NETWORKING TUTORIAL PROGRAM
F2
Intrusion Detection and Network Forensics
Marcus J. Ranum, Network Flight Recorder, Inc.
Who should attend: Network and system managers, security managers, and auditors. This tutorial will assume some knowledge of TCP/IP networking and client/server computing.
What can intrusion detection do for you? Intrusion detection systems are designed to alert network managers to the presence of unusual or possibly hostile events within the network. Once you've found traces of a hacker, what should you do? What kind of tools can you deploy to determine what happened, how they got in, and how to keep them out? This tutorial provides a highly technical overview of the state of intrusion detection software and the types of products that are available, as well as the basic principles to apply for building your own intrusion detection alarms. Methods of recording events during an intrusion are also covered.
Course outline:
  What is IDS?
    Principles
    Prior art
  Can IDS help?
    What IDS can and can't do for you
    IDS and the WWW
    IDS and firewalls
    IDS and VPNs
  Types and trends in IDS design
    Anomaly detection
    Misuse detection
    Traps
    Future avenues of research
  Concepts for building your IDS
    What you need to know first
    Performance issues
  Tools for building your IDS
    Sniffers and suckers
    Host logging tools
    Log recorders
  Reporting and recording
    Managing alerts
    What to throw away
    What to keep
  Network Forensics
    So you've been hacked
    Forensic tools
    Brief overview of evidence handling
    Who can help you
  Resources and References
Marcus J. Ranum is CEO and founder of Network Flight Recorder, Inc. He is the principal author of several major Internet firewall products, including the DEC SEAL, the TIS Gauntlet, and the TIS Internet Firewall Toolkit. Marcus has been managing UNIX systems and network security for over 13 years, including configuring and managing whitehouse.gov. Marcus is a frequent lecturer and conference speaker on computer security topics.