In the fall of 1999, I was asked to teach a course on computer intrusion detection for the Department of Mathematical Sciences of The Johns Hopkins University. That course was the genesis of this book. I had been working in the field for several years at the Naval Surface Warfare Center, in Dahlgren, Virginia, under the auspices of the SHADOW program, with some funding by the Office of Naval Research. In designing the class, I was concerned both with giving an overview of the basic problems in computer security, and with providing information that was of interest to a department of mathematicians. Thus, the focus of the course was to be more on methods for modeling and detecting intrusions rather than on how to secure one's computer against intrusions. The first task was to find a book from which to teach. I was familiar with several books on the subject, but they were all either at a high level, focusing more on the political and policy aspects of the problem, or written for security analysts, with little to interest a mathematician. I wanted to cover material that would appeal to the faculty members of the department, some of whom ended up sitting in on the course, as well as providing some interesting problems for students. None of the books on the market at the time had an adequate discussion of mathematical issues related to intrusion detection.

1. TCP/IP Networking

Abstract
This chapter is intended to provide an overview of networking and the protocols that are most often used for attacks. This should provide the background needed to understand network data and the various attacks described in the following chapters.
David J. Marchette

2. Network Statistics

Abstract
This chapter looks at some issues related to collecting, measuring, and analyzing network traffic. This will be a brief introduction aimed at introducing some of the issues involved, with a focus on applications of statistical methods to the problems. Some suggestions for further reading are provided at the end.
David J. Marchette

3. Evaluation

Abstract
Statistics involves the fitting of models to data and making inferences from these models. One is often interested in the models themselves because of what they may tell us about the underlying physical process that generated the data. Thus, much of statistics concerns itself with goodness of fit tests, confidence regions, and other tools for determining whether one’s model appropriately and accurately describes the data, and for making inferences from the estimated model.
David J. Marchette

4. Network Monitoring

Abstract
Network monitoring involves attempting to detect attacks on a network, or on hosts on the network, by monitoring the network traffic. This is usually done at the firewall or filtering router, so that all traffic coming into the network can be analyzed.
David J. Marchette

5. Host Monitoring

Abstract
Host monitoring refers to gathering and analyzing information related to the security of a single computer. This usually involves looking at the security log files, monitoring processes, disk usage, file access, and other information related to the proper functioning of the computer. It can also refer to monitoring users on a computer, in an attempt to detect unauthorized users.
David J. Marchette

6. Computer Viruses and Worms

Abstract
Computer viruses are programs that copy themselves onto other programs. When the host program is run, the virus also runs, and as a consequence of its execution it makes further copies of itself. Most viruses also have other effects, such as erasing or damaging files, displaying rude words or pictures, or even damaging the computer or monitor itself.
David J. Marchette

7. Trojan Programs and Covert Channels

Abstract
We are all familiar with the story of the Trojan Horse. The Greeks built a large wooden horse (or rabbit, according to Monty Python), rolled the horse up to the gates of Troy, and left. The Trojans, thinking this was a gift, brought the horse inside the gates. Unbeknownst to them, the horse contained Greek warriors, who sneaked out under cloak of darkness and opened the gates, letting in the rest of the Greek army, resulting in the sacking of Troy.
David J. Marchette