Subclass 2	Subclass 3	Subclass 4
Query processing (i.e., searching)

Method and device for model resolution and its use for detecting attacks against computer systems

7043755

Abstract

The present invention relates to a method and device for model resolution and its use for detecting attacks against computer systems. The device comprises adapter software for translating the information from the log file, formulated in the specific language of the machine, into a language understandable by the interpreter, an interpreter receiving the information from the adapter and receiving the formulation of the specification in the temporal logic in a specification formula in order to expand this formula and fill in the table and the stack of worked subformulas described above resulting from the scanning of the machine's log file, and a clause processing algorithm for resolving the Horn clauses using the information from the table and the stack of worked subformulas, this clause processing algorithm generating an output file or generating an action.

Claims

What is claimed is:

1. A high-performance specification resolution method for use in detecting attacks against computer systems, comprising:

a) receiving audit conditions to be detected using non-limiting specification formulas expressing fraudulent entry or attack patterns or abnormal operations, to be verified by examining records of a log file of a computer system;

b) expanding said formulas into subformulas for each record;

c) scanning and generating, for each expanded formula, Horn clauses to resolve in order to detect whether or not the formula is valid for each record, the Horn clauses expressing implications resolvent of the subformulas for each record scanned in positive clauses having a positive literal and in negative clauses having at least one negative literal;

d) storing the positive clauses in a stack of subformulas,

storing, in a table of clauses, a representation of the negative clauses and the positive clauses;

storing, in a table of counters, a number of negative literals in each negative clause;

e) resolving the table of clauses based on each positive clause so as to generate either an output file or an action of the computer system;

f) iterating steps b) through e) until the scanning of all the records in the log file is complete.

2. The method according to claim 1, wherein temporal logic is used for formulation of the high-performance specification.

3. The method according to claim 1, wherein the table of clauses is a matrix indexed in columns by subscripts of the formulas appearing in the negative clauses, and indexed in lines by subscripts of the formulas appearing in the positive clauses.

4. The method according to claim 1, wherein the table of clauses is a sparse matrix, the columns being represented by chained lists.

5. The method according to claim 1, further comprising optimizing the expansion of the formulas using a hash table to ensure that a formula is not expanded more than once in each record.

6. The method according to claim 2, further comprising optimizing the expansion of the formulas using a hash table to ensure that a formula is not expanded more than once in each record.

7. The method according to claim 1, wherein the log file is scanned only once from beginning to end.

8. A computer system comprising:

storage means; and

a processor, coupled to the storage means, for executing programs implementing a high performance resolution method for detecting attacks against the system wherein the processor operates to:

a) receive audit conditions to be detected using non-limiting specification formulas expressing fraudulent entry or attack patterns or abnormal operations, to be verified by examining the records of a log file;

b) expand said formulas into subformulas for each record;

c) scan and generate, for each expanded formula, Horn clauses to resolve in order to detect whether or not the formula is valid for each record, the Horn clauses expressing implications resolvent of the subformulas for each record scanned in positive clauses having a positive literal, and in negative clauses having at least one negative literal;

d) store the positive clauses in a stack of subformulas,

store, in a table of clauses, a representation of the negative clauses and the positive clauses,

store, in a table of counters, a number of negative literals in each negative clause; and

e) resolve the table of clauses based on each positive clause, so as to generate either an output file or an action of the computer system.

9. The computer system according to claim 8 wherein temporal logic is used for formulation of the high-performance resolution method.

10. The computer system according to claim 8, wherein the table of clauses is a matrix indexed in columns by subscripts of the formulas appearing in the negative clauses, and in lines by subscripts of the formulas appearing in the positive clauses.

11. The computer system according to claim 8, wherein the table is a sparse matrix, the columns being represented by chained lists.

12. The computer system according to claim 8 including a hash table to ensure that a formula is not expanded more than once in each record.

13. The computer system according to claim 9 including a hash table to ensure that a formula is not expanded more than once in each record.

