COMP 5900V: Intrusion Detection
Carleton University, Winter 2006
Course Outline
Instructor: Anil
Somayaji (Office Hours: TBA and by
appointment)
Meeting Time: Monday and Wednesday, 9:35-10:55 AM, January
4th through April 3rd (Note the time change!)
Meeting Place: Leeds 118, Carleton University
Official Course Description: Course on intrusion detection
and prevention systems, with additional material on virus and worm
detection systems. Topics covered include signature, specification,
and anomaly-based systems for detecting violations of security policy,
automated response strategies, and experimental methodologies for
comparing systems.
Prerequisites: COMP 4108 (Computer Systems Security), COMP
5406 (Network Security and Cryptography), or equivalent background.
Format of Course: While the early part of the course will
include introductory lectures, the bulk of class time will be spent
discussing assigned readings. Students are expected to come to class
prepared to discuss the readings in depth: participation is expected
and will be evaluated. To encourage preparation, students will turn
in reading responses at the start of each week; also, there will be a
term project on intrusion detection divided into a formal outline and
bibliography, oral presentation, and final paper.
Texts: Readings will be available online through this web
page.
Grading: Final grades will be calculated based on 60% for a
class project and 40% on class participation, divided as follows:
- 15% Class Project Outline & Bibliography (due February 27th)
- 35% Class Project Final Report (due April 10th)
- 10% Class Project Presentation (due March 27th)
- 20% Reading responses (one per week, due Monday)
- 20% Class Participation
The "reading responses" are a short (approximately one page) write-ups
that discuss the readings for a given week, due at the beginning of
class on each Monday. I will not grade these for style or grammar
(although I appreciate both); instead, I am looking for evidence that
you have read and thought about the readings. To aid this process, I
will suggest that you address certain questions each week; as the
semester progresses, I expect you to go beyond the suggested questions
and ask ones that pertain to your own interests and views. From time
to time, you may find some readings hard to understand; if this is the
case, your write-up should explain why you had difficulty
understanding the work. Remember that the primary purpose of these
assignments is to ensure that everyone comes to class prepared.
The project outline is to be 2-5 pages in length, while the final
report is to be 5-10 pages (single-spaced, 12 point font). Students
will receive extensive feedback on their outline and will primarily be
graded on effort. To increase the value of the outline, please make a
detailed argument and include references. The final project is
expected to be a polished presentation of material, complete with
appropriate citations. Ideas for appropriate projects will be
discussed in class.
Ethics & Intellectual Honesty: I view all students in
this course as independent junior researchers. In this context, I
expect everyone to uphold the highest intellectual and ethical
standards. Ideas should be properly credited, whether in written or
oral communications. Further, individuals should be respected, no
matter how strange their ideas or presentation may seem. Disrespect
to other class members will be negatively reflected in class
participation grades. Intellectual dishonesty in any form will result
in failing grades on the assignment and, as appropriate, university
disciplinary action.
Please note that in the context of the term project, I expect you to
turn in a paper that reflects your ideas about your chosen
topic. Any content, whether it be direct quotation, figure,
organization of material, or idea that is not your own or "common
knowledge" in the context of the course must be properly cited in
proper scholarly form. Do not simply paraphrase paragraphs and cite
them - such lifting of material is considered plagarism and will be
dealt with harshly.
Special Needs Students: Students with disabilities requiring
academic accommodations in this course are encouraged to contact a
coordinator at the Paul Menton Centre (PMC) for Students with
Disabilities and to make an appointment to meet and discuss your needs
with me by January 25, 2005. I will do my best to make reasonable
accommodations within the context of the course.
