CS4675 Intrusion Detection and Response

This is an introduction to methods of intrusion detection in computer systems and networks and the possible methods of automatic responses to those events. It will cover types of intrusion detection, inference of suspicion, implementation, and management, and will examine at least one specific product. A special focus in response management will be the use of deliberate deception in defense of systems, including the psychology and ethics of deception in general.



Lecture Hours


Lab Hours


Course Learning Outcomes

Upon completion of this course the student is expected to:

  • Understand the cyber-attack threat, attacker types, and attack types.
  • Be able to describe standard methods of detection:
    • Rule-based systems and signatures.
    • Statistical modeling and detection of anomalie.s
  • Understand key issues in intrusion detection:
    • Network-based intrusion detection methods versus host-based intrusion detection methods.
    • Distributed versus centralized intrusion detection, and antibody models.
    • Software versus hardware solutions.
    • Response methods including logging, dynamic configuration changes, counterattacks, and deception.
    • Theory of deception: Deception in warfare; psychology of deception; difficulty of detection of deception.
    • Simple deceptive tactics for software: delays, false error messages, fake files and directories.
    • Honeypots and honeynet technology: Setting up dummy sites, collecting data on attackers, protecting the site from exploitation.
    • Software wrapper technology for protecting software; counterplanning for known attack methods.
  • Be able to identify key managerial issues in intrusion detection:
    • Requirements definition.
    • Policies for information-security staff.
    • Methods for data mining of intrusion data.
    • Acquisition, installation, and maintenance of detection software.
  • Ethics and legal issues in intrusion defense.