
Data-Driven Network Analysis: A Higher Stage of Computer Security [Paperback]

  • Format: Paperback / softback, 400 pages
  • Publication date: 25-Mar-2014
  • Publisher: O'Reilly Media
  • ISBN-10: 1449357903
  • ISBN-13: 9781449357900
  • Price: 63.99 €*
  • * We will send you an offer for a used copy; its price may differ from the price shown on the website.
  • This book is out of print, but we will send you an offer for a used copy.
Covers what data to capture on your systems; data fusion; structures and storage systems for data; using R, SiLK, and Python for analysis; visualization and exploratory data analysis; graph analysis; network mapping; handling malware; and more.

Traditional intrusion detection and logfile analysis are no longer enough to protect today’s complex networks. In this practical guide, security researcher Michael Collins shows you several techniques and tools for collecting and analyzing network traffic datasets. You’ll understand how your network is used, and what actions are necessary to protect and improve it.

Divided into three sections, this book examines the process of collecting and organizing data, various tools for analysis, and several different analytic scenarios and techniques. It’s ideal for network administrators and operational security analysts familiar with scripting.

  • Explore network, host, and service sensors for capturing security data
  • Store data traffic with relational databases, graph databases, Redis, and Hadoop
  • Use SiLK, the R language, and other tools for analysis and visualization
  • Detect unusual phenomena through Exploratory Data Analysis (EDA)
  • Identify significant structures in networks with graph analysis
  • Determine the traffic that’s crossing service ports in a network
  • Examine traffic volume and behavior to spot DDoS and database raids
  • Get a step-by-step process for network mapping and inventory
Table of Contents

Preface

Part I: Data

  • 1 Sensors and Detectors: An Introduction
      • Vantages: How Sensor Placement Affects Data Collection
      • Domains: Determining Data That Can Be Collected
      • Actions: What a Sensor Does with Data
      • Conclusion
  • 2 Network Sensors
      • Network Layering and Its Impact on Instrumentation
          • Network Layers and Vantage
          • Network Layers and Addressing
      • Packet Data
          • Packet and Frame Formats
          • Rolling Buffers
          • Limiting the Data Captured from Each Packet
          • Filtering Specific Types of Packets
          • What If It's Not Ethernet?
      • NetFlow
          • NetFlow v5 Formats and Fields
          • NetFlow Generation and Collection
      • Further Reading
  • 3 Host and Service Sensors: Logging Traffic at the Source
      • Accessing and Manipulating Logfiles
      • The Contents of Logfiles
          • The Characteristics of a Good Log Message
          • Existing Logfiles and How to Manipulate Them
      • Representative Logfile Formats
          • HTTP: CLF and ELF
          • SMTP
          • Microsoft Exchange: Message Tracking Logs
      • Logfile Transport: Transfers, Syslog, and Message Queues
          • Transfer and Logfile Rotation
          • Syslog
      • Further Reading
  • 4 Data Storage for Analysis: Relational Databases, Big Data, and Other Options
      • Log Data and the CRUD Paradigm
          • Creating a Well-Organized Flat File System: Lessons from SiLK
      • A Brief Introduction to NoSQL Systems
      • What Storage Approach to Use
          • Storage Hierarchy, Query Times, and Aging

Part II: Tools

  • 5 The SiLK Suite
      • What Is SiLK and How Does It Work?
      • Acquiring and Installing SiLK
      • The Datafiles
      • Choosing and Formatting Output Field Manipulation: rwcut
      • Basic Field Manipulation: rwfilter
          • Ports and Protocols
          • Size
          • IP Addresses
          • Time
          • TCP Options
          • Helper Options
          • Miscellaneous Filtering Options and Some Hacks
      • rwfileinfo and Provenance
      • Combining Information Flows: rwcount
      • rwset and IP Sets
      • rwuniq
      • rwbag
      • Advanced SiLK Facilities
          • pmaps
      • Collecting SiLK Data
          • YAF
          • rwptoflow
          • rwtuc
      • Further Reading
  • 6 An Introduction to R for Security Analysts
      • Installation and Setup
      • Basics of the Language
          • The R Prompt
          • R Variables
          • Writing Functions
          • Conditionals and Iteration
      • Using the R Workspace
      • Data Frames
      • Visualization
          • Visualization Commands
          • Parameters to Visualization
          • Annotating a Visualization
          • Exporting Visualization
      • Analysis: Statistical Hypothesis Testing
          • Hypothesis Testing
          • Testing Data
      • Further Reading
  • 7 Classification and Event Tools: IDS, AV, and SEM
      • How an IDS Works
          • Basic Vocabulary
          • Classifier Failure Rates: Understanding the Base-Rate Fallacy
          • Applying Classification
      • Improving IDS Performance
          • Enhancing IDS Detection
          • Enhancing IDS Response
          • Prefetching Data
      • Further Reading
  • 8 Reference and Lookup: Tools for Figuring Out Who Someone Is
      • MAC and Hardware Addresses
      • IP Addressing
          • IPv4 Addresses, Their Structure, and Significant Addresses
          • IPv6 Addresses, Their Structure, and Significant Addresses
          • Checking Connectivity: Using ping to Connect to an Address
          • Tracerouting
          • IP Intelligence: Geolocation and Demographics
      • DNS
          • DNS Name Structure
          • Forward DNS Querying Using dig
          • The DNS Reverse Lookup
          • Using whois to Find Ownership
      • Additional Reference Tools
          • DNSBLs
  • 9 More Tools
      • Visualization
          • Graphviz
      • Communications and Probing
          • netcat
          • nmap
          • Scapy
      • Packet Inspection and Reference
          • Wireshark
          • GeoIP
          • The NVD, Malware Sites, and the C*Es
          • Search Engines, Mailing Lists, and People
      • Further Reading

