Intrusion Detection and Malware Analysis

Lecturer Pavel Laskov, Ph.D.
Class meetings Wed, 10 c.t. - 12.00
Location Sand, kleiner Hörsaal, F122
Credit points, Diplom 2 SWS (lectures) + 1 SWS exercizes
Credit points, Master 4 LP (lectures + exercizes)
Office hours by appointment
Examination area Practical informatics

Course description:
The course provides an overview of methods for detection of security violations in computer systems. Such techniques allow a swift response to security incidents and complement traditional preventive security mechanisms. The specific topics to be covered include:

  • Main classes of attacks against computer systems
  • Taxonomy and architecture of intrusion detection systems
  • Network traffic analysis and feature extraction algorithms
  • Signature and anomaly based detection algorithms
  • Malicious software and its main operating principles
  • Detection, monitoring and analysis of malicious software

Examination and grades:
Diploma students can request an examination on this course in a usual manner and in any reasonable combination with another course. The amount of work covered by this course constitute 2 SWS for lectures and 1 SWS for graded exercises. An exercise certificate will be issued at the end of the semester. The grade for master students will be composed of the results of the written final exam (70%) and exercise grades (30%).

The first two assignments will involve manual analysis of certain attack patterns and must be solved individually. The next three assignments constitute a mini-project in which work will be carried in groups of 3-4 students. The last assignment is a live contest in which the systems developed by teams will be tested on previously unseen data. All assignments will be weighted equally. Up-to-date information can be found at the exercise page.


  • Final exam will be held on Wed. 08.02 at 10-12 in F122

Lecture Schedule

Date Location Topic Slides
Wed, 12.10 F122 Course introduction, security threats [ ]
Wed, 19.10 F122 Attack overview / Network-based Attacks [ ]
Wed, 26.10 F122 Host based attacks against computer systems [ ]
Wed, 02.11 F122 IDS taxonomy and architecture []
Wed, 09.11 F122 Signature-based IDS []
Wed, 16.11 F122 Anomaly-based IDS [ ]
Wed, 23.11 F122 Network IDS sensors: traffic capture and reassembly [ ]
Wed, 30.11 F122 IDS feature extraction [ ]
Wed, 07.12 F122 No class
Wed, 14.12 F122 IDS feature extraction (ctd.) [ ]
Wed, 21.12 F122 Signature matching algorithms [ ]
Wed, 11.01 F122 Automatic signature generation [ ]
Wed, 18.01 F122 Introduction to malware [ ]
Wed, 25.01 F122 Malware collection and analysis [ ]
Wed, 01.02 F122 Live IDS contest
Wed, 08.02 F122 Final exam (Master students only)

Recommended Reading

[1] Edward Amoroso. Intrusion Detection. B&T, 1999.
[2] John Aycock. Computer Viruses and Malware. Springer Verlag, 2006.
[3] Carl Endorf, Eugene Schultz, and Jim Mellander. Intrusion Detection & Prevention McGraw-Hill, 2003.
[4] Stephen Northcutt and Judy Novak. Network Intrusion Detection New Riders, 2002.
[5] Peter Szor. The Art of Computer Virus Research and Defense. Symantec Press, 2005

These books would be helpful in understanding the key material of the course. However they do not cover the full content, as some material represents recent state-of-the-art results. Appropriate references to the literature will be provided.

Last changes:19.03.2018, 18:46 CET . RA-Webmaster. Impressum
© 2001-2008 University of Tübingen