Specification and analysis of system architecture using Rapide
IEEE Transactions on Software Engineering, 1995
Cited by 294 (4 self)
Rapide is an event-based concurrent, object-oriented language specifically designed for prototyping system architectures. Two principal design goals are (1) to provide constructs for defining executable prototypes of architectures, and (2) to adopt an execution model in which the concurrency, synchronization, dataflow, and timing properties of a prototype are explicitly represented. This paper describes the partially ordered event set (poset) execution model and outlines with examples some of the event-based features for defining communication architectures and relationships between architectures. Various features of Rapide are illustrated by excerpts from a prototype of the X/Open distributed transaction processing reference architecture.
A Design Framework for Internet-Scale Event Observation and Notification
In Proc. of the 6th European Software Engineering Conf. held jointly with the 5th ACM SIGSOFT Symp. on the Foundations of Software Engineering (ESEC/FSE97), number 1301 in LNCS, 1997
Cited by 138 (9 self)
There is increasing interest in having software systems execute and interoperate over the Internet. Execution and interoperation at this scale imply a degree of loose coupling and heterogeneity among the components from which such systems will be built. One common architectural style for distributed, loosely-coupled, heterogeneous software systems is a structure based on event generation, observation and notification. The technology to support this approach is well-developed for local area networks, but it is ill-suited to networks on the scale of the Internet. Hence, new technologies are needed to support the construction of large-scale, event-based software systems for the Internet. We have begun to design a new facility for event observation and notification that better serves the needs of Internet-scale applications. In this paper we present results from our first step in this design process, in which we defined a framework that captures many of the relevant design dimensions. Our framework comprises seven models: an object model, an event model, a naming model, an observation model, a time model, a notification model, and a resource model. The paper discusses each of these models in detail and illustrates them using an example involving an update to a Web page. The paper also evaluates three existing technologies with respect to the seven models.
Synthesizing Fast Intrusion Prevention/Detection Systems from High-Level Specifications
In USENIX Security Symposium, 1999
Cited by 66 (14 self)
To build survivable information systems (i.e., systems that continue to provide their services in spite of coordinated attacks), it is necessary to detect and isolate intrusions before they impact system performance or functionality. Previous research in this area has focussed primarily on detecting intrusions after the fact, rather than preventing them in the first place. We have developed a new approach based on specifying intended program behaviors using patterns over sequences of system calls. The patterns can also capture conditions on the values of system-call arguments. At runtime, we intercept the system calls made by processes, compare them against specifications, and disallow (or otherwise modify) those calls that deviate from specifications. Since our approach is capable of modifying a system call before it is delivered to the operating system kernel, it is capable of reacting before any damage-causing system call is executed by a process under attack. We present our specification language and illustrate its use by developing a specification for the ftp server. Observe that in our approach, every system call is intercepted and subject to potentially expensive operations for matching against many patterns that specify normal/abnormal behavior. Thus, minimizing the overheads incurred for pattern-matching is critical for the viability of our approach. We solve this problem by developing a new, low-overhead algorithm for matching runtime behaviors against specifications. A salient feature of our algorithm is that its runtime is almost independent of the number of patterns. In most cases, it uses a constant amount of time per system call intercepted, and uses a constant amount of storage, both independent of either the size or number of patterns. These benefits m...
An extension of Standard ML modules with Subtyping And Inheritance
Cited by 55 (8 self)
We describe a general module language integrating abstract data types, specifications and object-oriented concepts. The framework is based on the Standard ML module system, with three main extensions: subtyping, a form of object derived from ML structures, and inheritance primitives. The language aims at supporting a range of programming styles, including mixtures of object-oriented programming and programs built around specified algebraic or higher-order abstract data types. We separate specification from implementation, and provide independent inheritance mechanisms for each. In order to support binary operations on objects within this framework, we introduce "internal interfaces" which govern the way that function components of one structure may access components of another. The language design has been tested by writing a number of program examples; an implementation is under development in the context of a larger project.