14. The computer system according to claim 8 including means for scanning the log file only once from beginning to end.

15. The computer system according to claim 8, wherein the programs executed by the processor include:

an adaptor module for translating information from the log file;

an interpreter module for receiving the information from the adapter, receiving the specification formulas, expanding the specification formulas, and filling in the table of clauses, table of counters and the stack of subformulas stored in the storage means; and

a clause processing module for resolving the Horn clauses using the information from the table of clauses, the table of counters and the stack of worked subformulas, the clause processor generating the output file or generating the action.

Description

FIELD OF THE INVENTION

The present invention relates to a method and device for model resolution and its use for detecting attacks against computer systems.

BACKGROUND OF THE INVENTION

Secure computer systems can be subject to attacks or attempts at fraudulent entry. In general, one tries to ward off these attacks by establishing log files, for example system log files or network log files, and by running scans on these files for detecting a malfunction or an intrusion. The systems that perform the auditing of log files generally rely on a complicated method that poses problems in the writing, and moreover, the resulting audit is difficult to read. Furthermore, when the intrusion occurs in several successive non-concomitant stages, the system may very well not detect it. In addition, the writing of the audit conditions is not very flexible, not very modifiable, and poses modularity problems. Thus, in most rule-based systems, it is necessary to describe the audit conditions in the form of programs describing the activation of rules conditioned by events; for example, in order to describe an audit condition that specifies a step A, followed a short time later by B, followed a short time later by c, it is necessary to describe queuing rules for step A, which if successful must activate queuing rules for step B, which if successful must activate queuing rules for step C. This way of writing the sequence A, B, C is tedious, and results in errors that are hard to detect with a simple reading. Furthermore, certain known systems require the log files to be scanned several times.

SUMMARY OF THE INVENTION

One object of the invention is to offer a high-performance specification resolution method.

This object is achieved through the fact that the high-performance specification resolution method comprises:

a) a step for formulating the audit conditions one wishes to detect using specification formulas expressing fraudulent entry or attack patterns or even abnormal operations, this being non-limiting, to be verified by examining the records of the computer system's log file;
b) a step for expanding formulas into subformulas;
c) a step for scanning by an interpreter, which consists of generating, for each expanded formula in each record, Horn clauses to resolve in order to detect whether or not the formula is valid in this record, the Horn clauses expressing the implications resolvent of the subformulas for each record scanned, in positive clauses, i.e. counting only a positive literal, and in non-positive clauses, i.e. counting at least one negative literal, which negative literals form the negative part of the clause;
d) a step for storing the positive Horn clauses in a stack of worked subformulas, and a step for storing, in a table comprising a representation, the implicating subformula(s) constituting the negative part of the clause and the link with the implicated subformula(s) constituting the positive part of the clause, and storing in a counter the number of formulas or subformulas present in the negative part of the clause for each implicated subformula;
e) a step for resolving the table based on each positive clause encountered, so as to generate either an output file or an action of the computer system;
f) a step for iterating steps b) through e) until the scanning of all the records in the log file is complete.

Another object is to provide great flexibility.

This object is achieved through the fact that the method uses a temporal logic for the formulation of the specification.

According to another characteristic, the table is a matrix and is indexed in columns by the subscripts of the formulas appearing in the negative part of the Horn clauses, and the lines are the Horn clauses exactly.

According to another characteristic, the table is preferably represented in the form of a sparse matrix, the columns being represented by means of chained lists and the lines remaining implicit.

According to another characteristic, an optimization of the expansion of the formulas is obtained through a hash table in order to ensure that the same formula is not expanded more than once in each record.

According to another characteristic, the log file is scanned only once from beginning to end.

Another object is to offer a device that makes it possible to implement the method.

This object is achieved through the fact that the high-performance specification resolution device comprises:

an adapting means for translating the information from the log file formulated in the specific language of the machine into a language comprehensible to an interpreting means;
the interpreting means receiving the information from the adapter and receiving the formulation of the specification in the temporal logic in a specification formula in order to expand this formula and fill in the table and the stack of worked subformulas stored in a memory of the computer system and resulting from the scanning of the computer system's log file;
a clause processing algorithm executed by the computer system, which makes it possible to resolve the Horn clauses using the information from the table and the stack of worked subformulas, this clause processing algorithm generating an output file or generating an action.

