Lehrstuhl für Angewandte Softwaretechnik


Applied Software Engineering



Advanced seminar in the interdisciplinary foundations for computer scientists

Experimental Methods in Software Engineering:
Intrusion Detection

WS 1999/2000

Allen Dutoit, Ph.D.

Interdisciplinary foundations seminar: 2 hours (SWS 2).

Time: Wednesdays 14:15-16:00

Location: -3219 (Lehrstuhl Bruegge Linux Lab)

Preparation meeting:

November 3, 1999, 14:15 in -3219 (Stammgelände)
E-mail registration before that date is strongly encouraged.

Theme:

The goal of the seminar is to provide participants with knowledge of several experimental methods and their application in software engineering. Experimental methods are used to answer questions by the measurement and evaluation of empirical data, that is, data collected during controlled experiments or field observations. In contrast, analytical methods are used to answer questions by the resolution of a mathematical model. In software engineering, both types of methods are needed.

This year, the seminar focuses on anomaly detection methods and uses the detection of computer intrusions as an application domain. Intrusion detection systems aim to automatically detect a computer intrusion, that is, the unauthorized use or misuse of a computer, either by a legitimate user or by an outsider. Intrusion detection systems point to a possible intrusion by detecting anomalies, using predefined rules, patterns, or traces of past events. Intrusion detection is difficult because it is usually impossible to know all the possible ways a system can be compromised. Moreover, the behavior of authorized users on a given system can evolve over time, which requires the system to adapt to a changing definition of what "normal" behavior is. For these reasons, statistical and other experimental methods are used during the development and evaluation of intrusion detection systems, which makes intrusion detection an ideal application domain for this seminar.

Format:

Each participant in this seminar will give a presentation on a specialized topic of intrusion detection (see list of topics) and develop, using experimental methods, an intrusion detection algorithm.

The presentation will focus on the sources of intrusions, an intrusion detection system, or an evaluation method for intrusion detection systems. The presentation will describe related work relevant to the topic as well as the participant's personal evaluation of the topic (e.g., strong points and flaws of the system/approach, questions that have yet to be answered, relevancy, etc.).

In addition to presenting a topic, each participant will develop and evaluate a detection algorithm. Each participant will be given a synthesized trace representative of an anomaly-free environment. Each participant will then synthesize traces that contain different types of anomalies and use them to evaluate his/her algorithm. At the end of the semester, all algorithms will be evaluated and compared against a standard set of traces. The last lecture of the seminar will focus on the presentation and the evaluation of these algorithms.

An important hypothesis behind this seminar is that participants learn through interaction. Throughout the semester, participants are strongly encouraged to interact with the instructor during the development of their presentation and their detection algorithm.

Prerequisites: Vordiplom and some system development experience (e.g., PAID Praktikum 1998/99)

Language:

List of topics and schedule: Follow this link

Literature on experimental methods:

Literature on intrusion detection (under construction):

Office hours: Mondays 14:00-16:00 in room -1207 or by appointment.

