
E-book: Network Security Through Data Analysis: From Data to Action

  • Format: 428 pages
  • Publication date: 08-Sep-2017
  • Publisher: O'Reilly Media
  • Language: eng
  • ISBN-13: 9781491962794
  • Format: EPUB+DRM
  • Price: 40,37 €*
  • * the price is final, i.e. no further discounts apply
  • This e-book is intended for personal use only. E-books cannot be returned.

DRM restrictions

  • Copying (copy/paste):

    not allowed

  • Printing:

    not allowed

  • Usage:

    Digital rights management (DRM)
    The publisher has issued this e-book in encrypted form, which means that to read it you must install special software. You must also create an Adobe ID (more information here). The e-book can be read by 1 user and downloaded to up to 6 devices (all authorised with the same Adobe ID).

    Required software
    To read on mobile devices (phone or tablet) you must install this free application: PocketBook Reader (iOS / Android)

    To read on a PC or Mac you must install Adobe Digital Editions (this is a free application specifically for reading e-books; do not confuse it with Adobe Reader, which is probably already installed on your computer).

    This e-book cannot be read on an Amazon Kindle.

Traditional intrusion detection and logfile analysis are no longer enough to protect today's complex networks. In the updated second edition of this practical guide, security researcher Michael Collins shows InfoSec personnel the latest techniques and tools for collecting and analyzing network traffic datasets. You'll understand how your network is used, and what actions are necessary to harden and defend the systems within it.

In three sections, this book examines the process of collecting and organizing data, various tools for analysis, and several different analytic scenarios and techniques. New chapters focus on active monitoring and traffic manipulation, insider threat detection, data mining, regression and machine learning, and other topics.

You'll learn how to:

  • Use sensors to collect network, service, host, and active domain data
  • Work with the SiLK toolset, Python, and other tools and techniques for manipulating data you collect
  • Detect unusual phenomena through exploratory data analysis (EDA), using visualization and mathematical techniques
  • Analyze text data, traffic behavior, and communications mistakes
  • Identify significant structures in your network with graph analysis
  • Examine insider threat data and acquire threat intelligence
  • Map your network and identify significant hosts within it
  • Work with operations to develop defenses and analysis techniques
Contents (starting page, with page count in parentheses)

