System health and intrusion monitoring using a hierarchy of constraints

Calvin Ko, Paul Brutch, Jeff Rowe, Guy Tsafnat, Karl Levitt

Research output: Chapter in Book/Report/Conference proceedingConference proceeding contributionpeer-review

1 Citation (Scopus)


This paper presents a new approach to run-time security monitoring that can detect system abnormalities including attacks, faults, or operational errors. The approach, System Health and Intrusion Monitoring (SHIM), employs a hierarchy of constraints to describe correct operation of a system at various levels of abstraction. The constraints capture static behavior, dynamic behavior, and time-critical behavior of a system. A system in execution will be monitored for violation of the constraints, which may indicate potential security problems in the system. SHIM is based on specification-based intrusion detection, but it attempts to provide a systematic framework for developing the specifications/constraints. SHIM does not detect directly the intrusive actions in an attack, but their manifestations as violations of constraints. In this paper, we describe the constraint model and the methodology for developing the constraints. In addition, we present preliminary results on the constraints developed for host programs and network protocols. By bounding the behavior of various system components at different levels of abstraction, SHIM has a high chance of detecting different types of attacks and their variants.

Original languageEnglish
Title of host publicationRecent Advances in Intrusion Detection
Subtitle of host publication4th International Symposium, RAID 2001, Proceedings
EditorsWenke Lee, Ludovic Mé, Andreas Wespi
Place of PublicationBerlin
PublisherSpringer, Springer Nature
Number of pages14
ISBN (Electronic)9783540454748
ISBN (Print)3540427023, 9783540427025
Publication statusPublished - 2001
Externally publishedYes
Event4th International Symposium on Recent Advances in Intrusion Detection, RAID 2001 - Davis, United States
Duration: 10 Oct 200112 Oct 2001

Publication series

NameLecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)
ISSN (Print)03029743
ISSN (Electronic)16113349


Other4th International Symposium on Recent Advances in Intrusion Detection, RAID 2001
CountryUnited States

Fingerprint Dive into the research topics of 'System health and intrusion monitoring using a hierarchy of constraints'. Together they form a unique fingerprint.

Cite this