2nd USENIX Symposium on Internet Technologies and Systems


M3 pm
Intrusion Detection and Network Forensics

Marcus J. Ranum, Network Flight Recorder, Inc.

Who should attend: Network and system managers, security managers, and auditors. This tutorial assumes some knowledge of TCP/IP networking and client/server computing.

What can intrusion detection do for you? Intrusion-detection systems are designed to alert network managers to the presence of unusual or possibly hostile events within the network. Once you've found traces of a hacker, what should you do? What kind of tools can you deploy to determine what happened, how they got in, and how to keep them out? This tutorial provides a highly technical overview of the state of intrusion-detection software and the types of products that are available, as well as the basic principles to apply in building your own intrusion-detection alarms. Methods of recording events during an intrusion are also discussed.

Topics covered include:

  • What is IDS?
    • Principles
    • Prior art
  • Can IDS help?
    • What IDS can do for you
    • What IDS can't do for you
    • IDS and the WWW
    • IDS and firewalls
    • IDS and VPNs
  • Types and trends in IDS design
    • Anomaly detection
    • Misuse detection
    • Traps
    • Future avenues of research
  • Concepts for building your IDS
    • What you need to know first
    • Performance issues
  • Tools for building your IDS
    • Sniffers and suckers
    • Host logging tools
    • Log recorders
  • Reporting and recording
    • Managing alerts
    • What to throw away
    • What to keep
  • Network forensics
    • So you've been hacked
    • Forensic tools
    • Brief overview of evidence handling
    • Who can help you
  • Resources and References

Marcus J. Ranum is CEO and founder of Network Flight Recorder, Inc. He is the principal author of several major Internet firewall products, including the DEC SEAL, the TIS Gauntlet, and the TIS Internet Firewall Toolkit. Marcus has been managing UNIX systems and network security for over 14 years, including configuring and managing whitehouse.gov. Marcus is a frequent lecturer and conference speaker on computer security topics.

Last changed: 22 Jul. 1999 jr