DSL for Streaming Network Traffic Analysis

This was just announced at USENIX 12:

In this paper, we introduce Chimera, a declarative query language for network traffic processing that bridges the gap between powerful intrusion detection systems and a simple, platform-independent SQL syntax. Chimera extends streaming SQL languages to better handle network traffic by adding structured data types, first-class functions, and dynamic window boundaries. We show how these constructs can be applied to real-world scenarios, such as side-jacking detection and DNS feature extraction. Finally, we describe the implementation and evaluation of a compiler that translates Chimera queries into low-level code for the Bro event language.

Unfortunately, the paper is paywalled and not many details are there. I love various DSLs if they are well designed. The interesting property about any sort of network security monitoring is that it can't take very long to reach a decision on whether an event or packet is good or bad. Not all systems have to be instant, but where they do, the configuration language is quite simple - just a selector of properties and comparison against known values (I oversimplify here...).

That said, there's ample room for research into slightly delayed responses - say 2 min to reach decision. Having a beautiful language would certainly help. Has anyone seen any related work?
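To make the windowing idea in the abstract concrete, here is a small Python evaluator for per-source DNS feature windows whose boundaries are both time-driven (a 2-minute span) and data-driven (a window closes early once enough NXDOMAIN answers accumulate). This is an added illustration written for this post, not Chimera syntax and not code from the paper; the `DnsEvent` record, the window rules, the thresholds and the sample stream are all constructed assumptions.

```python
"""Toy streaming evaluator: per-source DNS feature windows with time- and data-driven boundaries.
Added example; not Chimera syntax and not the paper's code. All names and thresholds are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class DnsEvent:
    """Constructed DNS record: timestamp (seconds), source host, queried name, response code."""
    ts: float
    src: str
    qname: str
    rcode: str  # "NOERROR" or "NXDOMAIN"


@dataclass
class Window:
    start: float
    events: list = field(default_factory=list)


def features(win):
    """DNS feature extraction over one closed window."""
    n = len(win.events)
    names = {e.qname for e in win.events}
    nx = sum(1 for e in win.events if e.rcode == "NXDOMAIN")
    return {
        "queries": n,
        "distinct_names": len(names),
        "nxdomain_ratio": nx / n,
        "span": win.events[-1].ts - win.start,
    }


def run(events, max_span=120.0, close_after_nx=5):
    """Group events per source into windows and emit features when a window closes.

    A window closes on a time boundary (max_span seconds since it opened) or on a
    data-driven boundary (close_after_nx NXDOMAIN answers seen), whichever comes first.
    Returns a list of (src, features) in emission order; still-open windows are flushed at the end.
    """
    open_windows = {}
    results = []
    for ev in sorted(events, key=lambda e: e.ts):
        win = open_windows.get(ev.src)
        if win is not None and ev.ts - win.start >= max_span:
            # Time boundary reached: close the old window, the current event opens a new one.
            results.append((ev.src, features(win)))
            win = None
        if win is None:
            win = Window(start=ev.ts)
            open_windows[ev.src] = win
        win.events.append(ev)
        if sum(1 for e in win.events if e.rcode == "NXDOMAIN") >= close_after_nx:
            # Data-driven boundary: enough failed lookups to decide now, no need to wait 2 minutes.
            results.append((ev.src, features(win)))
            del open_windows[ev.src]
    for src, win in open_windows.items():
        results.append((src, features(win)))
    return results


def alerts(results, min_distinct=5, min_nx_ratio=0.8):
    """Simple selector-and-compare rule over extracted features (assumed thresholds)."""
    return [src for src, f in results
            if f["distinct_names"] >= min_distinct and f["nxdomain_ratio"] >= min_nx_ratio]


def sample_stream():
    """Constructed input: one host with a burst of failing lookups, one with ordinary traffic."""
    burst = [DnsEvent(100.0 + 6 * i, "10.0.0.5", f"q{i}x.example.test", "NXDOMAIN") for i in range(6)]
    normal = [
        DnsEvent(0.0, "10.0.0.7", "example.com", "NOERROR"),
        DnsEvent(60.0, "10.0.0.7", "example.org", "NOERROR"),
        DnsEvent(150.0, "10.0.0.7", "example.net", "NOERROR"),
    ]
    return burst + normal


def demo():
    return alerts(run(sample_stream()))


if __name__ == "__main__":
    for src, f in run(sample_stream()):
        print(src, f)
    print("alerts:", demo())
```

The point of the data-driven boundary is the latency trade-off discussed above: a fixed 2-minute window would report the burst from 10.0.0.5 only after it expires, whereas the NXDOMAIN count lets the rule fire 24 seconds after the first query, while 10.0.0.7's ordinary lookups still get rolled up on the time boundary.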


This certainly sounds like

This certainly sounds like Microsoft's StreamInsight, maybe with some specialization to make things easier since you know you're targeting network communication.


[double posted since the site had a DB error that apparently was unrelated to actually posting the message]