R. Sekar from Iowa State University (via Bellcore and Stony Brook) will be interviewing with us on Monday, March 22nd. I'm including details of his talk below:

Date: Mon., Mar. 22nd
Time: 2--3 p.m.
Place: CS Seminar Room

BUILDING SURVIVABLE SYSTEMS: An Integrated Approach Based on Intrusion Prevention, Detection and Response

R. Sekar
Iowa State University

Our increasing reliance on networked information systems to support critical infrastructures (e.g., telecommunication, commerce and banking, power distribution, and transportation) has prompted interest in making the information systems survivable, so that they continue to perform their primary functions even in the face of coordinated attacks and spontaneous failures. Of particular importance are techniques that can enhance the survivability of today's systems, as opposed to requiring them to be completely redesigned and/or reimplemented.

Most attacks on current networked information systems exploit vulnerabilities that can ultimately be traced to software flaws. Experience with well-known and mature server programs such as sendmail shows that such security-compromising flaws are likely to persist. Consequently, recent research has focused on techniques to identify actual exploitation of these vulnerabilities (intrusion detection) rather than on eliminating them. Whereas previous efforts could only detect attacks after the fact, we present a new approach that can _prevent_ large classes of attacks before they cause damage. When prevention is not possible (or desirable), our approach can launch automatic actions to respond in a timely fashion to the attack and contain any damage.

An important observation behind our approach is that regardless of how an intrusion takes place, damage must ultimately be effected via system calls provided by the operating system or network packets delivered to the system.
We therefore specify intended behaviors in terms of the interactions of processes with the operating system kernel, and of the network packets received or transmitted by a host. We then develop algorithms for compiling these specifications into efficient automata. These automata monitor the system calls and network packets at runtime to detect deviations from the specified behaviors, which are indicative of potential intrusions.

We discuss our implementation of these techniques in a fast intrusion prevention/detection system, and the results of its participation in a recent evaluation of intrusion detection systems organized by MIT Lincoln Laboratory and DARPA.
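To make the specification-driven monitoring described above concrete, here is an added example; it is not code from the talk or from Sekar's system. A process's intended behavior is written as rules over system-call events with predicates on their arguments, compiled into a transition table (a hand-written automaton standing in for the compiled specifications the abstract describes), and a constructed syscall trace is checked against it one event at a time. The monitored program, a read-only file server called "srvd", its config path /etc/srvd.conf and its export root /srv/pub/ are all made up for the example. The last calls in the trace, an open outside the export root followed by an execve, are what injected code would do after a request-handler compromise; in prevention mode the monitor denies them instead of only logging them.

```python
"""Specification-based syscall monitor (added illustration, not the talk's
system). Rules over syscall events compile into a transition table; a process
is tracked through the resulting automaton and any call with no transition is
a deviation, denied in prevention mode and merely recorded otherwise."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class SyscallEvent:
    """One system call as an interposition hook would see it: name plus args."""
    name: str
    args: Tuple[str, ...] = ()


Predicate = Callable[[SyscallEvent], bool]
# Rule: in state `src`, syscall `name` (if `pred` holds) moves to `dst`.
# src "*" matches any state; dst "=" means "stay in the current state".
Rule = Tuple[str, str, str, Optional[Predicate]]


class BehaviourSpec:
    """Compiles rules into a table keyed on (state, syscall) for direct lookup."""

    def __init__(self, start: str, rules: List[Rule]):
        self.start = start
        self.table: Dict[Tuple[str, str], List[Tuple[Optional[Predicate], str]]] = {}
        for src, name, dst, pred in rules:
            self.table.setdefault((src, name), []).append((pred, dst))

    def step(self, state: str, ev: SyscallEvent) -> Optional[str]:
        """Next state for `ev`, or None when no rule permits it (a deviation)."""
        for key in ((state, ev.name), ("*", ev.name)):
            for pred, dst in self.table.get(key, []):
                if pred is None or pred(ev):
                    return state if dst == "=" else dst
        return None


@dataclass
class Verdict:
    allowed: bool
    state: str
    reason: str = ""


class Monitor:
    """Tracks one process against a spec; prevent=True denies deviating calls."""

    def __init__(self, spec: BehaviourSpec, prevent: bool = True):
        self.spec, self.prevent, self.state = spec, prevent, spec.start
        self.alerts: List[str] = []

    def observe(self, ev: SyscallEvent) -> Verdict:
        nxt = self.spec.step(self.state, ev)
        if nxt is None:
            reason = f"state={self.state}: unexpected {ev.name}{ev.args}"
            self.alerts.append(reason)
            # Deviation: deny in prevention mode, let through in detection mode.
            # The automaton stays where it is so monitoring continues either way.
            return Verdict(allowed=not self.prevent, state=self.state, reason=reason)
        self.state = nxt
        return Verdict(allowed=True, state=nxt)


# Constructed spec for a hypothetical read-only file server daemon, "srvd".
def path_under(prefix: str) -> Predicate:
    return lambda ev: bool(ev.args) and ev.args[0].startswith(prefix)


def read_only(ev: SyscallEvent) -> bool:
    return len(ev.args) > 1 and ev.args[1] == "O_RDONLY"


SRVD_SPEC = BehaviourSpec("init", [
    ("init", "open", "configured", lambda ev: ev.args == ("/etc/srvd.conf", "O_RDONLY")),
    ("configured", "socket", "=", None),
    ("configured", "bind", "=", None),
    ("configured", "listen", "listening", None),
    ("listening", "accept", "serving", None),
    ("serving", "accept", "=", None),
    # While serving: only files under the export root, only for reading. Nothing
    # else is reachable from "serving", so execve, unlink, etc. are deviations.
    ("serving", "open", "=", lambda ev: path_under("/srv/pub/")(ev) and read_only(ev)),
    ("*", "read", "=", None),
    ("*", "write", "=", None),
    ("*", "close", "=", None),
])

# Constructed trace: normal startup and one request, then the calls injected
# code would make after compromising the request handler.
TRACE = [
    SyscallEvent("open", ("/etc/srvd.conf", "O_RDONLY")),
    SyscallEvent("read", ("3",)),
    SyscallEvent("close", ("3",)),
    SyscallEvent("socket", ("AF_INET", "SOCK_STREAM")),
    SyscallEvent("bind", ("0.0.0.0:2121",)),
    SyscallEvent("listen", ("5",)),
    SyscallEvent("accept", ("4",)),
    SyscallEvent("read", ("4",)),
    SyscallEvent("open", ("/srv/pub/readme.txt", "O_RDONLY")),
    SyscallEvent("write", ("4",)),
    SyscallEvent("close", ("5",)),
    SyscallEvent("open", ("/etc/shadow", "O_RDONLY")),  # outside the export root
    SyscallEvent("execve", ("/bin/sh",)),               # never permitted by the spec
    SyscallEvent("close", ("4",)),
]


def run_trace(spec: BehaviourSpec, trace: List[SyscallEvent],
              prevent: bool = True) -> Tuple[List[str], List[str]]:
    """Replays a trace; returns (names of denied calls, alert messages)."""
    mon = Monitor(spec, prevent)
    denied = [ev.name for ev in trace if not mon.observe(ev).allowed]
    return denied, mon.alerts


if __name__ == "__main__":
    denied, alerts = run_trace(SRVD_SPEC, TRACE)
    print("\n".join(alerts))
    print("denied:", denied)  # prevention mode: ['open', 'execve']
```

The `prevent` flag is the whole difference between detection and prevention here: in a real deployment `observe()` would run inside the interposition hook before the kernel executes the call, so a denied verdict stops the call rather than reporting it afterwards, whereas with `prevent=False` the same two deviations are only recorded. The same automaton machinery applies unchanged to network-packet events in place of syscalls.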