Notes for March 18, 1998
- Greetings and Felicitations
- Reading: none
- Review session: 176 Chemistry, Monday, March 23, 10:30-12:30
- Final: this room, Wednesday, March 25, 4:00-6:00
- Puzzle
- Intrusion Detection Systems
- Anomaly detectors: look for unusual patterns
- Misuse detectors: look for sequences known to cause problems
- Specification detectors: look for actions outside specifications
- Anomaly Detection
- Original type: used login times
- Can be used to detect viruses, etc. by profiling expected number of writes
- Basis: statistically build a profile of users' expected actions, and look
for actions which do not fit into the profile
- Issue: periodically modify the profile, or leave it static?
- User vs. group profiles
- Problems
- Misuse Detection
- Look for specific patterns that indicate a security violation
- Basis: need a database or ruleset of attack signatures
- Issues: handling log data, correllating logs
- Problems: can't find new attacks
- Specification Detection
- Look for violations of specifications
- Basis: need a representation of specifications
- Issues: similar to misuse detection
- Advantage: can detect attacks you don't know about.
- Network IDS
- What they do
- Discuss DIDS organization
[ ended here ]
You can also see this document
in its native format,
in Postscript,
in PDF,
or
in ASCII text.
Send email to
cs153@csif.cs.ucdavis.edu.
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 3/18/98