Learn More
The problem of protecting computer systems can be viewed generally as the problem of learning to distinguish self from other. We describe a method for change detection which is based on the generation of T cells in the immune system. Mathematical analysis reveals computational costs of the system, and preliminary experiments illustrate how the method might(More)
A method for anomaly detection is introduced in which ``normal'' is defined by short-range correlations in a process' system calls. Initial experiments suggest that the definition is stable during normal behavior for standard UNIX programs. Further, it is able to detect several common intrusions involving sendmail and lpr. This work is part of a research(More)
Intrusion detection systems rely on a wide variety of observable data to distinguish between legitimate and illegitimate activities. In this paper we study one such observable— sequences of system calls into the kernel of an operating system. Using system-call data sets generated by several different programs, we compare the ability of different data(More)
An artificial immune system (ARTIS) is described which incorporates many properties of natural immune systems, including diversity, distributed computation, error tolerance, dynamic learning and adaptation, and self-monitoring. ARTIS is a general framework for a distributed adaptive system and could, in principle, be applied to many domains. In this paper,(More)
There are more bugs in real-world programs than human programmers can realistically address. This paper evaluates two research questions: ``What fraction of bugs can be repaired automatically?'' and ``How much does it cost to repair a bug automatically?'' In previous work, we presented GenProg, which uses genetic programming to repair defects in(More)
SFI Working Papers contain accounts of scientific work of the author(s) and do not necessarily represent the views of the Santa Fe Institute. We accept papers intended for publication in peer-reviewed journals or proceedings volumes, but not papers that have already appeared in print. Except for papers by our external faculty, papers must be based on work(More)
The building-block hypothesis states that the GA works well when short, low-order, highly-t schemas recombine to form even more highly t higher-order schemas. The ability to produce tter and tter partial solutions by combining building blocks is believed to be a primary source of the GA's search power, but the GA research community currently lacks precise(More)
This paper describes GenProg, an automated method for repairing defects in off-the-shelf, legacy programs without formal specifications, program annotations, or special coding practices. GenProg uses an extended form of genetic programming to evolve a program variant that retains required functionality but is not susceptible to a given defect, using(More)
A method is introduced for detecting intrusions at the level of privileged processes. Evidence is given that short sequences of system calls executed by running programs are a good discriminator between normal and abnormal operating characteristics of several common UNIX programs. Normal behavior is collected in two ways: Synthetically, by exercising as(More)