pith. sign in

arxiv: 2506.23964 · v3 · submitted 2025-06-30 · 💻 cs.NI · cs.LG

Making Logic a First-Class Citizen in Generative ML for Networking

Hongyu H\`e , Minhao Jin , Maria Apostolaki This is my paper

Pith reviewed 2026-05-19 07:21 UTC · model grok-4.3

classification 💻 cs.NI cs.LG
keywords generative MLnetworkingfirst-order logicSMT solverrule learningtelemetry imputationtraffic forecastingsynthetic data generation
0
0 comments X

The pith

Enforcing learned networking logic rules on a generic GPT-2 model matches or exceeds specialized systems across three tasks.

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

Generative ML models for networking frequently output results that break established rules such as latency preceding packet loss, and they require full retraining for any behavioral tweak. NetNomos addresses this by learning first-order logic rules directly from measurements, filtering them down to semantically meaningful subsets, and enforcing them during generation through collaboration between the ML model and an SMT solver. The result is more trustworthy and controllable outputs while preserving the flexibility of general-purpose models. A sympathetic reader would care because the approach promises to replace task-specific architectures with a single model guided by explicit, adjustable knowledge.

Core claim

NetNomos is a multi-stage framework that learns first-order logic rules from network data, filters them to retain only semantically meaningful ones, and enforces them via collaborative generation between a generative ML model and an SMT solver. When these rules are applied to a generic GPT-2 model, the resulting system achieves performance on par with or surpassing specialized state-of-the-art systems such as Zoom2Net and NetShare on telemetry imputation, traffic forecasting, and synthetic data generation across four real-world network datasets, while also proving 1.6 to 6.5 times more scalable than prior rule-learning methods.

What carries the argument

Collaborative generation between the ML model and SMT solver that enforces filtered first-order logic rules during output production.

If this is right

  • Generative outputs respect known networking relationships instead of visibly violating them.
  • Behavioral adjustments are possible by editing the rule set rather than retraining the underlying model.
  • Rule discovery scales 1.6 to 6.5 times better than previous state-of-the-art methods across diverse datasets.
  • A single general model can handle imputation, forecasting, and synthetic trace generation at competitive quality levels.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same learn-filter-enforce pattern could be applied to generative models in other constrained domains such as physics or biology simulations.
  • Live network deployments would reveal whether the SMT step introduces latency that limits real-time use.
  • Combining data-learned rules with a small amount of expert-provided rules might cover edge cases the current pipeline misses.
  • The explicit rules could serve as an interpretable interface for operators to audit or override model behavior.

Load-bearing premise

Rules automatically learned from data can be filtered into a set that is both semantically meaningful and sufficient to improve model behavior when enforced via SMT collaboration without the enforcement step degrading generative quality.

What would settle it

Demonstrating that SMT-enforced outputs have measurably lower accuracy or realism than the base unenforced GPT-2 model on any of the three tasks would falsify the central claim.

Figures

Figures reproduced from arXiv: 2506.23964 by Hongyu H\`e, Maria Apostolaki, Minhao Jin.

