Notes for October 22, 1999

1. Greetings and Felicitations!
   1. Bibliography: I'll have copies made for Monday or Wednesday of next week
   2. Program hints: see newsgroup. Should I extend homework due date to Wednesday?
2. Puzzle of the Day
3. Example of Flaw Hypothesis Methodology
   1. Go through Burroughs B6700 penetration
4. Intrusion Detection Systems
   1. Anomaly detectors: look for unusual patterns
   2. Misuse detectors: look for sequences known to cause problems
   3. Specification detectors: look for actions outside specifications
5. Anomaly Detection
   1. Original type: used login times
   2. Can be used to detect viruses, etc. by profiling expected number of writes
   3. Basis: statistically build a profile of users' expected actions, and look for actions which do not fit into the profile
   4. Issue: periodically modify the profile, or leave it static?
   5. User vs. group profiles
   6. Problems
6. Misuse Detection
   1. Look for specific patterns that indicate a security violation
   2. Basis: need a database or ruleset of attack signatures
   3. Issues: handling log data, correllating logs
   4. Problems: can't find new attacks
7. Specification Detection
   1. Look for violations of specifications
   2. Basis: need a representation of specifications
   3. Issues: similar to misuse detection
   4. Advantage: can detect attacks you don't know about.
8. Cryptography
   1. Ciphers vs. Codes
   2. Attacks: ciphertext-only, known plaintext, known ciphertext
9. Classical
   1. monoalphabetic (simple substitution): f(a) = a + k mod n
   2. example: Cæ with k = 3, RENAISSANCE -> UHQDLVVDQFH
   3. polyalphabetic: Vigenère, f_i(a) = a + k_i mod n
   4. cryptanalysis: first do index of coincidence to see if it's monoalphabetic or polyalphabetic, then Kasiski method.
   5. problem: eliminate periodicity of key