Lecture: 3 hours

Discussion: 1 hour

Prerequisite: Course ECS 150; ECS 153 recommended

Grading: Letter; 2-3 homework assignments (20%), 2 presentations of recent technical papers (40%), project (40%)

Catalog Description:
Concepts of intrusion detection, anomaly detection based on machine learning, signature-based detection using pattern matching, automated response to attacks using artificial intelligence planning, tracing intruders based on principal component analysis, security policy languages. Offered in alternate years.

Computer security is becoming increasingly important as a new wave of network applications interconnects almost all of the world's computers. The notion of asymmetric warfare is an apt way to view the threat: someone with access to just a personal computer and the Internet can attack almost any computer on the Internet, and do so with near impunity. This class will introduce the concept of intrusion detection, whereby suspicious or hostile activity is detected using sensors (such as network sniffers, syslogs and audit logs), and the output of the sensors is analyzed to determine the severity of the threat. Intrusion detection is appealing in practice because it does not require any significant change to the insecure system being monitored. There are two basic approaches to intrusion detection:

Anomaly Detection, whereby any behavior inconsistent with what has been previously observed, or inconsistent with a specification of acceptable activity, is flagged.

Misuse Detection, whereby any behavior that matches a previously observed attack (a signature) is flagged.
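The two approaches are easiest to see side by side. The following is an added example, not code from the course or from the textbook: a signature (misuse) detector and a frequency-based anomaly detector run over the same constructed syslog-style lines. The log lines, host names, addresses, the two signatures and the smoothing constant are all made up for illustration; the point is which lines each detector flags and which it misses.

```python
"""Added example (not part of the ECS 236 course description).

A misuse detector (regular-expression signatures) and an anomaly detector
(surprise relative to a baseline of previously observed behaviour) are run
over the same constructed log lines.  Everything below is made up.
"""
import re
from collections import Counter
from math import log2
from typing import List, NamedTuple, Tuple


class Event(NamedTuple):
    host: str
    program: str
    message: str


# Assumed line format: "<host> <program>: <message>" (constructed for this example).
LINE_RE = re.compile(r"^(?P<host>\S+) (?P<program>[^:\s]+): (?P<message>.*)$")


def parse(line: str) -> Event:
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    return Event(m["host"], m["program"], m["message"])


# --- Misuse detection: match patterns of attacks seen before (hypothetical signatures) ---
SIGNATURES = {
    "ssh-auth-failure": re.compile(r"Failed password for (?:invalid user )?\S+ from \S+"),
    "path-traversal": re.compile(r"GET \S*\.\./"),
}


def misuse_detect(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (signature name, line) for every line that matches a signature."""
    hits = []
    for line in lines:
        ev = parse(line)
        for name, rx in SIGNATURES.items():
            if rx.search(ev.message):
                hits.append((name, line))
    return hits


# --- Anomaly detection: compare each event against what the baseline has seen ---
def event_key(ev: Event) -> Tuple[str, str]:
    """Coarse behaviour token: the program plus the first word of its message."""
    return (ev.program, ev.message.split()[0])


def build_baseline(training_lines: List[str]) -> Counter:
    return Counter(event_key(parse(l)) for l in training_lines)


def surprise(baseline: Counter, key: Tuple[str, str], alpha: float = 1.0) -> float:
    """-log2 of the additively smoothed baseline probability of `key`; higher = rarer.
    One extra vocabulary slot reserves probability mass for never-seen keys."""
    total = sum(baseline.values())
    vocab = len(baseline) + 1
    p = (baseline[key] + alpha) / (total + alpha * vocab)
    return -log2(p)


def anomaly_detect(training_lines: List[str], lines: List[str],
                   threshold: float = 3.0) -> List[Tuple[float, str]]:
    """Return (surprise score, line) for lines whose behaviour token exceeds the threshold."""
    baseline = build_baseline(training_lines)
    flagged = []
    for line in lines:
        s = surprise(baseline, event_key(parse(line)))
        if s > threshold:
            flagged.append((round(s, 2), line))
    return flagged


def compare(training_lines: List[str], lines: List[str], threshold: float = 3.0) -> dict:
    """Partition the lines by which detector flagged them (duplicates collapsed)."""
    by_misuse = {l for _, l in misuse_detect(lines)}
    by_anomaly = {l for _, l in anomaly_detect(training_lines, lines, threshold)}
    return {
        "both": sorted(by_misuse & by_anomaly),
        "misuse_only": sorted(by_misuse - by_anomaly),
        "anomaly_only": sorted(by_anomaly - by_misuse),
        "neither": sorted(set(lines) - by_misuse - by_anomaly),
    }


# Constructed "normal" traffic used as the anomaly detector's baseline.
TRAINING_LOGS = [
    "web1 sshd: Accepted publickey for alice from 10.0.0.5",
    "web1 sshd: Accepted publickey for bob from 10.0.0.6",
    "web1 sshd: Accepted publickey for alice from 10.0.0.5",
    "web1 sshd: Accepted publickey for carol from 10.0.0.8",
    "web1 cron: (root) CMD /usr/sbin/logrotate",
    "web1 cron: (root) CMD /usr/sbin/logrotate",
    "web1 cron: (root) CMD /usr/sbin/logrotate",
    "web1 httpd: GET /index.html 200 10.0.0.7",
    "web1 httpd: GET /about.html 200 10.0.0.7",
    "web1 httpd: GET /index.html 200 10.0.0.9",
]

# Constructed lines to inspect: one benign login, a password-guessing burst, a
# directory-traversal probe, and a new but legitimate backup job.
TEST_LOGS = [
    "web1 sshd: Accepted publickey for bob from 10.0.0.6",
    "web1 sshd: Failed password for invalid user admin from 203.0.113.9",
    "web1 sshd: Failed password for invalid user admin from 203.0.113.9",
    "web1 sshd: Failed password for root from 203.0.113.9",
    "web1 httpd: GET /cgi-bin/../../etc/passwd 404 203.0.113.9",
    "web1 backup: Started nightly snapshot of /srv",
]

if __name__ == "__main__":
    for bucket, lines in compare(TRAINING_LOGS, TEST_LOGS).items():
        print(bucket, lines)
```

On this input the password-guessing lines are caught by both detectors; the traversal probe is caught only by the signature, because an `httpd GET` event is perfectly ordinary to the baseline; and the new backup job is flagged only by the anomaly detector, which has no way to know it is benign. That is the trade-off in miniature: misuse detection is precise but blind to attacks it has no signature for, while anomaly detection can surface novel attacks at the cost of false positives on novel but legitimate behaviour.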

Beyond detection itself, the course is also concerned with responding to attacks in progress. From an academic standpoint, intrusion detection is an interesting application of numerous computer science and mathematical theories, including: machine learning, statistical methods, pattern matching, artificial intelligence planning, computer immunology, statistical detection theory, language design, operating systems, computer networks, optimization methods, expert systems, among others.

Expanded Course Description:

  1. Introduction to computer security
  2. Overview of intrusion detection methods
  3. The many threats computers and networks are vulnerable to
  4. Anomaly detection
  5. Misuse detection
  6. Machine learning methods with application to intrusion detection
  7. Correlation methods to detect multi-stage attacks
  8. Traceback methods
  9. Automated response

Textbook:
E. Amoroso, Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Responses, Intrusion.Net Books, Sparta, New Jersey, 1999

Computer Usage:
Project, primarily to research and acquire an existing intrusion detection tool, and to modify it to address a threat the tool was not designed to handle.

Instructor: K. Levitt

Prepared by: K. Levitt (January 2002)

Overlap Statement:

ECS 236 is an advanced and specialized class in computer security, emphasizing the new area of intrusion detection, which draws on concepts from other disciplines, including artificial intelligence, programming languages, statistics, operating systems, networks, and theory of computing. It naturally complements ECS 235, which is a general overview of computer security; ECS 235 provides good background for ECS 236, but not all that is covered in 235 is essential. No other courses constitute a significant overlap.