Abstract. Network worms are malicious programs that spread automatically across networks by exploiting vulnerabilities that affect a large number of hosts. Because of the speed at which worms spread to large computer populations, countermeasures based on human reaction time are not feasible. Therefore, recent research has focused on devising new techniques to detect and contain network worms without the need of human supervision. In particular, a number of approaches have been proposed to automatically derive signatures to detect network worms by analyzing a number of worm-related network streams. Most of these techniques, however, assume that the worm code does not change during the infection process. Unfortunately, worms can be polymorphic. That is, they can mutate as they spread across the network. To detect these types of worms, it is necessary to devise new techniques that are able to identify similarities between different mutations of a worm. This paper presents a novel technique based on the structural analysis of binary code that allows one to identify structural similarities between different worm mutations. The approach is based on the analysis of a worm’s control flow graph and introduces an original graph coloring technique that supports a more precise characterization of the worm’s structure. The technique has been used as a basis to implement a worm detection system that is resilient to many of the mechanisms used to evade approaches based on instruction sequences only.

Peg Solitaire is a well known puzzle which can prove difficult despite its simple rules. Pegs are arranged on a board such that at least one `hole' remains. By making draughts-like moves, pegs are gradually removed until no further moves are possible or some goal configuration is achieved. This paper considers the English variant, consisting of a board in a cross shape with 33 holes. Modelling Peg Solitaire via CP or OR techniques presents a considerable challenge and is examined in detail. The merits of the resulting models are discussed and they are compared empirically. The sequential nature of the puzzle naturally conforms to a planning problem, hence we also present an experimental comparison with several leading AI planning systems. Other

A Lagrangian relaxation network for graph matching is presented. The problem is formulated as follows: given graphs G and g, find a permutation matrix M that brings the two sets of vertices into correspondence. Permutation matrix constraints are formulated in the framework of deterministic annealing. Our approach is in the same spirit as a Lagrangian decomposition approach in that the row and column constraints are satisfied separately with a Lagrange multiplier used to equate the two "solutions." Due to the unavoidable symmetries in graph isomorphism (resulting in multiple global minima), we add a symmetry-breaking self-amplification term in order to obtain a permutation matrix. With the application of a fixpoint preserving algebraic transformation to both the distance measure and self-amplification terms, we obtain a Lagrangian relaxation network. The network performs minimization with respect to the Lagrange parameters and maximization with respect to the permutation matrix variable...

Randomization is vital in cryptography: secret keys should be randomly generated and most cryptographic primitives (e.g., encryption) must be probabilistic. As a common abstraction, it is assumed that there is a source of truly random bits available to all the participants of the system. While convenient, this assumption is often highly unrealistic, and cryptographic systems have to be built based on imperfect sources of randomness. Remarkably, this fundamental problem has received little or no attention so far, despite the fact that a related question of simulating probabilistic (BPP) algorithms with imperfect random sources has a long and rich history.

This paper describes a new encoding scheme for the representation of spanning trees. This new encoding scheme is based on the factorization of the determinant of the in-degree matrix of the original graph. Each factor represents a spanning tree if the determinant corresponding to that factor is equal to one. Our new determinant encoding will be compared to the Prufer encoding, and to the node and link biased encoding by solving an NP-complete variation of the minimum spanning tree problem, known as the Probabilistic Minimum Spanning Tree Problem. Given a connected graph G(V,E), a cost function c:E;!< +, and a probability function P:2V;![0 � 1], the problem is to nd an a priori spanning tree of minimum expected length. Our results show a signi cant improvement in using the new determinant encoding and the node and link biased encoding compared to Prufer's encoding. We also show empirically that our new determinant encoding scheme is as good as the node and link biased encoding. Our new determinant encoding works very well for restricted spanning trees, and for incomplete graphs. 1

With increasing deployment of multi-agent and distributed systems, there is an increasing need for failure diagnosis systems. While

Usability is empirical, and often highly context-specific, but it would be useful for designers to have general estimates of usability from interactive system specifications alone. We discuss how this problem may be approached, and we give examples. We also discuss the justification for the approach, since it is unusual to measure usability without involving users. The explicit mathematical content of this paper has been deliberately kept to a minimum.

To my dear wife Åsa In complex and automated technological processes the effects of a fault can quickly propagate and lead to degradation of process performance or even worse to a catastrophic failure. This means that faults have to be found as quickly as possible and decisions have to be made to stop the propagation of their effects and to minimize process performance degradation. The behavior of the process is affected in different ways by different faults and the fault can be found by ruling out faults for which the expected behavior of the process is not consistent with the observed behavior. In model-based diagnosis, a model describes the expected behavior of the process for the different faults. A device for finding faults is called a diagnosis system. In the diagnosis systems considered here, a number of tests check the consistency of different parts of the model, by using observations of the process. To be able to identify which fault that has occurred, the set of tests that is used must be carefully

Like many interactive systems, hypertext is operated by button pressing. It is therefore possible to combine an interactive system with its own hypertext manual. Numerous advantages follow: adaptive intelligent interactive help; correct documentation, in natural or mathematical language; automatic generation of conventional manuals optimised for various tasks; and detailed analysis. This paper motivates the approach, and describes a representative system, Hyperdoc. Hyperdoc enables research questions about good user interfaces and good user manuals to be investigated.

A game on a convex geometry is a real-valued function defined on the family L of the closed sets of a closure operator which satisfies the finite Minkowski-Krein-Milman property. If L is the boolean algebra 2 N then we obtain an n-person cooperative game. Faigle and Kern investigated games where L is the distributive lattice of the order ideal of the poset of players. We obtain two classes of axioms that give rise to a unique Shapley value for games on convex geometries.