URL: http://everest.cs.ucdavis.edu/Security.html

Research in the Computer Security Laboratory (a.k.a. seclab) is concerned with the development of new techniques for the design of secure systems and for demonstrating such systems to be secure. Current research activities include (1) developing techniques for understanding malicious code (e.g. computer viruses) and for detecting and preventing the occurrence of such code in programs, and (2) developing techniques for network intrusion detection.

The latter topic is aimed at developing monitoring techniques for existing data networks. The intent is to flag network intruders and abusers with a low probability of false alarms. The basic philosophy is to employ rule-based approaches to detect policy violations or attempts at exploiting system vulnerabilities, together with profiles for users, groups of users, hosts, etc., and then to use statistical methods to detect anomalies relative to normal behavior. Techniques being developed include the theory of hierarchical monitoring (particularly for detecting attacks on wide area networks), machine learning, automatic rule generation, characterization of (network) attacks, and distributed learning.

A current project is developing an intrusion detection system that could be used on the Internet. This system will detect attempts to subvert the infrastructure of the Internet or to use the Internet to attack remote hosts.

Facilities include over 125 workstations from Sun, DEC, and NeXT.

Projects

- Intrusion Detection for Large Networks (ARPA)
- Machine Learning for Intrusion Detection (ARPA)
- AWB: Audit Workbench (NSA)
- Models for Testing Intrusion Detection Systems (NSA)
- From Generic Policies to Enforcement Rules (NSA)
- Machine Learning for Intrusion Detection (NSA & ARPA)
- Authentications in a Distributed Intrusion Detection System (Trident)
- Vulnerabilities (Trident)
- NID (LLNL)
- Virus (LLNL)

JT
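The hybrid approach described above, as an added example that is not code from any seclab project: a small policy rule set is applied to each audit record, and per-user statistical profiles (mean and standard deviation of bytes per session) are built from a baseline and used to flag sessions more than three standard deviations from that user's norm. All users, hosts and records here are constructed for illustration.

```python
"""Hybrid detector: explicit policy rules plus per-user statistical profiles."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed audit records (not real data): bytes transferred per login session.
BASELINE = (
    [{"user": "alice", "host": "ws01", "bytes": b} for b in (1200, 1500, 1300, 1400)]
    + [{"user": "bob", "host": "ws02", "bytes": b} for b in (80000, 90000, 85000, 95000)]
)
NEW = [
    {"user": "alice", "host": "ws01", "bytes": 1350},     # within her profile
    {"user": "alice", "host": "ws01", "bytes": 70000},    # far above her usual volume
    {"user": "bob", "host": "gateway", "bytes": 500},     # non-admin on a restricted host
    {"user": "carol", "host": "ws03", "bytes": 10},       # no profile exists for this user
]

# Rule-based part: policy violations are flagged regardless of statistics.
ADMINS = {"root"}                # hypothetical administrative accounts
RESTRICTED_HOSTS = {"gateway"}   # hypothetical hosts only admins may log in to


def policy_violations(rec):
    if rec["host"] in RESTRICTED_HOSTS and rec["user"] not in ADMINS:
        return [f"policy: {rec['user']} logged in to restricted host {rec['host']}"]
    return []


def build_profiles(records):
    """Per-user (mean, population std dev) of bytes per session, from baseline data."""
    per_user = defaultdict(list)
    for r in records:
        per_user[r["user"]].append(r["bytes"])
    return {u: (mean(v), pstdev(v)) for u, v in per_user.items()}


def anomalies(rec, profiles, zmax=3.0):
    """Statistical part: flag records deviating from the user's own profile."""
    prof = profiles.get(rec["user"])
    if prof is None:  # a user with no history cannot be judged normal
        return [f"anomaly: no profile for user {rec['user']}"]
    mu, sigma = prof
    # A constant baseline (sigma == 0) treats any change as infinitely anomalous.
    z = abs(rec["bytes"] - mu) / sigma if sigma else (0.0 if rec["bytes"] == mu else float("inf"))
    return [f"anomaly: {rec['user']} bytes={rec['bytes']} z={z:.1f}"] if z > zmax else []


def detect(baseline, new):
    """Run both detectors over new records; returns alerts in record order."""
    profiles = build_profiles(baseline)
    alerts = []
    for rec in new:
        alerts += policy_violations(rec) + anomalies(rec, profiles)
    return alerts
```

Bob's gateway login produces both a policy alert and a statistical one, showing how the two detectors complement each other rather than replace one another.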