Notes for March 18, 1998

  1. Greetings and Felicitations
    1. Reading: none
    2. Review session: 176 Chemistry, Monday, March 23, 10:30-12:30
    3. Final: this room, Wednesday, March 25, 4:00-6:00
  2. Puzzle
  3. Intrusion Detection Systems
    1. Anomaly detectors: look for unusual patterns
    2. Misuse detectors: look for sequences known to cause problems
    3. Specification detectors: look for actions outside specifications
  4. Anomaly Detection
    1. Original type: profiled users' login times
    2. Can also be used to detect viruses, etc., by profiling the expected number of file writes per program or session
    3. Basis: statistically build a profile of users' expected actions, and look for actions which do not fit into the profile
    4. Issue: periodically modify the profile, or leave it static?
    5. User vs. group profiles
    6. Problems
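The statistical profile in item 4 above, worked through as an added example (this is not code from the original notes). It profiles one user's "files written per session", the feature the notes mention for catching viruses, and shows the issue raised in 4.4: a static profile flags the slow ramp an attacker uses to train the detector but also flags any legitimate change in behaviour, while an adaptive profile follows the user but can be walked up until a burst looks normal. The session counts, the 3-standard-deviation threshold and the 10-session window are all assumptions made for illustration.

```python
"""Statistical anomaly detection on a per-user "writes per session" profile.

Added example, not code from the original notes. The session records, the
z-score threshold and the window size are assumptions made for illustration.
"""
from collections import deque
from statistics import mean, pstdev
from typing import Deque, List, Tuple

# Constructed history for one user: number of files written per login session.
WRITES_HISTORY = [8, 12, 10, 14, 6, 10, 12, 8, 10, 10]

# Constructed attacker traffic: a slow ramp, then a burst a virus might produce.
DRIFT_SESSIONS = [15, 18, 21, 24, 27, 30, 33, 36]
BURST_SESSION = 45

Z_THRESHOLD = 3.0   # assumption: flag anything more than 3 standard deviations away
WINDOW = 10         # assumption: profile covers the 10 most recent accepted sessions
MIN_SD = 0.5        # assumption: floor so a constant history does not divide by zero


class WriteProfile:
    """Mean/standard deviation of writes per session over a sliding window."""

    def __init__(self, history: List[int], adaptive: bool) -> None:
        self.window: Deque[int] = deque(history, maxlen=WINDOW)
        self.adaptive = adaptive

    def zscore(self, writes: int) -> float:
        """How many standard deviations this session is from the profile mean."""
        sd = max(pstdev(self.window), MIN_SD)
        return (writes - mean(self.window)) / sd

    def observe(self, writes: int) -> Tuple[bool, float]:
        """Score one session; returns (flagged, z). An adaptive profile absorbs
        every session it did *not* flag; a static profile never changes."""
        z = self.zscore(writes)
        flagged = abs(z) > Z_THRESHOLD
        if self.adaptive and not flagged:
            self.window.append(writes)   # the oldest observation falls out of the window
        return flagged, z


def replay(adaptive: bool) -> Tuple[int, bool]:
    """Feed the drift sessions, then the burst. Returns
    (number of drift sessions flagged, whether the burst was flagged)."""
    profile = WriteProfile(WRITES_HISTORY, adaptive=adaptive)
    drift_flags = sum(profile.observe(w)[0] for w in DRIFT_SESSIONS)
    burst_flagged, _ = profile.observe(BURST_SESSION)
    return drift_flags, burst_flagged


if __name__ == "__main__":
    for label, adaptive in (("static", False), ("adaptive", True)):
        drift_flags, burst_flagged = replay(adaptive)
        print(f"{label:8s} profile: {drift_flags}/{len(DRIFT_SESSIONS)} drift sessions "
              f"flagged, burst of {BURST_SESSION} writes flagged={burst_flagged}")
```

With the constructed data the static profile flags 7 of the 8 ramp sessions and the burst; the adaptive profile flags nothing, because each ramp step stays under the threshold, is absorbed, and moves the mean and spread up until 45 writes is within three standard deviations. A common middle ground is to update the profile only on a schedule, after the accepted observations have been reviewed, rather than on every unflagged event.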
  5. Misuse Detection
    1. Look for specific patterns that indicate a security violation
    2. Basis: need a database or ruleset of attack signatures
    3. Issues: handling the volume of log data, correlating records from different logs
    4. Problems: can't find new attacks
  6. Specification Detection
    1. Look for violations of specifications
    2. Basis: need a representation of specifications
    3. Issues: similar to misuse detection
    4. Advantage: can detect attacks you don't know about
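Items 5 and 6 above side by side, as an added example that is not code from the original notes: a misuse detector with a small signature ruleset and a specification detector with per-program specifications, both run over the same constructed audit log. The log lines, the two signatures (repeated login failures, a write to the password file by a program that has no business doing so) and the specifications for lpd and sendmail are assumptions for illustration. The point of 5.4 and 6.4 shows up in the output: lpd spawning a shell matches no signature, so the misuse detector misses it, but it is outside lpd's specification, so the specification detector catches it without knowing the attack.

```python
"""Misuse (signature) detection and specification detection over one
constructed audit log. Added example, not code from the original notes; the
log lines, signature rules and per-program specifications are all assumptions.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Tuple

# Constructed syslog-style audit records: a password-guessing run against sshd,
# lpd spawning a shell, and sendmail writing the password file.
LOG_LINES = [
    "Mar 18 10:02:11 host1 sshd[412]: Failed password for root from 10.0.0.7",
    "Mar 18 10:02:13 host1 sshd[412]: Failed password for root from 10.0.0.7",
    "Mar 18 10:02:14 host1 sshd[412]: Failed password for root from 10.0.0.7",
    "Mar 18 10:02:16 host1 sshd[412]: Failed password for root from 10.0.0.7",
    "Mar 18 10:02:17 host1 sshd[412]: Failed password for root from 10.0.0.7",
    "Mar 18 10:03:40 host1 lpd[519]: open /var/spool/lpd/cfA017host1 mode=r",
    "Mar 18 10:03:41 host1 lpd[519]: open /dev/lp0 mode=w",
    "Mar 18 10:03:42 host1 lpd[519]: exec /bin/sh",
    "Mar 18 10:04:02 host1 sendmail[530]: open /var/spool/mqueue/qfKAA00530 mode=w",
    "Mar 18 10:04:03 host1 sendmail[530]: open /etc/passwd mode=w",
]

LINE_RE = re.compile(r"^\w{3} +\d{1,2} (\d\d):(\d\d):(\d\d) \S+ (\w+)\[\d+\]: (.*)$")
FAILED_RE = re.compile(r"^Failed password for (\S+) from (\S+)$")
FILEOP_RE = re.compile(r"^(open|exec) (\S+)(?: mode=(\w))?$")


@dataclass
class Event:
    secs: int    # seconds since midnight; enough to correlate lines from one day
    prog: str
    msg: str


def parse(lines: List[str]) -> List[Event]:
    """Turn raw log lines into events; lines the parser cannot read are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            h, mi, s, prog, msg = m.groups()
            events.append(Event(int(h) * 3600 + int(mi) * 60 + int(s), prog, msg))
    return events


# ---- misuse detection: signatures of attacks known in advance -----------------
BRUTE_FORCE_COUNT = 5      # assumption: 5 failures for one user/host pair ...
BRUTE_FORCE_WINDOW = 60    # ... within 60 seconds is a password-guessing run
PASSWD_FILES = {"/etc/passwd", "/etc/master.passwd"}
PASSWD_WRITERS = {"passwd", "chpass", "vipw"}   # programs that legitimately write them


def misuse_alerts(lines: List[str]) -> List[str]:
    alerts: List[str] = []
    failures: Dict[Tuple[str, str], Deque[int]] = defaultdict(deque)
    for ev in parse(lines):
        m = FAILED_RE.match(ev.msg)
        if m:   # signature 1 correlates several lines: failures per (user, host)
            user, host = m.groups()
            recent = failures[(user, host)]
            recent.append(ev.secs)
            while recent and ev.secs - recent[0] > BRUTE_FORCE_WINDOW:
                recent.popleft()
            if len(recent) >= BRUTE_FORCE_COUNT:
                alerts.append(f"brute force: {len(recent)} failed logins for {user} "
                              f"from {host} within {BRUTE_FORCE_WINDOW}s")
                recent.clear()
            continue
        m = FILEOP_RE.match(ev.msg)
        if (m and m.group(1) == "open" and m.group(2) in PASSWD_FILES
                and m.group(3) == "w" and ev.prog not in PASSWD_WRITERS):
            alerts.append(f"{ev.prog} wrote {m.group(2)} (known attack signature)")
    return alerts


# ---- specification detection: what each program is allowed to do -------------
# Assumed specifications: (action, path prefix, mode) triples; mode "*" = any.
SPECS = {
    "lpd": [("open", "/var/spool/lpd/", "r"), ("open", "/dev/lp0", "w"),
            ("exec", "/usr/libexec/lpr/", "*")],
    "sendmail": [("open", "/var/spool/mqueue/", "*"), ("open", "/etc/aliases", "r"),
                 ("exec", "/usr/libexec/mail.local", "*")],
}


def permitted(prog: str, action: str, path: str, mode: str) -> bool:
    return any(action == s_action and path.startswith(prefix) and s_mode in ("*", mode)
               for s_action, prefix, s_mode in SPECS[prog])


def spec_alerts(lines: List[str]) -> List[str]:
    alerts: List[str] = []
    for ev in parse(lines):
        if ev.prog not in SPECS:
            continue                     # no specification, so not monitored
        m = FILEOP_RE.match(ev.msg)
        if not m:
            continue
        action, path, mode = m.group(1), m.group(2), m.group(3) or "-"
        if not permitted(ev.prog, action, path, mode):
            alerts.append(f"{ev.prog}: {action} {path} outside specification")
    return alerts


if __name__ == "__main__":
    print("misuse:", *misuse_alerts(LOG_LINES), sep="\n  ")
    print("spec:  ", *spec_alerts(LOG_LINES), sep="\n  ")
```

Each detector reports two alerts. Both see sendmail writing /etc/passwd, since that is a known attack with a signature and is also outside sendmail's specification. Only the misuse detector sees the password guessing, because a specification describes what a program may do, not what its clients may try; only the specification detector sees lpd executing /bin/sh, because no signature was written for it. The specification detector's cost is the one noted in 6.2: someone has to write and maintain a specification for every monitored program.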
  7. Network IDS
    1. What they do
    2. Discuss DIDS organization
[ ended here ]

Department of Computer Science
University of California at Davis
Davis, CA 95616-8562

Page last modified on 3/18/98