Figure 1
Figure 1. Figure 1: Valiant’s algorithm results in exhaustive and [PITH_FULL_IMAGE:figures/full_fig_p004_1.png] view at source ↗
Figure 2
Figure 2. Figure 2: NetNomos automatically discovers rules as formal constraints from network data, while allow￾ing network operators to conduct various downstream tasks with the resulting constraint theory. against the measurements in D. Candidates that are incon￾sistent with any measurement are eliminated, yielding the consistent subset C: 𝐼(𝑒) |=C,∀𝑒 ∈D. Eq. 1 is guaranteed to be included in C as Valiant’s algorithm is the… view at source ↗
Figure 3
Figure 3. Figure 3: 𝐿(C𝑎 , 𝑎 ⪯) reduces learning complexity from superquadratic (exhaustive search) to logarithmic (structured traversal). Traversal follows 𝑎 ⪯, which orders candidates by decreasing specificity and succinctness. New candidates are generated only when more specific ones are eliminated, avoiding learning redundant generalizations. refinement: constraints are gradually generalized by relaxing bounds until they … view at source ↗
Figure 5
Figure 5. Figure 5: NetNomos ’s proof system enables efficient querying of whether a constraint is entailed by the learned rules and thus holds in the dataset. Here, sim￾ple pattern matching would fail since such verification relies on logical reasoning. which encodes DHCP semantics layered on top of Eq.1. Since R3 exceeds the arity limit and contains duplicated variables, it cannot be learned directly. However, it is logical… view at source ↗
Figure 6
Figure 6. Figure 6: Distribution of the benchmark rules. Rules [PITH_FULL_IMAGE:figures/full_fig_p010_6.png] view at source ↗
Figure 7
Figure 7. Figure 7: shows that NetNomos achieves 100% rule coverage using only a fraction of the data across all datasets, as DC￾sampling helps discover rare rules. In contrast, both the DTs and FlowChronicle identify only about 20% of the rules, de￾spite processing thousands of examples. FlowChronicle and the DTs sometimes even “unlearn” rules, indicating the un￾reliability of probabilistic learning. Note that FlowChronicle … view at source ↗
Figure 8
Figure 8. Figure 8: NetNomos learning algorithm scales logarith￾mically with the number of examples used. 2 7 2 8 2 9 2 10 2 11 2 12 2 13 # of Examples (log) 0 1 2 3 Search Lattice Size [M] CIDDS NetNomos w/o DC NetNomos with DC 2 5 2 6 2 7 2 8 2 9 2 10 2 11 2 12 # of Examples (log) 0 5 10 Netflix 2 7 2 8 2 9 2 10 2 11 2 12 2 13 # of Examples (log) 0.0 0.5 1.0 1.5 CIC-IDS [PITH_FULL_IMAGE:figures/full_fig_p011_8.png] view at source ↗
Figure 9
Figure 9. Figure 9: DC-sampling substantially improves sample [PITH_FULL_IMAGE:figures/full_fig_p011_9.png] view at source ↗
Figure 11
Figure 11. Figure 11: NetNomos reveals that network-specific gen￾erators (e.g., NetShare) offer no rule-compliance advan￾tage over general ones, exposing a gap between statisti￾cal similarity and network semantics. and CIC-IDS datasets violate at least one rule. While we ac￾knowledge the presence of strict, dataset-specific constraints (e.g., deployment rules in §2.1), most violated constraints are fundamental, with examples s… view at source ↗
Figure 12
Figure 12. Figure 12: Distribution similarity (measured by JSD, left) [PITH_FULL_IMAGE:figures/full_fig_p013_12.png] view at source ↗
Figure 15
Figure 15. Figure 15: Runtime overhead of using NetNomos as a filter to generate 100% rule-compliant traffic is substan￾tial. (9) Negation Elimination: From ¬¬𝜙, infer 𝜙: ¬¬𝜙 𝜙 (10) Conditional Proof: From assuming 𝜙 and deriving 𝜓, infer 𝜙 =⇒𝜓: 𝜙 ⊢𝜓 𝜙 =⇒𝜓 E BENCHMARK RULES USED FOR EVALUATING RULE COVERAGE E.1 Rules for CIDDS 1: SrcIp∈{ ✁ "multicast", "broadcast"} 2: DstIp≠0.0.0.0 3: Flags✚≡ ∅⇐⇒Proto="TCP" 4: SrcPort ∈ {80,44… view at source ↗
Figure 13
Figure 13. Figure 13: Rules discovered by NetNomos effectively distinguish between normal and malicious traffic for CIDDS and UGR. Please refer to [PITH_FULL_IMAGE:figures/full_fig_p017_13.png] view at source ↗
Figure 14
Figure 14. Figure 14: Using NetNomos as a filter to generate 100% rule-compliant traffic. Statistical fidelity could degrade when a large number of samples are rejected. (7) Disjunction Elimination: From 𝜙 ∨𝜓, 𝜙 =⇒ 𝜒, and 𝜓 =⇒ 𝜒, infer 𝜒: 𝜙∨𝜓,𝜙 =⇒ 𝜒,𝜓 =⇒ 𝜒 𝜒 (8) Negation Introduction: From assuming 𝜙 and deriving a contradiction, infer ¬𝜙: 𝜙 ⊢⊥ ¬𝜙 CIDDS NetflixCIC-IDS 0.0 0.5 1.0 1.5 Generation Time [h] W/o Filtering With Filt… view at source ↗
read the original abstract

Generative ML models are increasingly popular in networking for tasks such as telemetry imputation, prediction, and synthetic trace generation. Despite their capabilities, they suffer from two shortcomings: \emph{(i)} their output is often visibly violating well-known networking rules, which undermines their trustworthiness; and \emph{(ii)} they are difficult to control, frequently requiring retraining even for minor changes. To address these limitations and unlock the benefits of generative models for networking, we propose a new paradigm for integrating explicit network knowledge, in the form of first-order logic rules, into ML models used for networking tasks. Rules capture well-known relationships among observed signals, e.g., that increased latency precedes packet loss. While the idea is conceptually straightforward, its realization is challenging: networking knowledge is rarely formalized into rules, and naively injecting rules into ML models often hampers their effectiveness. This paper introduces NetNomos, a multi-stage framework that \emph{(i)} learns rules directly from data (e.g., measurements); \emph{(ii)} filters them to select semantically meaningful ones; and \emph{(iii)} enforces them through collaborative generation between an ML model and a Satisfiability Modulo Theories (SMT) solver. %We evaluate NetNomos both component-wise and end-to-end across four diverse network datasets. We show that NetNomos learns diverse, meaningful rules from four real-world datasets and is 1.6--6.5$\times$ more scalable than DuoAI, a state-of-the-art (SOTA) rule-learning method. By enforcing these rules on a generic GPT-2 model, NetNomos achieves performance on par with or even surpassing specialized SOTA systems such as Zoom2Net and NetShare across three networking tasks: telemetry imputation, traffic forecasting, and synthetic data generation.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit. Tearing a paper down is the easy half of reading it; the pith above is the substance, this is the friction.

