COMP 5900W: Intrusion Detection

Carleton University, Winter 2007

Instructor: Anil Somayaji

The official course outline is available through the main SCS website.

Daily class outline (subject to change)




Jan. 3rd



Jan. 8th & 10th

Early Approaches

Anderson (1980), Computer Security Threat Monitoring and Surveillance
Denning (1986), An Intrusion Detection Model
Smaha (1988), Haystack: An Intrusion Detection System
Vaccaro & Liepins (1989), Detection of Anomalous Computer Session Activity

Jan. 15th & 17th


Cheswick (1990), The Design of a Secure Internet Gateway
Bellovin & Cheswick (1994), Network Firewalls
Andreasson (2006), IP Filtering Introduction

Jan. 22nd & 24th

Signature-based Network IDSs

Paxson (1998), Bro: A System for Detecting Network Intruders in Real-Time
Roesch (1999), Snort - Lightweight Intrusion Detection for Networks
Patton, Yurick, & Doss (2001), An Achilles' Heel in Signature-Based IDS: Squealing False Positives in SNORT

Jan. 29th & 31st


Heberlein et al. (1990), A Network Security Monitor
Hofmeyr & Forrest (1999), Immunity by Design: An Artificial Immune System
Kim & Bentley (2001), An Evaluation of Negative Selection in an Artificial Immune System for Network Intrusion Detection
Balthrop et al. (2002), Revisiting LISYS: Parameters and Normal Behavior

Feb. 5th & 7th

DARPA IDS Evaluation

Lippmann et al. (2000), Analysis and Results of the 1999 DARPA Off-Line Intrusion Detection Evaluation for Detecting Network Intruders in Real-Time
McHugh (2000), Testing Intrusion Detection Systems: A Critique of the 1998 and 1999 DARPA Intrusion Detection System Evaluations as Performed by Lincoln Laboratory
Axelsson (2000), The Base-Rate Fallacy and the Difficulty of Intrusion Detection
Mahoney & Chan (2003), An Analysis of the 1999 DARPA/Lincoln Laboratory Evaluation Data for Network Anomaly Detection
Lippmann et al. (2000), Evaluating Intrusion Detection Systems: The 1998 DARPA Off-line I ntrusion Detection Evaluation (OPTIONAL)

Feb. 12th & 14th

System Calls 1

Forrest et al. (1996), A Sense of Self for Unix Processes
Lee & Stolfo (1998), Data Mining Approaches for Intrusion Detection
Warrender et al. (1999), Detecting Intrusions Using System Calls: Alternative Data Models

Feb. 26th & Feb. 28th

System Calls 2 & Project Outlines

Tan & Maxion (2002), "Why 6?": Defining the Operational Limits of stide, an Anomaly-Based Intrusion Detector
Somayaji & Forrest (2000), Automated Response Using System-Call Delays

March 5th & 7th

System Calls 3

Wagner & Dean (2001), Intrusion Detection via Static Analysis
Wagner & Soto (2002), Mimicry Attacks on Host-Based Intrusion Detection Systems
Sekar et al. (2001), A Fast Automaton-Based Method for Detecting Anomalous Program Behaviors
Kruegel & Kirda (2005), Automating Mimicry Attacks Using Static Binary Analysis

Mar. 12th & 14th

Web and Kernel IDSs

(Jinfei) Kruegel et al. (2005), A multi-model approach to the detection of web-based attacks
(Anil) Ingham et al. (2007), Learning DFA representations of HTTP for protecting web applications
(Rohan) Vogt et al. (2007), Cross-Site Scripting Prevention with Dynamic Data Tainting and Static Analysis
(Mario) Petroni et al. (2006), An Architecture for Specification-Based Detection of Semantic Integrity Violations in Kernel Dynamic Data

Mar. 19th & 21st

App-specific IDSs

(Sonia) Twycross & Williamson (2003), Implementing and testing a virus throttle
(Jennifer) Kirda et al. (2006), Behavior-based Spyware Detection
(Aleks) Wang et al. (2006), Anagram: A Content Anomaly Detector Resistant To Mimicry Attack
(Anil) Li & Somayaji (2005), Securing Email Archives through User Modeling

Mar. 26th


Class wrap-up discussion

Mar. 28th

Project Presentations 1

Apr. 2nd

Project Presentations 2

soma at
[Home] Last modified: March 8, 2007