COMP 5900V: Intrusion Detection

Carleton University, Winter 2006
Course Outline

Instructor: Anil Somayaji (Office Hours: TBA and by appointment)
Meeting Time: Monday and Wednesday, 9:35-10:55 AM, January 4th through April 3rd (Note the time change!)
Meeting Place: Leeds 118, Carleton University

Official Course Description: Course on intrusion detection and prevention systems, with additional material on virus and worm detection systems. Topics covered include signature, specification, and anomaly-based systems for detecting violations of security policy, automated response strategies, and experimental methodologies for comparing systems.

Prerequisites: COMP 4108 (Computer Systems Security), COMP 5406 (Network Security and Cryptography), or equivalent background.

Format of Course: While the early part of the course will include introductory lectures, the bulk of class time will be spent discussing assigned readings. Students are expected to come to class prepared to discuss the readings in depth: participation is expected and will be evaluated. To encourage preparation, students will turn in reading responses at the start of each week; also, there will be a term project on intrusion detection divided into a formal outline and bibliography, oral presentation, and final paper.

Texts: Readings will be available online through this web page.

Grading: Final grades will be calculated based on 60% for a class project and 40% for class participation, divided as follows:

The "reading responses" are short (approximately one page) write-ups that discuss the readings for a given week, due at the beginning of class on each Monday. I will not grade these for style or grammar (although I appreciate both); instead, I am looking for evidence that you have read and thought about the readings. To aid this process, I will suggest that you address certain questions each week; as the semester progresses, I expect you to go beyond the suggested questions and ask ones that pertain to your own interests and views. From time to time, you may find some readings hard to understand; if this is the case, your write-up should explain why you had difficulty understanding the work. Remember that the primary purpose of these assignments is to ensure that everyone comes to class prepared.

The project outline is to be 2-5 pages in length, while the final report is to be 5-10 pages (single-spaced, 12 point font). Students will receive extensive feedback on their outline and will primarily be graded on effort. To increase the value of the outline, please make a detailed argument and include references. The final project is expected to be a polished presentation of material, complete with appropriate citations. Ideas for appropriate projects will be discussed in class.

Ethics & Intellectual Honesty: I view all students in this course as independent junior researchers. In this context, I expect everyone to uphold the highest intellectual and ethical standards. Ideas should be properly credited, whether in written or oral communications. Further, individuals should be respected, no matter how strange their ideas or presentation may seem. Disrespect to other class members will be negatively reflected in class participation grades. Intellectual dishonesty in any form will result in failing grades on the assignment and, as appropriate, university disciplinary action.

Please note that in the context of the term project, I expect you to turn in a paper that reflects your ideas about your chosen topic. Any content, whether it be direct quotation, figure, organization of material, or idea that is not your own or "common knowledge" in the context of the course must be properly cited in proper scholarly form. Do not simply paraphrase paragraphs and cite them - such lifting of material is considered plagiarism and will be dealt with harshly.

Special Needs Students: Students with disabilities requiring academic accommodations in this course are encouraged to contact a coordinator at the Paul Menton Centre (PMC) for Students with Disabilities and to make an appointment to meet and discuss your needs with me by January 25, 2005. I will do my best to make reasonable accommodations within the context of the course.

Daily class outline (subject to change)

Jan. 4th

Jan. 9th & 11th

Early Approaches

Anderson (1980), Computer Security Threat Monitoring and Surveillance
Denning (1986), An Intrusion Detection Model

Jan. 16th & 18th

Agents & Cells

Spafford & Zamboni (2000), Intrusion detection using autonomous agents
Forrest, Hofmeyr, & Somayaji (1997), Computer Immunology

Jan. 23rd & 25th

Signature-based Network IDSs

Paxson (1998), Bro: A System for Detecting Network Intruders in Real-Time
Roesch (1999), Snort - Lightweight Intrusion Detection for Networks
Patton, Yurcik, & Doss (2001), An Achilles' Heel in Signature-Based IDS: Squealing False Positives in SNORT

Jan. 30th & Feb. 1st
Heberlein et al. (1990), A Network Security Monitor
Hofmeyr & Forrest (1999), Immunity by Design: An Artificial Immune System
Kim & Bentley (2001), An Evaluation of Negative Selection in an Artificial Immune System for Network Intrusion Detection
Balthrop et al. (2002), Revisiting LISYS: Parameters and Normal Behavior

Feb. 6th & 8th

DARPA IDS Evaluation

Lippmann et al. (2000), Analysis and Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation for Detecting Network Intruders in Real-Time
McHugh (2000), Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory
Axelsson (2000), The Base-Rate Fallacy and the Difficulty of Intrusion Detection
Mahoney & Chan (2003), An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection
Lippmann et al. (2000), Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line Intrusion Detection Evaluation (OPTIONAL)

Feb. 13th & 15th

System Calls 1

Forrest et al. (1996), A Sense of Self for Unix Processes
Lee & Stolfo (1998), Data Mining Approaches for Intrusion Detection
Warrender et al. (1999), Detecting Intrusions Using System Calls: Alternative Data Models
Tan & Maxion (2002), "Why 6?": Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector

Feb. 27th & Mar. 1st

System Calls 2

Wagner & Soto (2002), Mimicry Attacks on Host-Based Intrusion Detection Systems
Wagner & Dean (2001), Intrusion Detection via Static Analysis
Sekar et al. (2001), A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors
Kruegel & Kirda (2005), Automating Mimicry Attacks Using Static Binary Analysis

Mar. 6th & 8th
Somayaji (2002), Operating System Stability and Security through Process Homeostasis

Mar. 13th & 15th
Kim & Karp (2004), Autograph: Toward Automated, Distributed Worm Signature Detection
Singh et al. (2004), Automated Worm Fingerprinting
Wang & Stolfo (2004), Anomalous Payload-Based Network Intrusion Detection
Twycross & Williamson (2003), Implementing and testing a virus throttle

Mar. 20th

App-specific IDSs (no write-up required)

Kruegel et al. (2005), A multi-model approach to the detection of web-based attacks
Li & Somayaji (2005), Securing Email Archives through User Modeling

Mar. 22nd
Class wrap-up discussion

Mar. 27th

Project Presentations (in 5115 HP): Dave, Ervin, Abiola

Mar. 29th

Project Presentations (in 5115 HP): Shaun, Lindy, Thomas

Apr. 3rd

Project Presentations (in 5115 HP): Amir, Preeti, Mohammad

Apr. 5th

Project Presentations (in 5115 HP): Abdulrahman, Chen, Francois

Last modified: March 20, 2006