04-625   Intrusion Detection Systems

Location: Africa

Units: 12

Semester Offered: Spring

Course concentration


Course description

Intrusion detection systems (IDSs) constitute an essential component of any network security solution package. Underlying IDSs is a great deal of fascinating mathematics mostly taken from various fields such as Probability Theory, Statistic, and Detection Theory. A good understanding of this mathematical background will enable Security Officers to better appreciate the benefits and limitations of IDSs and prepare them to become better practitioners.

Learning objectives

The goal of this course is two-fold. First, it will provide students with hands-on exposure to the mathematical principles and techniques used in intrusion detection. Second, students will experiment with the real-life process of going from a theoretical intrusion detection solution to its implementation. The course will proceed by introducing mathematical concepts on an "as needed" basis, motivated by their direct applications to intrusion detection.


The class consists of lectures, homework assignments, labs, and a class project. Topics covered include an overview of intrusion detection (host and network-based IDSs, techniques of intrusion detection—anomaly and signature-based), a brief review of the mathematical background of IDSs, and case studies of mathematical solutions for IDSs and the issues related to their applications in the real world.

At the end of the course, students will have a good understanding of the techniques used in designing IDS. They will also acquire the practical skills needed to implement IDS in a work environment.

Content details

Theoretic Part

  • Historic of IDS
  • Understanding Intrusions
  • IDS Definition
  • Role of IDS
  • General Architecture of Modern IDS
  • Types of IDS (Host-based, Network-based, Kernel-Based, Hybrid)
  • Data sources for IDS
  • Detection Techniques
    • Basic Probability and Statistics
    • Error Types
      • False Positive/Negative
      • True Positive/Negative
      • Tradeoff and the: « Receiver Operating Curve (ROC) »
    • Signature-Based Detection Techniques
      • Architecture
      • Pro/Cons
      • Example of Technique: Pattern Matching
    • Anomaly-Based Detection Techniques
      • Architecture
      • Pro/Cons
      • Example of Technique: Machine Learning
    • Performance of IDS (precision, completeness, efficiency, resiliency)
    • Evasion Techniques
    • Current Implementation: IDS/IPS
    • Some IDS/IPS Systems
      • Students to do research and present/demo IDS of their choice
      • Example: Snort, Bro, Suricata, Security Onion, etc.


Tips: Install Security Onion (comes with bro, snort, suricata, etc.)

  • Introduction to « Scapy »
    • Intro
    • Install Scapy
    • IPTABLES Configuration
    • Manually generate packets
  • Network Monitoring Tools
    • Wireshark
  • Case Study 1: SNORT
    • Introduction
    • Installation and test
    • Writing Snort Rules
    • Test/Visualization of Rules and Effects
      • Snort Engine
      • Scapy to craft packets that would trigger rule
      • Wireshark to visualize
  • Case Study 2 (if time permits): Building a Spam Filter (anomaly-based)
    • Theoretical Background
      • Bayesian Detection
      • Neural Network
    • Implementation
      • Generating Synthetic Data
      • Detection Engine
      • Tests 


None, but a background in Networking, Programming, and Basic Probability would help.


Assane Gueye