SHIM
System Health and Intrusion Monitoring
Research Goal
The goal of System Health & Intrusion Monitoring is 1) to perform continuous monitoring of the health of a system for security, stability, performance and reliability; 2) to provide accurate sensors at different system layers that can detect unknown attacks with good coverage and a low false alarm rate; and 3) to provide strategic information about intrusions for correlation analysis.
Approach
The approach is to 1) employ a hierarchy of constraints that models expected system behavior at different levels of abstraction, so that departures from the model are detected as system anomalies; 2) utilize sensor data at different system layers: network logs, audit trails, wrappers, and application logs; 3) use specification-based techniques that detect the manifestations of attacks rather than attackers' actions, so that previously unknown attacks are caught when they violate the specification; and 4) use formal projection and reasoning over the constraints.
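As an added illustration of the specification-based idea (example code written for this page, not the SHIM prototype), the following Python monitor encodes per-layer constraints for a hypothetical privileged ftpd and reports audit records that fall outside them. The record format, the program name, and the audit trail are all constructed assumptions; the point is that a shell spawn or a write to /etc/passwd is flagged as a manifestation without any signature of the attacker's steps.

```python
"""Constructed specification-based monitor in the spirit of SHIM (not project code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditRecord:
    program: str   # subject: the privileged program being monitored
    layer: str     # sensor layer: "file", "process" or "network"
    op: str        # operation observed at that layer
    target: str    # path, executable, or host:port


# Specification: per program, per layer, the allowed (operation, target prefix)
# pairs. Anything not listed is a violation (default deny), and a program with
# no specification at all is treated as entirely unconstrained-by-policy, i.e.
# every record it produces is reported.
SPEC = {
    "ftpd": {
        "file": {("open_read", "/var/ftp/"), ("open_write", "/var/ftp/incoming/"),
                 ("open_read", "/etc/ftpusers"), ("open_write", "/var/log/")},
        "process": {("exec", "/bin/ls")},
        "network": {("listen", "0.0.0.0:21"), ("accept", "")},  # "" = any peer
    },
}


def violates(rec: AuditRecord) -> bool:
    """True when no constraint in the specification permits this record."""
    allowed = SPEC.get(rec.program, {}).get(rec.layer, set())
    return not any(rec.op == op and rec.target.startswith(prefix)
                   for op, prefix in allowed)


def check_trail(records):
    """Return the records that fall outside the specification, in order."""
    return [r for r in records if violates(r)]


# Constructed audit trail: benign activity followed by two manifestations of a
# compromised daemon (a shell spawned by ftpd, then a write to /etc/passwd).
SAMPLE_TRAIL = [
    AuditRecord("ftpd", "network", "listen", "0.0.0.0:21"),
    AuditRecord("ftpd", "file", "open_read", "/var/ftp/pub/README"),
    AuditRecord("ftpd", "file", "open_write", "/var/ftp/incoming/upload.bin"),
    AuditRecord("ftpd", "process", "exec", "/bin/sh"),
    AuditRecord("ftpd", "file", "open_write", "/etc/passwd"),
]

if __name__ == "__main__":
    for r in check_trail(SAMPLE_TRAIL):
        print(f"anomaly: {r.program} {r.layer} {r.op} {r.target}")
```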
Formal validation of the capability and a software prototype IDS for free distribution are the expected results of the project.
DARPA / Network Associates, Inc.