search menu icon-carat-right cmu-wordmark

Locality: A New Paradigm for Thinking About Normal Behavior and Outsider Threat

White Paper
In this paper, the authors describe how locality appears in many dimensions and applies to diverse mechanisms.

Software Engineering Institute


Locality as a unifying concept for understanding the normal behavior of benign users of computer systems is suggested as a unifying paradigm that will support the detection of malicious anomalous behaviors. The paper notes that locality appears in many dimensions and applies to such diverse mechanisms as the working set of IP addresses contacted during a web browsing session, the set of email addresses with which one customarily corresponds, the way in which pages are fetched from a web site. In every case intrusive behaviors that violate locality are known to exist and in some cases, the violation is necessary for the intrusive behavior to achieve its goal. If this observation holds up under further investigation, we will have a powerful way of thinking about security and intrusive activity.

This content was created for a conference series or symposium and does not necessarily reflect the positions and views of the Software Engineering Institute.