A High-Performance Network Intrusion Detection System
In Proceedings of the 6th ACM conference on Computer and communications security, 1999
Cited by 38 (0 self)
In this paper we present a new approach for network intrusion detection based on concise specifications that characterize normal and abnormal network packet sequences. Our specification language is geared for a robust network intrusion detection by enforcing a strict type discipline via a combination of static and dynamic type checking. Unlike most previous approaches in network intrusion detection, our approach can easily support new network protocols as information relating to the protocols is not hard-coded into the system. Instead, we simply add suitable type definitions in the specifications and define intrusion patterns on these types. We compile these specifications into a high-performance network intrusion detection system. Important components of our approach include efficient algorithms for pattern-matching and information aggregation on sequences of network packets. In particular, our techniques ensure that the matching time is insensitive to the number of patterns characterizing different network intrusions, and that the aggregation operations typically take constant time per packet. Our system participated in an intrusion detection evaluation organized by MIT Lincoln Labs, where our system demonstrated its effectiveness (96% detection rate on low-level network attacks) and performance (real-time detection at 500Mbps), while producing very few false positives (0.05 to 0.1 per attack).
Executable Formal Models Of Distributed Transaction Systems Based On Event Processing
1996
Cited by 9 (1 self)
this document are those of the author and should not be interpreted as representative of the official policies, either expressed or implied, of the ONR or the U.S. Government. vii Contents Preface iv Acknowledgements vi 1 Introduction 1
Subtyping, Assignment and Cloning in a Concurrent Object-Oriented Language
Cited by 2 (1 self)
This paper describes subtyping, assignment, equality and cloning in a concurrent object-oriented language called rapide. Based on experiments and language design considerations, we separate the subtype relation from the derivation (or inheritance) hierarchy. This avoids various anomalies and has the added benefit of reducing the syntactic and design complexity of programs that use intricate subtype relationships. A relatively sophisticated algorithm to decide subtyping is also needed for implementation. Objects may contain multiple threads, and different objects with the same type may have different implementations. This makes it difficult to provide a meaningful, predefined form of "copy" assignment or predefined equality tests. Therefore, the primitive form of assignment in rapide is a form of pointer assignment. Special provision is made for user-defined "cloning," so that an object may produce a meaningful copy of itself. Equality may be user-defined for any type, in some cases ove...
Distributed Debugging - A Case Study
1992
Cited by 2 (2 self)
This volume deals with the efforts at control and extermination of that notorious form of noninsect life which we in the programming community refer to, somewhat contemptuously, as "bugs". Although as individuals we may in less cautious moments speak of bugs with cavalier disdain, it is always with a latent awareness that such bravado may be a harbinger of a period of intense bughunting, relieved only by occasional naps on piles of discarded dumps. To the bug-playing victim, the sympathetic nods of one's colleagues more often suggest relief that it is "him rather than me".
Complex Performance Measurements with NICE (Notation for Interval Combinations and Events)
1994
Cited by 2 (1 self)
This paper presents a notation for extracting complex performance measurements of parallel software from an event log. NICE defines a 'complex interval' as a sequence of events in the event log that match a rather general template using an interval monitor process (IMP). The IMP process model combines an extended FSM with parametrized event descriptors to provide a generalized description of a sequence of subintervals each one of which may be measured for duration. An interval matching algorithm provides a strategy for distributing the events in the log to multiple concurrent IMPs, thereby handling interval occurrences that overlap and/or share the same event. Practical issues of implementing and using NICE are addressed in a discussion of our performance monitoring tool called Finale.
Programming Paradigms and Clustering Rules
1993
Cited by 1 (1 self)
Debugging distributed applications is very difficult, due to a number of problems. To manage the inherent complexity of distributed applications, the use of abstractions is proposed. One frequently performed abstraction is to group processes into clusters. We describe an approach to derive clustering rules from well-known programming paradigms for distributed programming. Programming paradigms determine how we think about problems and their implementation. They shape, among other things, the application structure. This paper identifies frequently used programming paradigms for distributed computing. Likely application structures resulting from the use of these paradigms are discussed and captured in process clustering rules. A quantitative measure for process cluster evaluation is presented and applied to clusters derived for Hermes applications. The results provide insight into the relative strength of the process clustering rules. 1 Introduction Distributed applications have a numb...

