Salvatore J. Stolfo 606 CEPSR

Transcription

1 CSW6998 Topics in Computer Science: Intrusion and Anomaly Detection Systems Fall 2004 Monday 4:10pm 6:00pm 13 September 13 December 253 Engineering Terrace <Room subject to change> Salvatore J. Stolfo 606 CEPSR URL of sal: URL of Lab: URL of this password protected page: (Access provided by TA. User name is your address) FINAL EXAM SCHEDULE W6998 Topics In CS: TBA The Web-based bboard for the class is UNKNOWN

2 This is the first time this course is offered. It is a work in progress. Thank you for experimenting with me while we debug the course together. Recommended Reading (not required to be purchased): Data Mining for Security Applications. Jajodia and Barbara (Eds.) Kluwer 2002 Stealing the Network: How to Own the Box Russell et al Syngress Publishing ISBN: Fundamentals of Computer Security Technology Edward Amoroso Prentice-Hall, ISBN Pre- or Co-requisite: CSW4180 Network Security SYLLABUS: - The state of threats against computers, and networked systems - Overview of computer security solutions and why they fail - Vulnerability assessment, firewalls, vpn s - Overview of Intrusion Detection and Intrusion Prevention - Network and Host-based - Classes of attacks -network layer: scans, denial of service, penetration -application layer: software exploits, code injection -human layer: identity theft, root access - Classes of attackers -Kids/hackers/sophisticated groups -Automated: Drones, Worms, Viruses - A General model and taxonomy - Signature-based Solutions, Snort, Snort rules - Assignment #1: Familiarity with Snort - Evaluation of, Cost sensitive - Anomaly Detection Systems and algorithms - Network Behavior Based Anomaly Detectors (rate based) - Host-based Anomaly Detectors -Software Vulnerabilities -State transition, immunology, Payload Anomaly Detection - Attack trees and Correlation of alerts

3 Materials: - Autopsy of Worms - /IM security issues - Viruses/Spam - From signatures to thumbprints to zero-day detection - Identity theft issues - Masquerade and Impersonation - Future: Collaborative Security A number of materials have been gathered from open sources on the internet and provided in this course. These include slide presentations from other faculty at other universities who made their source materials openly available. In some cases the style formats were changed, but not the contents. Likewise, papers are provided for background reading that are also openly available on the internet. They have been copied and stored locally for convenience. DETAILED COURSE SCHEDULE: Sessio n Date Topic/chapte r 1 9/13 2 9/20 3 9/27 Overview of Course Scale of security problem Attacks and Attackers Vulnerabilities (protocols, data, code) Satan Taxonomy Audit Tools: tcpdump Libpcap/Winp cap Papers and Projects Introduction to Cybersecurity CERT-Guidelines\CERT-CC Intruder Detection Checklist.htm CERT-Guidelines\CERT -CC Steps for Recovering from a UNIX or NT System Compromise.htm CERT-Guidelines\List of Security Tools.htm Common Exploited Ports: efault.htm SATAN Taxonomy NIST Overview Early Pattern Matching Model N Roesch paper on Snort Tcpdump pocket guide

4 Signaturebased N, Snort and Snort Rules Evaluation of s 4 10/4 Cost-sensitive 5 10/ / / /1 9 11/ /1 5 General Model Data Miningbased Unsupervised Anomaly Detection, CV5 Clustering, SVM, Probabilistic NBAD Specificationbased, Ratebased DDOS, Scans/Probes Predicting (new) attacks Host-based Anomaly Detection Why 6? GUEST LECTURE from industry Correlation Attack Trees Project #1-snort/network project DARPA Evaluations Denning Model on A Data Mining Framework for Constructing Features and Models for Intrusion Detection Systems Data Mining-based Intrusion Detectors Project #2 lipcap/winpcap/tcp_wrappers host project Unsupervised Anomaly Detection Statistical Modeling background Network based Anomaly Detection Stealthy Surveillance Detection Defending Against Denial of Service Attacks in Scout Taxonomy-of-Security-Flaws in Software Sense of Self Modeling System Calls for Intrusion Detection with Dynamic Window Sizes Contact Morgan Stanley DARPA Video of CyberPanel Correlation Engine-SRI Project # 3- correlate multiple sensors/or EMT/Masquerade/etc.

5 11 11/ / / /1 3 Autopsy of network WORMS Payload AD Misuse, Spam, Viruses Traitors, Masqueraders, Impersonators LAST CLASS Collaborative Security FINAL 12/1 PROJECT 7 DUE Code Red Analysis Spread of Sapphire/Slammer Anatomy of the Network Worm Flash and Stealthy Worms and the Warhol Worm Malicious Payload Detection and Buffer Overflow Code Detection SPAM Detecting Viral Propagations Using Behavior Profiles Insiders Masquerade Detection and One-class ATT Masquerade Data set Collaborative Distributed Intrusion Detection Worminator TA DETAILS: Name: Wei-Jen Li Office: 604 CEPSR Phone: weijen@cs.columbia.edu URL: TA office hours: TBA GRADE DISTRIBUTION: Final grades are curved. The distribution is HW/Test Percentage Project #1 30% Project #2 30% Project #3 40%