VMware Inc

Country: United States
6 Projects, page 1 of 2
  • Funder: UK Research and Innovation Project Code: EP/L022796/2
    Funder Contribution: 119,677 GBP

    Highly available information networks are an increasingly essential component of modern society. Targeted attacks are a key threat to the availability of these networks. These attacks exploit weak components in network infrastructure and attack them, triggering side-effects that harm the ultimate victim. Targeted attacks are carried out using highly distributed attacker networks called botnets, comprising between thousands and hundreds of thousands of compromised computers. A key feature is that botnets are programmable, allowing the attacker to evolve and adapt to defences developed by infrastructure providers. However, current network infrastructure is largely static and hence cannot adapt to a fast-evolving attacker. To design effective responses, a programmable network infrastructure enabling large-scale cooperation is necessary. Our research will create a new form of secure network infrastructure which detects targeted attacks on itself. It then automatically restructures the infrastructure to maximise attack resilience. Finally, it self-verifies whether global properties of safety and correctness can be assured even though each part of the infrastructure only has a local view of the world. Our research will examine techniques to collect and merge inferences across distributed vantage points within a network whilst minimising risks to user privacy from data aggregation using novel privacy techniques. We make a start on addressing the risks introduced by programmability itself, by developing smart assurance techniques that can verify evidence of good intention before the infrastructure is reprogrammed. We set three fundamental design objectives for our design: (1) Automated and seamless restructuring of network infrastructure to withstand attacks aimed at strategic targets on the infrastructure. (2) A measurement system that allows dynamic allocation of resources and fine control over the manner, location, frequency, and intensity of data collected at each monitoring location on the infrastructure. (3) Assurance of safety and compliance with sound principles of structural resilience when infrastructure is reprogrammed. Our aim is to develop future network defences based on a smart and evolving network infrastructure.

  • Funder: UK Research and Innovation Project Code: EP/K034413/1
    Funder Contribution: 3,956,090 GBP

    We aim to solve computing's most pressing problem - concurrency and distribution - by adapting one of computing's most successful concepts - the data type. Data types codify the structure of data; session types codify the structure of communication. Session types will enable a revolution in the development of concurrent and distributed software, making it cheaper to construct and maintain, and more reliable. Concurrency and distribution are computing's most pressing problem: unless we discover a way to routinely and reliably build concurrent and distributed systems, a half century of unprecedented technical progress will draw to a close. We are approaching the 50th anniversary of Moore's Law, the observation that component counts and clock speeds double every 18 months. No exponential improvement can continue forever, and recently this rule has changed: clock speeds now remain fixed while the number of processors doubles, so exploitation of concurrency is essential. Meanwhile, everyone now has a computer in their pocket, and these computers depend crucially on communication to achieve their function. We inhabit a world of web applications, cloud services, and mobile apps: society increasingly depends on a technological infrastructure of concurrent and distributed systems. Programming concurrent and distributed systems is notoriously difficult. Many solutions are based on shared memory, which requires the programmer to reason about every possible interleaving by which many processors access a common resource. Shared memory scales only to a certain point; it is not appropriate for programming the server farms that drive the web or for mobile applications. The most successful solutions so far appear to be those that replace shared memory with communication as the central structuring technique. Communication usually centres around the notion of a protocol, a series of operations in a specific order. 
However, direct support for protocols at the language level has been lacking, as compared with data types. The data type is one of computing's most successful concepts. Data types appear from the oldest programming language to the newest, and cover concepts ranging from a single byte to organised tables containing information on customers and orders. Types act as the fundamental unit of compositionality: the first thing a programmer writes or reads about each method is its data type, and type discipline guarantees that each call of a method matches its definition. Data types play a central role in all aspects of software, from architectural design to interactive development environments to efficient compilation. The analogue of the data type for concurrency and distribution is the session type. A session type codifies the notion of a protocol. Session types build on data types, as data types specify the lowest level of data exchange, upon which more complex protocols are built. Just as type discipline matches use and definition of a method, so session types ensure consistency between the two ends of a communication. We expect session types to play a role in all aspects of software. Today, architects discuss the high-level structure of a system in terms of its types, but must resort to informal notions of protocol to describe communication; in future, they will describe communication in terms of session types. Today, programmers use tools that let them search for methods and modules based on their type, and give immediate feedback if their program violates type discipline, but must resort to informal notions of protocol when coding communications; in future, they will search for components based on their session type, and get immediate feedback if their program violates session type discipline. 
Today, software tools exploit types to optimise code, but cannot exploit the informal notions of protocol to optimise communication; in future, communication middleware will exploit session types to support efficient messaging.

