Author:
Description:
The general problem considered in this thesis is the following: a stream of data (records, packets, events, ...) has to be analyzed by successively applying a set of "rules" to each piece of data. Rules are best viewed as lightweight parallel processes that synchronize on each arrival of a new piece of data. In many applications, such as signature-based intrusion detection, only a few rules are concerned with any given piece of data, but all the other rules have to be executed anyway, just to conclude that they can ignore it. Our goal is to make it possible to avoid this useless work completely. To do so, we perform a static analysis of the code of each rule and build a decision tree that is applied to each piece of data before the rule is executed. The decision tree tells us whether executing the rule would change the global analysis results at all. The decision trees are built at compile time, but evaluating them at each cycle (i.e., for each piece of data) entails an overhead; we therefore organize the set of all computed decision trees so that their evaluation is as fast as possible. The two main original contributions of this thesis are the following. Firstly, we propose a method for organizing the set of decision trees and the set of active rules such that deciding which rules to execute can be done optimally in O(r_u) time, where r_u is the number of useful rules. This time complexity is thus independent of the total number of active rules. The method is based on a global decision tree that integrates all the individual decision trees built from the code of the rules. Secondly, since such a global tree may quickly become far too large if usual data structures are used, we introduce a novel kind of data structure, called a sequential tree, that keeps global decision trees much smaller in many situations where the individual trees share few common conditions.
(When many conditions are shared by the individual trees, the global tree remains small anyway.) To assess our contribution, we first ...
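The dispatch idea described in the abstract, as an added illustration that is not code from the thesis: rules are guards that test record fields for equality, a naive dispatcher evaluates every guard for every record, and a global tree indexes all guards so that a single walk per record yields the useful rules. The tree here is a plain trie over a fixed field order (FIELDS, WILDCARD, the rule set and the sample record are all constructed for this example); it is not the thesis's sequential tree, and because wildcard branches must be explored too its walk cost does not carry the O(r_u) bound the thesis claims. It only shows the principle: rules whose guards cannot match a record are never touched.

```python
"""Dispatching only the "useful" rules for each record (added illustration)."""
from typing import Dict, List, Tuple

Guard = Dict[str, object]                 # field -> required value
Rule = Tuple[str, Guard]                  # (rule name, guard); actions omitted

# Field order for the tree levels (an assumption of this example).
FIELDS = ("proto", "dport", "flags")
WILDCARD = object()                       # branch for rules not testing a field


def naive_dispatch(rules: List[Rule], record: dict) -> Tuple[List[str], int]:
    """Baseline: evaluate every rule's guard. Returns (useful rules, tests done)."""
    useful, tests = [], 0
    for name, guard in rules:
        for field, value in guard.items():
            tests += 1
            if record.get(field) != value:
                break
        else:
            useful.append(name)
    return useful, tests


class GlobalTree:
    """Global decision tree: level i tests FIELDS[i]; leaves list rule names."""

    def __init__(self, rules: List[Rule]) -> None:
        self.root: dict = {}
        for name, guard in rules:
            node = self.root
            for field in FIELDS:
                node = node.setdefault(guard.get(field, WILDCARD), {})
            node.setdefault("rules", []).append(name)

    def dispatch(self, record: dict) -> Tuple[List[str], int]:
        """Walk the tree once; returns (useful rules, field tests evaluated)."""
        useful: List[str] = []
        tests = self._walk(self.root, 0, record, useful)
        return useful, tests

    def _walk(self, node: dict, depth: int, record: dict, out: List[str]) -> int:
        if depth == len(FIELDS):
            out.extend(node.get("rules", []))
            return 0
        tests = 1                                   # one test of FIELDS[depth]
        # Both the exact-value child and the wildcard child are compatible
        # with the record; every other branch is skipped without a test.
        for key in (record.get(FIELDS[depth]), WILDCARD):
            child = node.get(key)
            if child is not None:
                tests += self._walk(child, depth + 1, record, out)
        return tests


def demo_rules() -> List[Rule]:
    """Constructed rule set: a few signatures plus many that rarely fire."""
    rules: List[Rule] = [
        ("ssh_brute", {"proto": "tcp", "dport": 22}),
        ("http_probe", {"proto": "tcp", "dport": 80, "flags": "S"}),
        ("dns_tunnel", {"proto": "udp", "dport": 53}),
        ("any_udp", {"proto": "udp"}),
        ("syn_scan", {"flags": "S"}),
    ]
    rules += [(f"tcp_port_{p}", {"proto": "tcp", "dport": p})
              for p in range(10000, 11000)]
    return rules


# Constructed record: a DNS query over UDP.
RECORD = {"proto": "udp", "dport": 53, "flags": ""}


if __name__ == "__main__":
    rules = demo_rules()
    print("naive:", naive_dispatch(rules, RECORD))   # 1006 guard tests
    print("tree: ", GlobalTree(rules).dispatch(RECORD))  # 6 field tests
```

Both dispatchers return the same useful rules (dns_tunnel and any_udp) for the sample record, but the naive loop spends one test per rule on the thousand TCP rules that can never match a UDP record, whereas the tree never enters the "tcp" branch at all.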
Contributors:
UCL - FSA/INGI - Département d'ingénierie informatique ; Le Charlier, Baudouin ; Deville, Yves ; Van Lamsweerde, Axel ; Mounji, Abdelaziz ; Ducassé, Mireille ; Dacier, Marc
Year of Publication:
2007
Document Type:
info:eu-repo/semantics/doctoralThesis ; [Doctoral and postdoctoral thesis]
Language:
eng
Subjects:
Decision tree ; Parallel analyses ; Intrusion detection
DDC:
006 Special computer methods (computed)
Rights:
info:eu-repo/semantics/openAccess
Relations:
boreal:6253 ; http://hdl.handle.net/2078.1/6253
Content Provider:
DIAL@UCLouvain (Université catholique de Louvain)
- URL: http://dial.uclouvain.be/