UadMLPluginData.log exists but is empty or near-empty for this failed run.
Failure modes
| Error string | Meaning |
|---|---|
| GSEC_UADML_Error_UnableToDownloadS3File | Model artifact fetch from S3 failed |
| GSEC_UADML_Error_UndefinedModelUriInModelConfigurationFile | Config missing model URI |
| GSEC_UADML_Error_UnableToInvokeSageMakerEndpoint | Remote inference call failed |
| GSEC_UADML_Error_FailureDuringLocalPrediction | LightGBM inference error |
| GSEC_UADML_Error_PdhCollectQueryDataFailedDuringInitialization | Perfmon collector setup failed |
| GSEC_UADML_Error_FailedToSubscribeToSysmonEvents | ETW/Sysmon subscription failed |
| GSEC_UADML_Error_FailedToParseAppSensorMessage | Malformed AppSensor protobuf |
| GSEC_UADML_Error_FeatureExtractionError / InferenceError | Pipeline stage failure |
| SageMakerPredictor construction error: No AWS region provided | Missing AWS region in config |
| Missing GcisConfigData | PluginStart abort (observed) |
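To show how the runtime timeline and the failure-mode table combine into a triage check, here is an added Python example (not part of the original analysis, and not GCIS or NVIDIA code) that replays constructed log lines, reconstructs the furthest pipeline stage the plugin reached and reports the first start-blocking error. The timestamp layout, the progress-marker wording (Init OK, Model loaded, Collectors ready, Plugin armed, Inference result), the treatment of pre-armed errors as fatal and the sample lines are all assumptions; only the stage order and the GSEC_UADML_Error_* names come from the tables above.

```python
"""Triage helper for UadMLPlugin logs: reconstruct how far the plugin got.

Assumptions (not from the original analysis): the "HH:MM:SS.mmm message" line
layout, the progress-marker wording and the sample lines below are constructed
for illustration. Only the stage ordering and the GSEC_UADML_Error_* names are
taken from the runtime timeline and failure-mode table.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Pipeline stages in the order the plugin must pass through them.
STAGES = ["secure-load", "init", "plugin-start", "config", "model-download",
          "collectors", "armed", "inference"]

# Error string -> stage at which it is raised (from the failure-mode table).
# "GSEC_UADML_Error_InferenceError" expands the table's "... / InferenceError"
# shorthand and is therefore an assumption.
ERROR_STAGE = {
    "GcisConfigData OBJECT_NOT_FOUND": "config",
    "GSEC_UADML_Error_UndefinedModelUriInModelConfigurationFile": "config",
    "No AWS region provided": "config",
    "GSEC_UADML_Error_UnableToDownloadS3File": "model-download",
    "GSEC_UADML_Error_PdhCollectQueryDataFailedDuringInitialization": "collectors",
    "GSEC_UADML_Error_FailedToSubscribeToSysmonEvents": "collectors",
    "GSEC_UADML_Error_FailedToParseAppSensorMessage": "inference",
    "GSEC_UADML_Error_FeatureExtractionError": "inference",
    "GSEC_UADML_Error_InferenceError": "inference",
    "GSEC_UADML_Error_FailureDuringLocalPrediction": "inference",
    "GSEC_UADML_Error_UnableToInvokeSageMakerEndpoint": "inference",
}

# Progress markers -> stage reached. The exact log wording is an assumption;
# the first three mirror the runtime timeline table.
PROGRESS_MARKERS = [
    ("Secure-load UadMLPlugin", "secure-load"),
    ("Init OK", "init"),
    ("PluginStart", "plugin-start"),
    ("Model loaded", "model-download"),
    ("Collectors ready", "collectors"),
    ("Plugin armed", "armed"),
    ("Inference result", "inference"),
]

LINE_RE = re.compile(r"^(?P<ts>\d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<msg>.*)$")


@dataclass
class Triage:
    furthest_stage: Optional[str] = None
    fatal_error: Optional[str] = None   # first error raised before "armed"
    fatal_stage: Optional[str] = None
    fatal_ts: Optional[str] = None
    inference_ran: bool = False
    errors: List[Tuple[str, str, str]] = field(default_factory=list)


def triage_log(lines):
    """Walk log lines in order and return a Triage summary."""
    t = Triage()
    best = -1
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that do not carry a timestamp prefix
        ts, msg = m.group("ts"), m.group("msg")
        for marker, stage in PROGRESS_MARKERS:
            if marker in msg:
                idx = STAGES.index(stage)
                if idx > best:
                    best, t.furthest_stage = idx, stage
                if stage == "inference":
                    t.inference_ran = True
        for err, stage in ERROR_STAGE.items():
            if err in msg:
                t.errors.append((ts, err, stage))
                # Assumption: any error before the armed stage blocks start-up,
                # as the observed GcisConfigData OBJECT_NOT_FOUND case did.
                if t.fatal_error is None and STAGES.index(stage) < STAGES.index("armed"):
                    t.fatal_error, t.fatal_stage, t.fatal_ts = err, stage, ts
    return t


# Constructed sample mirroring the observed failed run in the timeline table.
SAMPLE_FAILED_RUN = [
    "19:04:52.165 Secure-load UadMLPlugin 1.0.0.0",
    "19:04:52.791 Init OK, AIN subscription fails error 1",
    "19:04:52.883 PluginStart: telemetry + TAS session initiated",
    "19:04:53.025 GcisConfigData OBJECT_NOT_FOUND",
]

# Constructed sample of a run that armed and then lost the remote endpoint.
SAMPLE_ARMED_RUN = [
    "19:10:00.000 Secure-load UadMLPlugin 1.0.0.0",
    "19:10:00.500 Init OK",
    "19:10:00.600 PluginStart: telemetry + TAS session initiated",
    "19:10:02.000 Model loaded from s3://<model-uri-placeholder>",
    "19:10:02.100 Collectors ready",
    "19:10:02.200 Plugin armed",
    "19:10:12.200 Inference result: score=0.07",
    "19:10:22.200 GSEC_UADML_Error_UnableToInvokeSageMakerEndpoint",
]

if __name__ == "__main__":
    for name, sample in (("failed", SAMPLE_FAILED_RUN), ("armed", SAMPLE_ARMED_RUN)):
        print(name, triage_log(sample))
```

Running the block on the first sample reports furthest stage plugin-start with the config-stage error as fatal and no inference, matching the timeline; on the second it reports an inference-stage error after a successful arm, which the table classifies as a remote-call failure rather than a start abort.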
Not verified
- Exact LightGBM model feature vector schema.
- SageMaker endpoint name/region for [REDACTED_BASE_ENV] seats.
- Inference frequency and DPU message posting (FailedToPostInferenceMessageToDpu).
- Whether local-only mode works without AWS credentials on seat.
Evidence
- strings / RTTI on services/GCIS/plugins/UadMLPlugin.dll
- logs/GCIS/UadMLPluginCurrent.log, UadMLPluginOld.log, UadMLPluginData.log
- services/GSP/plugins/messagebus.conf
- logs/GSP/GSConfiguratorPluginCurrent.log