BRIEF DESCRIPTION OF THE DRAWINGS

Other characteristics and advantages of the present invention will emerge more clearly through the reading of the following description, given in reference to the attached drawings, in which:

FIG. 1 represents a schematic view of the hardware and software elements that make it possible to implement the method.

FIG. 2 represents the contents of the table, of the counters of the formulas or subformulas present in the negative parts of the clauses, and of the stack, and their evolution during the implementation of the method.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1 represents the elements required to implement the method according to the invention. The log file (1) is generally present in all the machines and can be the network log file when the machine is connected to a network, or a system log file, or any other file in which one wishes to verify a specification. A machine is understood to mean a computer comprising storage means, means for reading and for executing a program, and means for interacting with a user (for example screen, keyboard, mouse) and means for connecting to the network. This file communicates with an adapter (2), which is a software program for translating the information contained in the log file and expressed in the specific language of the machine into a high-level language understandable by an interpreter (3). The interpreter (3) also receives from a module (4) the formula of the specification to be verified, expressed in a temporal logic. This interpreter (3) performs the expansion of the formula into subformulas and the scanning of each record Ei (Annex 2) of the log file (1) in order to generate, by means of this expansion and this scanning, a resulting table and stack expressing Horn clauses stored in a memory (5). The concept of a Horn clause is well known to one skilled in the art, and is described for example in Goubault-Larrecq, Jean and Mackie, Ian, "Proof Theory and Automated Deduction," published by Kluwer, 1996). This table and this stack are used by a clause processing algorithm (6), which receives a start order from the interpreter (3) once the latter has filled in the table (5) containing a table of counters (7) and a stack (18), after having scanned all the records Ei of the file. This algorithm will look for the resolution of the specification for all of the records. When the completed scan of the record file (1) is detected, the clause processing algorithm generates either an output file or an action of the system or the machine.

In an optimization of the method according to the invention, the phase for filling in the table (5) and the stack (18) and the phase for processing the clauses are performed concomitantly, so that the clause processing algorithm can generate the output file or the action of the system or the machine as soon as possible, and generally before the detection of the completed scan of the record file (1).

To provide a better understanding of the method implemented, the latter will be explained with the help of an example whose formulas appear in an annex at the end of the specification. First of all, a log file is a set of records E=E1, . . . EN), as represented in Annex 2. Each record Ei comprises a certain amount of information such as the date, the operation in question, the machine, a result, a subject, this list being non-limiting.

Thus, E1 indicates that the machine user has tried to connect but has failed.

To formulate a specification, as represented in Annex 1, that can be detected or resolved, a specification formula in a temporal logic is used. This formula is described according to the following formula production in the grammar of the BNF format well known to one skilled in the art (Aho, Alfred V., Sethi, Ravi and Ullman, Jeffrey D., Compilers: Principles, Techniques and Tools, Addison-Wesley, 1986):

formula::=atom
|formula
##CHR1##
formula
|formula
##CHR2##
formula
|formula U formula
|formual W formula
atom::=record
- |(formula)
- |
  ##CHR3##
  atom
- |O atom, the next line exists and in the next line, atom is true
- |Õ atom, if the next line exists, then in the next line, the atom is true
- |⋄ atom, there exists a line, either the current line or a subsequent line, the atom is true
- | atom, for all the lines starting with the current line, the atom is true

The operators between formulas are the operator "
##CHR4##
" for expressing a logical "OR", "U" for expressing the formulation "until", and "W" for expressing the formulation "waiting for", "O" for expressing the formulation "on the next line, which exists", "Õ" for expressing the formulation "on the next line, if it exists", "⋄" for expressing the formulation "on the current line or on a subsequent line", for expressing the formulation "on the current line and on every subsequent line." This notation is well known to one skilled in the art, (see for example Manna, Zohar and Pnueli, Amir, The Temporal Logic of Reactive and Concurrent Systems Specification, Springer, 1992). Thus, the temporal formulation F=F1 W F2 allows for an easy formulation of a specification to be verified.

Let us assume that the operator has entered, by means of a man-machine interface (4) that allows the generation of a temporal formula, a temporal formula like the one appearing in Annex 1.

The interface (4) will translate this formula in Annex 1 into a temporal formula where F and H are atomic formulas in which F represents {op="connection", result="failed", etc.} and H represents {op="connection", result="success", etc. Furthermore, let us assume that the log file (1) contains the records E1 through E3 represented in Annex 2.