Referee Report

3 major / 3 minor

Summary. The paper proposes NetNomos, a multi-stage framework that learns first-order logic rules directly from network measurement data, filters them for semantic meaningfulness, and enforces them during inference through collaborative generation between a generic GPT-2 model and an SMT solver. The central claims are that this integration addresses rule violations and lack of controllability in generative ML for networking, yields 1.6–6.5× better scalability than DuoAI for rule learning, and achieves performance on par with or exceeding specialized SOTA systems (Zoom2Net, NetShare) on telemetry imputation, traffic forecasting, and synthetic trace generation across four real-world datasets.

Significance. If the empirical claims are substantiated, the work offers a practical route to embedding explicit domain knowledge as first-class constraints in generative models without full retraining, which could improve trustworthiness in safety-critical networking applications. The reported scalability gains in rule extraction and the ability to retrofit a generic language model with SMT collaboration are potentially impactful if the enforcement mechanism is shown not to harm generative fidelity.

major comments (3)
  1. [§3] §3 (Framework): The collaborative generation procedure between GPT-2 and the SMT solver is load-bearing for the performance-parity claim, yet the manuscript provides no quantitative diagnostics (e.g., sample diversity, KL divergence to real traces, or ablation removing the SMT step) demonstrating that hard rule enforcement preserves or improves task metrics rather than introducing bias or mode collapse.
  2. [§5.1] §5.1 (Rule-learning evaluation): The 1.6–6.5× scalability advantage over DuoAI is asserted, but the comparison lacks explicit controls for dataset size, rule-set cardinality after filtering, and hardware normalization; without these, it is unclear whether the reported speedup is attributable to the proposed pipeline or to implementation differences.
  3. [§4.3] §4.3 (Filtering stage): The rule-filtering criteria are described as selecting 'semantically meaningful' rules, yet the manuscript treats the filtering thresholds as free parameters without a sensitivity analysis or automated criterion; this directly affects reproducibility of the downstream performance results.
minor comments (3)
  1. [§2] §2: The related-work discussion of prior logic-injection methods could cite more recent SMT+ML hybrids outside networking to better situate the novelty.
  2. [Table 2] Table 2: Performance tables report point estimates without standard deviations or confidence intervals across the 22 runs mentioned in the text.
  3. [Figure 3] Figure 3: The y-axis scale for the scalability plot is logarithmic but the caption does not state the base or the exact metric (wall-clock time vs. memory).

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for their constructive and detailed feedback. We address each major comment below, providing our responses and indicating planned revisions to strengthen the manuscript.

read point-by-point responses

  1. Referee: [§3] §3 (Framework): The collaborative generation procedure between GPT-2 and the SMT solver is load-bearing for the performance-parity claim, yet the manuscript provides no quantitative diagnostics (e.g., sample diversity, KL divergence to real traces, or ablation removing the SMT step) demonstrating that hard rule enforcement preserves or improves task metrics rather than introducing bias or mode collapse.

    Authors: We agree that explicit diagnostics on the SMT solver's contribution would strengthen the performance-parity claim. The manuscript shows end-to-end results comparable to or better than specialized systems, but lacks a direct ablation of the collaborative generation. In the revised version, we will add an ablation study removing the SMT step and report quantitative metrics including sample diversity, KL divergence to real traces, and task-specific performance to demonstrate that rule enforcement preserves generative fidelity without introducing bias or mode collapse. revision: yes

  2. Referee: [§5.1] §5.1 (Rule-learning evaluation): The 1.6–6.5× scalability advantage over DuoAI is asserted, but the comparison lacks explicit controls for dataset size, rule-set cardinality after filtering, and hardware normalization; without these, it is unclear whether the reported speedup is attributable to the proposed pipeline or to implementation differences.

    Authors: The referee correctly notes that additional controls would clarify the source of the reported scalability gains. Our experiments used consistent datasets and hardware for both methods. We will revise §5.1 to explicitly report dataset sizes, the cardinality of rule sets after filtering for NetNomos and DuoAI, and hardware-normalized timing measurements. These additions will make the comparison transparent and confirm that the 1.6–6.5× advantage stems from our pipeline's efficiency. revision: yes

  3. Referee: [§4.3] §4.3 (Filtering stage): The rule-filtering criteria are described as selecting 'semantically meaningful' rules, yet the manuscript treats the filtering thresholds as free parameters without a sensitivity analysis or automated criterion; this directly affects reproducibility of the downstream performance results.

