Lecture 18: Intrusion Detection

Network Intrusion Detection (NIDS)

What is an advantage of using a NIDS?

NIDS Evasion Attacks

Suppose we install a NIDS that alerts for a path traversal attack whenever it sees ".." (or its hex encoding) in a packet. What evasion attack(s) could an attacker try on this scheme?

NIDS Issues

What is a disadvantage of using a NIDS?

Host-Based Intrusion Detection (HIDS)

What are some tradeoffs between HIDS and NIDS?


What are some advantages and disadvantages of logging?

System Call Monitoring

Which intrusion detection method would be most appropriate for detecting a DoS attack?

Note: This is one of the longer lectures of the semester. If you want to watch it in two sittings, this is a good halfway point to take a study break.

False Positives and False Negatives

Detection Tradeoffs, Base Rate Fallacy

System A has a false positive rate of 0.05% and a false negative rate of 1%. System B has a false positive rate of 1% and a false negative rate of 0.05%. The cost of a false positive is $100, and the cost of a false negative is $10000. Which system is better?

Signature-Based Detection

Does signature-based detection use a blacklist (default allow) or a whitelist (default deny)?

Vulnerability Signatures

Anomaly-Based Detection

Specification-Based Detection

Behavioral Detection

Which detection scheme is least useful for detecting never-before-seen attacks?
A: Anomaly-based
B: Signature-based
C: Specification-based
D: Behavioral-based

Summary of Evasion Issues


Intrusion Detection Conclusion