Specification-based monitoring

Specification-based monitoring is a type of behavior-based detection. In the specification-based approach, every event that a program raises against the operating system (a system call, a file write, a process launch) is intercepted and mediated by a specification, or policy, before it takes effect. The policy dictates what action should be taken for a sequence of events, not just for each event in isolation. Typically, the actions are allow, deny or log.

For example, we might have a policy for a browser which states that "any file downloaded from a Web site (not on a whitelist) cannot be automatically executed." Under this policy the monitor remembers which files the browser fetched and from where; when one of those files is later executed and its source site is not on the whitelist, the execution is denied (or, if the policy says so, logged). Policies of this kind can be very effective against important infection vectors such as drive-by downloads, because they target the behavior the attack must exhibit rather than a signature of any particular payload.

Specification-based monitoring has the following two advantages over anomaly detection.

Advantage No. 1: It has flexibility

Specification-based monitoring decouples policy construction from enforcement. The enforcement engine only has to intercept events and apply whatever policy it is given; the policy itself can be written by hand, shipped by a vendor, or even derived by an anomaly detector that learns a program's normal behavior and emits it as rules. In that abstract sense, specification-based monitoring is more general than anomaly detection: an anomaly detector is one possible source of policy.

Advantage No. 2: It has low false positives

Because the policy is explicit, every alert can be traced back to the rule that produced it, and that rule can be tuned (for example, by extending a whitelist) without retraining a model. A well-engineered specification-based monitoring system can therefore achieve very low false positive rates. The corresponding cost is that the system only detects what its policies describe: behavior the policy author did not anticipate is not flagged, so false negatives are bounded by the completeness of the policies, not by the monitor.

Dr. Somesh Jha is co-founder and chief scientist of NovaShield. He has more than 19 years of research and development experience (both academic and industrial) in security and IT. He is currently a member of the faculty at the Department of Computer Science at the University of Wisconsin-Madison. He focuses primarily on computer system security and is a frequent speaker at security-related conferences and events across the United States. Dr. Jha has been recognized through numerous awards including the NSF CAREER award, ACM SIGSOFT distinguished paper award and best paper award at ACSAC. He also conducted four years of advanced research during a postdoctoral fellowship at Carnegie Mellon University's Computer Emergency Response Team (CERT). He also serves on the editorial board of the Journal of Computer Security, and on the program committees for WORM05, RAID05, USENIX Security Symposium and WWW (Security and Privacy Track). Dr. Jha completed his PhD in Computer Science at Carnegie Mellon University and B.Tech in Electrical Engineering from IIT-Delhi, India. He can be reached at email@example.com.
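The following is an added example written for this page, not NovaShield's code and not code from the article: a toy specification-based monitor that mediates a stream of events with an ordered list of rules mapping each event to allow, deny or log, and that keeps enough state from earlier events to enforce the browser whitelist policy above over the download-then-execute sequence. The process names, file paths, site names and the event stream are all constructed for illustration. It also makes one interpretive choice the text does not spell out: "automatically executed" is taken to mean launched by the browser itself, while a launch of the same file by another process is treated as a user action and only logged.

```python
"""Toy specification-based monitor (added example, not NovaShield's code).

Events arrive in the order the operating system would see them. An ordered
list of rules maps each event to ALLOW, DENY or LOG; the first matching rule
wins. Rules may consult state the monitor kept from earlier events, which is
how a policy constrains a *sequence* (download, then exec).
"""
from dataclasses import dataclass, field

ALLOW, DENY, LOG = "allow", "deny", "log"

# Assumed names: the browser image and the whitelisted site are made up.
BROWSER = "browser.exe"
WHITELIST = frozenset({"updates.example.com"})


@dataclass(frozen=True)
class Event:
    process: str      # image that issued the operation
    op: str           # "download" or "exec" in this example
    target: str       # file written or executed
    origin: str = ""  # for downloads: host the bytes came from


@dataclass
class Monitor:
    whitelist: frozenset
    rules: list                                  # [(name, predicate, action)]
    origins: dict = field(default_factory=dict)  # path -> origin of download
    audit: list = field(default_factory=list)    # (event, rule name, verdict)

    def untrusted_origin(self, path):
        """True iff path was downloaded from a site not on the whitelist."""
        origin = self.origins.get(path)
        return origin is not None and origin not in self.whitelist

    def decide(self, ev):
        """Mediate one event: first matching rule wins, default is ALLOW."""
        name, verdict = "default", ALLOW
        for rule_name, predicate, action in self.rules:
            if predicate(self, ev):
                name, verdict = rule_name, action
                break
        # Bookkeeping happens after the decision: a denied download never
        # produces a file, so it must not be remembered as one.
        if ev.op == "download" and verdict != DENY:
            self.origins[ev.target] = ev.origin
        self.audit.append((ev, name, verdict))
        return verdict


def browser_policy():
    """Encodes: a file downloaded from a non-whitelisted site must not be
    automatically executed. "Automatic" is read as launched by the browser
    itself; a launch by any other process is treated as a user action and
    only logged (this split is an interpretation, not stated in the text)."""
    return [
        ("deny-auto-exec-of-untrusted-download",
         lambda m, e: e.op == "exec" and e.process == BROWSER
                      and m.untrusted_origin(e.target), DENY),
        ("log-user-exec-of-untrusted-download",
         lambda m, e: e.op == "exec" and m.untrusted_origin(e.target), LOG),
    ]


def run(events, whitelist=WHITELIST):
    """Feed an event stream through a fresh monitor; return one verdict per event."""
    mon = Monitor(whitelist=whitelist, rules=browser_policy())
    return [mon.decide(e) for e in events]


# Constructed drive-by-download scenario (not captured data).
SAMPLE_EVENTS = [
    Event(BROWSER, "download", r"C:\dl\patch.exe", "updates.example.com"),
    Event(BROWSER, "exec", r"C:\dl\patch.exe"),                # trusted site
    Event(BROWSER, "download", r"C:\dl\codec.exe", "ads.example.net"),
    Event(BROWSER, "exec", r"C:\dl\codec.exe"),                # drive-by launch
    Event("explorer.exe", "exec", r"C:\dl\codec.exe"),         # user launch
    Event("explorer.exe", "exec", r"C:\Windows\notepad.exe"),  # never downloaded
]

if __name__ == "__main__":
    for ev, verdict in zip(SAMPLE_EVENTS, run(SAMPLE_EVENTS)):
        print(f"{verdict:5} {ev.process:12} {ev.op:8} {ev.target}")
```

The two advantages from the text show up directly: the rules are data handed to a generic `decide` loop, so the policy can be replaced without touching enforcement, and a false positive (say, a legitimate updater site) is fixed by adding one entry to `WHITELIST` rather than by retraining anything. The download itself is allowed in every case; only the later execution is blocked, which is what lets the policy stop the drive-by while leaving ordinary downloads alone.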