695.642.81 - Intrusion Detection

Cybersecurity
Fall 2024

Description

This course explores the use of network, host-based intrusion detection and prevention systems (IDS/IPS) as part of an organization's overall cybersecurity posture and threat informed decision strategy. A variety of approaches, models, analysis, technologies, frameworks and algorithms along with the practical concerns of deploying IDS/IPS in an enterprise/legacy IT heterogenous and homogenous environment will be discussed, along with Operational Technology (OT), as-a-service infrastructure, and Internet of Things (IoT’s) enclaves. Topics include the products, architectures, configurations and components of IDS/IPS, host and network-based IDS/IPS, network analysis, technologies, Machine Learning, Linux Firewall IPTables, Uncomplicated Firewalls (UFW), Network Packet Analysis, Cyber Incident Response, IDS/IPS in context, graph theory and Tor Networking. The use of ROC (receiver operating characteristic/curves) to discuss false positives, false negatives, precision recall graphs, and missed detection trade - offs as well as discussions of current research topics will provide a comprehensive understanding of when and how IDS/IPS can complement host and network security. A variety of IDS tools will be used to collect and analyze potential attacks to include; OSSEC, Tripwire, Snort, Suricata, Neo4j, Zeek (new name Bro), Nmap, Keras, Wireshark, delayhost utility, and Rapid Miner. The course will use virtual machines in labs and assignments to provide hands-on experience with IDS including using test data to quantitatively compare different IDS/IPS’s.

Instructor

Default placeholder image. No profile image found for Jason Crossland.

Jason Crossland

jason.crossland@jhuapl.edu

Course Structure

The course materials are divided into modules which can be accessed by clicking Modules in the Canvas menu. A module will have several sections including the overview, content, readings, discussions, lab activities, and assignments. You are encouraged to preview all sections of the module before starting. Modules run for a period of seven (7) days (Wed. -  Tues.), any exceptions will be communicated by the Professor. I will primarily use the Announcement section, as well as your JHU EP email to communicate class particulars. You should regularly check the Announcements for any updates.

Course Topics

Course Goals

To identify and describe appropriate situations and scenarios where intrusion detection may be applied to achieve an increased level of situational awareness and information assurance, then apply the knowledge to the architecture, configuration, and analysis of specific intrusion detection systems in a real-world setting.

Course Learning Outcomes (CLOs)

Textbooks

There is no required textbook but many reference books/articles will be used throughout the course which will be provided by the Instructor. All supplementary material required to complete the lab activities and assignments will also be provided by the instructor.

Student Coursework Requirements

Students will be required to complete weekly assignments that consist of multiple technical and analytic tasks. It is expected that each class will take approximately 10 - 13 hours per week to complete. Here is an approximate breakdown: assigned reading (approximately 1 – 3 hours per week), listening to the audio annotated slide presentations (approximately 1 – 3 hours per week), participation in discussion groups and class exercises (1 – 3 hours per week), and writing homework assignments and doing lab activities (approximately 4 - 6 hours per week).

This balance will shift week to week, and in particular the assignment load will fluctuate. The final grade will be based on 4 criteria:

Item

% of Grade

Discussions

20%

Assignments

35%

Lab Activities

30%

Tabletop Exercise

15%


Each of these are described below.

Lab Activities (30% of Final Grade Calculation)

Most modules will contain an hands-on Lab activity with embedded questions to verify completion of the activity. Each lab will be available on Day 1 of the module and is due at the end of Day 7. Labs will be graded based on correctness of the responses that demonstrate completion and understanding of the Labs. Late submissions will be reduced by seven (6) points for each day late (no exceptions without prior coordination with the instructor). All labs must be submitted by Day 7, Tuesday @ 1159pm EST, of the module unless otherwise specified.

Discussions (20% of Final Grade Calculation)

Each student is responsible for carefully reading all assigned material, watching the video lectures, and being prepared for discussions with other students.

Students will be graded on their responses based on the four criteria’s listed below:

  1. Concise critical thinking/reasoning (25%)
  2. Generates learning and engagement among classmates (25%)
  3. Demonstrates knowledge of content and applicability to professional practice (25%)
  4. Timeliness and mechanics (25%)

Discussion questions for each module will be available on Wednesday (Day 1). Students must post an initial response to the question no later than Sunday (Day 5). At least one response to another student’s post is required by Monday (Day 6). Posting at least one meaningful in-depth response to another student(s) which adds value and enrichment to the discussion is required to receive full points. (i.e., Timeliness and mechanics). All discussions students wish to post must be completed by Day 7 (Tuesday @ 1159pm EST).

Assignments (35 % of Final Grade Calculation)

Most modules will contain an assignment in addition to the reading, lectures, labs, and other material. In preparing your written homework assignments, please put your name on each assignment. The question must be repeated, in full, before answering the question. The purpose of the homework is to give the students the opportunity to demonstrate and apply their understanding of the course concepts. All homework assignments are due at the end of Day 7, Tuesday @ 1159pm EST, of the module unless otherwise specified. Late submissions will be reduced by seven (6) points for each day late (no exceptions without prior coordination with the instructor).

Writing assignments are evaluated by the following grading elements:

  1. Each part of question is answered (20%)
  2. Writing quality and technical accuracy (15%) (Writing is expected to meet or exceed accepted graduate - level English and scholarship standards. That is, all homework assignments will be graded on grammar and style as well as content.)
  3. Rationale for answer is provided (35%)
  4. Examples are included to illustrate rationale (15%) (If a student does not have direct experience related to a particular question, then the student is to provide analogies versus examples.)
  5. Outside references are included (15%) Note that if outside references are quoted or substantially inserted they must be referenced or no credit will be given for that question.