    Authors: We recognize that treating filtering thresholds as free parameters without further analysis limits reproducibility. The thresholds were selected empirically to retain semantically relevant rules. In the revised manuscript, we will add a sensitivity analysis varying the thresholds and reporting effects on rule count and downstream performance. We will also introduce an automated criterion based on data-driven measures such as minimum support and confidence to systematize the process. revision: yes

Circularity Check

0 steps flagged

No significant circularity; claims rest on empirical evaluation of external components.

full rationale

The paper's core pipeline—learning rules from data, filtering for semantic meaning, and enforcing via SMT collaboration with a generic GPT-2 model—is presented as a multi-stage framework evaluated on real datasets against external baselines (DuoAI, Zoom2Net, NetShare). No equations or steps reduce a claimed performance gain to a fitted parameter or self-citation by construction. The abstract and framework description treat rule learning, filtering, and SMT enforcement as independent modules whose outputs are measured on downstream tasks, without redefining success metrics in terms of the inputs themselves. This is the expected non-circular case for an applied systems paper whose results are benchmarked externally.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 0 invented entities

The approach rests on the premise that networking relationships can be captured as first-order logic rules learnable from data and that SMT solvers can enforce them during generation without harming model utility.

free parameters (1)
  • rule filtering criteria
    Thresholds or heuristics used to select semantically meaningful rules from the larger set learned from data.
axioms (1)
  • domain assumption Networking domain knowledge can be expressed as first-order logic rules that relate observable signals such as latency and packet loss.
    Invoked when stating that rules capture well-known relationships among observed signals.

pith-pipeline@v0.9.0 · 5867 in / 1179 out tokens · 31180 ms · 2026-05-19T07:21:24.223776+00:00 · methodology

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

73 extracted references · 73 canonical work pages · 1 internal anchor

  1. [1]

    1995.Mining Sequential Patterns

    R Agrawal. 1995.Mining Sequential Patterns. Technical Report. Research report

    work page 1995

  2. [2]

    Dana Angluin. 1987. Learning regular sets from queries and counterex- amples. Information and computation 75, 2 (1987), 87–106

    work page 1987

  3. [3]

    Domagoj Babić, Daniel Reynaud, and Dawn Song. 2011. Malware Analysis with Tree Automata Inference. InComputer Aided Verification, Ganesh Gopalakrishnan and Shaz Qadeer (Eds.). Vol. 6806. Springer Berlin Heidelberg, Berlin, Heidelberg, 116–131. https://doi.org/10.1007/ 978-3-642-22110-1_10 Series Title: Lecture Notes in Computer Science

    work page 2011

  4. [4]

    Osbert Bastani, Yewen Pu, and Armando Solar-Lezama. 2018. Verifi- able reinforcement learning via policy extraction.Advances in neural information processing systems 31 (2018)

    work page 2018

  5. [5]

    Nicolas Beldiceanu and Helmut Simonis. 2012. A Model Seeker: Extracting Global Constraint Models from Positive Examples. In Principles and Practice of Constraint Programming , Michela Milano (Ed.). Springer, Berlin, Heidelberg, 141–157. https://doi.org/10.1007/ 978-3-642-33558-7_13

    work page 2012

  6. [6]

    Christian Bessiere, Remi Coletta, Frédéric Koriche, and Barry O’Sullivan

    work page

  7. [7]

    InMachine Learning: ECML 2005: 16th European Conference on Machine Learning, Porto, Portugal, October 3-7, 2005

    A SAT-based version space algorithm for acquiring constraint satisfaction problems. InMachine Learning: ECML 2005: 16th European Conference on Machine Learning, Porto, Portugal, October 3-7, 2005. Pro- ceedings 16. Springer, 23–34

    work page 2005

  8. [8]

    Luca Beurer-Kellner, Marc Fischer, and Martin Vechev. 2024. Guiding llms the right way: Fast, non-invasive constrained generation.arXiv preprint arXiv:2403.06988 (2024)

    work page arXiv 2024

  9. [9]

    Armin Biere. 2021. Bounded model checking. In Handbook of satisfia- bility. IOS press, 739–764

    work page 2021

  10. [10]

    Garrett Birkhoff. 1940. Lattice theory. Vol. 25. American Mathematical Soc

    work page 1940

  11. [11]

    Garrett Birkhoff. 1967. Lattice Theory. American Mathematical Society. Providence, RI (1967)

    work page 1967

  12. [12]

    Francesco Bronzino, Paul Schmitt, Sara Ayoubi, Guilherme Martins, Renata Teixeira, and Nick Feamster. 2019. Inferring streaming video quality from encrypted traffic: Practical models and deployment experi- ence. Proceedings of the ACM on Measurement and Analysis of Computing Systems 3, 3 (2019), 1–25

    work page 2019

  13. [13]