  • Funder: UK Research and Innovation Project Code: EP/L022796/1
    Funder Contribution: 345,908 GBP

    Highly available information networks are an increasingly essential component of modern society. Targeted attacks are a key threat to the availability of these networks. These attacks exploit weak components in network infrastructure and attack them, triggering side-effects that harm the ultimate victim. Targeted attacks are carried out using highly distributed attacker networks called botnets, comprising between thousands and hundreds of thousands of compromised computers. A key feature is that botnets are programmable, allowing the attacker to evolve and adapt to defences developed by infrastructure providers. However, current network infrastructure is largely static and hence cannot adapt to a fast-evolving attacker. To design effective responses, a programmable network infrastructure enabling large-scale cooperation is necessary. Our research will create a new form of secure network infrastructure which detects targeted attacks on itself. It then automatically restructures the infrastructure to maximise attack resilience. Finally, it self-verifies whether global properties of safety and correctness can be assured even though each part of the infrastructure only has a local view of the world. Our research will examine techniques to collect and merge inferences across distributed vantage points within a network whilst minimising risks to user privacy from data aggregation using novel privacy techniques. We make a start on addressing the risks introduced by programmability itself, by developing smart assurance techniques that can verify evidence of good intention before the infrastructure is reprogrammed. We set three fundamental design objectives for our design: (1) Automated and seamless restructuring of network infrastructure to withstand attacks aimed at strategic targets on the infrastructure. (2) A measurement system that allows dynamic allocation of resources and fine control over the manner, location, frequency, and intensity of data collected at each monitoring location on the infrastructure. (3) Assurance of safety and compliance with sound principles of structural resilience when infrastructure is reprogrammed. Our aim is to develop future network defences based on a smart and evolving network infrastructure.

  • Funder: UK Research and Innovation Project Code: EP/K011715/1
    Funder Contribution: 1,500,660 GBP

    Software is increasingly organised around distributed communicating processes. This is especially true in large-scale distributed computing platforms such as the backend of popular Web-based services and public sector platforms for e-healthcare and e-science, which often provide lifelines of society. An application is organised as a dynamic collection of distributed components. The framework is based on interacting processes, which extends the traditional paradigm of functions and objects and which allows far more versatile and scalable organisation of software components. Assuring safety in such distributed systems is a vital societal concern: many platforms are long-lived, offer socially critical services, and collect security-sensitive data; safety violations, including security breaches, can have wide-ranging consequences, from temporary service outage to information leakage to exploitation of security vulnerabilities by criminal organisations. However, existing assurance methodologies are based on objects and functions: no well-established formal assurance methodologies are known for distributed systems. Large-scale distributed computing infrastructures are like skyscrapers used by hundreds of thousands of people, whose construction relies on well-established structural engineering principles as a foundation of safe engineering. Can we establish the corresponding engineering principles for building software skyscrapers vital to modern society? Against this background, the central aim of this project is to establish a general, formally based safety assurance methodology for distributed systems, which we call conversation-based governance. Conversation-based governance starts from advanced types for capturing conversations, called multiparty session types (MPSTs), recently introduced by the PIs and extensively studied by researchers. 
    Building on the latest theoretical results and on the PIs' ongoing collaborations with the project partners, we introduce a new development and assurance framework based on MPSTs. At the centre of our approach is a high-level, programming-language-agnostic MPST-based declarative protocol description language. Safety assurance in this framework is realised through verification of distributed components against formal specifications in this protocol language, performed either statically (at development time) or dynamically (at runtime), of which we place an emphasis on the latter: large-scale distributed systems are rarely amenable to static verification as a whole due to, for example, heterogeneous components, so that only dynamic verification and enforcement can offer comprehensive safety assurance. It is due to this emphasis on runtime policing of conversations that we call the proposed assurance framework conversation-based governance. The project will establish this new methodology through the following tasks: (1) The development of a programming-language-agnostic protocol description language, called Scribble, and its open source tool chain, programming interfaces (APIs) and runtimes, backed up by a uniform type theory of MPSTs. (2) The development of an assertion language for specifying and verifying refined safety properties as elaboration of protocols, together with a policy language linked to the assertion language. Decentralised monitors backed up by a theory of the pi-calculus offer efficient, scalable runtime verification and enforcement. (3) Large-scale experiments through collaboration with project partners, realising formal safety assurance for real-world applications, including global cyberinfrastructure, enterprise software, and messaging middleware. 
Throughout the project, an extensive dialogue between theories and practice will be conducted, leading to truly effective principles and tools for general safety assurance methodologies of distributed systems vital for future IT infrastructures and society.

  • Funder: UK Research and Innovation Project Code: EP/T007206/1
    Funder Contribution: 394,776 GBP

    Data centre networks are poorly equipped to rapidly spot and address failures, resulting in countless well-documented application performance degradations or outages. This is because the investigation process is performed in centralised commodity servers (collectors) that do not have per-packet visibility, but instead see aggregated and sampled statistics from the data plane. The NEAT project will address this deficiency by moving traffic analysis directly into switches that have per-packet visibility. Exploiting advances in programmable hardware, e.g. P4, NEAT will rethink data plane operation and will transform switches from mere packet forwarders with limited monitoring capabilities into more intelligent systems capable of analysing traffic and exporting only relevant results. This will enable the level of fine-grained data plane visibility required to allow operators to rapidly identify and adapt to changes in network conditions that hurt applications.