Tabletop Exercise (15% of Final Grade Calculation)

Traditionally, Module 10 is a different format from the other modules of the course and contains an interactive, team-based exercise to use IDS information in an operational setting to determine an adversary attack objective.

A separate rubric is used and consists of 3 criteria’s:

  1. Timeliness 20%
  2. Team contribution 40%
  3. Critical thinking/Analysis (10% of Final Grade Calculation)

The tabletop exercise is normally ran during the Fall and Spring sessions of this course and sometimes not conducted in the Summer due to a compressed semester/schedule. If the table top exercise is not part of the course outline, another enriching and interesting IDS topic will be covered still providing a very engaging topic area. In this case, the 10% listed as part of the overall grade breakdown will be added to the Discussion portion making it 30% of the overall grade.

Grading Policy

We generally do not directly grade spelling and grammar. However, egregious violations of the rules of the English language will be noted without comment. Consistently poor performance in either spelling or grammar is taken as an indication of poor written communication ability that may detract from your grade.

A grade of A indicates achievement of consistent excellence and distinction throughout the course—that is, conspicuous excellence in all aspects of assignments, lab activities, and discussion in every week.

A grade of B indicates work that meets all course requirements on a level appropriate for graduate academic work. These criteria apply to both undergraduates and graduate students taking the course.

EP uses a +/- grading  system (see “Grading System”, Graduate Programs catalog, p. 10). You should contact your Program Chair for guidance on the breakdown used by your program.

Score RangeLetter Grade
100-98= A+
97-94= A
93-90= A−
89-87= B+
86-83= B
82-80= B−
79-77= C+
76-73= C
72-70= C−
69-67= D+
66-63= D

Academic Policies

Deadlines for Adding, Dropping and Withdrawing from Courses

Students may add a course up to one week after the start of the term for that particular course. Students may drop courses according to the drop deadlines outlined in the EP academic calendar (https://ep.jhu.edu/student-services/academic-calendar/). Between the 6th week of the class and prior to the final withdrawal deadline, a student may withdraw from a course with a W on their academic record. A record of the course will remain on the academic record with a W appearing in the grade column to indicate that the student registered and withdrew from the course.

Academic Misconduct Policy

All students are required to read, know, and comply with the Johns Hopkins University Krieger School of Arts and Sciences (KSAS) / Whiting School of Engineering (WSE) Procedures for Handling Allegations of Misconduct by Full-Time and Part-Time Graduate Students.

This policy prohibits academic misconduct, including but not limited to the following: cheating or facilitating cheating; plagiarism; reuse of assignments; unauthorized collaboration; alteration of graded assignments; and unfair competition. Course materials (old assignments, texts, or examinations, etc.) should not be shared unless authorized by the course instructor. Any questions related to this policy should be directed to EP’s academic integrity officer at ep-academic-integrity@jhu.edu.

Students with Disabilities - Accommodations and Accessibility

Johns Hopkins University values diversity and inclusion. We are committed to providing welcoming, equitable, and accessible educational experiences for all students. Students with disabilities (including those with psychological conditions, medical conditions and temporary disabilities) can request accommodations for this course by providing an Accommodation Letter issued by Student Disability Services (SDS). Please request accommodations for this course as early as possible to provide time for effective communication and arrangements.

For further information or to start the process of requesting accommodations, please contact Student Disability Services at Engineering for Professionals, ep-disability-svcs@jhu.edu.

Student Conduct Code

The fundamental purpose of the JHU regulation of student conduct is to promote and to protect the health, safety, welfare, property, and rights of all members of the University community as well as to promote the orderly operation of the University and to safeguard its property and facilities. As members of the University community, students accept certain responsibilities which support the educational mission and create an environment in which all students are afforded the same opportunity to succeed academically. 

For a full description of the code please visit the following website: https://studentaffairs.jhu.edu/policies-guidelines/student-code/

Classroom Climate

JHU is committed to creating a classroom environment that values the diversity of experiences and perspectives that all students bring. Everyone has the right to be treated with dignity and respect. Fostering an inclusive climate is important. Research and experience show that students who interact with peers who are different from themselves learn new things and experience tangible educational outcomes. At no time in this learning process should someone be singled out or treated unequally on the basis of any seen or unseen part of their identity. 
 
If you have concerns in this course about harassment, discrimination, or any unequal treatment, or if you seek accommodations or resources, please reach out to the course instructor directly. Reporting will never impact your course grade. You may also share concerns with your program chair, the Assistant Dean for Diversity and Inclusion, or the Office of Institutional Equity. In handling reports, people will protect your privacy as much as possible, but faculty and staff are required to officially report information for some cases (e.g. sexual harassment).

Course Auditing

When a student enrolls in an EP course with “audit” status, the student must reach an understanding with the instructor as to what is required to earn the “audit.” If the student does not meet those expectations, the instructor must notify the EP Registration Team [EP-Registration@exchange.johnshopkins.edu] in order for the student to be retroactively dropped or withdrawn from the course (depending on when the "audit" was requested and in accordance with EP registration deadlines). All lecture content will remain accessible to auditing students, but access to all other course material is left to the discretion of the instructor.