Abstract
Locality is suggested as a unifying paradigm for understanding the normal behavior of benign users of computer systems, one that will support the detection of malicious anomalous behaviors. The paper notes that locality appears in many dimensions and applies to such diverse mechanisms as the working set of IP addresses contacted during a web browsing session, the set of email addresses with which one customarily corresponds, and the way in which pages are fetched from a web site. In every case, intrusive behaviors that violate locality are known to exist, and in some cases the violation is necessary for the intrusive behavior to achieve its goal. If this observation holds up under further investigation, we will have a powerful way of thinking about security and intrusive activity.
Friday, Sept. 19 at 3:00 p.m. in DH 1070
About John McHugh
John McHugh is a senior member of the technical staff at the CERT Coordination Center, part of the Software Engineering Institute at Carnegie Mellon University, where he does research in survivability, network security, and intrusion detection.
Prior to joining CERT, Dr. McHugh was a professor and chairman of the Computer Science Department at Portland State University, where he held a Tektronix Professorship. He has been a member of the research faculty at the University of North Carolina and has taught at UNC and at Duke University. For a number of years, Dr. McHugh was a Vice President of Computational Logic, Inc., a contract research company formed to further the application of formal methods of software design and analysis in support of security and safety critical systems. While at CLI, he developed tools for the analysis of covert channels in multilevel secure systems and worked on the problems associated with the efficient implementation of formally specified systems.