Notes for October 21, 1998

  1. Greetings and Felicitations!
    1. Office hours 3:00-4:00PM today.
    2. Security lab seminar 1:00-2:00PM in 1131 EU-II. We will talk about ongoing projects!
  2. Puzzle of the Day
  3. Examples
    1. Go through Burroughs B6700 penetration
    2. Go through Michigan Terminal System penetration
  4. Intrusion Detection Systems
    1. Anomaly detectors: look for unusual patterns
    2. Misuse detectors: look for sequences known to cause problems
    3. Specification detectors: look for actions outside specifications
  5. Anomaly Detection
    1. Original type: used login times
    2. Can be used to detect viruses, etc. by profiling expected number of writes
    3. Basis: statistically build a profile of users' expected actions, and look for actions which do not fit into the profile
    4. Issue: periodically modify the profile, or leave it static?
    5. User vs. group profiles
    6. Problems
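An added example (not part of these notes) of the statistical profiling described above: each subject gets a profile built from past observations, an observation is flagged when its z-score exceeds a threshold, and the same mechanism serves both the original login-time metric and the writes-per-run metric used to spot a program that starts infecting others. The training data, the threshold of 3 standard deviations, and the rolling window are constructed assumptions; `count_flags` shows the cost of the "modify the profile periodically" choice, since a profile that absorbs every observation soon stops flagging a repeated 3 AM login.

```python
"""Statistical anomaly detection from per-subject profiles (added example, not from the notes)."""
import statistics
from collections import deque
from typing import Deque, Dict, Iterable, List


class Profile:
    """Rolling window of past observations of one metric for one subject (user or program)."""

    def __init__(self, samples: Iterable[float], window: int = 50) -> None:
        self.samples: Deque[float] = deque(samples, maxlen=window)

    def zscore(self, value: float) -> float:
        """How many standard deviations `value` lies from the profile's mean."""
        mean = statistics.fmean(self.samples)
        stdev = statistics.pstdev(self.samples)
        if stdev == 0.0:
            # Degenerate profile (every past sample identical): any deviation counts as extreme.
            return 0.0 if value == mean else float("inf")
        return abs(value - mean) / stdev

    def is_anomalous(self, value: float, threshold: float = 3.0) -> bool:
        return self.zscore(value) > threshold

    def update(self, value: float) -> None:
        """Adaptive variant: fold the new observation in, evicting the oldest."""
        self.samples.append(value)


# Constructed training data. Hour of day of each login is the original login-time metric;
# number of files written per run is the metric that catches a program that starts writing
# to files it never used to touch.
LOGIN_HOURS: Dict[str, List[int]] = {
    "alice": [8, 9, 9, 10, 8, 9, 10, 9, 8, 9, 10, 9],
    "bob": [22, 23, 22, 21, 23, 22, 22, 23, 21, 22, 23, 22],
}
WRITES_PER_RUN: Dict[str, List[int]] = {
    "cc": [1, 1, 2, 1, 1, 2, 1, 1, 1, 2, 1, 1],   # a compiler normally writes one or two files
}


def build_profiles(training: Dict[str, List[int]]) -> Dict[str, Profile]:
    return {subject: Profile(samples) for subject, samples in training.items()}


def check_event(profiles: Dict[str, Profile], subject: str, value: float,
                adapt: bool = False) -> bool:
    """True if the observation does not fit the subject's profile.

    With adapt=True the profile absorbs the observation afterwards, which is the
    'modify periodically or leave static' trade-off from the notes."""
    profile = profiles.get(subject)
    if profile is None:
        return True   # no profile at all: nothing to compare against, so report it
    flagged = profile.is_anomalous(value)
    if adapt:
        profile.update(value)
    return flagged


def count_flags(adapt: bool, repeats: int = 40) -> int:
    """Repeat a 3 AM login for alice `repeats` times and count how often it is flagged."""
    profiles = build_profiles(LOGIN_HOURS)
    return sum(check_event(profiles, "alice", 3, adapt=adapt) for _ in range(repeats))


if __name__ == "__main__":
    logins = build_profiles(LOGIN_HOURS)
    writes = build_profiles(WRITES_PER_RUN)
    print("alice at 10:00 anomalous?", check_event(logins, "alice", 10))
    print("alice at 03:00 anomalous?", check_event(logins, "alice", 3))
    print("cc writing 40 files anomalous?", check_event(writes, "cc", 40))
    print("static profile flags", count_flags(adapt=False), "of 40 repeated 3 AM logins")
    print("adaptive profile flags", count_flags(adapt=True), "of 40 (the profile drifts)")
```

The static profile reports every one of the repeated off-hours logins; the adaptive one reports only the first couple before the outliers become the norm, which is why real systems update profiles slowly and review what they absorb.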
  • Misuse Detection
    1. Look for specific patterns that indicate a security violation
    2. Basis: need a database or ruleset of attack signatures
    3. Issues: handling log data, correlating logs
    4. Problems: can't find new attacks
  • Specification Detection
    1. Look for violations of specifications
    2. Basis: need a representation of specifications
    3. Issues: similar to misuse detection
    4. Advantage: can detect attacks you don't know about.
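An added example (not part of these notes) covering both the Misuse Detection and the Specification Detection items: a misuse detector matches an attack signature, written as an ordered sequence of predicates inside a time window, against records grouped by user, and a specification detector checks each record of a privileged program against the (action, target) pairs that program is allowed to perform. The audit record format, the password-guessing signature, the `lpd` specification and the log lines are all constructed assumptions, chosen so that the signature fires for one user, fails for another whose failures are spread over too long a time, and the specification catches an action no signature was written for.

```python
"""Misuse (signature) and specification-based detection over constructed audit records.
Added example, not from the notes; the record format and the rules are assumptions."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Event:
    ts: int          # seconds since some epoch
    user: str
    program: str
    action: str
    target: str


def parse_log(text: str) -> List[Event]:
    """Assumed audit format, one record per line: '<ts> <user> <program> <action> <target>'."""
    events = []
    for line in text.strip().splitlines():
        ts, user, program, action, target = line.split(maxsplit=4)
        events.append(Event(int(ts), user, program, action, target))
    return sorted(events, key=lambda e: e.ts)   # correlate by time before matching sequences


# --- Misuse detection: a signature is an ordered sequence of predicates that must all
# --- match records of the same user, with the whole sequence inside a time window.
Step = Callable[[Event], bool]


@dataclass(frozen=True)
class Signature:
    name: str
    steps: Sequence[Step]
    window: int      # max seconds between the first and the last matching record


def _login(result: str) -> Step:
    return lambda e: e.program == "login" and e.action == result


SIGNATURES = [
    Signature("password guessing: three failed logins then a success",
              [_login("FAIL")] * 3 + [_login("OK")], window=60),
]


def misuse_detect(events: List[Event], signatures: List[Signature]) -> List[Tuple[str, str, int]]:
    """Return (signature name, user, time of last matching record) for each match."""
    alerts = []
    by_user: Dict[str, List[Event]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)
    for sig in signatures:
        for user, evs in by_user.items():
            for start, first in enumerate(evs):
                if not sig.steps[0](first):
                    continue
                i, last = start + 1, first
                for step in sig.steps[1:]:
                    while i < len(evs) and not step(evs[i]):
                        i += 1
                    if i == len(evs) or evs[i].ts - first.ts > sig.window:
                        break           # sequence incomplete or spread over too long a time
                    last, i = evs[i], i + 1
                else:
                    alerts.append((sig.name, user, last.ts))
                    break               # one alert per user and signature is enough
    return alerts


# --- Specification detection: what a privileged program is allowed to do, as
# --- (action, target prefix) pairs. Anything else it does is reported, known attack or not.
SPECS: Dict[str, List[Tuple[str, str]]] = {
    "lpd": [("read", "/var/spool/lpd/"), ("write", "/var/spool/lpd/"), ("write", "/dev/lp0")],
}


def spec_detect(events: List[Event], specs: Dict[str, List[Tuple[str, str]]]) -> List[Tuple[str, int, str]]:
    """Return (program, time, 'action target') for every record outside the program's spec.
    Programs without a spec are not monitored: writing the specs is the cost of this approach."""
    alerts = []
    for e in events:
        allowed = specs.get(e.program)
        if allowed is None:
            continue
        if not any(e.action == act and e.target.startswith(prefix) for act, prefix in allowed):
            alerts.append((e.program, e.ts, f"{e.action} {e.target}"))
    return alerts


# Constructed audit log: alice trips the signature, bob's failures are spread too far apart,
# and lpd steps outside its specification once.
AUDIT_LOG = """\
100 alice login FAIL tty1
101 alice login FAIL tty1
103 alice login FAIL tty1
105 alice login OK tty1
110 bob login FAIL tty2
111 bob login FAIL tty2
112 bob login FAIL tty2
200 bob login OK tty2
300 root lpd read /var/spool/lpd/job17
301 root lpd write /dev/lp0
302 root lpd write /etc/passwd
303 bob vi write /home/bob/notes
"""

if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for alert in misuse_detect(events, SIGNATURES):
        print("misuse:", alert)
    for alert in spec_detect(events, SPECS):
        print("spec:", alert)
```

The two detectors fail in opposite ways: the misuse detector sees nothing wrong with `lpd` because no signature describes that behaviour, and the specification detector says nothing about `vi` because nobody wrote a specification for it.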
  • Classical Cryptography
    1. monoalphabetic (simple substitution): f(a) = a + k mod n
    2. example: Cæsar with k = 3, RENAISSANCE -> UHQDLVVDQFH
    3. polyalphabetic: Vigenère, f_i(a) = (a + k_i) mod n
    4. cryptanalysis: first do index of coincidence to see if it's monoalphabetic or polyalphabetic, then Kasiski method.
    5. problem: eliminate periodicity of key
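An added example (not part of these notes) working through the whole item: the monoalphabetic f(a) = (a + k) mod n and polyalphabetic f_i(a) = (a + k_i) mod n as one routine, the index of coincidence, and the Kasiski method on a ciphertext produced here. The plaintext and key are constructed; the plaintext is deliberately repetitive so that repeated trigrams fall a multiple of the key period apart, and the threshold values for English and random text are the standard reference figures, not anything from the notes. `guess_period` takes the smallest factor that divides the most Kasiski distances; the index of coincidence of the resulting cosets then confirms that each coset looks monoalphabetic.

```python
"""Classical ciphers and their cryptanalysis hints (added example, not from the notes)."""
from collections import Counter
from itertools import combinations
from typing import Dict, List

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
N = len(ALPHABET)                         # the modulus n in f(a) = (a + k) mod n
IC_ENGLISH, IC_RANDOM = 0.066, 0.038      # reference values: monoalphabetic English vs. flat text


def clean(text: str) -> str:
    """Keep only letters, upper-cased, so positions line up with ALPHABET."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def vigenere(text: str, key: str, decrypt: bool = False) -> str:
    """Polyalphabetic substitution f_i(a) = (a + k_i) mod n; k_i cycles through the key letters."""
    key = clean(key)
    out = []
    for i, c in enumerate(clean(text)):
        k = ALPHABET.index(key[i % len(key)])
        shift = -k if decrypt else k
        out.append(ALPHABET[(ALPHABET.index(c) + shift) % N])
    return "".join(out)


def caesar(text: str, k: int, decrypt: bool = False) -> str:
    """Monoalphabetic case: a one-letter key is exactly f(a) = (a + k) mod n."""
    return vigenere(text, ALPHABET[k % N], decrypt)


def index_of_coincidence(text: str) -> float:
    """Probability that two letters drawn without replacement are equal.
    Unchanged by any simple substitution, so it separates monoalphabetic from polyalphabetic text."""
    t = clean(text)
    n = len(t)
    if n < 2:
        return 0.0
    return sum(f * (f - 1) for f in Counter(t).values()) / (n * (n - 1))


def coset_ic(ciphertext: str, period: int) -> float:
    """Average IC of the letters enciphered with the same key letter (every period-th letter)."""
    t = clean(ciphertext)
    return sum(index_of_coincidence(t[j::period]) for j in range(period)) / period


def kasiski_distances(ciphertext: str, gram_len: int = 3) -> List[int]:
    """Distances between repeated n-grams; each is a multiple of the period unless it is a coincidence."""
    t = clean(ciphertext)
    positions: Dict[str, List[int]] = {}
    for i in range(len(t) - gram_len + 1):
        positions.setdefault(t[i:i + gram_len], []).append(i)
    return [b - a for pos in positions.values() for a, b in combinations(pos, 2)]


def guess_period(ciphertext: str, max_period: int = 20) -> int:
    """Smallest factor that divides the most Kasiski distances; 1 if nothing repeats."""
    distances = kasiski_distances(ciphertext)
    votes = Counter(f for d in distances for f in range(2, max_period + 1) if d % f == 0)
    if not votes:
        return 1
    best = max(votes.values())
    return min(f for f, v in votes.items() if v == best)


# Constructed, deliberately repetitive plaintext so repeated trigrams line up with the key period.
PLAINTEXT = "ATTACK AT DAWN AND ATTACK AT DUSK AND ATTACK AT NOON"
KEY = "KEY"

if __name__ == "__main__":
    print(caesar("RENAISSANCE", 3))                      # the lecture's Caesar example
    ct = vigenere(PLAINTEXT, KEY)
    print(ct, "->", vigenere(ct, KEY, decrypt=True))
    print("IC of whole ciphertext:", round(index_of_coincidence(ct), 3))
    p = guess_period(ct)
    print("Kasiski period guess:", p, "average coset IC at that period:", round(coset_ic(ct, p), 3))
```

The last item in the list, eliminating the periodicity of the key, is exactly what defeats this: if the key is as long as the message and never repeats, `kasiski_distances` finds nothing and the cosets never reassemble into monoalphabetic text.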


    Department of Computer Science
    University of California at Davis
    Davis, CA 95616-8562

    Page last modified on 11/28/98