
    Declarative domain-specific languages and applications to network monitoring

    Network Intrusion Detection Systems have probably been in use for as long as computer networks have existed. These systems aim to monitor network traffic, looking for anomalies, undesirable behaviour or traces of known attacks, in order to keep users, data, machines and services safe, ensuring that computer networks are secure places to work. In this work, a Network Intrusion Detection System called NeMODe (NEtwork MOnitoring DEclarative approach) was developed, which provides detection mechanisms based on Constraint Programming as well as a Domain Specific Language created to model specific attacks, using declarative programming methodologies, making it possible to relate several network packets and look for intrusions that spread across several packets and over time. The main contributions of the work described in this thesis are: A declarative approach to Network Intrusion Detection Systems, including detection mechanisms based on Constraint Programming, allowing the detection of attacks distributed across several packets and over a time interval. A Domain Specific Language based on Constraint Programming concepts, used to describe the attacks we are interested in detecting. A compiler for the Domain Specific Language provided by the NeMODe system, able to generate multiple attack detectors based on Gecode, Adaptive Search and MiniSat.

    ### Abstract:
    Network Intrusion Detection Systems (NIDSs) have probably been in use for as long as there have been computer networks, with the purpose of monitoring network traffic, looking for anomalies, undesired behaviors or traces of known intrusions, to keep users, data, hosts and services safe, ensuring computer networks are a secure place to work. In this work, we developed a Network Intrusion Detection System (NIDS) called NeMODe (NEtwork MOnitoring DEclarative approach), which provides a detection mechanism based on Constraint Programming (CP) together with a Domain Specific Language (DSL) crafted to model the specific intrusions using declarative methodologies, able to relate several network packets and look for intrusions which span several network packets. The main contributions of the work described in this thesis are: A declarative approach to Network Intrusion Detection Systems, including detection mechanisms based on several Constraint Programming approaches, allowing the detection of network intrusions which span several network packets and spread over time. A Domain Specific Language (DSL) based on Constraint Programming methodologies, used to describe the network intrusions which we are interested in finding in the network traffic. A compiler for the DSL able to generate multiple detection mechanisms based on Gecode, Adaptive Search and MiniSat.

    Efficient Automated Planning with New Formulations

    Problem solving usually relies strongly on how the problem is formulated. This fact also applies to automated planning, a key field in artificial intelligence research. Classical planning used to be dominated by the STRIPS formulation, a simple model based on propositional logic. In the recently introduced SAS+ formulation, the multi-valued variables naturally depict certain invariants that are missed in STRIPS, giving SAS+ many favorable features. Because of its rich structural information, SAS+ has begun to attract a lot of research interest. Existing works, however, are mostly limited to one single thing: improving heuristic functions. This is in sharp contrast with the abundance of planning models and techniques in the field. On the other hand, although the heuristic is a key part of search, its effectiveness is limited. Recent investigations have shown that even if we have almost perfect heuristics, the number of states to visit is still exponential. Therefore, there is a barrier between the nice features of SAS+ and its applications in planning algorithms. In this dissertation, we have recast two major planning paradigms, state space search and planning as Satisfiability (SAT), with three major contributions. First, we have utilized SAS+ for a new hierarchical state space search model by taking advantage of the decomposable structure within SAS+. This algorithm can greatly reduce the time complexity for planning. Second, planning as Satisfiability is a major planning approach, but it is traditionally based on STRIPS. We have developed a new SAS+ based SAT encoding scheme (SASE) for planning. The state space modeled by SASE shows a decomposable structure with certain components independent of others, a promising structure that STRIPS-based encoding does not have. Third, the expressiveness of planning is important for real-world scenarios, thus we have also extended planning as SAT to temporally expressive planning and planning with action costs, two advanced features beyond classical planning. The resulting planner is competitive with state-of-the-art planners, in terms of both quality and performance. Overall, our work strongly suggests a shifting trend of planning from STRIPS to SAS+, and shows the power of formulating planning problems as Satisfiability. Given the important roles of both classical planning and temporal planning, our work will inspire new developments in other advanced planning problem domains.

    Probabilistic Inference Using Partitioned Bayesian Networks: Introducing a Compositional Framework

    Probability theory offers an intuitive and formally sound way to reason in situations that involve uncertainty. The automation of probabilistic reasoning has many applications such as predicting future events or prognostics, providing decision support, action planning under uncertainty, dealing with multiple uncertain measurements, making a diagnosis, and so forth. Bayesian networks in particular have been used to represent probability distributions that model the various applications of uncertainty reasoning. However, present-day automated reasoning approaches involving uncertainty struggle when models increase in size and complexity to fit real-world applications.

    In this thesis, we explore and extend a state-of-the-art automated reasoning method, called inference by Weighted Model Counting (WMC), when applied to increasingly complex Bayesian network models. WMC is comprised of two distinct phases: compilation and inference. The computational cost of compilation has limited the applicability of WMC. To overcome this limitation we have proposed theoretical and practical solutions that have been tested extensively in empirical studies using real-world Bayesian network models.

    We have proposed a weighted variant of OBDDs, called Weighted Positive Binary Decision Diagrams (WPBDD), which in turn is based on the new notion of positive Shannon decomposition. WPBDDs are particularly well suited to represent discrete probabilistic models. The conciseness of WPBDDs leads to a reduction in the cost of probabilistic inference.

    We have introduced Compositional Weighted Model Counting (CWMC), a language-agnostic framework for probabilistic inference that partitions a Bayesian network into subproblems. These subproblems are then compiled and subsequently composed in order to perform inference. This approach significantly reduces the cost of compilation, yet increases the cost of inference. The best results are obtained by seeking a partitioning that allows compilation to (barely) become feasible, but no more, as compilation cost can be amortized over multiple inference queries.

    Theoretical concepts have been implemented in a readily available open-source tool called ParaGnosis. Further implementational improvements have been found through parallelism, by exploiting independencies that are introduced by CWMC. The proposed methods combined push the boundaries of WMC, allowing this state-of-the-art method to be used on much larger models than before.

    The log-support encoding of CSP into SAT

    Abstract. It is known that Constraint Satisfaction Problems (CSP) can be converted into Boolean Satisfiability problems (SAT); however, how to encode a CSP into a SAT problem such that a SAT solver will efficiently find a solution is still an open question. Various encodings have been proposed in the literature. Some of them use a logical variable for each element in each domain: among these, the direct and the support encodings are very successful. It is known that a SAT solver based on the DPLL procedure obtains a propagation similar to Forward Checking on a direct-encoded CSP, and to Maintaining Arc-Consistency on a support-encoded CSP. Other methods, such as the log-encoding, are more compact, and use a logarithmic number of logical variables to encode domains. However, they lack the propagation power of the direct and support encodings, so many SAT solvers perform better on direct/support encodings than on the log-encoding, as witnessed by many works in the literature. In this paper, we propose a new encoding that combines the log and support encodings. The new encoding, called log-support, has a logarithmic number of variables, and uses support clauses to obtain improved propagation. Experiments on Job-Shop scheduling problems and randomly generated problems show the effectiveness of the proposed approach with respect to other popular approaches.