The Monitor Specification Language (MSL.prime) was developed as part of the “Industrial Project” course of the Computer Science faculty at the Technion. The project was carried out by Hesham Yassin and Sari Saba Sadiya.

Project Description

The project concerns the development of a platform for the definition and integration of high-level monitors that detect security-related events and augment intrusion detection systems. The work includes participating in the definition of an appropriate language for such monitors, as well as their synthesis and integration in an analysis tool. The monitor language should enable the definition of temporal monitors that detect distributed security-related events in a cloud-based environment. The project should also inspect possibilities of integrating adaptive temporal monitors as a proactive measure of security in the cloud.

Project Goal

Our goal was the construction of a platform in which a user could define, integrate and synthesize monitors for traffic analysis purposes. This entailed:

  1. Constructing a language for monitor definition: MSL prime.
  2. Building a GUI in which the user can define monitors.
  3. Creating an interpreter from our MSL language to compilable C++ code.

One should note that although we focused on cloud security, our tool is “purpose generic” and can support any kind of data analysis where temporal expressions are used (financial transactions, physical interactions, …).


  • An application with a user interface that supports the following:
    1. Importing new language definitions, provided the statements of the new language are translated to valid statements in MSL prime.
    2. The user will be able to specify the data file format.
    3. The smart user will be able to create monitor templates for the usage of the simple user (see template detection under Screenshots).
    4. Compiling the defined monitors into an executable file which given data in the format specified by the user will process it and:
      1. Detect the “events” specified by the user.
      2. Act as the user specified in the “monitors” and “actions”.
    5. Loading variables and monitors automatically from a file, without the need to perform these actions manually.
  • Documentation: user manual, language definition and documentation.


Software development

During the development of our tool the following software was used:

  1. JJTree was used to create an interpreter from MSL prime to “augmented C++” files containing PSL blocks. These were in turn sent to an IBM TOOL to create clean C++ files.
  2. The SWT platform was used to create the GUI. It was edited in Eclipse and compiled using Java Platform SE 7.
  3. The development was performed on a 32-bit Linux machine. However, the IBM TOOL runs only on 64-bit machines; thus we use VMware Player to simulate a 64-bit machine.

MSL language definition

The monitor specification language MSL prime was derived from known temporal logic languages such as PSL and SVA and modified for user convenience and functionality purposes. Full language definition and specification can be found under the links section.

Usage Example

DDOS attack


DDOS, short for Distributed Denial of Service, is a type of DOS attack where multiple compromised systems — which are usually infected with a Trojan — are used to target a single system causing a Denial of Service (DOS) attack.
We will define a monitor which detects such attacks and logs them.

Language and Format Definition

We will need the format to include the ip_dest and actionTime attributes. The first is the destination IP of each transaction and the second is the time of the transaction. We will also define the variable “dummy” (whose value does not matter and which is used simply to create a logical tautology) as well as “numThreshold” and “timeThreshold”. A machine is said to be under a DDOS attack if it receives “numThreshold” requests during a “timeThreshold” interval.


One can either use the GUI to define the language attributes and variables, or take advantage of the console by typing:

addatt ip_dest
addatt actiontime
addvar dummy 1
addvar timeThreshold 4
addvar numThreshold 3

Event definition

Now we will define the ddos event:

logic ipVar;
logic timeVar;
{(dummy == dummy), ipVar=ip_dest, timeVar=actionTime ; (ip_dest == ipVar)[=numThreshold] ; ((ip_dest==ipVar) && (actionTime - timeVar <= timeThreshold))}

The first “state” simply saves the destination IP and time of execution for each transaction. The second one records “numThreshold” transactions with the same destination IP, and the last state checks that the first and last transactions happened within a “timeThreshold” interval.


Defining a monitor and action

First we define an action which logs the transactions into a log file:


Now we will define a monitor using the previously defined action and event:


Exporting And Compiling

After exporting and compiling the monitors (the export all option in the console) an executable file will be created. Given a data file containing a ddos attack, the executable file will create the log file “alarmDDOS” in which the attack transactions will be logged.
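
The detection rule this walkthrough builds, as an added C++ example that is neither the code the tool generates nor part of the project: it implements the prose definition (numThreshold requests to one destination within timeThreshold) as a per-destination sliding window, not the exact MSL sequence semantics. The Transaction struct, detectDdos, sampleData and the sample records are assumptions constructed for illustration.

```cpp
#include <cstddef>
#include <deque>
#include <iostream>
#include <map>
#include <string>
#include <vector>

// One record of the data file: the two attributes declared with addatt.
struct Transaction {
    std::string ip_dest;
    long actionTime;
};

// Returns every transaction that is the numThreshold-th request to the same
// destination within a timeThreshold interval (input assumed time-ordered).
std::vector<Transaction> detectDdos(const std::vector<Transaction>& data,
                                    std::size_t numThreshold, long timeThreshold) {
    std::vector<Transaction> alarms;
    if (numThreshold == 0) return alarms;            // nothing meaningful to count
    std::map<std::string, std::deque<long>> recent;  // per-destination request times
    for (const Transaction& t : data) {
        std::deque<long>& times = recent[t.ip_dest];
        times.push_back(t.actionTime);
        // Evict requests older than the timeThreshold interval.
        while (!times.empty() && t.actionTime - times.front() > timeThreshold)
            times.pop_front();
        // Only the newest numThreshold requests matter; bounds memory per host.
        if (times.size() > numThreshold) times.pop_front();
        if (times.size() == numThreshold) alarms.push_back(t);
    }
    return alarms;
}

// Constructed sample data (documentation addresses), not from the project.
std::vector<Transaction> sampleData() {
    return {{"192.0.2.5", 1}, {"192.0.2.9", 2}, {"192.0.2.5", 2},
            {"192.0.2.5", 4}, {"192.0.2.9", 9}, {"192.0.2.5", 20}};
}

int main() {
    // Thresholds match the console session: numThreshold 3, timeThreshold 4.
    for (const Transaction& t : detectDdos(sampleData(), 3, 4))
        std::cout << "alarmDDOS: " << t.ip_dest << " at " << t.actionTime << "\n";
    return 0;
}
```

Because the window is tracked per destination, interleaved traffic to other hosts does not reset the count, and a host that is hit slowly (requests spread beyond timeThreshold) never raises an alarm.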

Some Screenshots



Editing event specification


Template detection

