Home‎ > ‎CIS 75‎ > ‎

Project 3: Intrusion Detection


Intrusion Detection and Prevention Systems (IDPS) are essential to keeping a network secure. Just like a burglar or car alarm the IDPS is there to warn you if the controls you put in place to keep attackers out have been bypassed. Unlike a burglar, however, network attacks are invisible. Without something to notify you of problematic behavior on your network you will simply never see it until it's too late. In this project you will look through the IDPS logs of the Palo Alto Firewall appliance (pictured below) in the CIS datacenter. The firewall makes daily logs of threats to the network and you will search those logs for anomalies and try to understand what's going on. 

You may work alone or with your group.

Part 1: Gather a Baseline

Our Palo Alto Firewall emails me daily reports. The daily reports from this semester are attached to the page. The reports are in PDF format. The last page of the report is a summary. There are about two months of reports can be downloaded from the URL below: 

Pick seven consecutive reports (there's a skipped day or two because of downtime) that you will be reporting on. For those seven days examine the summary page of each report. For the first part you will make a summary of the summaries. Write a report that tells me: 
  1. What seven days did you chose to examine? 
  2. What was the total network bandwidth for each of the seven days? 
  3. Was the risk trend up, down or stable? 

Part 2: Dig into Threats

There will be different threats reported on different days. Some threats may be false positives. Start this part by:
  1. Listing all threat types found in the seven days.
  2. Listing all attackers and victims in the seven days.
Analyze the list of threats and attackers you created. Where there any victims or threats that appeared on only one or two days? Where there any threats or victims that appear on every day? Research each threat that was found. For each threat:
  1. Describe the threat (do research online)
  2. Do you think this attack has been (or could be) successful? Why or why not? 
  3. Do you think it's a false positive? Why or why not?

Turn In 

You should answer your questions in a document (use Word, Google Docs, LibreOffice, etc) and submit your document as a PDF. Your document should have the names of all of your group members (if you worked in a group). It should look professional, as if you were submitting it to your client or your boss. Your grade will be based on the completeness of the information you submit and it's appearance. Use complete sentences. 

When your document is prepared submit it on Canvas.