18.4. Recommended Reading and Web Sites

Two thorough treatments of intrusion detection are [BACE00] and [PROC01]. A more concise but very worthwhile treatment is [BACE01]. Two short but useful survey articles on the subject are [KENT00] and [MCHU00]. [NING04] surveys recent advances in intrusion detection techniques. [HONE01] is the definitive account on honeypots and provides a detailed analysis of the tools and methods of hackers.

BACE00 Bace, R. Intrusion Detection. Indianapolis, IN: Macmillan Technical Publishing, 2000.

BACE01 Bace, R., and Mell, P. Intrusion Detection Systems. NIST Special Publication SP 800-31, November 2000.

HONE01 The Honeynet Project. Know Your Enemy: Revealing the Security Tools, Tactics, and Motives of the Blackhat Community. Reading, MA: Addison-Wesley, 2001.

KENT00 Kent, S. "On the Trail of Intrusions into Information Systems." IEEE Spectrum, December 2000.

MCHU00 McHugh, J.; Christie, A.; and Allen, J. "The Role of Intrusion Detection Systems." IEEE Software, September/October 2000.

NING04 Ning, P., et al. "Techniques and Tools for Analyzing Intrusion Alerts." ACM Transactions on Information and System Security, May 2004.

PROC01 Proctor, P. The Practical Intrusion Detection Handbook. Upper Saddle River, NJ: Prentice Hall, 2001.


Recommended Web Sites

  • CERT Coordination Center: The organization that grew from the computer emergency response team formed by the Defense Advanced Research Projects Agency. The site provides good information on Internet security threats, vulnerabilities, and attack statistics.

  • Honeynet Project: A research project studying the techniques of predatory hackers and developing honeypot products.

  • Honeypots: A good collection of research papers and technical articles.

  • Intrusion Detection Working Group: Includes all of the documents generated by this group.

18.5. Key Terms, Review Questions, and Problems

Key Terms

  • audit record

  • Bayes' Theorem

  • base-rate fallacy

  • intrusion detection

  • intrusion detection exchange format

  • rule-based intrusion detection

  • statistical anomaly detection

Review Questions

  • List and briefly define three classes of intruders.

  • What are two common techniques used to protect a password file?

  • What are three benefits that can be provided by an intrusion detection system?

  • What is the difference between statistical anomaly detection and rule-based intrusion detection?

  • What metrics are useful for profile-based intrusion detection?

  • What is the difference between rule-based anomaly detection and rule-based penetration identification?

  • What is a honeypot?

  • What is a salt in the context of UNIX password management?

  • List and briefly define four techniques used to avoid guessable passwords.

Problems

A taxicab was involved in a fatal hit-and-run accident at night. Two cab companies, the Green and the Blue, operate in the city. You are told that

  • 85% of the cabs in the city are Green and 15% are Blue.

  • A witness identified the cab as Blue.

The court tested the reliability of the witness under the same circumstances that existed on the night of the accident and concluded that the witness was correct in identifying the color of the cab 80% of the time. What is the probability that the cab involved in the incident was Blue rather than Green?
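The taxicab problem is an exercise in Bayes' theorem and the base-rate fallacy listed under Key Terms. The following Python is an added example and not part of the textbook: posterior() is the general form of Bayes' rule for a binary event and a binary report, taxicab() applies it with the figures stated in the problem, and ids_alarm() applies the same function to an intrusion detection setting with constructed figures (one intrusive record per 1000, 99% detection rate, 1% false-alarm rate) to show how a low base rate drives down the meaning of an alarm.

```python
"""Bayes' theorem for a binary event reported by an unreliable observer.
Added illustration, not part of the textbook's text."""
from fractions import Fraction


def posterior(prior, hit_rate, false_alarm_rate):
    """Return P(event | report) by Bayes' theorem.

    prior:            P(event), the base rate
    hit_rate:         P(report | event), how often a true event is reported
    false_alarm_rate: P(report | no event), how often a non-event is reported
    """
    true_reports = prior * hit_rate
    false_reports = (1 - prior) * false_alarm_rate
    return true_reports / (true_reports + false_reports)


def taxicab():
    """Figures from the problem: 15% of cabs are Blue; the witness is right
    80% of the time, so says 'Blue' for a Blue cab with probability 0.8 and
    for a Green cab with probability 0.2 (exact arithmetic via Fraction)."""
    return posterior(Fraction(15, 100), Fraction(80, 100), Fraction(20, 100))


def ids_alarm():
    """Constructed IDS figures (assumed here, not from the text): 1 intrusive
    audit record in 1000, a 99% detection rate and a 1% false-alarm rate.
    The result is the probability that a record which raised an alarm is
    actually intrusive."""
    return posterior(Fraction(1, 1000), Fraction(99, 100), Fraction(1, 100))


if __name__ == "__main__":
    print("P(Blue | witness says Blue) =", taxicab(), "~", float(taxicab()))
    print("P(intrusion | alarm)        =", ids_alarm(), "~", float(ids_alarm()))
```

Both calls use exact fractions so the result can be checked by hand: the denominator is the total probability of the report (true reports plus false reports), and the numerator is the true-report share. The IDS figures make the base-rate point of Section 18.3 concrete: even with a 99% detection rate, a 1% false-alarm rate on a 0.1% base rate means most alarms are false.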


Assume that passwords are selected from four-character combinations of 26 alphabetic characters. Assume that an adversary is able to attempt passwords at a rate of one per second.

  1. Assuming no feedback to the adversary until each attempt has been completed, what is the expected time to discover the correct password?

  2. Assuming feedback to the adversary flagging an error as each incorrect character is entered, what is the expected time to discover the correct password?


Assume that source elements of length $k$ are mapped in some uniform fashion into target elements of length $p$. If each digit can take on one of $r$ values, then the number of source elements is $r^k$ and the number of target elements is the smaller number $r^p$. A particular source element $x_i$ is mapped to a particular target element $y_j$.

  1. What is the probability that the correct source element can be selected by an adversary on one try?

  2. What is the probability that a different source element $x_k$ ($x_i \ne x_k$) that results in the same target element, $y_j$, could be produced by an adversary?

  3. What is the probability that the correct target element can be produced by an adversary on one try?


A phonetic password generator picks two segments randomly for each six-letter password. The form of each segment is CVC (consonant, vowel, consonant), where V = <a, e, i, o, u> and

  1. What is the total password population?

  2. What is the probability of an adversary guessing a password correctly?


Assume that passwords are limited to the use of the 95 printable ASCII characters and that all passwords are 10 characters in length. Assume a password cracker with an encryption rate of 6.4 million encryptions per second. How long will it take to test exhaustively all possible passwords on a UNIX system?


Because of the known risks of the UNIX password system, the SunOS-4.0 documentation recommends that the password file be removed and replaced with a publicly readable file called /etc/publickey. An entry in the file for user A consists of a user's identifier $ID_A$, the user's public key, $PU_a$, and the corresponding private key $PR_a$. This private key is encrypted using DES with a key derived from the user's login password $P_a$. When A logs in, the system decrypts $E[P_a, PR_a]$ to obtain $PR_a$.

  1. The system then verifies that Pa was correctly supplied. How?

  2. How can an opponent attack this system?


The encryption scheme used for UNIX passwords is one way; it is not possible to reverse it. Therefore, would it be accurate to say that this is, in fact, a hash code rather than an encryption of the password?


It was stated that the inclusion of the salt in the UNIX password scheme increases the difficulty of guessing by a factor of 4096. But the salt is stored in plaintext in the same entry as the corresponding ciphertext password. Therefore, those two characters are known to the attacker and need not be guessed. Why is it asserted that the salt increases security?


Assuming that you have successfully answered the preceding problem and understand the significance of the salt, here is another question. Wouldn't it be possible to thwart completely all password crackers by dramatically increasing the salt size to, say, 24 or 48 bits?


Consider the Bloom filter discussed in Section 18.3. Define $k$ = number of hash functions; $N$ = number of bits in hash table; and $D$ = number of words in dictionary.

  1. Show that the expected number of bits in the hash table that are equal to zero is expressed as

  2. Show that the probability that an input word, not in the dictionary, will be falsely accepted as being in the dictionary is

    $P = (1 - f)^k$

  3. Show that the preceding expression can be approximated as

    $P \approx \left(1 - e^{-kD/N}\right)^k$
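As an added example (not code from the textbook), the following Python builds the Bloom filter of Section 18.3 with the problem's parameters $k$, $N$ and $D$ and compares the measured fraction of zero bits and the measured false-acceptance rate against the closed forms. The derivation used here treats the $kD$ bit positions set while loading the dictionary as independent uniform choices, so the fraction of zero bits is $f = (1 - 1/N)^{kD} \approx e^{-kD/N}$ and a word not in the dictionary is falsely accepted with probability $(1 - f)^k$. The $k$ hash functions are SHA-256 over a function index and the word (an assumption made here), and the dictionary and probe words are constructed.

```python
"""Bloom filter dictionary check (Section 18.3) with its false-acceptance
probability checked against simulation. Added example, not from the text."""
import hashlib
import math


class BloomFilter:
    def __init__(self, n_bits, k):
        self.n = n_bits            # N: size of the hash table in bits
        self.k = k                 # k: number of hash functions
        self.bits = bytearray(n_bits)   # one byte per bit, kept simple

    def _positions(self, word):
        # k hash functions H_i(word) = SHA256(i || word) mod N (assumption:
        # the text does not prescribe a particular family of hashes)
        for i in range(self.k):
            digest = hashlib.sha256(i.to_bytes(2, "big") + word.encode()).digest()
            yield int.from_bytes(digest[:8], "big") % self.n

    def add(self, word):
        for pos in self._positions(word):
            self.bits[pos] = 1

    def __contains__(self, word):
        # A word is (possibly falsely) accepted only if all k bits are set.
        return all(self.bits[pos] for pos in self._positions(word))

    def zero_fraction(self):
        return self.bits.count(0) / self.n


def expected_zero_fraction(k, n_bits, d_words):
    """f = (1 - 1/N)^(kD): probability that a given bit is still zero
    after D words, each setting k bits."""
    return (1 - 1 / n_bits) ** (k * d_words)


def approx_zero_fraction(k, n_bits, d_words):
    """The e^(-kD/N) approximation to f."""
    return math.exp(-k * d_words / n_bits)


def false_accept_probability(k, n_bits, d_words):
    """P = (1 - f)^k with f approximated by e^(-kD/N)."""
    return (1 - approx_zero_fraction(k, n_bits, d_words)) ** k


def simulate(k=4, n_bits=20_000, d_words=2_000, trials=10_000):
    """Load a constructed dictionary of D words, then probe with words that
    are guaranteed not to be in it and count false acceptances."""
    bf = BloomFilter(n_bits, k)
    for i in range(d_words):
        bf.add(f"dictword{i}")          # constructed dictionary entries
    false_accepts = sum(1 for i in range(trials) if f"probe{i}" in bf)
    return {
        "observed_zero_fraction": bf.zero_fraction(),
        "expected_zero_fraction": expected_zero_fraction(k, n_bits, d_words),
        "observed_false_accept": false_accepts / trials,
        "predicted_false_accept": false_accept_probability(k, n_bits, d_words),
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name:>24}: {value:.4f}")
```

With k = 4, N = 20,000 and D = 2,000 the ratio kD/N is 0.4, so about 67% of the bits stay zero and roughly 1.2% of non-dictionary words are falsely accepted; the simulation lands close to both figures. Because SHA-256 is deterministic, rerunning gives the same counts, which is convenient when checking the formulas by hand against the code.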


Design a file access system to allow certain users read and write access to a file, depending on authorization set up by the system. The instructions should be of the format

READ (F, User A): attempt by User A to read file F

WRITE (F, User A): attempt by User A to store a possibly modified copy of F

Each file has a header record, which contains authorization privileges; that is, a list of users who can read and write. The file is to be encrypted by a key that is not shared by the users but known only to the system.