1. 1 Intrusion Detection Methods “Intrusion detection is the process of identifying and responding to malicious activity targeted at computing and networking resources.”

2. 2 The Seven Fundamentals 1.What are the methods used 2.How are IDS Organized 3.What is an intrusion 4.How do we trace and how do they hide 5.How do we correlate information 6.How can we trap intruders 7.Incident response

3. 3 Intrusion correlation Refers to the interpretation, combination, and analysis of information from all available sources.

4. 4 Statistical correlation Variables Change Trends Calculations: Mean, standards deviation, z- score (distance between values/stand dev) Predictive techniques Curve-fitting

5. 5 Intrusion correlation Single and Multiple Correlation of Packets –IP Address, Port, Protocol Real Time and after-the-fact correlation of Information In-band vs. all-band correlation of available information

6. 6 Early warning using Statistical Process Controls (SPC): We parsed snort logs from the period of April 2000 through January 2001. For each of the top ten snort rules reported on, we calculated the number of times each rule was reported each day. Next, we calculated the three day moving average (3DMA) of each reported rule, and plotted on a control chart the number of reports for each rule set each day, and the 3DMA. Control limits were calculated by obtaining the standard deviation of the average over the period, and multiplying times 2 (2-sigma control limits). Any time the 3DMA were above the 2-sigma control limit, or if we noted a run (3 or more increases with no decreases), we considered this a warning.

7. 7

8. 8