Proposal for a Directed Reading on Intrusion Detection Systems
Purpose of this directed reading
- To understand the state of art in the field of Intrusion Detection Systems
- To evaluate the different free and commercial IDS Tools
- To undertake a project related to IDS
Deliverables
- A final one hour presentation
- Report – Minimum 25 pages excluding title page, glossary, references and appendices, Font Size 11, Times New Roman
- Submission of a weekly journal of activities – papers read, presentations made
- Written critiques of a minimum of 30 current research papers, submitted on a weekly basis. Submissions will also be posted on the student’s website (http://h.students.umkc.edu/hg24d/dr/ids.htm)
Objectives for writing the critiques:
a) Demonstrate that the paper has been read, understood and critically assessed at an advanced level
b) Move beyond the facts presented by critically evaluating the implications of the results and the way in which the paper was written
c) Express ideas successfully through clear and careful writing
Critiques are a minimum of one page, Times New Roman, Font Size 11
- A working project that highlights a specific technological aspect of, or solution to a problem in, current IDSs
Topics Outline
- IDS – Technology, Infrastructure/Architecture, Policies, Approaches, Solutions
- Review of RFCs and active Internet drafts defining IDS requirements, language, and framework from the IETF Intrusion Detection Working Group (IDWG) [www.ietf.org/html.charters/idwg-charter.html]
- Review and analysis of IDS Tools.
(Note: analysis of commercial tools will be done depending on their availability)
- Free – e.g. Snort (open source NIDS), Argus (Unix-based network monitoring tool with IDS capabilities), SWATCH (Simple Watcher, a log file monitor for Unix-based systems)
- Commercial – e.g. Enterasys Network Dragon, RealSecure (from ISS), NetProwler (Symantec), NFR NID (NFR Security)
- Review and analysis of NIDS “Attack and Evasion” Tools
e.g. Stick, Fragroute, Tribe Flood Network, and the network scanning tool nmap
- IDS Enterprise System strategies
- IDS Evolutionary Trends - VoIP IDS, Clustering of IDS, Hybrid IDS
- The problems that have not been solved yet
Issues to be studied
- Scalability
- Pattern matching in IDS
- Root Cause Analysis
- Analysis of anomalous network traffic events
- Use of Mobile Agents
- Use of Artificial Intelligence in IDS
- Eluding IDSs
- Testing and evaluating IDSs
Reading List
1. Intrusion Detection Message Exchange Requirements (draft-ietf-idwg-requirements-10)
http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txt
2. The Intrusion Detection Message Exchange Format (draft-ietf-idwg-idmef-xml-12)
http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-12.txt
3. The Intrusion Detection Exchange Protocol (IDXP) (draft-ietf-idwg-beep-idxp-07)
http://www.ietf.org/internet-drafts/draft-ietf-idwg-beep-idxp-07.txt
4. The TUNNEL Profile (RFC 3620)
http://www.ietf.org/rfc/rfc3620.txt
5. SANS NIDS FAQ
www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm
6. NIST Special Publication 800-31 “Intrusion Detection Systems”
http://csrc.nist.gov/publications
7. Proxy-Annotated Control Flow Graphs: Deterministic Context-Sensitive Monitoring for Intrusion Detection, ICDCIT 2004 (Samik Basu and Prem Uppuluri)
http://www.sce.umkc.edu/~uppulurip/research/icdcit.pdf
8. Improving Feature Selection in Anomaly Intrusion Detection Using Specifications, Workshop on Data Mining with Applications to Security, ICDCIT 2004 (Yanxin Wang, Johnny Wong, Andrew Miner and Prem Uppuluri)
(Paper not yet located)
9. Prem Uppuluri, Intrusion Detection/Prevention Using Behavior Specification, Ph.D Dissertation, SUNY Stony Brook, August 2003
http://www.sce.umkc.edu/~uppulurip/research/dissertation.ps
10. Experiences with Specification Based Intrusion Detection System, Recent Advances in Intrusion Detection (RAID) October 2001 (Prem Uppuluri and R. Sekar)
http://www.sce.umkc.edu/~uppulurip/research/raid01.ps
11. Building Survivable Systems: An Integrated Approach based on Intrusion Detection and Damage Containment, IEEE DISCEX 2000, Hilton Head Island, SC (T. Bowen, M. Segal, R. Sekar, T. Shanbhag and Prem Uppuluri)
http://www.sce.umkc.edu/~uppulurip/research/discex01.ps
12. Pattern Based Intrusion Detection Systems, P. Uppuluri & R. Sekar, TR 99-02, Iowa State University, Ames, IA, 1999
http://www.seclab.cs.sunysb.edu/~prem/tr99.ps
13. Synthesizing Fast Intrusion Prevention/Detection Systems from High-Level Specifications, (with R. Sekar), USENIX Security Symposium 1999, Washington D.C.
http://www.seclab.cs.sunysb.edu/~prem/usenix99.ps
14. “An Introduction to Intrusion Detection Assessment for System and Network Security Management”
http://www.icsa.net/services/consortia/intrusion/intrusion.pdf
15. Intrusion Detection System Product Survey
http://lib-www.lanl.gov/lapubs/00416750.pdf
16. Optimizing Pattern Matching for Intrusion Detection
http://www.sourcefire.com/products/downloads/secured/sf_OPMforID.pdf
17. A New Approach to Vulnerability Management and Intrusion Detection - by Sourcefire and IBM
http://www.sourcefire.com/products/downloads/secured/IBM-SF_white_paper.pdf
18. HTTP IDS Evasions Revisited
http://www.sourcefire.com/products/downloads/secured/sf_HTTP_IDS_evasions.pdf
19. Real-time Network Awareness
http://www.sourcefire.com/products/downloads/secured/sf_RNA.pdf
20. Moving Beyond Detection - Solving the data management problem
http://www.sourcefire.com/products/downloads/secured/sf_beyond_detection.pdf
21. Intelligent Threat Mitigation & Response
http://www.sourcefire.com/products/downloads/secured/SF_threat_mitigation.pdf
22. Snort 2.0 - Detection Revisited
http://www.sourcefire.com/products/downloads/secured/sf_snort20_detection_rvstd.pdf
23. Rules definition for anomaly based intrusion detection
http://www.packetstormsecurity.com/papers/IDS/anomaly_rules_def.pdf
24. The Science of Intrusion Detection System Attack Identification
http://cisco.com/en/US/products/sw/secursw/ps2113/products_white_paper09186a0080092334.shtml
25. Network Security Policy: Best Practices White Paper
http://cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a008014f945.shtml
26. State of the Practice of Intrusion Detection Technologies
http://www.cert.org/archive/pdf/99tr028.pdf
27. Intrusion Detection and Prevention: Protecting Your Network From Attacks
http://www.juniper.net/solutions/literature/white_papers/wp_idp.pdf
28. Intrusion Prevention Systems (Mike Barkett, CISSP, NFR® Security, Inc.)
http://www.nfr.com/resource/downloads/SentivistIPS-WP.pdf
29. Left open (to be added as the reading proceeds)
30. Left open (to be added as the reading proceeds)
Copyright: Himanshu Gupta 2003-2004.