S-38.4030 Postgraduate Course on Networking Technology
(5-15 ECTS)
Course Topic Spring 2007: Anomaly Detection in the Internet
Latest news:
- 29.1.2007: Schedule available, still waiting topic entries.
- 8.1.2007: The first meeting will be held on 26.1.2007 at 16.00 in D302.
- 5.1.2007: Back in business. Topics assigned on January 26th at 16-18 in D302. Sign up via wwwtopi.
- 30.08.2006: Seminar moved to Spring 2007.
- 6.7.2006: Initial materials are gathered. Course begins to have shape. Expect more updates in August.
- 13.6.2006: Topic decided and course webpages brought up. Everything still very much under construction.
Introduction
Network operators encounter different types of unusual network events on a daily basis. Not all of them are deliberately malicious. Operators want to detect and classify these anomalies and rectify them quickly, without causing unnecessary network service outages. The main challenge in the detection and classification process is the diverse nature of anomalies. Anomalies include (but are definitely not limited to) DoS attacks, virus and worm infections and routing problems. Equipment failures, unusual traffic patterns and application profiles may also appear as anomalies in the network.
Network behaviour may be analysed for anomaly detection. At least three different ways to analyse it exist:
- Protocol analysis aims to detect packets that are too short, have ambiguous options or violate specific application layer protocols. This technique is most useful for detecting host-level attacks.
- Traffic rate analysis tries to detect floods in traffic, using normal traffic and volume data as a reference point. This type of analysis is most useful for detecting denial-of-service attacks.
- Analysing the behaviour of host and application traffic seeks to detect changes in how individual applications and hosts, or groups of them, interact with one another on a network. For example, a normally quiet host that starts connecting to hundreds of hosts per second on the SQL port indicates a worm. This type of analysis is useful for a variety of threats, from worms and malware to insider misuse.
By applying anomaly algorithms best suited to the attacks they are designed to detect, anomaly detection can proactively identify zero-day worms, malware, acceptable-use policy violations and insider misuse. Because anomaly detection looks for substantial changes in network behavior, it is less prone to false positives, and requires less configuration and ongoing maintenance than many other security methods.
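As an added illustration of the host-behaviour analysis described above (example code written for this page, not material from the course), the script below learns a per-host baseline of distinct destinations contacted per second on the SQL port and raises an alert when a host suddenly fans out far beyond that baseline. The flow records, host addresses, the threshold parameters and the port number 1433 are constructed assumptions for the example.

```python
"""Host-behaviour anomaly check: flag a source that suddenly contacts many
distinct hosts on the SQL port. Added example; the flows are constructed."""
from collections import defaultdict
from statistics import mean, pstdev

SQL_PORT = 1433  # assumed SQL service port

# Constructed flow records: (second, src, dst, dst_port).
# Two hosts behave normally for 60 s; at t=60 host 10.0.0.7 opens
# connections to 150 distinct hosts on TCP/1433 within one second.
FLOWS = []
for t in range(60):
    FLOWS.append((t, "10.0.0.3", "10.0.1.%d" % (t % 4), SQL_PORT))  # busy app server, few peers
    if t % 10 == 0:
        FLOWS.append((t, "10.0.0.7", "10.0.1.1", SQL_PORT))         # normally quiet workstation
for i in range(150):
    FLOWS.append((60, "10.0.0.7", "10.0.2.%d" % i, SQL_PORT))       # sudden fan-out


def fanout_per_second(flows, port):
    """Return {src: {second: number of distinct dst hosts contacted on `port`}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for second, src, dst, dport in flows:
        if dport == port:
            seen[src][second].add(dst)
    return {src: {s: len(d) for s, d in secs.items()} for src, secs in seen.items()}


def detect_fanout(flows, port=SQL_PORT, train_until=60, k=3.0, floor=20):
    """Alert (src, second, count) when a host's distinct-destination count in one
    second exceeds both its own baseline (mean + k*stdev over the training period,
    idle seconds counted as 0) and an absolute floor that suppresses noise on
    hosts whose baseline is near zero."""
    alerts = []
    for src, per_sec in fanout_per_second(flows, port).items():
        baseline = [per_sec.get(s, 0) for s in range(train_until)]
        limit = max(floor, mean(baseline) + k * pstdev(baseline))
        for second, count in sorted(per_sec.items()):
            if second >= train_until and count > limit:
                alerts.append((src, second, count))
    return alerts


if __name__ == "__main__":
    for src, second, count in detect_fanout(FLOWS):
        print("fan-out alert: %s contacted %d hosts on tcp/%d at t=%d" % (src, count, SQL_PORT, second))
```

The busy server 10.0.0.3 never trips the rule because its steady rate is its baseline; only the workstation's jump from a handful of peers to 150 in one second is reported.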
Study information
This instance of the course will produce 5-8 ECTS. The course can be included in post-graduate studies on Networking Technology (major or minor in S38). The credits can also be included in graduate studies on Networking Technology.
Course personnel contact information
Registration
Please register for the course via wwwtopi. Note that the number of participants will be limited.
Course goals
The goal of this course is to introduce the students to the state of the art, existing research and latest developments in the area of anomaly detection. The learning goals of an individual student over the course topic are:
- In-depth knowledge of the student's assigned topic: on the particular subject of study the individual student needs to be able to fluently present and evaluate existing solutions and ongoing research. Furthermore, the student must be able to apply his/her knowledge and suggest improvements to the existing research.
- Detailed general knowledge of the whole course topic. This means being able to discuss the other students' contributions in the seminar.
To excel in this course and aim for higher grades, the student has to be able to present initial results of the suggested improvements.
Course arrangements
The course main events will be arranged as an interactive seminar. Seminar language will be English. The topics are found here.
Check also the course requirements.
If an adequate number of high-standard papers and presentations emerge, they will be published in the Networking Laboratory Series. This may require additional work on the paper!
As always, your comments and suggestions towards improving the seminar are also welcome.
Schedule
The first introduction meeting will be held on 26.1.2007 at 16.00 in D302.
Seminar day for presentations will be announced later. We will aim for some convenient date in May. Check the detailed schedule for more information.
The Networking Laboratory is now part of the Department of Communications and Networking. The information on this page may be out of date.
Up-to-date course information is available in the MyCourses service.