Course Number
695.642
Next Offered
Fall 2024
Primary Program
Location
Online
Course Format
Asynchronous Online

This course explores the use of network and host-based intrusion detection and prevention systems (IDS/IPS) as part of an organization’s overall cybersecurity posture and threat-informed decision strategy. A variety of approaches, models, analyses, technologies, frameworks, and algorithms will be discussed, along with the practical concerns of deploying IDS/IPS in enterprise and legacy IT environments, both heterogeneous and homogeneous, as well as in Operational Technology (OT), as-a-service infrastructure, and Internet of Things (IoT) enclaves. Topics include the products, architectures, configurations, and components of IDS/IPS, host and network-based IDS/IPS, network analysis, technologies, Machine Learning, Linux Firewall iptables, Uncomplicated Firewall (UFW), Network Packet Analysis, Cyber Incident Response, IDS/IPS in context, graph theory, and Tor Networking. The use of receiver operating characteristic (ROC) curves to discuss false positives, false negatives, precision-recall graphs, and missed-detection trade-offs, as well as discussions of current research topics, will provide a comprehensive understanding of when and how IDS/IPS can complement host and network security. A variety of IDS tools will be used to collect and analyze potential attacks, including OSSEC, Tripwire, Snort, Suricata, Neo4j, Zeek (the new name for Bro), Nmap, Keras, Wireshark, the delayhost utility, and RapidMiner. The course will use virtual machines in labs and assignments to provide hands-on experience with IDS, including using test data to quantitatively compare different IDS/IPSs.

Course Prerequisite(s)

EN.695.641 Cryptology

Course Offerings

Open

Intrusion Detection

695.642.81
08/26/2024 - 12/10/2024
Semester
Fall 2024
Course Format
Asynchronous Online
Location
Online
Cost
$5,270.00
Course Materials