Original link: http://homes.cerias.purdue.edu/~spaf/classes/CS690E/

CS 690E
Computer Incident Detection and Response

Directory of Topics

  • Course description
  • Course schedule
  • Weekly assignments
  • Course details
  • Instructor
  • Prerequisites
  • Texts and readings
  • Projects
  • Final project/term paper
  • Class policies
  • Miscellaneous stuff

    Course Description

    Computer security is an imperfect concept. Systems may have bugs, configuration errors, or lax controls that allow misuse. This then creates a need to discover and investigate such incidents.

    This course will examine technology for detecting misuse of computer systems, and the methodology of response and investigation. It will include discussion of static and dynamic audit tools, intrusion detection systems, authentication and tracking methods, law enforcement questions, international issues, and the technology of "hardening" systems against misuse.

    Coursework will include reading, at least one project, and a term paper or project. There will also be assignments of various sorts every few weeks. Projects will hopefully include hands-on experimentation with one or more real intrusion detection systems and security tools. There will be no midterm or final exam.

    Course Schedule and Topics

    The following is a schedule of topics by week. This is approximate, and may change based on class interest, availability of outside speakers, and other factors.
    1/09 -- Introduction
    What is a computer incident? What is a computer intrusion? Anomalies vs. misuse. The rise in numbers of incidents. Accidental vs. purposeful incidents. The role of policy.
    1/16 -- Mixed topics
    Review of the 3rd CMAD Guru Workshop. Additional introductory material. Introduction to Tcl and Expect.
    1/23 -- Intrusion detection and vulnerabilities
    What makes a vulnerability? Bugs vs. configuration errors vs. accidents. Discussion of exploitation. What makes an intrusion?
    1/30 -- Methods of detection
    Static vs. dynamic monitoring methods. Statistical methods. Inference and expert systems. Pattern and incident matching. Keystroke monitoring. Other methods.
    2/06 -- Network considerations
    Tracking a network-based attack. Session vs. login. Identification and authentication. Consistency of configuration.
    2/13 -- Firewalls, proxies, and monitors
    Stopping network-based attacks. Monitoring network activity. Types of filters and monitors (e.g., rule-based, history-based, protocol-based).
    2/20 -- Malicious software
    Viruses, worms, automated probes and toolkits. Denial of service floods.
    2/27 -- Open week
    No specific topics schedule. Open for further discussion of previous topics. Discussion of readings.
    3/06 -- Spring break
    No classes!
    3/13 -- Counterattacks
    Active defenses beyond detection.
    3/20 -- Software forensics
    Identifying perpetrators through analysis. Identifying vulnerabilities, attack tools and activities through audit and analysis.
    3/27 -- The role of disclosure
    How should flaws and intrusions be reported? Damage from disclosures. Damage from non-disclosure. The role of incident responders in the community.
    4/03 -- The nature of attackers
    Psychology of hacking. Motivations of intruders. Computer intrusion as an addiction. The "service to society" argument. Are computer break-ins ethical?
    4/10 -- Open week
    No specific topics schedule. Open for further discussion of previous topics. Discussion of readings.
    4/17 -- Response teams
    What is the role of response? How to organize a response group. Tracking and history. The FIRST.
    4/24 -- Incident response and the law
    U.S. and Indiana laws about computer tampering, intrusion, abuse. Statutes regarding computer viruses. Copyright, trade secret, espionage. Multinational considerations.
    5/01 -- Finals week
    No classes! Final project/paper due by 5pm on Wednesday.

    Course Details

    3 class hours, 3 credit hours
    Spring 1995. Tues/Thur 2:30-3:45
    REC 314

    Instructor

    Gene Spafford
    Office hours: T/Th 1-2:30, W 2-4
    494-7825 (x47825)

    Prerequisites

    CS 503 (Graduate Operating Systems) or permission of instructor
    CS 555 (Cryptography and Data Security) is strongly recommended

    Texts & Readings

    Strongly Recommended

    Exploring Expect by Don Libes, O'Reilly & Associates, 1995.

    Practical UNIX Security, by Simson Garfinkel and G. Spafford, O'Reilly & Associates, 1991.

    UNIX System Security, by David Curry, Addison-Wesley, 1991.

    Tcl and the Tk Toolkit by John K. Ousterhout, Addison-Wesley, 1994.

    Computer Security Basics, by D. Russell and G. Gangemi, Sr., O'Reilly & Associates, 1991.

    Other readings

    Other readings will be given during the semester. These will be placed on reserve in the Math/Science library (MATH). A list of those readings will be linked in here as they are assigned.

    Miscellaneous topics

    Sandeep Kumar, Steve Lodin, and Christoph Schuba missed the first week of classes while they attended the 3rd Workshop on Computer Misuse and Anomaly Detection. They have prepared a trip report.

    An archive of the class mailing list is available.

    Gene Spafford