Each MatchStates entry is a 4-tuple, (, C, State, count). Given the aforementioned notions, we explain how incoming flow instances are matched against the constructed RETE network containing the whitelist information, in the following section. A flow instance traverses the RETE network as specified in Algorithm 1. TimedRETE computes the match states of the flow instance during the traversal. This algorithm can be explained best with a series of examples illustrated in Figs 7, 8, 9, 10, 11, 12, 13 and 14.

The located alpha node sets match states of this flow instance at the child nodes to INIT. Suppose that the initial state of RETE is as in Fig 7(a).

When flow instance, enters this network, TimedRETE finds the alpha node A1 and sets the state of at the immediate child node B1 to INIT. Count of is initialized to 1 as there is only one immediate child node for A1.

state value of INIT indicates that the flow instance newly entered the system, and the process of the waiting for matching subsequent instances has started.

This match state information and the initial count value is added to MatchStates (MS) of A1. Subsequently, A1 forwards the to its immediate child node. If the child node receives the flow instance as a trigger instance, it the instance to the WaitList (WL) and waits for an action instance to be forwarded by the action parent, as shown in Fig 7(b).

When flow instance enters the RETE network, TimedRETE finds alpha node A2 and repeats the MatchStates update procedure and forwards to its immediate child node B1. B1 takes as an instance as it was sent by A2, the action parent. Upon receipt of B1 iterates through the WaitList to see if there is any previous trigger instance that occurred prior to F2 within the duration bounds, as shown in Fig 8(c-1).

If no trigger action satisfies the duration bounds, then we can regard the action instance to be unrelated with the trigger instances. This indicates that there is no relationship between the trigger instances and the action instance, as shown in Fig 9(c-3). Subsequently the count of is decremented by 1. For example, is forwarded to B2, as shown in Fig 8(c-2).

Such matching and relay operation is repeated until a flow instance reaches a leaf node, as shown in Fig 10. When the flow instance enters the network as shown in Fig 10(d-1), MatchState information is initialized to INIT at A3. Note that we cannot prematurely judge that the fully-matched time sequence to be normal, because the flow instances could have been invoked as a part of other applications. Therefore, along with application ID, TimedRETE transfers the fully-matched time sequence to the WoT platform in order to get a final confirmation that the time sequence actually occurred according to application execution log as shown in Fig 11(e-2).

Immediately after the count value becomes zero, the node relays the state information to its parents along with the final match state, as shown in Fig 12(e-4). In the following section, we show how TimedRETE sweeps through the set of alpha nodes to retrieve normal and abnormal time sequence of flow instances. The periodic process of identifying normal and abnormal flow instances is specified in Algorithm 2. that this checking procedure is based on the following theorem.

Proof: We prove 1 by contradiction. Suppose that there can be a state value of INIT for f in the MatchStates of an alpha node while the count value is zero. Therefore, the initial count of f can never become zero. We guarantee this by getting the confirmation from the WoT platform base on its application execution log.



