Homework #4 - Network Intrusion Detection Systems - Due Wed Sep 7, 11PM

Turn in this assignment via email (vern@berkeley.edu, plain text) by the due date, with the term Homework in the Subject.

Read the paper Bro: A System for Detecting Network Intruders in Real-Time, Vern Paxson, Computer Networks, 31(23-24), pp. 2435-2463, 14 Dec. 1999. (It's fine to skip the appendix.)

Briefly write up your views of:

  1. What are the main contributions of this paper?
  2. What parts of the paper do you find unclear? (optional)
  3. What parts of the paper are questionable? (That is, you think a conclusion may be wrong, an approach or evaluation technically flawed, or data ill-presented.)
  4. A popular freeware NIDS today is Snort. What can you determine about its overall architecture and its model of how to detect attacks? What do you see as its strengths and weaknesses?
  5. Do one of the following:
    1. Investigate (say, a half hour's worth) a modern commercial intrusion detection/prevention system. (It's fine if it's host-based rather than network-based.) What can you determine about its technical underpinnings? How does its approach compare to those of Bro and Snort? Provide URL(s) to the information you used in your assessment.

    2. Familiarize yourself with the current state of Bro as discussed at the Bro web site. What changes/enhancements to the system strike you as the most significant compared to what's described in the original paper? What changes/enhancements did you expect to find (in terms of being important) that you didn't? Why do you think those are lacking?