Preface ..... xiii
Part I. Data
1 Organizing Data: Vantage, Domain, Action, and Validity ..... 3(16)
  Domain ..... 5(1)
  Vantage ..... 6(2)
  Choosing Vantage ..... 8(1)
  Actions: What a Sensor Does with Data ..... 9(2)
  Validity and Action ..... 11(2)
  Internal Validity ..... 13(1)
  External Validity ..... 14(1)
  Construct Validity ..... 15(1)
  Statistical Validity ..... 15(1)
  Attacker and Attack Issues ..... 16(1)
  Further Reading ..... 16(3)
2 Vantage: Understanding Sensor Placement in Networks ..... 19(16)
  The Basics of Network Layering ..... 19(3)
  Network Layers and Vantage ..... 22(4)
  Network Layers and Addressing ..... 26(1)
  MAC Addresses ..... 27(1)
  IPv4 Format and Addresses ..... 28(1)
  IPv6 Format and Addresses ..... 28(1)
  Validity Challenges from Middlebox Network Data ..... 29(5)
  Further Reading ..... 34(1)
3 Sensors in the Network Domain ..... 35(28)
  Packet and Frame Formats ..... 36(1)
  Rolling Buffers ..... 36(1)
  Limiting the Data Captured from Each Packet ..... 37(1)
  Filtering Specific Types of Packets ..... 37(4)
  What If It's Not Ethernet? ..... 41(1)
  NetFlow ..... 41(1)
  NetFlow v5 Formats and Fields ..... 42(2)
  NetFlow Generation and Collection ..... 44(1)
  Data Collection via IDS ..... 44(1)
  Classifying IDSs ..... 45(1)
  IDS as Classifier ..... 46(4)
  Improving IDS Performance ..... 50(1)
  Enhancing IDS Detection ..... 51(1)
  Configuring Snort ..... 52(5)
  Enhancing IDS Response ..... 57(1)
  Prefetching Data ..... 58(1)
  Middlebox Logs and Their Impact ..... 59(1)
  VPN Logs ..... 60(1)
  Proxy Logs ..... 60(1)
  NAT Logs ..... 61(1)
  Further Reading ..... 61(2)
4 Data in the Service Domain ..... 63(14)
  What and Why ..... 63(2)
  Logfiles as the Basis for Service Data ..... 65(1)
  Accessing and Manipulating Logfiles ..... 65(2)
  The Contents of Logfiles ..... 67(1)
  The Characteristics of a Good Log Message ..... 67(3)
  Existing Logfiles and How to Manipulate Them ..... 70(2)
  Stateful Logfiles ..... 72(3)
  Further Reading ..... 75(2)
5 Sensors in the Service Domain ..... 77(14)
  Representative Logfile Formats ..... 78(1)
  HTTP: CLF and ELF ..... 78(4)
  Simple Mail Transfer Protocol (SMTP) ..... 82(1)
  Sendmail ..... 82(2)
  Microsoft Exchange: Message Tracking Logs ..... 84(1)
  Additional Useful Logfiles ..... 85(1)
  Staged Logging ..... 85(1)
  LDAP and Directory Services ..... 86(1)
  File Transfer, Storage, and Databases ..... 86(1)
  Logfile Transport: Transfers, Syslog, and Message Queues ..... 87(1)
  Transfer and Logfile Rotation ..... 87(1)
  Syslog ..... 87(2)
  Further Reading ..... 89(2)
6 Data and Sensors in the Host Domain ..... 91(16)
  A Host: From the Network's View ..... 92(1)
  The Network Interfaces ..... 93(3)
  The Host: Tracking Identity ..... 96(2)
  Processes ..... 98(1)
  Structure ..... 98(3)
  Filesystem ..... 101(2)
  Historical Data: Commands and Logins ..... 103(1)
  Other Data and Sensors: HIPS and AV ..... 104(1)
  Further Reading ..... 105(2)
7 Data and Sensors in the Active Domain ..... 107(16)
  Discovery, Assessment, and Maintenance ..... 107(1)
  Discovery: ping, traceroute, netcat, and Half of nmap ..... 108(1)
  Checking Connectivity: Using ping to Connect to an Address ..... 108(2)
  Tracerouting ..... 110(2)
  Using nc as a Swiss Army Multitool ..... 112(1)
  nmap Scanning for Discovery ..... 113(2)
  Assessment: nmap, a Bunch of Clients, and a Lot of Repositories ..... 115(1)
  Basic Assessment with nmap ..... 115(4)
  Using Active Vantage Data for Verification ..... 119(1)
  Further Reading ..... 120(3)
Part II. Tools
8 Getting Data in One Place ..... 123(14)
  High-Level Architecture ..... 125(1)
  The Sensor Network ..... 126(1)
  The Repository ..... 127(2)
  Query Processing ..... 129(1)
  Real-Time Processing ..... 130(1)
  Source Control ..... 130(1)
  Log Data and the CRUD Paradigm ..... 131(2)
