CS4920 (Section 1), Intrusion Detection and Response (3-2).

An introduction to methods of intrusion detection in computer systems and methods for responding to intrusions, including active responses. The first part will focus on finding suspicious behavior in a computer system, with analysis of the advantages and disadvantages of each method, and some managerial issues. The second part will focus on defense methods based on ideas from information warfare, with special attention to deception.

Prerequisite: CS3600.

Textbook: Proctor, The Practical Intrusion Detection Handbook, Prentice Hall PTR, 2001, plus additional readings.

Course outline:

I. Introduction: The cyber-attack threat; attacker types; attack types
II. Methods of detection: Rule-based systems and signatures; statistical modeling and detection of anomalies
III. Network-based intrusion detection methods
IV. Host-based intrusion detection methods
V. Practical considerations: "Myths"; kinds of attacks; connections to forensics; data mining of intrusion data
VI. Managerial issues: Requirements definition; policies for staff; acquisition, installation, and maintenance of detection software
VII. Overview of response methods: Logging; access controls; active deception
VIII. Theory of deception: Deception in warfare; psychology of deception; difficulty of detection of deception
IX. Simple deceptive tactics for software: delays, false error messages, fake files and directories
X. Honeypots and honeynet technology: Setting up dummy sites, collecting data on attackers, protecting the site from exploitation
XI. Software wrapper technology for protecting software; counterplanning for known attack methods
XII. Ethics of intrusion defense; legal aspects of intrusion defense

Contact: Prof. Neil Rowe, ncrowe@nps.navy.mil, CS/Rp, x2462.