R&D Projects & Software Programs

Cube Dreams

Most recent release: 2014

Cube Dreams is a 3D game for iOS devices where the player runs and jumps through various maps trying to grab all the jewels in the fastest time possible. The program  leverages many of the core iOS capabilities including its 3D engine, gesture detection, and gyroscopes and compass for motion and position detection.  (Version 1.0 released July 2014; available through the Apple App Store). More information.

Data Fence

Most recent release: 2014

Data Fence is a security tool that uses Apple's BSM audit data to monitor access to a user’s data, alerting the user when hackers, government spies, or overly curious co-workers access the user’s personal files. Data Fence puts a virtual fence around data and generates alerts when that fence is crossed in a suspicious manner. It doesn't care what the malicious software looks like. It doesn't care if an attacker has logged in with stolen credentials. It doesn't care if the user lets others mount the file system to access just some of the files. It doesn't care about any of the ways the threat might manifest itself, but it does care when the threat accesses protected data. (Version 1.0 released April 2014; available through the Mac App Store). More information.

Audit Viewer

Most recent release: 2014

Audit Viewer is a forensics tool for Mac OS X computers. It is a little like tcpdump for BSM audit data. It identifies individual processes, shows the programs the processes were running, and lets you drill down to the individual audit records. (Version 1.1 released April 2014; available through the Mac App Store). More information.

Audit Explorer

Most recent release: 2011

Audit Explorer is a security tool for Mac OS X computers. Audit Explorer analyzes the BSM audit files generated by the OS, highlights security relevant events, lets you drill down to the actions of individual processes, and lets you explore the relationships between processes (Version 1.1 released 2011; available through the Mac App Store). More information.

Log Browser

Most recent release: 2013

Log Browser is a front-end GUI to connect to the Free Audit Aggregation System (FAAS) web service to visually browse the logs on the server and quickly find log files of interest. You can then download the files to your computer for in-depth analysis using other tools such as Audit Explorer, Audit Viewer, and Data Fence. More information.

Free Audit Aggregation System (FAAS)

Most recent release: 2013

The Free Audit Aggregation System (FAAS) is a web service to aggregate, large, high fidelity security relevant logs, browse the logs in the archive, and download logs of interest to explorer with security tools such as Audit Explorer, Audit Viewer, and Data Fence. More information and video.

Audit Control Manager

Most recent release: 2011

Audit Control Manager (also known as ACManager) manages configurations for the BSM audit trail system for the Apple's Snow Leopard operating system. Audit Control Manager lets users generate, store, and share configurations. The purpose was to create a collection of audit configurations that were effective for various security scenarios and that could be shared within the security community.

Environment-Aware Security System

2003-2005 (Navy, ARDA)

The Environment-Aware Security project consumed detailed information about a network (e.g., vulnerabilities and topology) and a (potentially hypothetical) adversary's capabilities and produced (1) a set of your computer systems that could be penetrated by the adversary and (2) a prioritized list of changes to the network (e.g., patches to specific systems) that would maximally disrupt the adversary's ability to move through the network. The prioritized list of changes, referred to as Network Tasking Orders (NTOs), would be the primary way network and system administrators would interact with the system.

2003 ARDA presentation "Environment-Aware Security"

Automatic Signature Generation

2003-2004 (Air Force)

Automatic Signature Generation was designed to address self-propagating attacks (e.g., worms), especially so-called zero-day worms targeting previously unknown vulnerabilities, by automatically  generating a signature as soon as the attack is first observed. The system used suffix-trees to nearly instantaneously determine expected false positive rates of automatically generated candidate signatures. The best candidates would be pushed into intrusion prevention systems (IPS) to quickly stop the worm.

Intrusion Detection for FAA's Next-Generation ATC

2002-2004 (FAA, Northrop Grumman)

This work examined the possibility of bringing network-based intrusion detection to the FAA's next generation air traffic control network. The NextGen ATC network was not based on TCP/IP but what had been considered the future networking standard – the International Standards Organization's Open System Interconnection protocols, ISO/OSI.


