Notes for March 18, 1998

  1. Greetings and Felicitations
    1. Reading: none
    2. Review session: 176 Chemistry, Monday, March 23, 10:30-12:30
    3. Final: this room, Wednesday, March 25, 4:00-6:00
  2. Puzzle
  3. Intrusion Detection Systems
    1. Anomaly detectors: look for unusual patterns
    2. Misuse detectors: look for sequences known to cause problems
    3. Specification detectors: look for actions outside specifications
  4. Anomaly Detection
    1. Original type: used login times
    2. Can be used to detect viruses, etc. by profiling expected number of writes
    3. Basis: statistically build a profile of users' expected actions, and look for actions which do not fit into the profile
    4. Issue: periodically modify the profile, or leave it static?
    5. User vs. group profiles
    6. Problems
  5. Misuse Detection
    1. Look for specific patterns that indicate a security violation
    2. Basis: need a database or ruleset of attack signatures
    3. Issues: handling log data, correllating logs
    4. Problems: can't find new attacks
  6. Specification Detection
    1. Look for violations of specifications
    2. Basis: need a representation of specifications
    3. Issues: similar to misuse detection
    4. Advantage: can detect attacks you don't know about.
  7. Network IDS
    1. What they do
    2. Discuss DIDS organization
[ ended here ]

You can also see this document in its native format, in Postscript, in PDF, or in ASCII text.
Send email to [email protected].

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562


Page last modified on 3/18/98