Colloquium Speaker

Somesh Jha
Context-sensitive Host-based Intrusion Detection
Date: Thursday, October 9, 2003
Time: 11:00AM
Place: Gould-Simpson, Room 701
Refreshments will be served in the 7th floor lobby of Gould-Simpson at 12:00 PM


Model-based monitoring compares a process's execution against that program's model to detect intrusion attempts. Models constructed from static program analysis have historically traded precision for efficiency. We address this problem with our Dyck model, the first efficient statically-constructed context-sensitive specification. Our Dyck automaton models both the correct sequences of system calls that a program can generate and the stack changes occurring at function call sites. Experiments show the Dyck model to be an order of magnitude more precise than a context-insensitive finite state machine model. With null call squelching, a dynamic technique to bound cost, the Dyck model operates in time similar to the context-insensitive model.

Somesh Jha received his B.Tech from Indian Institute of Technology, New Delhi in Electrical Engineering. He received his Ph.D. in Computer Science from Carnegie Mellon University in 1996. Currently, Somesh Jha is an Assistant Professor in the Computer Sciences Department at the University of Wisconsin (Madison), which he joined in 2000. His work focuses on analysis of security protocols, survivability analysis, intrusion detection, and analyzing malicious code.