ISS 6750: Intrusion Detection
Spring Term 2007
Arab Academy for Banking and Financial
- Class room is: Room 15
- Meeting time: SAT 11:00-2:00 pm
- The articles/presentations are posted on the web.
There will be NO class this Saturday (31/3/2007).
There will be a make up class this Monday form 4:15-6:00 pm in room 37.
The final exam will be on 25/6/2007 from 6:00-8:00 pm.
- The reading assignments will be distributed in the class/by email
- The final exam will be a take home exam.
this course we will study the most common methods used in computer and network
hacking with the intention of learning how better to protect systems from such
intrusions. These methods include reconnaissance techniques, system scanning,
and gaining system access by network and application level attacks, and denial
of service attacks. Traffic analysis methods and tools will be studied in this
course. Also, we will present techniques for traffic filtering and monitoring,
and intrusion detection.
This course is open to all graduate students
The most common
methods used by intruders to gain control computers are discussed in the
class, and include:
- Trojan horse programs
Presentation Trojan horse programs are a common way for intruders to trick you (sometimes
referred to as "social engineering") into installing "back door" programs.
These can allow intruders easy access to your computer without your knowledge,
change your system configurations, or infect your computer with a computer
- Back door and remote administration programs
Presentation. On Windows computers, three tools commonly used by intruders to gain remote
access to your computer are BackOrifice, Netbus, and SubSeven. These back door
or remote administration programs, once installed, allow other people to
access and control your computer.
TOOL: BacK Office 2K
- Denial of Service
Another form of attack is called a denial-of-service (DoS) attack. This type
of attack causes your computer to crash or to become so busy processing data
that you are unable to use it. It is important to note that in addition to
being the target of a DoS attack, it is possible for your computer to be used
as a participant in a denial-of-service attack on another system.
- Being an intermediary for another attack
Presentation Intruders will frequently use compromised computers as
launching pads for attacking other systems. An example of this is how
distributed denial-of-service (DDoS) tools are used. The intruders install an
"agent" (frequently through a Trojan horse program) that runs on the
compromised computer awaiting further instructions. Then, when a number of
agents are running on different computers, a single "handler" can instruct all
of them to launch a denial-of-service attack on another system. Thus, the end
target of the attack is not your own computer, but someone else’s -- your
computer is just a convenient tool in a larger attack.
- Unprotected Windows shares
Presentation Unprotected Windows networking shares can be exploited by intruders in an
automated way to place tools on large numbers of Windows-based computers
attached to the Internet. Because site security on the Internet is
interdependent, a compromised computer not only creates problems for the
computer's owner, but it is also a threat to other sites on the Internet. The
greater immediate risk to the Internet community is the potentially large
number of computers attached to the Internet with unprotected Windows
networking shares combined with distributed attack tools.
Another threat includes malicious and destructive code, such as viruses or
worms, which leverage unprotected Windows networking shares to propagate.
There is great potential for the emergence of other intruder tools that
leverage unprotected Windows networking shares on a widespread basis.
and ActiveX). These are programming languages that let web developers write
code that is executed by your web browser. Although the code is generally
useful, it can be used by intruders to gather information (such as which web
sites you visit) or to run malicious code on your computer. It is possible to
- Cross-site scripting
Presentation A malicious web developer may attach a script to something sent to a web site,
such as a URL, an element in a form, or a database inquiry. Later, when the
web site responds to you, the malicious script is transferred to your browser.
You can potentially expose your web browser to malicious scripts by
following links in web pages, email messages, or newsgroup postings without
knowing what they link to
using interactive forms on an untrustworthy site
viewing online discussion groups, forums, or other dynamically generated pages
where users can post text containing HTML tags
- Packet sniffing and spoofing
Presentation Packet sniffer is a program that captures data from information packets as
they travel over the network. That data may include user names, passwords, and
proprietary information that travels over the network in clear text. With
perhaps hundreds or thousands of passwords captured by the packet sniffer,
intruders can launch widespread attacks on systems. Installing a packet
sniffer does not necessarily require administrator-level access.
Relative to DSL and traditional dial-up users, cable modem users have a higher
risk of exposure to packet sniffers since entire neighborhoods of cable modem
users are effectively part of the same LAN. A packet sniffer installed on any
cable modem user's computer in a neighborhood may be able to capture data
transmitted by any other cable modem in the same neighborhood.
Intrusion Detection/Prevention Tools and Techniques: There are many
techniques used to prevent/detect intrusion, these include:
Intrusion Detection/Prevention System
- "Cryptography and Network Security” by William
Stallings. Prentice Hall, 4th edition.
- "Tao of Network Security Monitoring, The: Beyond Intrusion Detection". By
Richard Bejtlich. ISBN: 0321246772; Published: Jul 12, 2004.
- "Intruder Alarms".
- Assignments and Presentations : 25 %
- Midterm: 25 %
- Final: 50 %
Dr. Lo'ai A. Tawalbeh