  A Brief Introduction to NoSQL Systems ..... 133(3)
  Further Reading ..... 136(1)
9 The SiLK Suite ..... 137(36)
  What Is SiLK and How Does It Work? ..... 137(1)
  Acquiring and Installing SiLK ..... 138(1)
  The Datafiles ..... 139(1)
  Choosing and Formatting Output Field Manipulation: rwcut ..... 139(5)
  Basic Field Manipulation: rwfilter ..... 144(1)
  Ports and Protocols ..... 145(1)
  Size ..... 146(1)
  IP Addresses ..... 147(1)
  Time ..... 148(1)
  TCP Options ..... 148(2)
  Helper Options ..... 150(1)
  Miscellaneous Filtering Options and Some Hacks ..... 151(1)
  rwfileinfo and Provenance ..... 152(2)
  Combining Information Flows: rwcount ..... 154(3)
  rwset and IP Sets ..... 157(4)
  rwuniq ..... 161(1)
  rwbag ..... 162(1)
  Advanced SiLK Facilities ..... 163(1)
  PMAPs ..... 163(2)
  Collecting SiLK Data ..... 165(1)
  YAF ..... 166(2)
  rwptoflow ..... 168(1)
  rwtuc ..... 169(1)
  rwrandomizeip ..... 170(1)
  Further Reading ..... 171(2)
10 Reference and Lookup: Tools for Figuring Out Who Someone Is ..... 173(26)
  MAC and Hardware Addresses ..... 174(2)
  IP Addressing ..... 176(1)
  IPv4 Addresses, Their Structure, and Significant Addresses ..... 176(2)
  IPv6 Addresses, Their Structure, and Significant Addresses ..... 178(2)
  IP Intelligence: Geolocation and Demographics ..... 180(1)
  DNS ..... 181(1)
  DNS Name Structure ..... 181(2)
  Forward DNS Querying Using dig ..... 183(8)
  The DNS Reverse Lookup ..... 191(1)
  Using whois to Find Ownership ..... 192(3)
  DNS Blackhole Lists ..... 195(2)
  Search Engines ..... 197(1)
  General Search Engines ..... 197(1)
  Scanning Repositories, Shodan et al ..... 198(1)
  Further Reading ..... 198(1)
Part III. Analytics ..... 199(188)
  An Overview of Attacker Behavior
  Further Reading ..... 202(1)
11 Exploratory Data Analysis and Visualization ..... 203(32)
  The Goal of EDA: Applying Analysis ..... 205(2)
  EDA Workflow ..... 207(1)
  Variables and Visualization ..... 208(1)
  Univariate Visualization ..... 209(1)
  Histograms ..... 210(2)
  Bar Plots (Not Pie Charts) ..... 212(1)
  The Five-Number Summary and the Boxplot ..... 212(2)
  Generating a Boxplot ..... 214(1)
  Bivariate Description ..... 215(1)
  Scatterplots ..... 215(2)
  Multivariate Visualization ..... 217(1)
  Other Visualizations and Their Role ..... 218(4)
  Operationalizing Security Visualization ..... 222(6)
  Fitting and Estimation ..... 228(1)
  Is It Normal? ..... 228(1)
  Simply Visualizing: Projected Values and QQ Plots ..... 228(3)
  Fit Tests: K-S and S-W ..... 231(2)
  Further Reading ..... 233(2)
12 On Analyzing Text ..... 235(18)
  Text Encoding ..... 235(3)
  Unicode, UTF, and ASCII ..... 238(1)
  Encoding for Attackers ..... 239(3)
  Basic Skills ..... 242(1)
  Finding a String ..... 242(1)
  Manipulating Delimiters ..... 243(1)
  Splitting Along Delimiters ..... 243(1)
  Regular Expressions ..... 244(3)
  Techniques for Text Analysis ..... 247(1)
  N-Gram Analysis ..... 247(1)
  Jaccard Distance ..... 247(1)
  Hamming Distance ..... 248(1)
  Levenshtein Distance ..... 248(2)
  Entropy and Compressibility ..... 250(1)
  Homoglyphs ..... 251(1)
  Further Reading ..... 252(1)
13 On Fumbling ..... 253(20)
  Fumbling: Misconfiguration, Automation, and Scanning ..... 253(1)
  Lookup Failures ..... 254(1)
  Automation ..... 254(1)
  Scanning ..... 255(1)
  Identifying Fumbling ..... 255(2)
  IP Fumbling: Dark Addresses and Spread ..... 257(2)
  TCP Fumbling: Failed Sessions ..... 259(5)
  ICMP Messages and Fumbling ..... 264(1)
  Fumbling at the Service Level ..... 265(1)
  HTTP Fumbling ..... 265(2)
  SMTP Fumbling ..... 267(1)
  DNS Fumbling ..... 267(1)
  Detecting and Analyzing Fumbling ..... 268(1)
  Building Fumbling Alarms ..... 268(2)
  Forensic Analysis of Fumbling ..... 270(1)
  Engineering a Network to Take Advantage of Fumbling ..... 271(2)
14 On Volume and Time ..... 273(26)
