Proposal for a Directed Reading on Intrusion Detection Systems

Purpose of this directed reading

  1. To understand the state of the art in the field of Intrusion Detection Systems
  2. To evaluate the different free and commercial IDS tools
  3. To undertake a project related to IDS

Deliverables

  1. A final one-hour presentation
  2. Report – minimum 25 pages excluding title page, glossary, references and appendices, Font Size 11, Times New Roman
  3. Submission of a weekly journal of activities – papers read, presentations made
  4. A written critique of a minimum of 30 current research papers. Submissions are done on a weekly basis and will also be posted on the student’s website (http://h.students.umkc.edu/hg24d/dr/ids.htm)
  5. A working project that highlights a specific technological aspect or solution to a problem in current IDSs

Objectives for writing the critiques:

a) To read, understand and critically assess the paper at an advanced level

b) To move beyond the facts presented by critically evaluating the implications of the results and the way in which the paper was written

c) To express ideas successfully through clear and careful writing

Critiques are a minimum of one page, Times New Roman, Font Size 11

Topics Outline

  1. IDS – Technology, Infrastructure/Architecture, Policies, Approaches, Solutions
  2. Review of RFCs and active Internet drafts defining IDS requirements, language and framework from the IETF Intrusion Detection Working Group (IDWG) [www.ietf.org/html.charters/idwg-charter.html]
  3. Review and analysis of IDS tools

     (Note: analysis of commercial tools will be done depending on their availability)

     • Free – e.g. Snort (open source NIDS), Argus (Unix-based network monitoring tool with IDS capabilities), SWATCH (Simple Watcher, a log file monitor for Unix-based systems)
     • Commercial – e.g. Enterasys Network Dragon, RealSecure (from ISS), NetProwler (Symantec), NFR NID (NFR Security)

  4. Review and analysis of NIDS “Attack and Evasion” tools, e.g. Stick, Fragroute, Tribe Flood Network, network scanning tool – nmap
  5. IDS enterprise system strategies
  6. IDS evolutionary trends – VoIP IDS, clustering of IDS, hybrid IDS
  7. The problems that have not been solved yet

Issues to be studied

    • Scalability
    • Pattern matching in IDS
    • Root cause analysis
    • Analysis of anomalous network traffic events
    • Use of mobile agents
    • Use of artificial intelligence in IDS
    • Eluding IDSs
    • Testing and evaluating IDSs

Reading List

 1. Intrusion Detection Message Exchange Requirements, draft-ietf-idwg-requirements-10
    http://www.ietf.org/internet-drafts/draft-ietf-idwg-requirements-10.txt

 2. The Intrusion Detection Message Exchange Format, draft-ietf-idwg-idmef-xml-12
    http://www.ietf.org/internet-drafts/draft-ietf-idwg-idmef-xml-12.txt

 3. The Intrusion Detection Exchange Protocol (IDXP), draft-ietf-idwg-beep-idxp-07
    http://www.ietf.org/internet-drafts/draft-ietf-idwg-beep-idxp-07.txt

 4. The TUNNEL Profile (RFC 3620)
    http://www.ietf.org/rfc/rfc3620.txt

 5. SANS NIDS FAQ
    www.sans.org/newlook/resources/IDFAQ/ID_FAQ.htm

 6. NIST Special Publication 800-31, “Intrusion Detection Systems”
    http://csrc.nist.gov/publications

 7. Proxy-Annotated Control Flow Graphs: Deterministic Context-Sensitive Monitoring for Intrusion Detection, ICDCIT 2004 (Samik Basu and Prem Uppuluri)
    http://www.sce.umkc.edu/~uppulurip/research/icdcit.pdf

 8. Improving Feature Selection in Anomaly Intrusion Detection Using Specifications, Workshop on Data Mining with Applications to Security, ICDCIT 2004 (Yanxin Wang, Johnny Wong, Andrew Miner and Prem Uppuluri)
    (Paper not yet located)

 9. Intrusion Detection/Prevention Using Behavior Specification, Ph.D. Dissertation, SUNY Stony Brook, August 2003 (Prem Uppuluri)
    http://www.sce.umkc.edu/~uppulurip/research/dissertation.ps

 10. Experiences with Specification-Based Intrusion Detection System, Recent Advances in Intrusion Detection (RAID), October 2001 (Prem Uppuluri and R. Sekar)
    http://www.sce.umkc.edu/~uppulurip/research/raid01.ps

 11. Building Survivable Systems: An Integrated Approach Based on Intrusion Detection and Damage Containment, IEEE DISCEX 2000, Hilton Head Island, SC (T. Bowen, M. Segal, R. Sekar, T. Shanbhag and Prem Uppuluri)
    http://www.sce.umkc.edu/~uppulurip/research/discex01.ps

 12. Pattern Based Intrusion Detection Systems, TR 99-02, Iowa State University, Ames, IA, 1999 (P. Uppuluri and R. Sekar)
    http://www.seclab.cs.sunysb.edu/~prem/tr99.ps

 13. Synthesizing Fast Intrusion Prevention/Detection Systems from High-Level Specifications, USENIX Security Symposium 1999, Washington D.C. (with R. Sekar)
    http://www.seclab.cs.sunysb.edu/~prem/usenix99.ps

 14. An Introduction to Intrusion Detection Assessment for System and Network Security Management
    http://www.icsa.net/services/consortia/intrusion/intrusion.pdf

 15. Intrusion Detection System Product Survey
    http://lib-www.lanl.gov/lapubs/00416750.pdf

 16. Optimizing Pattern Matching for Intrusion Detection
    http://www.sourcefire.com/products/downloads/secured/sf_OPMforID.pdf

 17. A New Approach to Vulnerability Management and Intrusion Detection, by Sourcefire and IBM
    http://www.sourcefire.com/products/downloads/secured/IBM-SF_white_paper.pdf

 18. HTTP IDS Evasions Revisited
    http://www.sourcefire.com/products/downloads/secured/sf_HTTP_IDS_evasions.pdf

 19. Real-time Network Awareness
    http://www.sourcefire.com/products/downloads/secured/sf_RNA.pdf

 20. Moving Beyond Detection: Solving the Data Management Problem
    http://www.sourcefire.com/products/downloads/secured/sf_beyond_detection.pdf

 21. Intelligent Threat Mitigation & Response
    http://www.sourcefire.com/products/downloads/secured/SF_threat_mitigation.pdf

 22. Snort 2.0: Detection Revisited
    http://www.sourcefire.com/products/downloads/secured/sf_snort20_detection_rvstd.pdf

 23. Rules Definition for Anomaly Based Intrusion Detection
    http://www.packetstormsecurity.com/papers/IDS/anomaly_rules_def.pdf

 24. The Science of Intrusion Detection System Attack Identification
    http://cisco.com/en/US/products/sw/secursw/ps2113/products_white_paper09186a0080092334.shtml

 25. Network Security Policy: Best Practices White Paper
    http://cisco.com/en/US/tech/tk869/tk769/technologies_white_paper09186a008014f945.shtml

 26. State of the Practice of Intrusion Detection Technologies
    http://www.cert.org/archive/pdf/99tr028.pdf

 27. Intrusion Detection and Prevention: Protecting Your Network From Attacks
    http://www.juniper.net/solutions/literature/white_papers/wp_idp.pdf

 28. Intrusion Prevention Systems (Mike Barkett, CISSP, NFR Security, Inc.)
    http://www.nfr.com/resource/downloads/SentivistIPS-WP.pdf

 29. Left open (to be added as the reading proceeds)

 30. Left open (to be added as the reading proceeds)

Copyright: Himanshu Gupta 2003-2004.