An SCL-based constraint representation language for intrusion detectio

In this thesis, we have extended the SCL (Structured and Context Language) network protocol description language to describe the complex constraints for the network engineer. Previous SCL developed with the focus of penetration testing and not sufficient for constraint scenarios. The constraint scenarios include multiple-packet with order and environmental information. To address the current limitation of the SCL, we have proposed syntaxes which are declarative in nature. We have studied three different styles of syntaxes to handle constraint scenarios of an IDS (Intrusion detection system). The three syntaxes are based on Java expressions, QUEL and Prolog. We have represented three constraints for command and control systems such as ATC (Air Traffic Control) network using our syntaxes. The same constraints have been previously used by a constraint engine to demonstrate the capability of the IDS. We evaluate each of the syntax based on the four design guidelines for the domain specific language (DSL). The Java-based syntax shows better capability to represent constraints based on four DSL design guidelines. Finally, we show the mapping of the constraints represented in our syntaxes with the low-level DSL (Domain Specific Language) of the constraint engine. The mapping shows our syntaxes has all relevant information to translate into the low-level DSL.