Eugene H. Spafford

Learn More
At the heart of most computer systems is a file system. The file system contains user data, executable programs, configuration and authorization information, and (usually) the base executable version of the operating system itself. The ability to monitor file systems for unauthorized or unexpected changes gives system administrators valuable data for(More)
AAFID is a distributed intrusion detection architecture and system, developed in CERIAS at Purdue University. AAFID was the ®rst architecture that proposed the use of autonomous agents for doing intrusion detection. With its prototype implementation, it constitutes a useful framework for the research and testing of intrusion detection algorithms and(More)
Programmers spend considerable time debugging code. Symbolic debuggers provide some help but the task remains complex and difficult. Other than breakpoints and tracing, these tools provide little high-level help. Programmers must perform many tasks manually that the tools could perform automatically, such as finding which statements in the program affect(More)
On the evening of 2 November 1988, someone infected the Internet with a <i>worm</i> program. That program exploited flaws in utility programs in systems based on BSD-derived versions of UNIX. The flaws allowed the program to break into those machines and copy itself, thus <i>infecting</i> those systems. This program eventually spread to thousands of(More)
Authorship analysis on computer software is a difficult problem. In this paper we explore the classification of programmers’ style, and try to find a set of characteristics that remain constant for a significant portion of the programs that this programmer might produce. Our goal is to show that it is possible to identify the author of a program by(More)
The Intrusion Detection System architectures commonly used in commercial and research systems have a number of problems that limit their configurability, scalability or efficiency. The most common shortcoming in the existing architectures is that they are built around a single monolithic entity that does most of the data collection and processing. In this(More)
This paper analyzes a network-based denial of service attack for IP (Internet Protocol) based networks. It is popularly called SYN flooding. It works by an attacker sending many TCP (Transmission Control Protocol) connection requests with spoofed source addresses to a victim’s machine. Each request causes the targeted host to instantiate data structures out(More)