Abstract
This paper presents a new technique for intrusion detection based on concurrent monitoring of user operations. In this scheme, prior to starting a session on a computer, an auxiliary process called a watchdog first queries users for a scope file and then generates a table called a sprint-plan. The sprint-plan is composed of carefully derived assertions that can be used as a basis for concurrent monitoring of user commands. The plan is general enough to allow a normal user to perform his task without much interference from the watchdog or system administrator and is specific enough to detect intrusions, both external and internal. A distributed watchdog process architecture based on the notion of verifiable assertions is presented. This scheme is a significant enhancement over the traditional approaches that rely on audit trail analysis in that the intrusion detection latency could be much shorter.
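A minimal sketch of the flow the abstract describes (scope file, derived sprint-plan of assertions, per-command checking), added here as an illustration and not taken from the paper. The scope-file format, the assertion names and the sample session are assumptions, since the abstract does not define them.

```python
import posixpath
import shlex

# Constructed scope file; this key/value format is an assumption of the example.
SCOPE_FILE = """\
task: edit-report
commands: vi, ls, cat, cp
paths: /home/alice/report
max_commands: 6
"""
# Constructed session: commands in the order the watchdog would see them.
SESSION = [
    "ls /home/alice/report",
    "vi /home/alice/report/draft.txt",
    "cat /home/alice/report/../../bob/notes.txt",
    "cp /etc/passwd /home/alice/report/x",
    "chmod 777 /home/alice/report/draft.txt",
]

def parse_scope(text):
    pairs = (line.partition(":") for line in text.splitlines() if line.strip())
    return {key.strip(): value.strip() for key, _, value in pairs}

def build_sprint_plan(scope):
    """Derive (name, predicate) assertions from the declared scope."""
    allowed = {c.strip() for c in scope["commands"].split(",")}
    roots = [posixpath.normpath(p.strip()) for p in scope["paths"].split(",")]
    limit = int(scope["max_commands"])

    def in_scope(arg):
        # Lexical check only: resolve against the first declared path so that
        # "../" sequences cannot step outside it (symlinks are not followed).
        path = posixpath.normpath(posixpath.join(roots[0], arg))
        return any(path == r or path.startswith(r + "/") for r in roots)

    return [
        ("command-in-scope", lambda argv, n: argv[0] in allowed),
        ("paths-in-scope", lambda argv, n: all(
            in_scope(a) for a in argv[1:] if not a.startswith("-"))),
        ("session-length", lambda argv, n: n <= limit),
    ]

def monitor(plan, commands):
    """Check each command as it is issued; return (n, command, failed names)."""
    alerts = []
    for n, line in enumerate(commands, 1):
        argv = shlex.split(line)
        failed = [name for name, check in plan if argv and not check(argv, n)]
        if failed:
            alerts.append((n, line, failed))
    return alerts
```

Because each command is checked when it is issued, the first out-of-scope action is flagged at that point in the session, not during a later review of the audit trail.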