Event Monitoring Enabling Responses to Anomalous Live Disturbances


SRI International Introduces EMERALD: A Novel Approach to Network Surveillance and Intrusion Detection

Menlo Park, CA (May 9, 2000) - Silicon Valley-based SRI International, a leading independent technology innovator, announced today the release of an evaluation edition of one component from a suite of advanced technologies being developed for the Department of Defense's cyber defense research program. Available for free download on the Internet, the component, called eXpert-BSM, provides a complete host-based intrusion detection solution for Sun Microsystems SPARC Solaris™ servers and will run on other major systems in the future. Funded by the U.S. Defense Advanced Research Projects Agency (DARPA), the technology suite, EMERALD (Event Monitoring Enabling Responses to Anomalous Live Disturbances), further underscores the need to develop advanced technologies for cyber defense against hacking and other malicious activities.

To widely distribute this state-of-the-art intrusion detection and surveillance technology, SRI applied EMERALD to the Sun Solaris™ Operating Environment™ - the most widely deployed platform used in eBusiness today - so that it is available to a large number of users. This free Internet distribution of eXpert-BSM is the first in a series of proactive measures SRI and DARPA will be taking this year to give corporate security administrators a glimpse into the capabilities that will set the standards for next-generation intrusion detection products. First in a series of advanced EMERALD intrusion detection sensors, eXpert-BSM is now available for free download and use at http://www.sdl.sri.com/emerald/releases/

"DARPA has been intent on providing innovative research and solutions for DoD network security, and we continue to do so in our Information Assurance and Survivability suite of programs. We are excited to make available results of this research to the broader network security community," said Michael Skroch, program manager for the Defense Advanced Research Projects Agency.


EMERALD is a patent-pending, software-based solution that utilizes lightweight sensors distributed over a network or series of networks for real-time detection of anomalous or suspicious activity. The EMERALD sensors monitor activity both on host servers and network traffic streams, and empower system defenders with the capacity to detect and ultimately thwart cyber attacks across large networks. By targeting external threat agents who attempt to subvert or bypass network interfaces, EMERALD has taken a giant leap forward in real-time security monitoring technology.

By using highly distributed surveillance and response monitors, EMERALD provides a wide range of information security coverage, real-time monitoring and response, and localized protection of informational assets throughout an enterprise network. EMERALD implements an enterprise-wide analysis to correlate the activity reports produced across a set of monitored domains. Enterprise-layer monitors focus on network-wide threats such as Internet worm-like attacks, attacks repeated against common network services across domains, or coordinated attacks from multiple domains against a single domain. Alerts are consolidated across multiple network domains within a single reporting console.

Through correlation and sharing of analysis results, reports of problems found by one monitor may propagate to other monitors throughout the network. This type of approach, which SRI believes will help form an Intelligent Internet Infrastructure, promises to speed the creation of new detection mechanisms and will allow faster technology transfer from research into product if such structures are adopted as commercial standards.
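The enterprise-layer correlation described above, as an added illustration that is not EMERALD's own code: three rules that flag the network-wide patterns the release names (worm-like spread, one service attacked across domains, one domain attacked from many sources) over alerts already consolidated from several domain monitors. The alert fields, thresholds and sample records are assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample alerts, not EMERALD output. Each record stands for one report a
# domain-level monitor forwarded to the console; field names are assumptions.
ALERTS = [
    {"t": 100, "domain": "eng",   "service": "ftp",  "src": "extA", "sig": "ftp-overflow"},
    {"t": 105, "domain": "sales", "service": "ftp",  "src": "extB", "sig": "ftp-overflow"},
    {"t": 110, "domain": "hr",    "service": "ftp",  "src": "extC", "sig": "ftp-overflow"},
    {"t": 200, "domain": "eng",   "service": "ssh",  "src": "extD", "sig": "ssh-bruteforce"},
    {"t": 201, "domain": "eng",   "service": "ssh",  "src": "extE", "sig": "ssh-bruteforce"},
    {"t": 202, "domain": "eng",   "service": "ssh",  "src": "extF", "sig": "ssh-bruteforce"},
    {"t": 900, "domain": "sales", "service": "http", "src": "extG", "sig": "cgi-probe"},
]

def _burst(events, min_distinct, window):
    """events: [(t, value)]. True if >= min_distinct distinct values fall inside
    any time window of length `window` (sliding window over sorted events)."""
    events = sorted(events)
    for i, (t0, _) in enumerate(events):
        vals = {v for t, v in events[i:] if t - t0 <= window}
        if len(vals) >= min_distinct:
            return True
    return False

def worm_like(alerts, min_domains=3, window=60):
    """Same signature reported by many domains in a short time: worm-like spread."""
    by_sig = defaultdict(list)
    for a in alerts:
        by_sig[a["sig"]].append((a["t"], a["domain"]))
    return {s for s, ev in by_sig.items() if _burst(ev, min_domains, window)}

def cross_domain_service(alerts, min_domains=2):
    """Same network service attacked in several domains, whatever the timing."""
    doms = defaultdict(set)
    for a in alerts:
        doms[a["service"]].add(a["domain"])
    return {s for s, d in doms.items() if len(d) >= min_domains}

def coordinated(alerts, min_sources=3, window=60):
    """One target domain hit from many distinct sources inside a short window."""
    by_target = defaultdict(list)
    for a in alerts:
        by_target[a["domain"]].append((a["t"], a["src"]))
    return {d for d, ev in by_target.items() if _burst(ev, min_sources, window)}

def enterprise_report(alerts):
    return {"worm_like": worm_like(alerts),
            "cross_domain_service": cross_domain_service(alerts),
            "coordinated": coordinated(alerts)}
```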

"EMERALD is a critical project within DARPA's Information Assurance and Survivability program. With the EMERALD network surveillance system, SRI International continues its long tradition of developing technology solutions for various markets," said William Mark, vice president of Information and Computing Sciences for SRI International. "As society relies increasingly on complex networking infrastructures, SRI's collaboration with DARPA for the EMERALD solution will provide the much-needed intrusion detection capabilities to protect these systems from external and internal attacks."

About eXpert-BSM

EMERALD's eXpert-BSM monitor is a host-based intrusion detection system that provides an unprecedented degree of real-time security monitoring for critical application servers and workstations in the Solaris™ Operating Environment™. It incorporates the most comprehensive knowledge base for detecting insider misuse, policy violations, privilege misuse or subversion, illegal resource manipulation, and other site policy violations against the operating system. This fully packaged solution provides users with:

  • a knowledge base of 39 host-oriented misuse-detection methods,
  • extensive user ability to configure both the knowledge-base and surveillance policy,
  • a graphical reporting console for managing sensor alerts,
  • detailed response directives and human readable countermeasure recommendations,
  • real-time and batch data processing.

When run on Solaris™ hosts, eXpert-BSM provides a significant enhancement to the security posture of any Solaris™ server or workstation. This type of host-based intrusion detection complements other surveillance methods such as network traffic analysis and provides direct, correlated intrusion reports on malicious activity occurring within the host. It gives global visibility of malicious activity detected through local sensor deployments and makes remote sensor management scalable and manageable.

"Sun is committed to ensuring the highest levels of secure and reliable operations to all customers," said Ravi Iyer, senior product manager for Sun Microsystems. "We see advanced high-performance security sensors such as the EMERALD host monitor as a valuable complement to aid the secure administration of our systems."

About SRI International

Silicon Valley-based SRI International (http://www.sri.com) is one of the world's largest independent research, technology development and consulting organizations. Founded in 1946 as the Stanford Research Institute, SRI has been meeting the strategic needs of global markets for more than 50 years. As part of its strategy to bring its technologies to the marketplace, SRI licenses its technologies, forms strategic partnerships and creates spin-off companies.

Solaris is a trademark of Sun Microsystems.

Visit SRI on the web at http://www.sri.com/
Alice Galloway
Corporate Communications
(650) 859-2711
