Evolving Defenses

Moving away from static signatures
  - Virus software, traditional IDS

Assume we can't keep up with a worm's spread
  - By the time you identify it, damage is being done

Several passes at detection, defense
  - Anomaly detection IDS
    - Relational models
    - Statistical models
  - Anomaly prevention systems
    - System calls (Forrest)
    - Network flows (Williamson)
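The system-call item above refers to the sequence-based approach associated with Forrest's work: record the short system-call sequences a process emits during normal operation, then flag traces whose windows do not appear in that normal profile. The following is an added worked example (not code from the original slides or from Forrest's group) of that idea in Python. The process name, the traces, the window length and the alert threshold are all constructed for illustration.

```python
"""Sequence-based system-call anomaly detection (sliding n-gram window).

Added example in the spirit of the Forrest-style "sense of self" approach:
build a database of short system-call sequences observed during normal
operation, then score new traces by how many of their windows are absent
from that database. All traces below are constructed, not real captures.
"""

WINDOW = 3  # length of each short sequence (n-gram); assumed value


def windows(trace, n=WINDOW):
    """Return every contiguous n-length tuple of the trace (empty if too short)."""
    return [tuple(trace[i:i + n]) for i in range(len(trace) - n + 1)]


def build_profile(normal_traces, n=WINDOW):
    """Normal-behaviour database: the set of n-grams seen during training."""
    profile = set()
    for trace in normal_traces:
        profile.update(windows(trace, n))
    return profile


def score_trace(trace, profile, n=WINDOW):
    """Return (mismatches, total_windows, mismatch_rate, unseen_windows).

    A mismatch is a window that is not in the normal profile. The rate is the
    fraction of windows that mismatch; a threshold on it is what a prevention
    system would act on (e.g. delaying or killing the process).
    """
    seen = windows(trace, n)
    unseen = [w for w in seen if w not in profile]
    total = len(seen)
    rate = len(unseen) / total if total else 0.0
    return len(unseen), total, rate, unseen


# Constructed training traces for a hypothetical file-serving process.
NORMAL_TRACES = [
    ["open", "read", "read", "write", "close"],
    ["open", "read", "write", "close"],
    ["open", "fstat", "read", "write", "close"],
    ["open", "read", "read", "read", "close"],
]

# Constructed test traces: one benign variant, one that looks nothing like training.
BENIGN_TRACE = ["open", "fstat", "read", "read", "write", "close"]
SUSPICIOUS_TRACE = ["open", "read", "mmap", "execve", "socket", "connect", "close"]

THRESHOLD = 0.3  # assumed: alert when more than 30% of windows are unseen


def is_anomalous(trace, profile=None, threshold=THRESHOLD, n=WINDOW):
    """True if the trace's mismatch rate exceeds the threshold."""
    if profile is None:
        profile = build_profile(NORMAL_TRACES, n)
    _, _, rate, _ = score_trace(trace, profile, n)
    return rate > threshold


if __name__ == "__main__":
    profile = build_profile(NORMAL_TRACES)
    for name, trace in [("benign", BENIGN_TRACE), ("suspicious", SUSPICIOUS_TRACE)]:
        mism, total, rate, unseen = score_trace(trace, profile)
        verdict = "ANOMALY" if is_anomalous(trace, profile) else "ok"
        print(f"{name}: {mism}/{total} windows unseen (rate {rate:.2f}) -> {verdict} {unseen}")
```

Note that the benign trace contains one window ("fstat", "read", "read") that never occurred in training, so it scores a non-zero mismatch rate but stays under the threshold; the suspicious trace has no window in common with the profile. That gap between "slightly novel" and "entirely foreign" is what makes a rate threshold workable, and it is also why the training set and the threshold must be chosen per process: an under-trained profile pushes benign variation over the line.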