    Chia Yuan Cho, Domagoj Babi Ć, Eui Chul Richard Shin, and Dawn Song. 2010. Inference and analysis of formal models of botnet command and control protocols. In Proceedings of the 17th ACM conference on Computer and communications security . ACM, Chicago Illinois USA, 426–439. https://doi.org/10.1145/1866307.1866355

    work page doi:10.1145/1866307.1866355 2010

  14. [14]

    2011.{MACE}:{Model- inference-Assisted} concolic exploration for protocol and vulnerability discovery

    Chia Yuan Cho, Domagoj Babić, Pongsin Poosankam, Kevin Zhijie Chen, Edward XueJun Wu, and Dawn Song. 2011.{MACE}:{Model- inference-Assisted} concolic exploration for protocol and vulnerability discovery. In20th USENIX Security Symposium (USENIX Security 11)

    work page 2011

  15. [15]

    Edmund Clarke, Armin Biere, Richard Raimi, and Yunshan Zhu. 2001. Bounded model checking using satisfiability solving.Formal methods in system design 19 (2001), 7–34

    work page 2001

  16. [16]

    David Cohen and Peter Jeavons. 2006. The complexity of constraint languages. In Foundations of Artificial Intelligence. Vol. 2. Elsevier, 245– 280

    work page 2006

  17. [17]

    Fady Copty, Limor Fix, Ranan Fraer, Enrico Giunchiglia, Gila Kamhi, Armando Tacchella, and Moshe Y Vardi. 2001. Benefits of bounded model checking at an industrial setting. InComputer Aided Verification: 13th International Conference, CA V 2001 Paris, France, July 18–22, 2001 Proceedings 13. Springer, 436–453

    work page 2001

  18. [18]

    Miles Cranmer, Alvaro Sanchez Gonzalez, Peter Battaglia, Rui Xu, Kyle Cranmer, David Spergel, and Shirley Ho. 2020. Discovering symbolic models from deep learning with inductive biases.Advances in neural information processing systems 33 (2020), 17429–17442

    work page 2020

  19. [19]

    Andrew Cropper and Sebastijan Dumančić. 2022. Inductive logic pro- gramming at 30: a new introduction. Journal of Artificial Intelligence Research 74 (2022), 765–850

    work page 2022

  20. [20]

    Joscha Cüppers, Adrien Schoen, Gregory Blanc, and Pierre-Francois Gimenez. 2024. FlowChronicle: Synthetic Network Flow Generation through Pattern Set Mining. Proceedings of the ACM on Networking 2, CoNEXT4 (2024), 1–20

    work page 2024

  21. [21]

    2002.Introduction to lattices and order

    Brian A Davey and Hilary A Priestley. 2002.Introduction to lattices and order. Cambridge university press

    work page 2002

  22. [22]

    Nachum Dershowitz, Ziyad Hanna, and Alexander Nadel. 2006. A scalable algorithm for minimal unsatisfiable core extraction. InTheory and Applications of Satisfiability Testing-SAT 2006: 9th International Conference, Seattle, W A, USA, August 12-15, 2006. Proceedings 9. Springer, 36–41

    work page 2006

  23. [23]

    Franck Djeumou, Cyrus Neary, Eric Goubault, Sylvie Putot, and Ufuk Topcu. 2022. Neural Networks with Physics-Informed Architectures and Constraints for Dynamical Systems Modeling. In Proceedings of The 4th Annual Learning for Dynamics and Control Conference (Pro- ceedings of Machine Learning Research) , Vol. 168. PMLR, 263–277. https://proceedings.mlr.pre...

    work page 2022

  24. [24]

    Pedro Domingos. 1999. The role of Occam’s razor in knowledge discov- ery. Data mining and knowledge discovery 3 (1999), 409–425

    work page 1999

  25. [25]

    Frederic B Fitch. 1963. A logical analysis of some value concepts1.The journal of symbolic logic 28, 2 (1963), 135–142

    work page 1963

  26. [26]

    Center for Applied Internet Data Analysis. 2018. The CAIDA Anonymized Internet Traces Dataset. (April 2018). https://www.caida. org/catalog/datasets/passive_dataset/

    work page 2018

  27. [27]

    Ehab Ghabashneh, Yimeng Zhao, Cristian Lumezanu, Neil Spring, Srikanth Sundaresan, and Sanjay Rao. 2022. A microscopic view of bursts, buffer contention, and loss in data centers. InProceedings of the 22nd ACM Internet Measurement Conference. 567–580

    work page 2022

  28. [28]

    Fengchen Gong, Divya Raghunathan, Aarti Gupta, and Maria Aposto- laki. 2024. Zoom2net: Constrained network telemetry imputation. In Proceedings of the ACM SIGCOMM 2024 Conference. 764–777

    work page 2024

  29. [29]

