Tutorial M2 – State of the Practice: Intrusion Detection

Dr. Michael Collins, RedJack, LLC
Dr. John McHugh, RedJack, LLC

Monday, December 6th, Half Day

This half day tutorial is intended to provide an overview of the state of practice in intrusion detection. It is intended to provide an understanding of the problems and potential pitfalls for researchers intending to undertake research efforts in the field, especially those who approach it from the viewpoint of other disciplines such as machine learning. The intended audience includes graduate students seeking PhD or MS topics, network security analysts who want deeper insights into the reasons why intrusion detection systems manifest relatively poor performance, and individuals desiring to evaluate intrusion detection products.

At the completion of the tutorial, the student should be conversant with the vocabulary of intrusion detection and have developed an appreciation for the difficulty of the problem area. The tutorial will cover the major classes of intrusion detection including host and network based classifications and signature and anomaly based classifications. Each of these approaches presents its own advantages and problems and each presents specific kinds of problems that need to be addressed by the research and operational communities. While there is a large body of published research in the area, relatively few of the academically developed approaches make any practical impact on the field and a unifying theme of the tutorial will be discussion of why this is the case. Specific topics of interest include the role of intrusion detection in system defense, sensing approaches, detection issues, and intrusion detection system evaluation.


  1. Introduction. Intrusion detection systems   history. Basic IDS technology: HIDS, NIDS, Signature-Based, Anomaly-Based. Major IDS families. Related technologies. Fallacies in IDS - false positives, false negatives, base-rate.
  2. General problems in IDS. Data collection. Inferential fallacies - false positives, false negatives, base-rate, prosecutor's fallacy. IDS evasion. Problems with IDS on the floor: polymorphism, packers and signature evasion, zero-days, and chair-swiveling.
  3. Signature Based IDS: State of the practice. Standard Signature Based IDS: Snort, Commercial systems. Signature management. Mechanisms for comparing and evaluating signatures. Current problems in signature based IDS: malware, signature management, deceptive signatures
  4. Anomaly Based IDS: State of the Practice. Historical anomaly detection   timeshares. Modern anomaly detection systems. Successful anomaly detection. Current problems in anomaly based IDS: noise, training assumptions.
  5. IDS Evaluation. Data available for evaluation. ROC curves and other evaluation mechanisms. Problems in 'normalcy'.
  6. Similar Systems. IPS vs. IDS vs. Sensor. SIM/SEM. AV. DDoS Detection.



About the Instructors

Dr. Michael Collins is Chief Scientist for RedJack and a former scientist for the CERT/Network Situational Awareness Team at Carnegie Mellon University. In this capacity, Dr. Collins was one of the lead designers of CENTAUR and the SiLK toolkit. Dr. Collins is an expert on traffic analysis, and has developed novel methods for tracking peer-to-peer applications and applying social network analysis to network traffic. His work is used by several federal agencies for traffic analysis and network defense. He is currently working on social network analysis of web usage.

Dr. John McHugh is the Senior Principal at RedJack LLC, a network data analysis and security consulting company and holds a visiting faculty position at UNC. Before joining RedJack, he was a Canada Research Chair in Privacy and Security at Dalhousie University in Halifax, NS, and, earlier, senior member of the technical staff with the CERT Situational Awareness Team, where he did research in survivability, network security, and intrusion detection. Recently, he has been involved in the analysis of large scale network flow data using visual analytic techniques and has developed tools for characterizing host and network behavior. Dr. McHugh received his PhD degree in computer science from the University of Texas at Austin. He has a MS degree in computer science from the University of Maryland, and a BS degree in physics from Duke University.