Intrusion Detection

• Detecting attempts to penetrate our systems
  – Used for post-mortem activities
  – Related problem of extrusion (info leaking out)
• In pre-network days (centralized mainframes)...
  – Primary concern is abuse and insider information access/theft
  – Reliance on logging and audit trails
• But, highly labor intensive to analyze logs
  – What is abnormal activity?
  – Ex: IRS employees snooping records
  – Ex: Moonlighting police officers

September 14, 2005 CS161 Fall 2005 Joseph/Tygar/Vazirani/Wagner 4

Network-based Host Compromises