First, the interpreter (3) performs an expansion of the formula for each record E1, E2, E3, as represented in Annex 6, by generating subformulas for each record in order to deduce from them Horn clauses that express the logical implications that exist between a formula and its subformulas, and the possibility of satisfying the atomic formulas, as represented in Annex 6. Thus, for the record E1, the formula is expanded into the subformula F to which the clause (f₂) corresponds, into the subformula ⋄H to which the clause (f₂)
##CHR5##
(f₃)→(f₁) means that if the configuration f₂ is verified and the configuration f₃is verified, then the configuration f₁is verified. The clause f₇→f₃means that if that the configuration f₇is verified, then the configuration f₃is too. Furthermore, during the expansion of the formulas by the interpreter (3), the latter stored in a stack (18) the positive clauses corresponding to the formulas that can be satisfied. Thus, at the end of the expansion, the formulas f₂and f₈are in the stack (18₁), as shown in FIG. 2, and the table of the counters of negative literals in the clauses of the table is constituted by the information represented by the reference (7₁) in this figure. In the resolution phase, the clause processing algorithm (6), when it is activated by the interpreter once the latter has filled in the tables (5, 7 and 18), after having examined the lines of the records in the log file, will begin by examining the top of the stack (18) and extracting from it the information that the configuration f₈, in this case, is satisfied. The algorithm then examines, in the table (5), the clauses that have this configuration in the negative part, in this case the configuration f₇, and deduces from them the counter that it must decrement. The counter (7₂) represents the evolution in the counter (7₁) of the counter that is associated with the formula represented in the positive part. The algorithm decrements the corresponding counter, in this case that of the configuration f₇, and places at the top of the stack the value "7" of the configuration that is true, as shown in the box (18₂), which represents the evolution of the stack (18), while the column (7₂) represents the evolution of the counter. Next, the clause resolution algorithm will proceed by iteration, searching for the clauses that have the configuration f₇in the negative part in order to deduce from them that the configuration f₃is true and decrement the counter corresponding to this line of configurations, as shown in the column (7₃). The algorithm (6) continues in this way until the stack (18) is empty or contains configurations already processed, and the only configuration f₁that verifies the specification is obtained in the stack (18₅).

The expansion algorithm avoids unnecessarily replicating identical configurations, represented by their pointers, by establishing a hash table. The hash table data structure and the associated algorithms are well known to one skilled in the art, (see for example Knuth, Donald Erwin, The Art of Computer Programming, Vol. 3, "Sorting and Searching," Addison-Wesley, Second Edition, 1998).

Furthermore, it is also possible to achieve optimizations in the expansion of the formulas, in order to avoid several steps. Thus, instead of expanding the formula ⋄F into F
##CHR6##
G where either F or G can be evaluated as false in the current state, the expansion of the formula is halted. The method developed by the invention has an advantage over the known method of the prior art, in which a truth table like the one represented in Annex 4 is first established for each atomic formula, then secondly, truth tables (Annex 5) are established for the non-atomic subformulas using the truth table of Annex 4. The model verification is then performed in two stages. First, it verifies whether the atomic formulas are true or false, which requires a scanning of the states for each formula, then secondly, in order to establish the truth of the subformulas, it is necessary to see how each atomic formula behaves in each state, which amounts to performing several scans of the records. This means performing backward returns in the log file with all the ensuing read and set operations which, given the large size of a log file, can be very time-consuming. The method developed by the invention is much more high-performance and economical, in terms of size and the memory required to store the intermediate states.

To provide a better understanding of the algorithm, we will describe it briefly, then present it formally.

The specification file, F_s, is considered to be a finite set of formulas F_s whose syntax and semantics are defined above. Let us use the notation F for the set of all the formulas whose syntax and semantics are defined above, and (R₁, . . . , R_|N|)(with N equal to the number of records in the file) for the log files. Log files are files that record everything that happens in a system (for example, a file that traces the users' connections to and disconnections from the machines). A record is a function R with a finite domain and codomain from Σ* to Σ*, or the set of character strings

R:Σ*→Σ*

Let us use the notations dom(R) and codom(R), respectively, for the domain of R and the codomain of R.

