This talk will describe an approach to detecting intrusions in which specifications of valid behavior of critical components are used to distinguish between good and intrusive behavior. The approach has the merit that it is able to detect unknown attacks. The rationale is that attacks cause objects to behave in an incorrect manner and can be detected using valid behavior specifications. The approach has been successfully applied to monitor privileged programs, and are being used to monitor network protocols, subsystems, etc. I will talk about various way to create good specifications and experiences with the method. Also, techniques for proving the correctness of specification with respect to the enforcement of a high-level policy will be discussed. Last, I will present current intrusion research at NAI Labs.
Gates 4B (opposite 490), 6/11/02, 4:30 PM