  The Workday and Its Impact on Network Traffic Volume ..... 273(3)
  Beaconing ..... 276(3)
  File Transfers/Raiding ..... 279(3)
  Locality ..... 282(3)
  DDoS, Flash Crowds, and Resource Exhaustion ..... 285(1)
  DDoS and Routing Infrastructure ..... 286(6)
  Applying Volume and Locality Analysis ..... 292(1)
  Data Selection ..... 292(3)
  Using Volume as an Alarm ..... 295(1)
  Using Beaconing as an Alarm ..... 295(1)
  Using Locality as an Alarm ..... 295(1)
  Engineering Solutions ..... 296(1)
  Further Reading ..... 296(3)
15 On Graphs ..... 299(18)
  Graph Attributes: What Is a Graph? ..... 299(4)
  Labeling, Weight, and Paths ..... 303(5)
  Components and Connectivity ..... 308(1)
  Clustering Coefficient ..... 309(2)
  Analyzing Graphs ..... 311(1)
  Using Component Analysis as an Alarm ..... 311(1)
  Using Centrality Analysis for Forensics ..... 312(1)
  Using Breadth-First Searches Forensically ..... 313(2)
  Using Centrality Analysis for Engineering ..... 315(1)
  Further Reading ..... 315(2)
16 On Insider Threat ..... 317(12)
  Insider Threat Versus Other Classes of Attacks ..... 318(3)
  Avoiding Toxicity ..... 321(1)
  Modes of Attack ..... 322(1)
  Data Theft and Exfiltration ..... 322(1)
  Credential Theft ..... 323(1)
  Sabotage ..... 323(1)
  Insider Threat Data: Logistics and Collection ..... 324(1)
  Applying Sector-Based Workflow to Insider Threat ..... 324(2)
  Physical Data Sources ..... 326(1)
  Keeping Track of User Identity ..... 326(1)
  Further Reading ..... 327(2)
17 On Threat Intelligence ..... 329(10)
  Defining Threat Intelligence ..... 329(1)
  Data Types ..... 330(3)
  Creating a Threat Intelligence Program ..... 333(1)
  Identifying Goals ..... 333(2)
  Starting with Free Sources ..... 335(1)
  Determining Data Output ..... 335(1)
  Purchasing Sources ..... 335(2)
  Brief Remarks on Creating Threat Intelligence ..... 337(1)
  Further Reading ..... 337(2)
18 Application Identification ..... 339(16)
  Mechanisms for Application Identification ..... 339(1)
  Port Number ..... 340(4)
  Application Identification by Banner Grabbing ..... 344(3)
  Application Identification by Behavior ..... 347(4)
  Application Identification by Subsidiary Site ..... 351(1)
  Application Banners: Identifying and Classifying ..... 351(1)
  Non-Web Banners ..... 351(1)
  Web Client Banners: The User-Agent String ..... 352(2)
  Further Reading ..... 354(1)
19 On Network Mapping ..... 355(18)
  Creating an Initial Network Inventory and Map ..... 355(1)
  Creating an Inventory: Data, Coverage, and Files ..... 356(2)
  Phase I: The First Three Questions ..... 358(2)
  Phase II: Examining the IP Space ..... 360(5)
  Phase III: Identifying Blind and Confusing Traffic ..... 365(3)
  Phase IV: Identifying Clients and Servers ..... 368(3)
  Identifying Sensing and Blocking Infrastructure ..... 371(1)
  Updating the Inventory: Toward Continuous Audit ..... 371(1)
  Further Reading ..... 372(1)
20 On Working with Ops ..... 373(12)
  Ops Environments: An Overview ..... 373(1)
  Operational Workflows ..... 374(1)
  Escalation Workflow ..... 375(2)
  Sector Workflow ..... 377(2)
  Hunting Workflow ..... 379(1)
  Hardening Workflow ..... 380(2)
  Forensic Workflow ..... 382(1)
  Switching Workflows ..... 383(1)
  Further Readings ..... 384(1)
21 Conclusions ..... 385(2)
Index ..... 387
Michael Collins is the chief scientist for RedJack, LLC, a network security and data analysis company located in the Washington, D.C. area. Prior to his work at RedJack, Dr. Collins was a member of the technical staff at the CERT/Network Situational Awareness group at Carnegie Mellon University. His primary focus is on network instrumentation and traffic analysis, in particular on the analysis of large traffic datasets. Dr. Collins graduated with a PhD in Electrical Engineering from Carnegie Mellon University in 2008; he holds Master's and Bachelor's degrees from the same institution.