Example 1 (record) Let us consider the record R of a log file:
Date=02:27:2000, operation=connection, machine=papillon,
- result=success, subject=Machine
we then have: dom(R)={date, operation, machine, result, subject}
where dom(R) is the domain and codom is the codomain
codom(R)={02:27:2000, connection, papillon, success, Machine}, and
R:Σ*→Σ*
date→02:27:2000
Operation→connection
machine→papillon
result→success
subject→Machine

A log file is therefore a (finite) set of records R₁, . . . , R_|N|.

Let "Current" and "Next" be sets of formula representations (in the remainder of the description, "formula" will be used to mean "formula representation"); Current is the set of formulas to be examined in the current state and Next is the set of formulas that must be examined in the next state.

In each state, the set "Current" is the union of the set "Next" and the formulas F_s associated with the current state. That is what step 2) of the algorithm says.

The current state is represented by the integer i; 1≦i≦|N|.

The "log" file is scanned in one pass, and during this scan, in each state, i.e. in each record of the file, the formulas of the set Current that are verified are revealed, and those that contain future operators are added to the set "Next" so they can be examined in the next state. That is what the "Expand" procedure in step 3) of the algorithm does. This procedure extracts the subformulas from each formula recursively, stores the logical implications that concern them in the form of Horn clauses in a matrix M (for example, for a formula F=F₁
##CHR7##
F₂, we have the clauses F₁→F and F₂→F). and for those that are atomic, if they are verified in the current state (which is what the "match" procedure appearing in "Expand" looks for), it stores them in a stack (Stack), which is a stack of formula representations. Once all the formulas have been expanded in the current state, those that are resolvable are resolved with the help of the matrix and the stack (this is what the "resolve_matrix" procedure in step 4) of the algorithm does). Thus, as a result of the atomic formulas that have been resolved and the clauses, all the formulas that are verified are stored in the file "ResForm" (which is a set of formula representations).

These steps are iterated until the end of the "log" file (as seen in step 4) of the algorithm). Finally, when the entire log file has been scanned, the "Satis" procedure of step 5) compares the formulas of the file ResForm, which are all formulas verified in a certain state but which are subformulas of formulas of the specification file, to the formulas of the specification file, in order to see which ones are verified, and in which state(s).

Here is the algorithm itself:

1) i=Ø;

Current:=Ø;
Next:=Ø;
ResForm:=Ø;
Stack:=stack_empty;
M=( );

2) Current:={Repr(F, i)/F ∈ F_s} ∪ Next;

where Repr(F, i) is a stored representation of F in the i state
- Next:=Ø;

3) if Current ≠ Ø then:

let f ∈ Current;
Current:=Current\{f};
Expand(f);

4) resolve_matrix;

if/<|N|
- then i:=i+1;
go to 2):
otherwise go to 5);

5) Satis;

We will now define the various procedures used in the algorithm.

"Expand(f)" procedure, where f is a formula representation.

For greater clarity, this procedure will be presented with the help of a table whose meaning will now be explained:

the "Formula" column is exactly: form (f), i.e., the formula represented by f,
the "Current" (or respectively, "Next") column designates all the formula representations that have been added to the "Current" (or respectively, "Next") set,
the "Clause" column designates the clauses that are stored in the matrix with the insert_clause procedure described below;
the formula representations added to the "Current" set are in turn expanded recursively;
the atomic formulas and the formulas with the form
##CHR8##
F₁ is verified in the i state. More formally:
If form(f) is an atomic formula,
- if match(f)=TRUE
- then Stack=Stack(Stack, f);
If form(f) has the form
##CHR9##
F₁, F₁ being an atomic formula,
- let f₁=Repr(F₁, i);
- if match(f₁)=FALSE
- then Stack=Stack(Stack, f);

