Foreword
When I first got into information security in the early 1970s, the little research
that existed was focused on mechanisms for preventing attacks. The goal was
airtight security, and much of the research by the end of decade and into the
next focused on building systems that were provably secure. Although there
was widespread recognition that insiders with legitimate access could always
exploit their privileges to cause harm, the prevailing sentiment was that we
could at least design systems that were not inherently faulty and vulnerable
to trivial attacks by outsiders.
We were wrong. This became rapidly apparent to me as I witnessed the
rapid evolution of information technology relative to progress in information
security. The quest to design the perfect system could not keep up with market
demands and developments in personal computers and computer networks. A
few Herculean efforts in industry did in fact produce highly secure systems,
but potential customers paid more attention to applications, performance, and
price. They bought systems that were rich in functionality, but riddled with
holes. The security on the Internet was aptly compared to “Swiss cheese.”
Today, it is widely recognized that our computers and networks are unlikely
to ever be capable of preventing all attacks. They are just way too complex.
Thousands of new vulnerabilities are reported to the Computer Emergency
Response Team Coordination Center (CERT/CC) annually. We might signifi-
cantly reduce the security flaws through good software development practices,
but we cannot expect foolproof security as technology continues to advance
at breakneck speeds. Further, the problems do not reside solely with the ven-
dors; networks must also be properly configured and managed. This can be
a daunting task given the vast and growing number of products that can be
networked together and interact in unpredictable ways.
In the middle 1980s, a small group of us at SRI International began inves-
tigating an alternative approach to security. Recognizing the limitations of a
strategy based solely on prevention, we began to design a system that could
detect intrusions and insider abuse in real time as they occurred. Our research
and that of others led to the development of intrusion detection systems. Also
