Abstract
Haystack is a prototype system for the detection of intrusions in multi-user Air
Force computer systems. Haystack reduces voluminous system audit trails to short
summaries of user behaviors, anomalous events, and security incidents. This is
designed to help the System Security Officer (SSO) detect and investigate intrusions,
particularly by insiders (authorized users). Haystack's operation is based on
behavioral constraints imposed by security policies and on models of typical
behavior for user groups and individual users.