I'm Steve Smaha, president of Haystack Labs in Austin, Texas. I've been working in the design and development of intrusion and misuse detection tools since 1987.

Along with other people in my company (we're about 10 people), I was involved in the original design and implementation of the Haystack system (for Unisys mainframes, later retargeted to distributed networks of Suns and VMS boxes), DIDS (a real-time monitor for heterogeneous networks of Unix and VMS machines), several systems we can't talk about, and our commercially available Stalker (TM) product (shipping for SunOS since 11/93, now also on Solaris and Sun's high-security CMW OS, and coming soon on AIX). Quite a few of these systems are fielded and operational.

In terms of input data sources, we've worked with system audit trails, system accounting files, application-level log files, TCP/IP and SNA network traffic logs, NFS logs, firewall logs, and inputs from a variety of security analysis programs (like COPS). Analysis techniques we've used include multivariate statistics, nonparametric statistics, AI-based techniques (including Prolog, Lisp-based and C-based expert system shells), and signature-based pattern recognition techniques. Some of these work better than others in particular situations.

My own personal work is about 30% software development, 50% managing a software development business, and 20% consulting in computer security.

This is an incredibly rich and difficult problem domain. Once one gives up any hope (fantasy!) of effective PREVENTION of misuse in the "real world" (that's where people use hardware and software that evolved to its current state), it's a continual game of "cat and mouse" to get better at detecting the new tricks that appear all the time (as well as the old tricks that never seem to go away or become 100% ineffective).

Steve Smaha
Haystack Labs, Inc., 10713 RR 620N, Suite 521, Austin, TX 78726
512-918-3555 (voice), 512-918-1265 (fax), smaha@dockmaster.ncsc.mil