DSL for Streaming Network Traffic Analysis

This was just announced at USENIX '12:

In this paper, we introduce Chimera, a declarative query language for network traffic processing that bridges the gap between powerful intrusion detection systems and a simple, platform-independent SQL syntax. Chimera extends streaming SQL languages to better handle network traffic by adding structured data types, first-class functions, and dynamic window boundaries. We show how these constructs can be applied to real-world scenarios, such as side-jacking detection and DNS feature extraction. Finally, we describe the implementation and evaluation of a compiler that translates Chimera queries into low-level code for the Bro event language.

Unfortunately, the paper is paywalled and not many details are there. I love various DSLs if they are well designed. The interesting property about any sort of network security monitoring is that it can't take very long to reach a decision on whether an event or packet is good or bad. Not all systems have to be instant, but where they have to be, the configuration language is quite simple - just a selector of properties and a comparison against known values (I oversimplify here...).

That said, there's ample room for research into slightly delayed responses - say 2 min to reach decision. Having a beautiful language would certainly help. Has anyone seen any related work?
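To make the two regimes in the post concrete (an instant rule that selects a property and compares it to a known value, versus a delayed decision that aggregates over a time window), here is a small Python stand-in for such a query language. It is an added example written for this discussion; it is not Chimera's syntax, not its Bro compiler, and not code from the paper. The DNS-style records, the rule names, the 120-second window and the alert threshold are all constructed for the illustration.

```python
"""Toy streaming rule evaluator (added example, not Chimera or Bro code).

Two kinds of rule from the discussion above:
  * instant rules: pick a record attribute, compare it to a known value,
    decide on that record alone (no latency)
  * windowed rules: aggregate records per key over a trailing time window
    and decide only once enough has been seen (delayed decision)
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional
import operator

# Comparison operators a rule may use against a known value.
OPS = {
    "==": operator.eq,
    "!=": operator.ne,
    ">": operator.gt,
    "<": operator.lt,
    ">=": operator.ge,
    "in": lambda a, b: a in b,
}


@dataclass
class Rule:
    """Instant rule: selector (attr) + comparison (op) against a known value."""
    name: str
    attr: str
    op: str
    value: object

    def matches(self, record: dict) -> bool:
        if self.attr not in record:
            return False
        return OPS[self.op](record[self.attr], self.value)


def evaluate_instant(rules, record: dict):
    """Return names of instant rules that match this single record."""
    return [r.name for r in rules if r.matches(record)]


@dataclass
class WindowedRule:
    """Delayed rule: count distinct values of `collect` per `key` within a
    trailing window of `window_seconds`; fire when the count exceeds
    `threshold`. The window's lower boundary slides with each record."""
    name: str
    key: str
    collect: str
    window_seconds: float
    threshold: int
    where: Optional[Rule] = None  # optional selector applied before aggregation
    _buckets: dict = field(default_factory=lambda: defaultdict(list),
                           init=False, repr=False)

    def feed(self, record: dict):
        """Feed one record; return [(key, distinct_count)] if the rule fires now."""
        if self.where is not None and not self.where.matches(record):
            return []
        key, ts = record[self.key], record["ts"]
        bucket = self._buckets[key]
        bucket.append((ts, record[self.collect]))
        # Expire entries that fell out of the trailing window.
        cutoff = ts - self.window_seconds
        bucket = [(t, v) for t, v in bucket if t > cutoff]
        self._buckets[key] = bucket
        distinct = {v for _, v in bucket}
        if len(distinct) > self.threshold:
            return [(key, len(distinct))]
        return []


def run_stream(instant_rules, windowed_rules, stream):
    """Evaluate all rules over a record stream in arrival order.
    Returns (instant_hits, window_alerts):
      instant_hits  -> [(ts, rule_name)]
      window_alerts -> [(ts, rule_name, key, distinct_count)]"""
    instant_hits, window_alerts = [], []
    for rec in stream:
        for name in evaluate_instant(instant_rules, rec):
            instant_hits.append((rec["ts"], name))
        for w in windowed_rules:
            for key, n in w.feed(rec):
                window_alerts.append((rec["ts"], w.name, key, n))
    return instant_hits, window_alerts


# Constructed sample stream of DNS-query-like records (not real traffic).
SAMPLE_STREAM = [
    {"ts": 0.0,   "src": "10.0.0.5", "qname": "a1.example.test",  "rcode": "NOERROR"},
    {"ts": 10.0,  "src": "10.0.0.5", "qname": "a2.example.test",  "rcode": "NOERROR"},
    {"ts": 20.0,  "src": "10.0.0.7", "qname": "www.example.test", "rcode": "NOERROR"},
    {"ts": 30.0,  "src": "10.0.0.5", "qname": "a3.example.test",  "rcode": "NXDOMAIN"},
    {"ts": 40.0,  "src": "10.0.0.5", "qname": "a4.example.test",  "rcode": "NOERROR"},
    {"ts": 50.0,  "src": "10.0.0.5", "qname": "a5.example.test",  "rcode": "NOERROR"},
    {"ts": 200.0, "src": "10.0.0.5", "qname": "a6.example.test",  "rcode": "NOERROR"},
    {"ts": 210.0, "src": "10.0.0.5", "qname": "a7.example.test",  "rcode": "NOERROR"},
]

# Constructed rules: names and values are illustrative only.
INSTANT_RULES = [
    Rule("watched-client", "src", "in", {"10.0.0.7"}),
    Rule("dns-nxdomain", "rcode", "==", "NXDOMAIN"),
]


def make_windowed_rules():
    """Fresh (stateful) windowed rules: >4 distinct names per client in 120 s."""
    return [WindowedRule("dns-fanout", key="src", collect="qname",
                         window_seconds=120.0, threshold=4)]


if __name__ == "__main__":
    hits, alerts = run_stream(INSTANT_RULES, make_windowed_rules(), SAMPLE_STREAM)
    print("instant:", hits)
    print("windowed:", alerts)
```

The instant rules answer on each record as it arrives, while the windowed rule stays silent until the fifth distinct name from one client lands inside the 120-second window, and goes quiet again once the earlier queries age out; that gap between per-record matching and window-closed decisions is exactly the latency trade-off the post is pointing at.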


The Bro event language.

Vern Paxson's paper Bro: A System for Detecting Network Intruders in Real-Time is an introduction to the Bro language underlying Chimera.

It took me a while to figure

It took me a while to figure out if this was a joke or not (see recent discussions on brogramming languages). Seems legit :)