    Sven Gowal, Krishnamurthy Dvijotham, Robert Stanforth, Rudy Bunel, Chongli Qin, Jonathan Uesato, Relja Arandjelovic, Timothy Mann, and Pushmeet Kohli. 2018. On the effectiveness of interval bound propagation for training verifiably robust models. arXiv preprint arXiv:1810.12715 (2018)

    work page arXiv 2018

  30. [30]

    2002.General lattice theory

    George Grätzer. 2002.General lattice theory. Springer Science & Business Media

    work page 2002

  31. [31]

    2007.The minimum description length principle

    Peter D Grünwald. 2007.The minimum description length principle. MIT press

    work page 2007

  32. [32]

    Ishaan Gulrajani, Faruk Ahmed, Martin Arjovsky, Vincent Dumoulin, and Aaron C Courville. 2017. Improved training of wasserstein gans. Advances in neural information processing systems 30 (2017)

    work page 2017

  33. [33]

    Matthias Höschele and Andreas Zeller. 2016. Mining input grammars from dynamic taints. InProceedings of the 31st IEEE/ACM International Conference on Automated Software Engineering. 720–725

    work page 2016

  34. [34]

    Alexey Ignatiev, Alessandro Previti, Mark Liffiton, and Joao Marques- Silva. 2015. Smallest MUS extraction with minimal hitting set dualiza- tion. In International Conference on Principles and Practice of Constraint Programming. Springer, 173–182

    work page 2015

  35. [35]

    Katsumi Inoue, Andrei Doncescu, and Hidetomo Nabeshima. 2013. Com- pleting causal networks by meta-level abduction.Machine learning 91, 2 (2013), 239–277

    work page 2013

  36. [36]

    Jacobs, Roman Beltiukov, Walter Willinger, Ronaldo A

    Arthur S. Jacobs, Roman Beltiukov, Walter Willinger, Ronaldo A. Fer- reira, Arpit Gupta, and Lisandro Z. Granville. 2022. AI/ML for Network Security: The Emperor has no Clothes. InProceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security (CCS ’22). Association for Computing Machinery, New York, NY, USA, 1537–1551. https://doi.o...

    work page doi:10.1145/3548606.3560609 2022

  37. [37]

    Xiaodong Jia and Gang Tan. 2024. V-Star: Learning Visibly Pushdown Grammars from Program Inputs. Proceedings of the ACM on Program- ming Languages 8, PLDI (2024), 2003–2026

    work page 2024

  38. [38]

    Xi Jiang, Shinan Liu, Aaron Gember-Jacobson, Arjun Nitin Bhagoji, Paul Schmitt, Francesco Bronzino, and Nick Feamster. 2024. Netdiffu- sion: Network data augmentation through protocol-constrained traffic generation. Proceedings of the ACM on Measurement and Analysis of Computing Systems 8, 1 (2024), 1–32

    work page 2024

  39. [39]

    Minhao Jin and Maria Apostolaki. 2025. Robustifying ML-powered Network Classifiers with PANTS. In34th USENIX Security Symposium (USENIX Security 25)

    work page 2025

  40. [40]

    George Em Karniadakis, Ioannis G Kevrekidis, Lu Lu, Paris Perdikaris, Sifan Wang, and Liu Yang. 2021. Physics-informed machine learning. Nature Reviews Physics 3, 6 (2021), 422–440

    work page 2021

  41. [41]

    Huang, Duligur Ibeling, Kyle Julian, Christopher Lazarus, Rachel Lim, Parth Shah, Shantanu Thakoor, Haoze Wu, Alek- sandar Zeljić, David L

    Guy Katz, Derek A. Huang, Duligur Ibeling, Kyle Julian, Christopher Lazarus, Rachel Lim, Parth Shah, Shantanu Thakoor, Haoze Wu, Alek- sandar Zeljić, David L. Dill, Mykel J. Kochenderfer, and Clark Barrett. [n. d.]. The Marabou Framework for Verification and Analysis of Deep Neural Networks. In Computer Aided Verification, Isil Dillig and Serdar Tasiran (...

    work page doi:10.1007/978-3-030-25540-4_26

  42. [42]

    Samuel Kolb, Sergey Paramonov, Tias Guns, and Luc De Raedt. 2017. Learning constraints in spreadsheets and tabular data.Machine Learning 106 (2017), 1441–1468

    work page 2017

  43. [43]

    Mohit Kumar, Samuel Kolb, and Tias Guns. 2022. Learning constraint programming models from data using generate-and-aggregate. In28th International Conference on Principles and Practice of Constraint Program- ming (CP 2022). Schloss Dagstuhl-Leibniz-Zentrum für Informatik

    work page 2022

  44. [44]

