Compilers: principles, techniques, and tools
Compilers: principles, techniques, and tools
Bro: a system for detecting network intruders in real-time
Computer Networks: The International Journal of Computer and Telecommunications Networking
Query Optimization in Database Systems
ACM Computing Surveys (CSUR)
PostgreSQL: introduction and concepts
PostgreSQL: introduction and concepts
Oracle PL/SQL Programming
The Volcano Optimizer Generator: Extensibility and Efficient Search
Proceedings of the Ninth International Conference on Data Engineering
Gigascope: a stream database for network applications
Proceedings of the 2003 ACM SIGMOD international conference on Management of data
Filtering postures: local enforcement for global policies
SP '97 Proceedings of the 1997 IEEE Symposium on Security and Privacy
Aurora: a new model and architecture for data stream management
The VLDB Journal — The International Journal on Very Large Data Bases
LEO: An autonomic query optimizer for DB2
IBM Systems Journal
Snort - Lightweight Intrusion Detection for Networks
LISA '99 Proceedings of the 13th USENIX conference on System administration
Window-aware load shedding for aggregation queries over data streams
VLDB '06 Proceedings of the 32nd international conference on Very large data bases
Towards a streaming SQL standard
Proceedings of the VLDB Endowment
Empowering users against sidejacking attacks
Proceedings of the ACM SIGCOMM 2010 conference
SECRET: a model for analysis of the execution semantics of stream processing systems
Proceedings of the VLDB Endowment
Hi-index | 0.00 |
Intrusion detection systems play a vital role in network security. Central to these systems is the language used to express policies. Ideally, this language should be powerful, implementation-agnostic, and cross-platform. Unfortunately, today's popular intrusion detection systems fall short of this goal. Each has their own policy language in which expressing complicated logic requires implementation-specific code. Database systems have adapted SQL to handle streaming data, but have yet to achieve the efficiency and flexibility required for complex intrusion detection tasks. In this paper, we introduce Chimera, a declarative query language for network traffic processing that bridges the gap between powerful intrusion detection systems and a simple, platform-independent SQL syntax. Chimera extends streaming SQL languages to better handle network traffic by adding structured data types, first-class functions, and dynamic window boundaries. We show how these constructs can be applied to real-world scenarios, such as side-jacking detection and DNS feature extraction. Finally, we describe the implementation and evaluation of a compiler that translates Chimera queries into low-level code for the Bro event language.