Locality is suggested as a unifying paradigm for understanding the
normal behavior of benign users of computer systems, one that will
support the detection of malicious anomalous behaviors. The paper
notes that locality appears in many dimensions and applies to such
diverse mechanisms as the working set of IP addresses contacted
during a web browsing session, the set of email addresses with which
one customarily corresponds, and the way in which pages are fetched
from a web site. In every case, intrusive behaviors that violate
locality are known to exist, and in some cases the violation is
necessary for the intrusive behavior to achieve its goal.
If this observation holds up under further investigation, we will have
a powerful way of thinking about security and intrusive activity.
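
As an added illustration of the working-set idea in the abstract (not code from the talk or from the speaker), the following Python example measures how often each source host contacts a destination IP address outside its recent working set and flags hosts whose miss rate is high. The window size, warm-up length, threshold, function names and flow records are all assumptions constructed for this example.

```python
from collections import defaultdict, deque

def miss_rate(destinations, window=20, warmup=10):
    """Fraction of contacts (after warm-up) whose destination is not among
    the previous `window` contacts, i.e. falls outside the working set."""
    recent = deque(maxlen=window)   # sliding working set of destinations
    misses = counted = 0
    for i, dst in enumerate(destinations):
        if i >= warmup:             # skip warm-up: everything is new at first
            counted += 1
            misses += dst not in recent
        recent.append(dst)
    return misses / counted if counted else 0.0

def hosts_violating_locality(flows, window=20, warmup=10, threshold=0.5):
    """Group (src, dst) flow records by source, in arrival order, and return
    {src: miss_rate} for sources whose miss rate exceeds the threshold."""
    per_src = defaultdict(list)
    for src, dst in flows:
        per_src[src].append(dst)
    rates = {s: miss_rate(d, window, warmup) for s, d in per_src.items()}
    return {s: r for s, r in rates.items() if r > threshold}

# Constructed sample data (documentation address ranges, not real traffic).
# Host A revisits a small set of servers, as a browsing session would.
_PATTERN = (1, 2, 3, 1, 2, 4, 1, 3, 2, 1, 5, 2, 1, 3, 4,
            1, 2, 5, 3, 1, 2, 4, 1, 6, 2, 1, 3, 5, 1, 2)
BROWSING = [("10.0.0.5", f"192.0.2.{n}") for n in _PATTERN]
# Host B never repeats a destination, so every contact is a miss.
NO_REUSE = [("10.0.0.9", f"198.51.100.{n}") for n in range(1, 31)]

def interleave(a, b):
    """Merge two flow lists alternately, as they might appear in one log."""
    return [rec for pair in zip(a, b) for rec in pair]

if __name__ == "__main__":
    for host, rate in hosts_violating_locality(interleave(BROWSING, NO_REUSE)).items():
        print(f"{host}: miss rate {rate:.2f} outside working set")
```
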
Friday, Sept. 19 at 3:00 p.m. in DH 1070
About John McHugh
John McHugh is a senior member of the technical staff at the CERT
Coordination Center, part of the Software Engineering Institute at
Carnegie Mellon University, where he does research in survivability,
network security, and intrusion detection.
Prior to joining CERT, Dr. McHugh was a professor and chairman of the
Computer Science Department at Portland State University, where he
held a Tektronix Professorship. He has been a member
of the research faculty at the University of North Carolina and has
taught at UNC and at Duke University. For a number of years,
Dr. McHugh was a Vice President of Computational Logic, Inc., a
contract research company formed to further the application of formal
methods of software design and analysis in support of security and
safety critical systems. While at CLI, he developed tools for the
analysis of covert channels in multilevel secure systems and worked on
the problems associated with the efficient implementation of formally
specified systems.