
DSL for Streaming Network Traffic Analysis

This was just announced at USENIX 12:

In this paper, we introduce Chimera, a declarative query language for network traffic processing that bridges the gap between powerful intrusion detection systems and a simple, platform-independent SQL syntax. Chimera extends streaming SQL languages to better handle network traffic by adding structured data types, first-class functions, and dynamic window boundaries. We show how these constructs can be applied to real-world scenarios, such as side-jacking detection and DNS feature extraction. Finally, we describe the implementation and evaluation of a compiler that translates Chimera queries into low-level code for the Bro event language.

Unfortunately, the paper is paywalled and there are not many details. I love various DSLs if they are well designed. The interesting property about any sort of network security monitoring is that it can't take very long to reach a decision on whether an event or packet is good or bad. Not all systems have to be instant, but where they have to be, the configuration language is quite simple - just a selector of properties and a comparison against known values (I oversimplify here...).

That said, there's ample room for research into slightly delayed responses - say 2 min to reach decision. Having a beautiful language would certainly help. Has anyone seen any related work?
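As an added illustration of the side-jacking scenario and the windowed matching the abstract mentions (this is not Chimera syntax or the paper's code, just plain Python), the detector below flags a session cookie that appears from more than one client address within a sliding time window; the event stream, field names and the 120-second window are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample stream of HTTP requests carrying a session cookie:
# (timestamp_seconds, session_cookie, client_ip). Not real traffic.
SAMPLE_EVENTS = [
    (0.0,   "sess-A", "10.0.0.5"),
    (30.0,  "sess-A", "10.0.0.5"),
    (45.0,  "sess-B", "10.0.0.9"),
    (70.0,  "sess-A", "192.0.2.77"),  # same cookie, new client: suspicious
    (300.0, "sess-B", "10.0.0.14"),   # earlier sess-B sighting has aged out
    (310.0, "sess-B", "10.0.0.9"),    # two clients inside the window: alert
]


class SideJackDetector:
    """Flags one session cookie seen from >1 client IP within `window` seconds."""

    def __init__(self, window=120.0):
        self.window = window
        self.last_seen = defaultdict(dict)  # cookie -> {client_ip: last timestamp}

    def observe(self, ts, cookie, ip):
        seen = self.last_seen[cookie]
        # Window boundary is per session, not a fixed clock tick: drop every
        # sighting of this cookie older than `window` relative to this event.
        for old_ip in [i for i, t in seen.items() if ts - t > self.window]:
            del seen[old_ip]
        others = sorted(i for i in seen if i != ip)
        seen[ip] = ts
        if others:
            return {"ts": ts, "cookie": cookie, "ip": ip, "also_from": others}
        return None


def run(events, window=120.0):
    """Feed a stream through one detector and return the alerts it raised."""
    det = SideJackDetector(window)
    return [a for a in (det.observe(*e) for e in events) if a]


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

Clients behind NAT pools or mobile networks legitimately change addresses mid-session, so in practice this rule is a signal to correlate with other features rather than a verdict on its own.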
