He has authored or co-authored approximately 70 papers. Under his supervision at Davis, ten Ph.D. students have completed their studies, five students have advanced to candidacy, and 12 Master's students have completed their studies. Papers he has co-authored received the Best Paper Award at conferences in 1968 and 1991. He co-chaired the 1991 HOL conference at UC Davis and three intrusion detection workshops at UC Davis sponsored by NSA and the U.S. Air Force.
Under Professor Levitt's leadership, UC Davis has been involved in experimental computer security research for approximately 10 years. Completed and current work related to this project, supported by DoE, AFCSC, NSA, and ARPA, includes the following.
UCD developed the first intrusion detection system for networks (the NSM -- Network Security Monitor), which observes network traffic and reports anomalous or suspicious activity. The NSM has a novel pattern-matching algorithm and a convenient user interface, and is used extensively in incident analysis by DoD agencies.
Also developed at Davis was the first intrusion detection system (DIDS -- Distributed Intrusion Detection System) that aggregates audit reports from a collection of hosts on a single LAN. Unique to DIDS is its ability to track a user as he establishes connections across the LAN, some perhaps under different account names. Currently, under ARPA support, we are developing a large-scale intrusion detection system in which component intrusion detection systems associated with domains (such as a department at a company) cooperate in the detection of and response to an attack. Unique to the work is a new approach to intrusion detection based on specifications for host and network services that characterize what behavior is allowed with respect to security; specifications have been developed for Unix privileged programs, for the DNS, for NFS, and for several routing protocols, as the basis for intrusion detection systems corresponding to each of these services.