Formula Current Next Clause

F₁
##CHR10##
F₂ f₁ = Repr(F₁, i) f₁
##CHR11##
f₂→ f f₂ = Repr(F₂, i) F₁ V F₂ f₁ = Repr(F₁, i) f₁ → f f₂ = Repr(F₂, i) f₂ → f OF₁ f₁ = Repr(F₁, i + 1) f₁ → f OF₁ f₁ = Repr(F₁, i + 1) f₁ → f si i ≠ | N| (*) ⋄F₁ f₁ = Repr(F₁, i) f₂ = Repr(⋄F₁, i + 1) f₁ → f f₂ → f F₁ f₁ = Repr(F₁, i) f₂ = Repr(⋄F₁, i + 1) f₁
##CHR12##
f₂→ f F₁ U F₂ f₁ = Repr(F₁
##CHR13##
O(F₁U f₁ → f F₂), i) f₁ → f f₂ = Repr(F₂, i) F₁ W F₂ f₁ = Repr(F₁, i) f₁ → f f₂ = Repr(F₁U F₂,, i) f₂ → f
##CHR14##
F₃) f₁ = Repr(
##CHR15##
F₃, i) f₁ → f
##CHR16##
(F₂ V F₃) f₁ = Repr(
##CHR17##
F₃, i) f₁ → f
##CHR18##
F₂) f₁ = Repr(F₂, i) f₁ → f
##CHR19##
(OF₂) f₁ = Repr(O(
##CHR20##
F₂, i) f₁ → f
##CHR21##
(OF₂) f₁ = Repr(O(
##CHR22##
F₂, i) f₁ → f
##CHR23##
(⋄F₂) f₁ = Repr( (
##CHR24##
F₂, i) f₁ → f
##CHR25##
(F₂) f₁ = Repr(⋄(
##CHR26##
F₂, i) f₁ → f
##CHR27##
(F₂ U F₃) f₁ = Repr( (
##CHR28##
F₃, i) f₁ → f f₂ = Repr(
##CHR29##
, f₂ → f F₃), i)
##CHR30##
(F₂ W F₃) F₁ = Repr((
##CHR31##
F₂, f₁ → f
##CHR32##
F₃), i)

*: otherwise, i.e. if i = | N |, f₁ = Repr(F₁, i) Stack = Stack(Stack, f₁);

"match(f)" procedure, where f is a formula representation

In the case of form(_f):

if it has the form {id₁=t₁, . . . , id_n=t_n, . . . },then:
- if ∀j, 1≦j≦n, id_j ∈ Dom(R_i), and match-term
- (Ri(idj), tj, f)
- then TRUE
- otherwise FALSE
if it has the form {id₁=t₁, . . . , id_n=t_n, . . . }, then:
- if n=|domR_i)| and j, 1≦j<n, id_j ∈ Dom(R_i),
  - and match-term (Ri(idj), tj, f)
  - then TRUE
  - otherwise FALSE
"match-term" procedure (w, t, f) where w, t ∈ Σ* ∪ V and f is a formula
representation:
in the case of t:
- if t is a regex:
  - if Reg (w, t)
  - then TRUE
  - otherwise FALSE
- if t is a variable x:

Notation: ρ(x) is a partial function of the set of variables V to the set of character strings Σ*

if ρ(x) is defined
- if ρ(x)=w
- then TRUE
- otherwise FALSE
if ρ(x) is not defined, then

Notation: E is the environment constituted by the pairs whose first component is taken from the set of variables and whose second component is taken from the set of character strings

E:=E ∪ {(x, w)};
- TRUE;

Insert-clause procedure (H), where H is a Horn clause having one or two formula representations in the negative part:

Notation: If M is a matrix m x n, m, n ∈ N, let m_i,f be the element of the i^thline indexed by f, and likewise m_f,iand m_f1,f2

In the case of H:

if H has the form f₁→f, then
- if there already exists a column of M indicated by f₁
  - then add a line indexed by f with m_f,f1=1;
  - otherwise, add a column indexed by f and a line indexed by f₁, with m_f,f1=1;
if H has the form f₁
##CHR33##
f₂, then:
- if neither f₁ nor f₂is an index of any column of M
  - then add 2 columns indexed by f₁ and f₂and a line indexed by f with m_f,f1=m_f,f2=2
- if only one of the f_i, i=1,2 is not an index of a column of m, then:
  - add a column indexed by f_i and a line indexed by f with m_f,fi=m_f,fj=2, where j ∈ {1,2}\{i}
- if f₁ and f₂are indexes of columns of M, then:
  - add a line indexed by f with m_f,f1=m_f,f2=2