2000-2001 (Air Force)

TrendCenter aggregated alerts from many organizations, spotted trends, and predicted the attacks a site was most likely to encounter in the near future (what we called "over-the-horizon intrusion detection"). We prototyped the first version on SANS intrusion detection data. Based on a site's attack prediction, TrendCenter generated a custom Nessus vulnerability scanner configuration file to find the vulnerabilities most likely to be exploited at your site.

2000 presentation "TrendCenter: Accelerating SANS GIAC"

Audit Work Bench

1999-2000 (Air Force)

Audit Workbench extended the Network Radar approach to audit trail analysis. It consisted of a flexible object oriented library (Audit Monitoring Framework, AMF) that could be extended and assembled into a range of audit trail monitors. Many of our current tools such as Audit Explorer, Audit Viewer, and Data Fence were built using this design.

Network Radar

1996-2000 (Air Force, DARPA)

Network Radar took the lessons learned from the NSM to build a next-generating network monitoring capability. The core of Network Radar was an object oriented library (called the Network Monitoring Framework, NMF) that could be extended and assembled into a wide range of network monitors to meet custom monitoring needs. The technology was designed to be purpose-agnostic so that it could deployed against a wide range of threats. Many years later the NSA's XKeyScore systems looked very much like Network Radar.

2013 presentation "XScoreKey: Network Radar Deja Vu"

1997 report "Network Radar: STTR Phase I Final Report"

Attack Classification

1995-1996 (Air Force)

The Attack Classification effort moved beyond describing specific instances of attacks to developing a taxonomy for describing attacks. The taxonomical approach would let us understand threats at a more fundamental level, giving us insights into potential variations of the attack, and suggesting solutions and detection strategies that would be more robust than dealing with each specific attack.

1996 paper "Attack Class: Address Spoofing"

Intrusion Detection for Large Networks

1993-1995 (DARPA)

The Intrusion Detection for Large Networks project was designed to extend the DIDS concepts to arbitrarily large networks. The project included a basket of other security technologies, including specification-based detection and tracking users across networks by fingerprinting connection content over specified chunks of time. Eventually this worked morphed into the Graph-based Intrusion Detection System (GrIDS).

1995 network fingerprinting paper "Holding Intruders Accountable on the Internet".

1992 network fingerprinting paper "Internet Security Monitor: An Intrusion-Detection System for Large-Scale Networks".

Distributed Intrusion Detection System (DIDS)

1990-1993 (Air Force)

DIDS was a distributed, heterogeneous intrusion detection system. It included host monitors (for SunOS and VMS), network monitors (based on the Network Security Monitor), and a Director that could aggregate low-level suspicious behavior into a stronger signal. The Director also tracked lateral movement in a network and could identify suspicious movement patterns that could not be detected by any one sensor. The Air Force eventually took the network monitor and Director, renamed the system ASIM, and by 1997 rolled it out across all Air Force sites.

1991 paper "DIDS (Distributed Intrusion Detection System) – Motivation, Architecture, and An Early Prototype".

Network Security Monitor (NSM)

1988-1995 (DOE)

The Network Security Monitor (NSM) was the first network-based intrusion detection system and the first widely deployed intrusion detection system (deployed by the Air Force under the name ASIM and DISA under the name JIDS). By 1991 the NSM included statistical profiling, content pattern matching, and rules to combine these analyses into an aggregated warning value. The NSM also included transcript and playback tools to observe an attacker's actual activity down to the keystroke level.

Original 1990 paper "A Network Security Monitor".

1991 thesis appendix "Network Security Monitor".

1991 technical report "Towards Detecting Intrusions in a Networked Environment".


  • Quinn Emanuel Urquhart & Sullivan, LLP, 2014
  • Kirkland & Ellis LLP – SRI vs. McAfee, 2013
  • Perkins Coie – Finjan vs. Secure Computing Corp., 2007
  • Lawrence Livermore National Laboratory (LLNL), 2005
  • Day Casebeer Madrid & Batchelder LLP – SRI vs. Symantec (and ISS/IBM), 2005
  • Akin Grump & Strauss LLP – Veridian vs. Ball Aerospace Technology Corp., 2001
  • Boeing, 2000