Outline for June 6, 2000
- Greetings and felicitations!
- Implementation
- Object naming
- Process environment
- Process interaction
- Error and exception handling
- Object naming
- Trojan horses
- Race conditions (TOCTTOU)
- Process environment
- Privileges
- Environment variables
- System constraints (root directory, etc.)
- Process interaction
- IPC and pipes
- Use of the network
- Multithreading and synchronization (locking)
- Error and exception handling
- Assumptions
- Signals and race conditions
- Auditing
-
Goals: reconstruction or deduction?
-
Relationship to security policy
-
Application logs
-
System logs
- Example analysis technique
-
GOAL methodology
-
Do it on local file accesses
- Problems
-
Log size
-
Impact on system services
-
Correllation of disparate logs
- Intrusion detection
-
Anomaly detection
-
Misuse detection
-
Specification detection
- Anomaly detection
-
Dorothy Denning's model and IDES
-
Useful characteristics (examples)
-
Cautions and problems
-
Defeating it
- Misuse detection
-
TIM (from DEC)
-
Rule-based analysis and attack recognition
-
Cautions and problems
-
Defeating it
- Specification Detection
-
Property-Based Testing (introduce specifications here)
-
Example
-
Cautions and problems
-
Defeating it
- Toss in a network
-
NSM
-
DIDS
-
GrIDS
Send email to
[email protected].
Department of Computer Science
University of California at Davis
Davis, CA 95616-8562
Page last modified on 6/8/2000