resolve-matrix procedure

if Stack=stack-empty, then nothing;
otherwise, let f:=pop(Stack); ∀_i such that m_i,fis the element that exists then:
- m_i,f=m_i,f-1;
- ∀_j such that m_i,jexists, then: m_i,j:=m_i,j-1
- if m_i,j=0, then;
- let f₁ be the index of the line m_i,f
- if f₁ ∉ Res-Form, then:
  - Stack:=stack(Stack, f₁)
  - Res-form:=Res-Form ∪ {f₁}
- dele (m_i,f);
- if the i^thline, delete it; if the column indexed by f is empty, delete it

Satis:

If Stack≠stack-empty then:

let f₁=pop(Stack);
if f₁ ∈ F_s, then form(f) is verified in the state state(f)

It should be clear to those skilled in the art that the present invention allows embodiments in many other specific forms without going outside the field of application of the invention as claimed. Consequently, the present embodiments should be considered as examples, but can be modified in the field defined by the scope of the attached claims.

ANNEX

Annex 1

{op=<<connection>>, result =<<failed >>, . . . }
and later {op=<<connection >>, result =<<success>>, . . . }
Annex 2
E1: {op =<<connection >>, result =<<failed >>, subject =<<machine >>}
E2: {op=<<connection >>, result =<<success >>, subject =<<machine >>, date =<<09:14:99>>}
E3: {op=<<exec >>, result =<<success >>, object =<<emacs >>, mode =<<tex >>, subject =<<machine >>}
Annex 3
F Λ⋄ H where F and H are atomic formulas for detecting events expressed in temporal logic from atomic formulas.
E1 {F}
E2: {H}
E3: {G}
Annex 4

Truth tables of the atomic formulas

STATES F H

E1 1 0 R2 0 1 R3 0 0

Annex 5

Truth tables of the non-atomic formulas

STATES ⋄ H F Λ ⋄ H

E1 1 1 E2 1 0 E3 0 0

Annex 7

STATES Formulas et subformulas Clauses generated

E1 F Λ ⋄ H (f₁) (f₁): F (f₂) (f₂) ⋄ H (f₃) (f₂) Λ (f₃)→(f₁) (f₃) H (f₄) (f₄)→FALSE E2 F Λ ⋄ H (f₆) (f₃) ⋄ H (f₇) (f₇)→(f₃) (f₇) : H (f₈) (f₈) (f₆): F (f₉) (f₆)→(f₇) (f₆)→FALSE E3 F Λ ⋄ H (f₁₀) (f₇) ⋄ H (f₁₁) (f₁₁)→(f₇) (f₁₁) : H (f₁₂) (f₁₂)→FALSE (f₁₀): F (f₁₃) (f₁₁)→FALSE

Annex 6

STATES Formulas et subformulas Clauses generated

E1 F Λ ⋄ H (f₁) (f₁): F (f₂) (f₂) ⋄H (f₃) (f₂) Λ (f₃) → (f₁) (f₃): H V O (⋄ H) (f₄) (f₄) → (f₃) (f₄): H (f₅) (f₅) →(f₄) (f₅) →FALSE O ( ⋄ H) (f₆) (f₆) →(f₄) E2 F Λ ⋄ H (f₇) (f₆) (⋄ H) (f₈) (f₈) → (f₆) (f₉) → (f₈) (f₈): H V O (⋄ H) (f₉) (f₁₀) → (f₉) (f₁₀) (f₉): H (f₁₀) (f₁₁)→ (f₉) (f₁₂) →FALSE O (⋄ H) (f₁₁) (f₁₂) Λ (f₁₃) → (f₇) (f₁₄)→ (f₁₃) (f₇): F (f₁₂) (f₁₅)→ (f₁₄) (⋄ H) (f₁₃) (f₁₅) (f₁₃): H V O (⋄ H) (f₁₄) (f₁₄): H (f₁₅) (f₁₆) →(f₁₄) O (⋄ H) (f₁₆) E3 F Λ ⋄ H (f₁₇) (f₁₁) ⋄ H (f₁₈) (f₁₈) →(f₁₁) (f₁₈): H V O (⋄ H) (f₁₉) (f₁₉) →(f₂₀) (f₁₉): H (f₂₀) (f₂₀) →(f₁₉) (f₂₀) →FALSE O (⋄ H) (f₂₁) (f₂₁) →(f₁₉) (f₂₂) →(f₁₆) (f₁₆): (⋄ H) (f₂₂) (f₂₃) →(f₂₂) (f₂₂): H V O (⋄ H) (f₂₃) (f₂₄) →(f₂₃) (f₂₃): H (f₂₄) (f₂₄) →FALSE (f₂₅) →(f₂₃) O (⋄ H) (f₂₅) (f₂₅) →FALSE (f₂₆) →FALSE (f₁₇): F (f₂₆) (f₂₆) Λ (f₂₇) → (f₁₇) ⋄ H (f₂₇) (f₂₈) →(f₂₇) (f₂₇): H V O (⋄ H) (f₂₈) (f₂₉) →(f₂₈) (f₂₈): H (f₂₉) (f₂₉) →FALSE (f₃₀) →(f₂₈) (f₃₀) →FALSE O ( ⋄ H) (f₃₀)