Part III: Analytics

  • 10 Exploratory Data Analysis and Visualization
      • The Goal of EDA: Applying Analysis
      • EDA Workflow
      • Variables and Visualization
      • Univariate Visualization: Histograms, QQ Plots, Boxplots, and Rank Plots
          • Histograms
          • Bar Plots (Not Pie Charts)
          • The Quantile-Quantile (QQ) Plot
          • The Five-Number Summary and the Boxplot
          • Generating a Boxplot
      • Bivariate Description
          • Scatterplots
          • Contingency Tables
      • Multivariate Visualization
          • Operationalizing Security Visualization
      • Further Reading
  • 11 On Fumbling
      • Attack Models
      • Fumbling: Misconfiguration, Automation, and Scanning
          • Lookup Failures
          • Automation
          • Scanning
      • Identifying Fumbling
          • TCP Fumbling: The State Machine
          • ICMP Messages and Fumbling
          • Identifying UDP Fumbling
      • Fumbling at the Service Level
          • HTTP Fumbling
          • SMTP Fumbling
      • Analyzing Fumbling
          • Building Fumbling Alarms
          • Forensic Analysis of Fumbling
          • Engineering a Network to Take Advantage of Fumbling
      • Further Reading
  • 12 Volume and Time Analysis
      • The Workday and Its Impact on Network Traffic Volume
      • Beaconing
      • File Transfers/Raiding
      • Locality
          • DDoS, Flash Crowds, and Resource Exhaustion
          • DDoS and Routing Infrastructure
      • Applying Volume and Locality Analysis
          • Data Selection
          • Using Volume as an Alarm
          • Using Beaconing as an Alarm
          • Using Locality as an Alarm
          • Engineering Solutions
      • Further Reading
  • 13 Graph Analysis
      • Graph Attributes: What Is a Graph?
          • Labeling, Weight, and Paths
          • Components and Connectivity
          • Clustering Coefficient
      • Analyzing Graphs
          • Using Component Analysis as an Alarm
          • Using Centrality Analysis for Forensics
          • Using Breadth-First Searches Forensically
          • Using Centrality Analysis for Engineering
      • Further Reading
  • 14 Application Identification
      • Mechanisms for Application Identification
          • Port Number
          • Application Identification by Banner Grabbing
          • Application Identification by Behavior
          • Application Identification by Subsidiary Site
      • Application Banners: Identifying and Classifying
          • Non-Web Banners
          • Web Client Banners: The User-Agent String
      • Further Reading
  • 15 Network Mapping
      • Creating an Initial Network Inventory and Map
          • Creating an Inventory: Data, Coverage, and Files
          • Phase I: The First Three Questions
          • Phase II: Examining the IP Space
          • Phase III: Identifying Blind and Confusing Traffic
          • Phase IV: Identifying Clients and Servers
          • Identifying Sensing and Blocking Infrastructure
      • Updating the Inventory: Toward Continuous Audit
      • Further Reading

Index
About the Author

Michael Collins is the chief scientist for RedJack, LLC, a network security and data analysis company located in the Washington, D.C. area. Prior to his work at RedJack, Dr. Collins was a member of the technical staff in the CERT Network Situational Awareness group at Carnegie Mellon University. His primary focus is on network instrumentation and traffic analysis, in particular the analysis of large traffic datasets. Dr. Collins graduated with a PhD in Electrical Engineering from Carnegie Mellon University in 2008; he also holds Master's and Bachelor's degrees from the same institution.