The Center for Education and Research in Information Assurance and Security (CERIAS)

Reports and Papers Archive

EMERALD: Event Monitoring Enabling Responses to Anomalous Live Disturbances

Phillip A. Porras, Peter G. Neumann

This paper summarizes the EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances) environment, a distributed, scalable tool suite for tracking malicious activity through and across large networks. EMERALD introduces a highly distributed, building-block approach to network surveillance, attack isolation, and automated response. It combines models from research in distributed high-volume event-correlation methodologies with over a decade’s worth of intrusion-detection research and engineering experience. The approach is novel in its use of highly distributed, independently tunable surveillance and response monitors that are deployable polymorphically at various abstract layers in a large network. These monitors demonstrate a streamlined intrusion-detection design that combines signature analysis with statistical profiling to provide localized real-time protection of the most widely used network services on the Internet. Equally important, EMERALD introduces a recursive framework for coordinating the dissemination of analyses from the distributed monitors to provide a global detection and response capability to counter attacks occurring across an entire network enterprise. Further, EMERALD introduces a versatile application programmers’ interface that enhances its ability to integrate with the target hosts and provides a high degree of interoperability with third-party tool suites.

Added 2002-07-26

Thoughts About Susceptibility to Data Driven Attacks

Marvin Schaefer, Gary R. Grossman

In research conducted over the last year, we have concluded that the class of attacks known as data-driven attacks has become somewhat popular with the interloper population. These attacks generally are transmitted in the guise of an innocent data structure, such as a document, spreadsheet or image, while in reality the data is an object in the modern sense. That is, the data object consists of potentially passive and potentially active portions, the latter generally acting as a collection of methods that support viewing the passive portions of the object.

Added 2002-07-26

The Architecture of a Network Level Intrusion Detection System

Richard Heady, George Luger, Mark Servilla, Arthur Maccabe

This paper presents the preliminary architecture of a network-level intrusion detection system. The proposed system will monitor base-level information in network packets (source, destination, packet size, and time), learning the ‘normal’ patterns and announcing anomalies as they occur. The goal of this research is to determine the applicability of current intrusion detection technology to the detection of network-level intrusions. In particular, we are investigating the possibility of using this technology to detect and react to worm programs.

Added 2002-07-26
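
The kind of base-level packet profiling this abstract describes, as an added example that is not the UNM authors' system: a detector that learns, from a constructed training window, per-(source, destination) packet-size statistics and each source's set of known destinations, then flags out-of-profile sizes and a burst of first contacts from one host, the fan-out pattern a scanning worm produces. The traffic, the z-score threshold, the 10-second window and the five-destination limit are all assumptions chosen for the illustration.

```python
import math
from collections import defaultdict, deque

# Constructed traffic, one tuple per packet: (time_s, src, dst, size_bytes).
# Only the four base-level fields the abstract names are used.
BASELINE = [
    (0.0, "10.0.0.5", "10.0.0.1", 78),
    (1.0, "10.0.0.5", "10.0.0.1", 82),
    (2.0, "10.0.0.5", "10.0.0.1", 80),
    (3.0, "10.0.0.5", "10.0.0.1", 79),
    (0.5, "10.0.0.5", "10.0.0.20", 1400),
    (1.5, "10.0.0.5", "10.0.0.20", 1380),
    (2.5, "10.0.0.5", "10.0.0.20", 1420),
    (3.5, "10.0.0.5", "10.0.0.20", 1410),
]
LIVE = [
    (10.0, "10.0.0.5", "10.0.0.1", 81),     # within the learned profile
    (11.0, "10.0.0.5", "10.0.0.1", 1500),   # size far outside the profile
    (12.0, "10.0.0.5", "10.0.0.31", 512),   # first contacts with five new hosts
    (12.1, "10.0.0.5", "10.0.0.32", 512),   # within 0.4 s: worm-like fan-out
    (12.2, "10.0.0.5", "10.0.0.33", 512),
    (12.3, "10.0.0.5", "10.0.0.34", 512),
    (12.4, "10.0.0.5", "10.0.0.35", 512),
]


class FlowProfiler:
    """Learns 'normal' from a training window, then flags deviations as packets arrive."""

    def __init__(self, z_threshold=3.0, fanout_window_s=10.0, fanout_limit=5):
        self.z_threshold = z_threshold      # assumed: how many std devs count as anomalous
        self.fanout_window_s = fanout_window_s
        self.fanout_limit = fanout_limit    # assumed: first contacts per window before alerting
        # (src, dst) -> (count, mean size, M2), Welford's running variance
        self.size_stats = {}
        # src -> destinations seen during training
        self.known_peers = defaultdict(set)
        # src -> timestamps of recent first contacts (sliding window)
        self.first_contacts = defaultdict(deque)

    def train(self, packets):
        for _t, src, dst, size in packets:
            self.known_peers[src].add(dst)
            n, mean, m2 = self.size_stats.get((src, dst), (0, 0.0, 0.0))
            n += 1
            delta = size - mean
            mean += delta / n
            m2 += delta * (size - mean)
            self.size_stats[(src, dst)] = (n, mean, m2)

    def check(self, packet):
        """Return the alerts raised by one live packet (empty list if normal)."""
        t, src, dst, size = packet
        alerts = []
        if dst not in self.known_peers[src]:
            window = self.first_contacts[src]
            window.append(t)
            while window and t - window[0] > self.fanout_window_s:
                window.popleft()
            alerts.append(("new-destination", src, dst))
            if len(window) >= self.fanout_limit:
                alerts.append(("fan-out", src, len(window)))
            return alerts
        n, mean, m2 = self.size_stats[(src, dst)]
        if n >= 2:
            sd = math.sqrt(m2 / (n - 1))
            # A flat profile (sd == 0) treats any change in size as anomalous.
            if (sd == 0 and size != mean) or (sd > 0 and abs(size - mean) / sd > self.z_threshold):
                alerts.append(("size-anomaly", src, dst, size))
        return alerts


def detect(training, live):
    """Train on one window, then return the per-packet alert lists for the next."""
    profiler = FlowProfiler()
    profiler.train(training)
    return [profiler.check(pkt) for pkt in live]


if __name__ == "__main__":
    for pkt, alerts in zip(LIVE, detect(BASELINE, LIVE)):
        print(pkt, alerts or "ok")
```

The size profile is the statistical half of the abstract's "learning the normal patterns"; the first-contact window is what actually catches a worm, since a propagating worm looks like ordinary-sized packets to addresses the host has never spoken to before. A real deployment would also age the training data and whitelist hosts whose job is to fan out (DNS resolvers, monitoring systems), or the fan-out rule will fire on them every window.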

Applying Genetic Programming to Intrusion Detection

Mark Crosbie, Gene Spafford

This paper presents a potential solution to the intrusion detection problem in computer security. It uses a combination of work in the fields of Artificial Life and computer security. It shows how an intrusion detection system can be implemented using autonomous agents, and how these agents can be built using Genetic Programming. It also shows how Automatically Defined Functions (ADFs) can be used to evolve genetic programs that contain multiple data types and yet retain type-safety. Future work arising from this is also discussed.

Added 2002-07-26

Evolving Event-Driven Programs

Mark Crosbie, Eugene H. Spafford

This paper examines how Genetic Programming has shortcomings in an event-driven environment. The need for event-driven programming is motivated by some examples. We then describe the difficulty in handling these examples using the traditional genetic programming approach. A potential solution that uses colored Petri nets is outlined. We present an experimental setup to test our theory.

Added 2002-07-26

REFEREE: Trust Management for Web Applications

Yang-Hua Chu, Joan Feigenbaum, Brian LaMacchia, Paul Resnick, Martin Strauss

Digital signatures provide a mechanism for guaranteeing integrity and authenticity of Web content but not more general notions of security or trust. Web-aware applications must permit users to state clearly their own security policies and, of course, must provide the cryptographic tools for manipulating digital signatures. This paper describes the REFEREE trust management system for Web applications; REFEREE provides both a general policy-evaluation mechanism for Web clients and servers and a language for specifying trust policies. REFEREE places all trust decisions under explicit policy control; in the REFEREE model, every action, including evaluation of compliance with policy, happens under the control of some policy. That is, REFEREE is a system for writing policies about policies, as well as policies about cryptographic keys, PICS label bureaus, certification authorities, trust delegation, or anything else. In this paper, we flesh out the need for ‘trust management’ in Web applications, explain the design philosophy of the REFEREE trust management system, and describe a prototype implementation of REFEREE.

Added 2002-07-26

Managing Trust in an Information-Labeling System

M. Blaze, J. Feigenbaum, P. Resnick, M. Strauss

We address the problem of ‘trust management in information labeling’. The Platform for Internet Content Selection (PICS), proposed by Resnick and Miller, establishes a flexible way to label documents according to various aspects of their contents, thus permitting a large and diverse group of potential viewers to make (automated) informed judgements about whether or not to view them. For some viewers, the relevant aspects may be quantity or quality of material in certain topical areas, and for others, they may be the presence or absence of potentially offensive language or images. Thus PICS users need a language in which to specify their PICS profiles, i.e., the aspects according to which they want documents to be labeled, the acceptable values of those labels, and the parties whom they trust to do the labeling. Furthermore, PICS-compliant client software (e.g., a web browser) needs a mechanism for checking whether a document meets the requirements set forth in a viewer’s profile. A trust management solution for the PICS information-labeling system must provide both a language for specifying profiles and a mechanism for checking whether a document meets the requirements given in a profile. This paper describes our design and implementation of a PICS profile language and our experience integrating the PolicyMaker trust management engine with a PICS-compliant browser to provide a checking mechanism. PolicyMaker was originally designed to address trust management problems in network services that process signed requests for action and use public-key cryptography. Because information labeling is not inherently a cryptographically based service, and thus is outside the original scope of the PolicyMaker framework, our work on information labeling is evidence of PolicyMaker’s power and adaptability.

Added 2002-07-26

Decentralized Trust Management

Matt Blaze, Joan Feigenbaum, Jack Lacy

We identify the trust management problem as a distinct and important component of security in network services. Aspects of the trust management problem include formulating security policies and security credentials, determining whether particular sets of credentials satisfy the relevant policies, and deferring trust to third parties. Existing systems that support security in networked applications, including X.509 and PGP, address only narrow subsets of the overall trust management problem and often do so in a manner that is appropriate to only one application. This paper presents a comprehensive approach to trust management, based on a simple language for specifying trusted actions and trust relationships. It also describes a prototype implementation of a new trust management system, called PolicyMaker, that will facilitate the development of security features in a wide range of network services.

Added 2002-07-26

Toward a More Secure Internet

Randall J. Atkinson

Lack of widely available Internet security has discouraged some commercial users. The author describes efforts to make cryptographic security more widely available and looks at efforts to secure the Internet infrastructure.

Added 2002-07-26

Reducing and Estimating the Cost of Test Coverage Criteria

Martina Marre, Antonia Bertolino

Test coverage criteria define a set of entities of a program flowgraph and require that every entity is covered by some test. In this paper we first identify E(c), the set of entities to be covered according to a criterion c, for a family of widely used test coverage criteria. We then present a method to derive a minimum set of entities, called a spanning set, such that a set of test paths covering the entities in this set covers every entity in E(c). We provide a generalised algorithm, which is parametrized by the coverage criterion. We suggest several useful applications of spanning sets of entities to testing. In particular, they help to reduce and to estimate the number of tests needed to satisfy test coverage criteria.

Added 2002-07-26

Monitoring Compliance of a Software System with Its High-Level Design Models

Mohlalefi Sefika, Aamod Sane, Roy H. Campbell

As a complex software system evolves, its implementation tends to diverge from the intended or documented design models. Such undesirable deviation makes the system hard to understand, modify, and maintain. This paper presents a hybrid computer-assisted approach for confirming that the implementation of a system maintains its expected design models and rules. Our approach closely integrates logic-based static analysis and dynamic visualization, providing multiple code views and perspectives. We show that the hybrid technique helps determine design-implementation congruence at various levels of abstraction: concrete rules like coding guidelines, architectural models like design patterns or connectors, and subjective design principles like low coupling and high cohesion. The utility of our approach has been demonstrated in the development of μChoices, a new multimedia operating system which inherits many design decisions and guidelines learned from experience in the construction and maintenance of its predecessor, Choices.

Added 2002-07-26

A System for Distributed Intrusion Detection

Steven R. Snapp, James Brentano, Gihan V. Dias, et al.

The study of providing security in computer networks is a rapidly growing area of interest because the network is the medium over which most attacks or intrusions on computer systems are launched. One approach to solving this problem is the “intrusion-detection” concept, whose basic premise is that not only is abandoning the existing and huge infrastructure of possibly-insecure computer and network systems impossible, but also replacing them by totally-secure systems may not be feasible or cost effective. Previous work on intrusion detection systems was performed on stand-alone hosts and on a broadcast local area network (LAN) environment. The focus of our present research is to extend our network intrusion-detection concept from the LAN environment to arbitrarily wider areas with the network topology being arbitrary as well. The generalized distributed environment is heterogeneous, i.e., the network nodes can be hosts or servers from different vendors, or some of them could be LAN managers, like our previous work, a network security monitor (NSM), as well. The proposed architecture for this distributed intrusion-detection system consists of the following components: a host manager (viz. a monitoring process or collection of processes running in background) in each host; a LAN manager for monitoring each LAN in the system; and a central manager which receives reports from various host and LAN managers to process these reports, correlate them, and detect intrusions.

Added 2002-07-26

SAINT: A Security Analysis Integration Tool

Diego M. Zamboni

This paper presents the design of SAINT, a tool being developed at the National Autonomous University of Mexico that will allow integrated analysis of information gathered from various sources, such as security tools and system logs. By simulating events occurring in the system, and collected from the different sources, SAINT will allow detection, or even prevention, of problems that may otherwise go undetected due to lack of information about them in any single place. SAINT’s modular and extensible architecture makes it feasible to add new modules for processing new data types, detecting new kinds of problems, or presenting the results in different formats.

Added 2002-07-26

Haystack: An Intrusion Detection System

Stephen E. Smaha

Haystack is a prototype system for the detection of intrusions in multi-user Air Force computer systems. Haystack reduces voluminous system audit trails to short summaries of user behaviors, anomalous events, and security incidents. This is designed to help the System Security Officer (SSO) detect and investigate intrusions, particularly by insiders (authorized users). Haystack’s operation is based on behavioral constraints imposed by security policies and on models of typical behavior for user groups and individual users.

Added 2002-07-26

Checking for Race Conditions in File Accesses

Matt Bishop, Michael Dilger

Flaws due to race conditions, in which the binding of a name to an object changes between repeated references, occur in many programs. We examine one type of this flaw in the UNIX operating system, and describe a semantic method for detecting possible instances of this problem. We present the results of one such analysis in which a previously undiscovered race-condition flaw was found.

Added 2002-07-26
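
The binding race the abstract refers to, shown as an added Python example that is not from Bishop and Dilger's paper: a program checks with lstat() that a name denotes a regular file and then opens the name, while an attacker re-binds that name to a symbolic link between the two calls. The `between` hook, the temporary directory and the file contents are assumptions standing in for the attacker winning the race; the hardened version opens first with O_NOFOLLOW and checks the descriptor with fstat(), so the check and the use refer to the same object.

```python
import os
import stat
import tempfile


def read_if_regular_racy(path, between=None):
    """Vulnerable pattern: check the name with lstat(), then open the name.
    The binding of `path` to an inode can change between the two calls;
    `between` is a hook that simulates the attacker winning that race."""
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise PermissionError(f"{path}: not a regular file")
    if between is not None:
        between()                      # attacker's window: the name is re-bound here
    with open(path, "rb") as f:        # follows whatever `path` names *now*
        return f.read()


def read_if_regular_safe(path, between=None):
    """Hardened pattern: open without following a symlink, then check the
    descriptor with fstat(). Re-binding the name afterwards cannot change
    which object the descriptor refers to."""
    fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise PermissionError(f"{path}: not a regular file")
        if between is not None:
            between()                  # same window, but the fd is already fixed
        chunks = []
        while True:
            chunk = os.read(fd, 4096)
            if not chunk:
                break
            chunks.append(chunk)
        return b"".join(chunks)
    finally:
        os.close(fd)


def demo():
    """Run both versions against a constructed attacker; returns
    (bytes the racy version read, bytes the safe version read,
     whether the safe version refused a pre-planted symlink)."""
    with tempfile.TemporaryDirectory() as d:
        secret = os.path.join(d, "secret")     # assumed stand-in for a sensitive file
        public = os.path.join(d, "public")     # the name the program was asked to read
        with open(secret, "wb") as f:
            f.write(b"root:x:0:0\n")

        def reset():
            if os.path.lexists(public):
                os.unlink(public)
            with open(public, "wb") as f:
                f.write(b"harmless\n")

        def attacker_swaps_name():
            # The regular file that passed the check is replaced by a symlink
            # to the sensitive target: the name now binds to a different object.
            os.unlink(public)
            os.symlink(secret, public)

        reset()
        racy = read_if_regular_racy(public, attacker_swaps_name)
        reset()
        safe = read_if_regular_safe(public, attacker_swaps_name)
        # `public` is now the attacker's symlink; O_NOFOLLOW refuses it outright.
        try:
            read_if_regular_safe(public)
            refused = False
        except OSError:
            refused = True
        return racy, safe, refused


if __name__ == "__main__":
    racy, safe, refused = demo()
    print("racy read:", racy)
    print("safe read:", safe)
    print("safe refused planted symlink:", refused)
```

O_NOFOLLOW protects only the final path component; a directory earlier in the path can still be re-bound, which is why hardened code walks the path with openat() from a trusted directory descriptor, or drops privileges before opening names an untrusted user controls. The example also shows why access()/stat()-then-open() checks cannot be fixed by "checking faster": the window is a property of using the name twice, not of its length.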