Inventors
Roger, Muriel; Goubault-Larrecq, Jean;
Assignee
BULL S.A. (Louveciennes, FR); INRIA (LeChesnay, FR)
Published
May-9-2006
Current US Classes:
707/1
707/3
707/4
713/200
713/201
713/202
726/22
Application #
661448
International Classes
G06F 11/30 (20060101)
Field of Search
713/200 713/201 713/202 707/1 707/3 707/4
Examiner
Barron, Jr.; Gilberto
Agent
Miles & Stockbridge P.C., Kondracki; Edward J.
US Patent References:
5355474
5481650
5557742
5694590

Same subclass

Automatic document reading system for technical drawings	6996295
Apparatus and method therefor of intelligently searching for information in a personal communications device	5708804
Transparent object instantiation/initialization from a relational store	6405209
Retrieval system of secondary data added documents in database, and program	6697798
Deployment of snapshots with parameterized data description language strings	6529904
Method and apparatus for storing and printing digital images	6332146
Computing system for operating report production facilities	6256624
System and method for using a relational database to enable the dynamic configuration of an application program	6266675
Method and system for attaching customized indexes to periodicals	6377963
Efficient computational techniques for authorization control	6928427
Method of determining the unique ID of an object in a peer to peer configuration of object indexes	5946680
Method and apparatus for expandable biometric searching	6047281

Same class

Context-sensitive authorization in an RDBMS	6289344
Device for retaining important data on a preferential basis	7020668
Method for maintaining consistent states of a file system and for creating user-accessible read-only copies of a file system	5819292
Pluggable tablespaces on a transportable medium	5873102
Method and apparatus for change data capture in a database system	6999977
Method and system for transforming a textual form of object-oriented database entries into an intermediate form configurable to populate an object-oriented database for sending to java program	6598052
Linked lists of transfer descriptors scheduled at intervals	6061687
System and method for creating, generating and processing user-defined generic specs	6226656
Personal smart pointing device	6980175
Techniques for eliminating database table joins based on a join index	6615206
Integrated collaborative/content-based filter structure employing selectively shared, content-based profile data to evaluate information entities in a massive information network	6308175
Method and system for storing and accessing user-defined attributes within a data processing system	5680586

Consider this

Method and system for process expression and resolution including a generally and inherently concurrent computer language	5355496
Correspondence-oriented state-transition-model-based programming systems	5721926
Network computer emulator systems, methods and computer program products for personal computers	5926631
Model trace view for object-oriented systems	5960199
Method for versioning a UML model in a repository in accordance with an updated XML representation of the UML model	6330569
Collaborative model for software systems with synchronization submodel with merge feature, automatic conflict resolution and isolation of potential changes for reuse	6678882
Apparatus and methods for preventing denial of service attacks	6742123
Methods and systems for generating a structured language model from a spreadsheet model	6766512
Method and apparatus for conducting linked simulation operations utilizing a computer-based system model	6983237
Method and system for generating program source code of a computer application from an information model	7032210