    Gabriel Maciá-Fernández, José Camacho, Roberto Magán-Carrión, Pe- dro García-Teodoro, and Roberto Therón. 2018. UGR ‘16: A new dataset for the evaluation of cyclostationarity-based network IDSs.Computers & Security 73 (2018), 411–424

    work page 2018

  45. [45]

    Zili Meng, Minhu Wang, Jiasong Bai, Mingwei Xu, Hongzi Mao, and Hongxin Hu. [n. d.]. Interpreting Deep Learning-Based Networking Systems. In Proceedings of the Annual conference of the ACM Special Interest Group on Data Communication on the applications, technologies, architectures, and protocols for computer communication (2020-07-30) (SIGCOMM ’20). Asso...

    work page doi:10.1145/3387514.3405859 2020

  46. [46]

    Tom M Mitchell. 1982. Generalization as search.Artificial intelligence 18, 2 (1982), 203–226

    work page 1982

  47. [47]

    1997.Machine learning

    Tom M Mitchell and Tom M Mitchell. 1997.Machine learning. Vol. 1. McGraw-hill New York

    work page 1997

  48. [48]

    Soo-Jin Moon, Jeffrey Helt, Yifei Yuan, Yves Bieri, Sujata Banerjee, Vyas Sekar, Wenfei Wu, Mihalis Yannakakis, and Ying Zhang. 2019. Alembic: Automated model inference for stateful network functions. In 16th USENIX Symposium on Networked Systems Design and Implementation (NSDI 19). 699–718

    work page 2019

  49. [49]

    Alexander Nadel. 2010. Boosting minimal unsatisfiable core extraction. In Formal methods in computer aided design. IEEE, 221–229

    work page 2010

  50. [50]

    Jon Postel. 1981. Transmission Control Protocol. RFC 793. (Sept. 1981). https://doi.org/10.17487/RFC0793

    work page doi:10.17487/rfc0793 1981

  51. [51]

    Markus Ring, Daniel Schlör, Dieter Landes, and Andreas Hotho. 2019. Flow-based network traffic generation using generative adversarial networks. Computers & Security 82 (2019), 156–172

    work page 2019

  52. [52]

    Markus Ring, Sarah Wunderlich, Dominik Grüdl, Dieter Landes, and Andreas Hotho. 2017. Creation of Flow-Based Data Sets for Intrusion Detection. Journal of Information Warfare 16 (2017), 40–53. Issue 4

    work page 2017

  53. [53]

    Adrien Schoen, Gregory Blanc, Pierre-François Gimenez, Yufei Han, Frédéric Majorczyk, and Ludovic Me. 2024. A Tale of Two Methods: Unveiling the limitations of GAN and the Rise of Bayesian Networks for Synthetic Network Traffic Generation. In2024 IEEE European Sym- posium on Security and Privacy Workshops (EuroS&PW). IEEE, 273–286

    work page 2024

  54. [54]

    Iman Sharafaldin, Arash Habibi Lashkari, and Ali A Ghorbani. 2018. Intrusion detection evaluation dataset (CIC-IDS2017).Proceedings of the of Canadian Institute for Cybersecurity (2018)

    work page 2018

  55. [55]

    Solatorio and Olivier Dupriez

    Aivin V. Solatorio and Olivier Dupriez. 2023. REaLTabFormer: Generat- ing Realistic Relational and Tabular Data using Transformers.arXiv preprint arXiv:2302.02041 (2023)

    work page arXiv 2023

  56. [56]

    Ramakrishnan Srikant and Rakesh Agrawal. 1996. Mining sequential patterns: Generalizations and performance improvements. InInterna- tional conference on extending database technology. Springer, 1–17

    work page 1996

  57. [57]

    Leslie G Valiant. 1984. A theory of the learnable.Commun. ACM 27, 11 (1984), 1134–1142

    work page 1984

  58. [58]

    Pan Wang, Shuhang Li, Feng Ye, Zixuan Wang, and Moxuan Zhang

    work page

  59. [59]

    In IEEE International Conference on Communications (ICC) (IEEE): 1–6

    PacketCGAN: Exploratory Study of Class Imbalance for Encrypted Traffic Classification Using CGAN. InICC 2020 - 2020 IEEE International Conference on Communications (ICC) . 1–7. https://doi.org/10.1109/ ICC40277.2020.9148946

    work page arXiv 2020

  60. [60]

    Brandon T Willard and Rémi Louf. 2023. Efficient Guided Generation for LLMs. arXiv preprint arXiv:2307.09702 (2023)

    work page internal anchor Pith review Pith/arXiv arXiv 2023

  61. [61]

    Kerry N Wood and Richard E Harang. 2015. Grammatical inference and language frameworks for langsec. In2015 IEEE Security and Privacy Workshops. IEEE, 88–98

    work page 2015

  62. [62]

