One embodiment of the present invention provides a policy-driven
intrusion detection system for a networked computer system. This system
operates by receiving a global policy for intrusion detection for the
networked computer system. This global policy specifies rules in the form
of a global security condition for the networked computer system and a
global response to be performed in response to the global security
condition. The system compiles the global policy into local policies for
local regions of the networked computer system. Each local policy
specifies at least one rule in the form of a local security condition for
an associated local region of the networked computer system and a local
response to be performed in response to the local security condition. The
system communicates the local policies to local analyzers that control
security for the local regions. A local analyzer compiles a local policy
into specifiers for local sensors in a local region associated with the
local analyzer. These specifiers are communicated to the local computer
systems in the local region. This allows local computer systems to
implement the local sensors.
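The three compilation tiers described above (global policy to local policies, local policy to sensor specifiers), as an added worked example that is not from the patent; the rule syntax, the region topology and the specifier fields are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    condition: str          # assumed syntax "<metric>><count>/<window>s", e.g. "failed_logins>5/60s"
    response: str           # action the analyzer takes when the condition fires
    scope: tuple = ()       # regions the rule covers; empty tuple means every region

# Constructed topology (assumption): region name -> hosts the local analyzer controls.
TOPOLOGY = {
    "dmz": ["web1", "web2"],
    "corp": ["file1", "mail1"],
}

COND_RE = re.compile(r"^(\w+)>(\d+)/(\d+)s$")

def compile_global(global_policy, topology):
    """Global policy -> {region: [Rule]}; each region keeps only the rules that cover it,
    and each copied rule is re-scoped so a local analyzer cannot act outside its region."""
    return {
        region: [Rule(r.condition, r.response, (region,))
                 for r in global_policy if not r.scope or region in r.scope]
        for region in topology
    }

def compile_local(region, local_policy, topology):
    """Local analyzer step: local policy -> one sensor specifier per (host, rule).
    Sensors only measure and report to the analyzer; the response stays with the analyzer."""
    specs = []
    for host in topology[region]:
        for rule in local_policy:
            m = COND_RE.match(rule.condition)
            if not m:
                raise ValueError(f"unparseable condition: {rule.condition!r}")
            metric, count, window = m.groups()
            specs.append({"host": host, "metric": metric, "threshold": int(count),
                          "window_s": int(window), "report_to": f"analyzer:{region}"})
    return specs

def compile_all(global_policy, topology=TOPOLOGY):
    """Run both tiers; returns {region: {"policy": [Rule], "sensors": [specifier]}}."""
    local = compile_global(global_policy, topology)
    return {region: {"policy": rules, "sensors": compile_local(region, rules, topology)}
            for region, rules in local.items()}

# Constructed global policy (assumption): one rule for every region, one for the DMZ only.
GLOBAL_POLICY = [
    Rule("failed_logins>5/60s", "lock_account_and_alert"),
    Rule("inbound_syn>1000/10s", "rate_limit_source", scope=("dmz",)),
]
```

Calling `compile_all(GLOBAL_POLICY)` yields two rules and four sensor specifiers for the DMZ, and one rule with two specifiers for the corporate region.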