Changes between Version 21 and Version 22 of ExDescLang


Timestamp:
Oct 11, 2010 2:47:41 PM (14 years ago)
Author:
sunshine
Comment:

--

  • ExDescLang

    v21 v22  
    3030= Diving in =
    3131
    32 I'll now ignore the question '''which language to use to design experiments''' because I think that pretty much any language can be used once we know '''what we want to say'''. To figure this out I'll try to use a variant of FSA (finite state automata) and Arun's adaptation of TLA (temporal logic algebra) to describe example experiments from above. If the level of detail is right we can decide on appropriate language in the next step.
     32I'll now ignore the question '''which language to use to design experiments''' because I think that pretty much any language can be used once we know '''what we want to say'''. To figure this out I'll try to use a mix of FSA (finite state automata) and protocol diagrams, and Arun's adaptation of TLA (temporal logic algebra) to describe example experiments from above. If the level of detail is right we can decide on appropriate language in the next step.
    3333
    3434== Example 1: botnet ==
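Review bot: the rewritten "Diving in" sentence still expands TLA as "temporal logic algebra"; TLA is Lamport's Temporal Logic of Actions, so correct the parenthetical while this line is being edited (the expansion is the same in v21 and v22). This revision also adds "protocol diagrams" to the mix of notations, so say here which notation covers which of the dimensions used below (for example FSA for host states, protocol diagrams for the timeline of events, TLA for invariants, or whatever split is intended); otherwise the reader reaches the wormobj/wormwf figures without knowing what they are drawn in.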
     
    4040Dimensions:
    4141 * '''Logical topology:'''
     42   [[Image(wormobj.jpg)]]
     43   (in English: There must be two sets of hosts, at least one infected host in infected set and at least one vulnerable host in vulnerable set. There can be a third set of hosts that are not vulnerable or infected. These sets are disjoint.)
     44 * '''Timeline of events: '''
     45   [[Image(wormwf.jpg)]]
     46   (in English: Each infected host generates scan events that target a vulnerable host - double line means one object acts upon another. There is at least one such event for a vulnerable host and at least one pair of scan+vulnerable host in the experiment. Once an infection event occurs on vulnerable host it transitions to an infected state. An infected host may scan other, non-vulnerable hosts).
     47   Note that I haven't yet defined what scan and infection events mean. I have to do this somewhere but I think the right place for this would be a common repository of domain knowledge rather than attaching these per experiment class since many classes of experiments may need same definitions. Ultimately what I'd like to say in these definitions in plain English is:
     48     * scan event generates traffic from A to B that exploits a vulnerability at B
     49     * infection event at B executes some code that places a copy of malware at B with ability to auto-start
     50
     51 * '''Invariants:''' There are some in definition of topology and timeline above. No additional ones are needed here.
     52
     53=== P2P w leader and C&C traffic metadescription ===
     54
     55* '''Logical topology:'''
    4256   [[Image(peerobj.jpg)]]
    4357   (in English: There must be two sets of hosts, at least two eligible peers and at least one leader. Nothing is said about relationship between sets so it's possible that there's an intersection between those that is non-empty.)
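Review bot: the new scan definition contradicts the new timeline text. The definition says a scan event "generates traffic from A to B that exploits a vulnerability at B", yet the timeline says an infected host "may scan other, non-vulnerable hosts", where there is no vulnerability to exploit. Define the scan as an exploit attempt against B (traffic that would compromise B if B is vulnerable) and make the infection event conditional on B being in the vulnerable set; that also makes the vulnerable -> infected transition in the FSA well-defined. Two smaller points: "These sets are disjoint" and "at least one pair of scan+vulnerable host" are invariants, so list them under '''Invariants''' instead of stating that no additional ones are needed, which would let a checker evaluate them; and the new "=== P2P w leader and C&C traffic metadescription ===" heading sits next to botnet dimensions that have no heading of their own, so give the worm description a parallel === heading above "Dimensions:".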
     
    5064
    5165 * '''Invariants:''' There are some in definition of topology and timeline above. No additional ones are needed here.
    52 
    53 === P2P w leader metadescription ===
    54 
    55 * '''Logical topology:'''
    56    [[Image(wormobj.jpg)]]
    57    (in English: There must be two sets of hosts, at least one infected host in infected set and at least one vulnerable host in vulnerable set. There can be a third set of hosts that are not vulnerable or infected.)
    58  * '''Timeline of events: '''
    59    [[Image(wormwf.jpg)]]
    60    (in English: Each infected host generates scan events that target a vulnerable host - double line means one object acts upon another. There is at least one such event for a vulnerable host and at least one pair of scan+vulnerable host in the experiment. Once an infection event occurs on vulnerable host it transitions to an infected state. An infected host may scan other, non-vulnerable hosts).
    61    Note that I haven't yet defined what scan and infection events mean. I have to do this somewhere but I think the right place for this would be a common repository of domain knowledge rather than attaching these per experiment class since many classes of experiments may need same definitions. Ultimately what I'd like to say in these definitions in plain English is:
    62      * scan event generates traffic from A to B that exploits a vulnerability at B
    63      * infection event at B executes some code that places a copy of malware at B with ability to auto-start
    64 
    65  * '''Invariants:''' There are some in definition of topology and timeline above. No additional ones are needed here.
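Review bot: the removed "P2P w leader metadescription" block is the worm topology and timeline text (wormobj.jpg, infected and vulnerable sets) pasted under a P2P heading, so dropping it is right, but the same text reappears almost verbatim in the added lines above with one new sentence ("These sets are disjoint."); record that move in the change comment, which is empty here, so the history reads as a relocation plus one added constraint rather than an unrelated deletion and addition. Also, the retained Invariants bullet says no additional invariants are needed, while the P2P topology text leaves open whether the peer and leader sets intersect; state explicitly whether a leader may also be an eligible peer, since that is exactly the kind of constraint the invariants dimension exists for.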