Daily class outline (subject to change)
|
Date
|
Topics
|
Readings
|
|
Jan. 4th
|
Introduction
|
none
|
|
Jan. 9th & 11th
|
Early
Approaches
|
Anderson (1980), Computer Security
Threat Monitoring and Surveillance
Denning (1986), An
Intrusion Detection Model
|
|
Jan. 16th & 18th
|
Agents & Cells
|
Spafford & Zamboni (2000), Intrusion
detection using autonomous agents
Forrest, Hofmeyr, & Somayaji (1997),
Computer Immunology
|
|
Jan. 23rd & 25th
|
Signature-based Network IDSs
|
Paxson (1998), Bro: A System
for Detecting Network Intruders in Real-Time
Roesch (1999),
Snort - Lightweight Intrusion Detection for
Networks
Patton, Yurick, & Doss (2001),
An Achilles' Heel in Signature-Based IDS:
Squealing False Positives in SNORT
|
|
Jan. 30th & Feb. 1st
|
NSM and LISYS
|
Heberlein et al. (1990),
A Network Security Monitor
Hofmeyr & Forrest (1999),
Immunity by Design: An Artificial Immune
System
Kim & Bentley (2001),
An Evaluation of Negative Selection in an
Artificial Immune System for Network Intrusion
Detection
Balthrop et al. (2002),
Revisiting LISYS: Parameters and Normal
Behavior
|
|
Feb. 6th & 8th
|
DARPA IDS Evaluation
|
Lippmann et al. (2000), Analysis
and Results of the 1999 DARPA Off-Line
Intrusion Detection Evaluation for Detecting
Network Intruders in Real-Time
McHugh (2000), Testing Intrusion Detection Systems: A
Critique of the 1998 and 1999 DARPA Intrusion
Detection System Evaluations as Performed by
Lincoln Laboratory
Axelsson (2000), The Base-Rate Fallacy and the Difficulty of
Intrusion Detection
Mahoney & Chan (2003),
An Analysis of the 1999 DARPA/Lincoln Laboratory
Evaluation Data for Network Anomaly Detection
Lippmann et al. (2000), Evaluating Intrusion Detection Systems: The
1998 DARPA Off-line I ntrusion Detection
Evaluation (OPTIONAL)
|
|
Feb. 13th & 15th
|
System Calls 1
|
Forrest et al. (1996),
A Sense of Self for Unix Processes
Lee & Stolfo (1998),
Data Mining Approaches for Intrusion
Detection
Warrender et al. (1999),
Detecting Intrusions Using System Calls:
Alternative Data Models
Tan & Maxion (2002),
"Why 6?": Defining the Operational Limits of
stide, an Anomaly-Based Intrusion Detector
|
|
Feb. 27th & Mar. 1st
|
System Calls 2
|
Wagner & Soto (2002),
Mimicry Attacks on Host-Based Intrusion
Detection Systems
Wagner & Dean (2001),
Intrusion Detection via Static
Analysis
Sekar et al. (2001),
A Fast Automaton-Based Method for Detecting
Anomalous Program Behaviors
Kruegel & Kirda (2005),
Automating Mimicry Attacks Using Static
Binary Analysis
|
|
Mar. 6th & 8th
|
pH
|
Somayaji (2002),
Operating System Stability and Security
through Process Homeostasis
|
|
Mar. 13th & 15th
|
Worms
|
Kim & Karp (2004),
Autograph: Toward Automated, Distributed Worm
Signature Detection
Singh et al. (2004),
Automated Worm Fingerprinting
Wang & Stolfo (2004),
Anomalous Payload-Based Network Intrusion
Detection
Twycross & Williamson (2003),
Implementing and testing a virus throttle
|
|
Mar. 20th
|
App-specific IDSs (no write-up required)
|
Kruegel et al. (2005),
A multi-model approach to the detection of
web-based attacks
Li & Somayaji (2005),
Securing Email Archives through User Modeling
|
|
Mar. 22nd
|
|
Class wrap-up discussion
|
|
Mar. 27th
|
Project Presentations (in 5115 HP): Dave,
Ervin, Abiola
|
|
|
Mar. 29th
|
Project Presentations (in 5115 HP): Shaun,
Lindy, Thomas
|
|
|
Apr. 3rd
|
Project Presentations (in 5115 HP): Amir,
Preeti, Mohammad
|
|
|
Apr. 5th
|
Project Presentations (in 5115 HP):
Abdulrahman, Chen, Francois
|
|
I'm soma at scs.carleton.ca.
(Use @ to put them together to email me.)
[Home]
Last modified: March 20, 2006