Dorothy E. Denning

Learn More
A model of a real-time intrusion-detection expert system capable of detecting break-ins, penetrations, and other forms of computer abuse is described. The model is based on the hypothesis that security violations can be detected by monitoring a system's audit records for abnormal patterns of system usage. The model includes profiles for representing the(More)
This paper investigates mechanisms that guarantee secure information flow in a computer system. These mechanisms are examined within a mathematical framework suitable for formulating the requirements of secure information flow among security classes. The central component of the model is a lattice structure derived from the security classes and justified by(More)
ertification mechanism for verifying the secure flow of information through a program. Because it exploits the properties of a lattice structure among security classes, the procedure is sufficiently simple that it can easily be included in the analysis phase of most existing compilers. Appropriate semantics are presented and proved correct. An important(More)
The query programs of certain databases report raw statistics for query sets, which are groups of records specified implicitly by a characteristic formula. The raw statistics include query set size and sums of powers of values in the query set. Many users and designers believe that the individual records will remain confidential as long as query programs(More)
The 1982 ilr Force Summer Study on Multilevel Data Management Security recommended several approaches to designing a multilevel secure database system. One of the approaches uses an untrusted database system to manage the data, and an isolated trusted filter to enforce security.The filter attaches a security classification label to each data record,(More)
A multilevel relational data model that meets the basic operational requirements for a multilevel database system is described. The model is an extension of the standard relational model, and consists of multilevel relations, which contain classification attributes as well as data attributes; multilevel relational integrity rules, which extend the integrity(More)