    Lei Xu, Maria Skoularidou, Alfredo Cuesta-Infante, and Kalyan Veera- machaneni. 2019. Modeling tabular data using conditional gan. Ad- vances in neural information processing systems 32 (2019)

    work page 2019

  63. [63]

    Yucheng Yin, Zinan Lin, Minhao Jin, Giulia Fanti, and Vyas Sekar. 2022. Practical gan-based synthetic ip header trace generation using netshare. In Proceedings of the ACM SIGCOMM 2022 Conference. 458–472

    work page 2022

  64. [64]

    Yifei Yuan, Dong Lin, Rajeev Alur, and Boon Thau Loo. 2015. Scenario- based programming for SDN policies. InProceedings of the 11th ACM Conference on Emerging Networking Experiments and Technologies. 1–13. A SEMANTICS LEARNING ON CIDDS AND UGR Fig. 13 shows the rule violation rates for CIDDS and UGR. Similarly, NetNomos is able to capture semantic differe...

    work page 2015

  65. [65]

    Since 𝐶3 |=𝐶2, one of𝐶2 1 and 𝐶2 2 is semantically equivalent to𝐶2; as- sume it is𝐶2

    work page

  66. [66]

    By the same token, one can find another arity-2 constraint that is equivalent to𝐶2

    work page

  67. [67]

    ICMP") ⇒ (DstIp =

    As the learner traverses downward from the lowest arity value in𝐿, the equivalents of 𝐶2 1 and 𝐶2 2 will be encountered by the learner before𝐶3. Thus, prioritizing the more general but more succinct𝐶2 would not lead to missing𝐶3. In fact, when the learner starts to exam- ine 𝐶3 with, the set C2 of learned arity-2 constraints yields C2 |=𝐶3, making it redu...

    work page

  68. [68]

    server") =⇒ ( DstPort =

    ∧ (Ack3 = Seq2 +1)) 3: Seq1 +Len1 = Ack2 TCP packet sequencing. 4: (Ack2 = Seq1 + 1 ∧ SrcIp1 = DstIp2) =⇒ ( Tsval1 = Tsecr2) Timestamp echo. 5: (Ack3 = Seq2 + 1 ∧ SrcIp2 = DstIp3) =⇒ ( Tsval2 = Tsecr3) 6: (SrcIp1 = SrcIp2) =⇒ ( Seq1 +Len1 = SeqNum2) Timestamp continuity. 7: (SrcIp ="server") =⇒ ( DstPort ="client_port"∧SrcPort = "server_port") 8: (SrcIp =...

    work page

  69. [69]

    ∨ (RstFlagCount > 0) ∨ (PshFlagCount > 0) ∨ (AckFlagCount >

    work page

  70. [70]

    ∨ ( CweFlagCount > 0) ∨ ( EceFlagCount > 0)) =⇒ (Protocol ≠ 17) 7: (SynFlagCount > 0) =⇒ (TotalLengthOfFwdPackets > 0) 8: (RstFlagCount > 0) =⇒ (TotalLengthOfFwdPackets > 0) 9: (CweFlagCount > 0) =⇒ (TotalLengthOfFwdPackets > 0) 10: (EceFlagCount > 0) =⇒ (TotalLengthOfFwdPackets > 0) 11: (( SynFlagCount > 0) ∨ (RstFlagCount > 0) ∨(CweFlagCount > 0) ∨ (Ece...

    work page

  71. [71]

    ∧ (TotalLengthOfBwdPackets > 0) =⇒ ( FlowBytesPerSecond > 0) 15: (PacketLengthMean > 0) ∧ ( PacketLengthMax > 0) ∧ (PacketLengthMin > 0) =⇒ ( PacketLengthVariance ≥ 0) 16: (FwdPacketLengthMean > 0) ∧ (BwdPacketLengthMean >

    work page

  72. [72]

    ∧ (FwdPacketCount > 0) ∧ (BwdPacketCount > 0) =⇒ (FlowPacketMean > 0) 17: (FlowIatMean > 0) ∧ (FlowIatStd > 0) ∧ (FlowIatMin >

    work page

  73. [73]

    Training and inference of ML models are all conducted on an A100 NVIDIA GPU

    ∧ (FlowIatMax > 0) =⇒ ( ActiveMean > 0) ∧ (IdleMean > 0) 18: (FwdPacketCount > 0) ∨ ( BwdPacketCount > 0) =⇒ (TotalPacketCount = FwdPacketCount+BwdPacketCount) 19: (( TcpFlagsCount > 0) ∧ (Protocol = 6)) ∨(( UdpPacketCount > 0) ∧(Protocol = 17))∨ (( IcmpPacketCount > 0) ∧ (Protocol = 1)) 20: (PacketCount > 0) =⇒ ( MinPacketLength ≤ MeanPacketLength ≤ MaxP...

    work page