intro

Steve Smaha (Smaha@DOCKMASTER.NCSC.MIL)
Sun, 7 Aug 94 16:38 EDT

I'm Steve Smaha, president of Haystack Labs in Austin, Texas.  I've been
working in the design and development of intrusion and misuse detection
tools since 1987.  Along with other people in my company (we're about 10
people), I was involved in the original design and implementation of the
Haystack system (for Unisys mainframes, later retargeted to distributed
networks of Suns and VMS boxes), DIDS (a real-time monitor for
heterogeneous networks of Unix and VMS machines), several systems we
can't talk about, and our commercially available Stalker (TM) product
(shipping for SunOS since 11/93, now also on Solaris and Sun's
high-security CMW OS, and coming soon on AIX).  Quite a few of these
systems are fielded and operational.

In terms of input data sources, we've worked with system audit trails,
system accounting files, application-level log files, TCP/IP and SNA
network traffic logs, NFS logs, firewall logs, and inputs from a variety
of security analysis programs (like COPS).  Analysis techniques we've
used include multivariate statistics, nonparametric statistics, AI-based
techniques (including Prolog, Lisp-based and C-based expert systems
shells), and signature-based pattern recognition techniques.  Some of
these work better than others in particular situations.

My own personal work is about 30% software development, 50% managing a
software development business, and 20% consulting in computer security.

This is an incredibly rich and difficult problem domain.  Once one gives
up any hope (fantasy!) of effective PREVENTION of misuse in the "real
world" (that's where people use hardware and software that evolved to
its current state), it's a continual game of "cat and mouse" to get
better at detecting the new tricks that appear all the time (as well as
the old tricks that never seem to go away or become 100% ineffective).

Steve Smaha

Haystack Labs, Inc., 10713 RR 620N, Suite 521, Austin, TX 78726
512-918-3555 (voice), 512-918-1265 (fax), smaha@dockmaster.ncsc.mil