CS 690E
Computer Incident Detection and Response

Directory of Topics

Course Description

This course will examine technology for detecting misuse of computer systems, and the methodology of response and investigation. It will include discussion of static and dynamic audit tools, intrusion detection systems, authentication and tracking methods, law enforcement questions, international issues, and the technology of "hardening" systems against misuse.

Coursework will include reading, at least one project, and a term paper or project. There will also be assignments of various sorts every few weeks. Projects will hopefully include hands-on experimentation with one or more real intrusion detection systems and security tools. There will be no midterm or final exam.

Course Schedule and Topics

1/09 -- Introduction

What is a computer incident? What is a computer intrusion? Anomalies vs. misuse. The rise in numbers of incidents. Accidental vs. purposeful incidents. The role of policy.

1/16 -- Mixed topics

Review of the 3rd CMAD Guru Workshop. Additional introductory material. Introduction to Tcl and Expect.

1/23 -- Intrusion detection and vulnerabilities

What makes a vulnerability? Bugs vs. configuration errors vs. accidents. Discussion of exploitation. What makes an intrusion?

1/30 -- Methods of detection

Static vs. dynamic monitoring methods. Statistical methods. Inference and expert systems. Pattern and incident matching. Keystroke monitoring. Other methods.

2/06 -- Network considerations

Tracking a network-based attack. Session vs. login. Identification and authentication. Consistency of configuration.

2/13 -- Firewalls, proxies, and monitors

Stopping network-based attacks. Monitoring network activity. Types of filters and monitors (e.g., rule-based, history-based, protocol-based).

2/20 -- Malicious software

Viruses, worms, automated probes and toolkits. Denial of service floods.

2/27 -- Open week.

No specific topics schedule. Open for further discussion of previous topics. Discussion of readings.

3/06 -- Spring break

No classes!

3/13 -- Counterattacks.

Active defenses beyond detection.

3/20 -- Software forensics

Identifying perpetrators through analysis. Identifying vulnerabities, attack tools and activities through audit and analysis.

3/27 -- The role of disclosure

How should flaws and intrusions be reported? Damage from disclosures. Damage from non-disclosure. The role of incident responders in the community.

4/03 -- The nature of attackers

Psychology of hacking. Motivations of intruders. Computer intrusion as an addiction. The "service to society" argument. Are computer break-ins ethical?

4/10 -- Open week.

No specific topics schedule. Open for further discussion of previous topics. Discussion of readings.

4/17 -- Response teams

What is the role of response? How to organize a response group. Tracking and history. The FIRST.

4/24 -- Incident response and the law

U.S. and Indiana laws about computer tampering, intrusion, abuse. Statutes regarding computer viruses. Copyright, trade secret, espionage. Multinational considerations.

5/01 -- Finals week

No classes! Final project/paper due by 5pm on Wednesday.

Course Details

Credit

Scheduling

Location

Instructor

Office hours

T/Th 1-2:30

W 2-4

Phone

494-7825 (x47825)

E-mail

spaf@cs.purdue.edu

Prerequisites

Texts & Readings

Required

Strongly Recommended

Reference

UNIX System Security, by David Curry, Addison-Wesley, 1991.

Tcl and the Tk Toolkit by John K. Ousterhout, Addison-Wesley, 1994.

Computer Security Basics, by D. Russell and G. Gangemi, Sr., O'Reilly & Associates, 1991.

Other readings

Miscellanous topics

An archive of the class mailing list is available.