Intrusion Detection

An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response

Edward Amoroso

Publisher: Intrusion.Net Books, 1999, 218 pages

ISBN: 0-9666700-7-8

Keywords: IT Security

Last modified: July 18, 2021, 2:33 p.m.

The proliferation of cracking activity on the internet has led to astounding developments in intrusion detection technology. This book will lead you through the details and methodologies associated with this important type of security protection. System administrators, programmers, system and software engineers, and managers of technology will find this book invaluable. And anyone associated with information assurance for critical infrastructures will learn how intrusion detection can be applied to their unique security needs.

With this book, you will learn about intrusion detection topics including:

  • Commercial tools for intrusion detection
  • Strategies for processing security audit trails
  • Correlation techniques and algorithms
  • Intruder trace back techniques
  • Deception-based honey pots and traps
  • Incident response and disaster recovery

Table of Contents

  • Preface
    • How Did This Book Come About?
    • Who is This Book Written For?
    • On Responsible and Ethical Surveillance
    • Outline of the Book
    • Acknowledgments
  1. Introduction to Intrusion Detection
    • What is Intrusion Detection?
    • What Analogies are Useful for Understanding Intrusion Detection Systems?
    • What are the Basic Concepts in Intrusion Detection?
    • Seven Fundamental Issues in Intrusion Detection
    • Issue 1: What Methods are Used by Intrusion Detection Systems?
    • Issue 2: How are Intrusion Detection Systems Organised?
    • Issue 3: What is an Intrusion?
    • Issue 4: How do Intruders Hide on the Internet (and How Can Their Origin Be Traced)?
    • Issue 5: How Do Intrusion Detection Systems Correlate Information?
    • Issue 6: How Can Intruders Be Trapped?
    • Issue 7: What Methods are Available for Incident Response?
    • What Intrusion Detection Procedures and Systems Exist?
    • Bibliographic Notes
  2. Intrusion Detection Methods
    • What Methods are Used for Intrusion Detection?
    • How Does the Audit Trail Processing Method Work?
    • How Do Government Standards Address Audit?
    • Case Study: Finding Intrusions in a Hypothetical Audit
    • What Problems Must be Considered in the Use of Audit Trails?
    • Case Study: UNIX Syslog Audit Processing
    • Case Study: Swatch Audit Processing
    • Case Study: SecureView Firewall-1 Audit Processing
    • Case Study: Computer Misuse Detection System (CMDS)
    • How Does On-the-Fly Processing Work?
    • Case Study: SNMP Remote Monitoring (RMON)
    • Case Study: Network Flight Recorder Processing
    • How is Traffic Extracted from the Network for Processing?
    • Case Study: BorderGuard Firewall Extraction for NetRanger Processing
    • How Does the Normal Behavior Profile Method Work?
    • Case Study: IDES Model
    • Can Toll Fraud Intrusions Be Detected?
    • Case Study: XIOX Hacker Prevention Tools
    • How Does the Abnormal Behavior Signature Method Work?
    • Case Study: Firewall Intrusion Detection Rules
    • Case Study: String Matching in NetRanger NSX Sensor
    • How Does the Parameter Pattern Matching Method Work?
    • Case Study: HP OpenView Network Management
    • A Recent Criticism of Intrusion Detection Methods
    • Bibliographic Notes
  3. Intrusion Detection Architectures
    • An Intrusion Detection System Architectural Schema
    • What Are The Functional Components of Intrusion Detection Systems?
    • Target Systems for Intrusion Detection
    • Can Intrusion Detection be Performed in non-TCP/IP Settings?
    • Information Feeds for Intrusion Detection Systems
    • Case Study: Network Flight Recorder Packet Suckers
    • Processing in Intrusion Detection
    • What Algorithms Do Intrusion Detection Processing Elements Implement?
    • Intrusion Detection System Knowledge Bases
    • Storage Techniques for Intrusion Detection
    • Case Study: UNIX Syslog Actions
    • Intrusion Detection System GUI Technology
    • Intrusion Detection Communications Infrastructure
    • Case Study: Emerald Architecture
    • Case Study: Common Intrusion Detection Framework
    • Bibliographic Notes
  4. Models of Intrusion
    • What is an Intrusion?
    • A Temporal Model of Intrusions as Action Sequences
    • Case Study: Taxonomies of Intrusion
    • How Are Intrusions Indicated?
    • Repetition as an Intrusion Indicator
    • Case Study: SYN Flood Attack
    • Mistyped Commands or Responses as an Intrusion Indicator
    • Case Study: Berford Attack at AT&T
    • Exploitation of Known Vulnerabilities as an Intrusion Indicator
    • Directional Inconsistencies as an Intrusion Indicator
    • Unexpected Attributes as an Intrusion Indicator
    • Case Study: Toll Fraud
    • Case Study: ODS SecureSwitch
    • Unexplained Problems as an Intrusion Indicator
    • Case Study: Stoll finds an Accounting Error
    • Out of Band Knowledge as an Intrusion Indicator
    • Suspicious Traffic Content as an Intrusion Indicator
    • Bibliographic Notes
  5. Internet Identity and Anonymity
    • What is an Internet Identity?
    • Who Needs to Know Internet Identities?
    • A Primer on Internet Naming and Addressing for Intrusion Detection
    • Why is Hiding on the Internet So Easy?
    • Case Study: Anonymizing Internet Sites
    • Case Study: Blind Signature-Based Electronic Cash
    • Internet Identity: Trace-Back
    • Techniques for Tracing Identity
    • Case Study: UNIX Finger Program
    • Case Study: Internet Cookies
    • Case Study: Caller Identification
    • Bibliographic Notes
  6. Intrusion Correlation
    • What is Meant by Intrusion Correlation?
    • A Primer on Statistical Correlation
    • What Types of Intrusion Correlation Exist?
    • Correlation Philosophy: Small Heuristic Approaches
    • Intrusion Correlation Within Single Sessions
    • Packet Heuristics for Single Session Processing
    • Case Study: System Call Trace Correlation
    • Case Study: NIDES/Stats Statistical Component
    • Real-Time Versus After-the-Fact Correlation
    • Correlating In-Band and Out-of-Band Information
    • Case Study: All-Band Air Force Information Warfare Center (AFIWC) Intrusion Detection Processing
    • Case Study: Correlation Decisions in a Hypothetical Intrusion Detection Infrastructure
    • Bibliographic Notes
  7. Internet Traps
    • Warning for Readers on Internet Traps
    • What is an Internet Trap?
    • Packet Diversion View of Internet Traps
    • Four Types of Internet Traps
    • Case Study: Multilevel Secure Unix Intruder Trap
    • Design Tips for Internet Traps
    • Case Study: Web Spoofing Traps
    • Case Study: Internet Lightning Rod
    • Case Study: Cable Company Traps for Service Thieves
    • Case Study: Berford Incidents
    • Bibliographic Notes
  8. Incident Response
    • What is Incident Response?
    • Incident Response Process
    • How Do Various Factors Influence Incident Response?
    • Passive Factors Influencing Incident Response
    • Active Factors Influencing Incident Response
    • Case Study: RealSecure and Firewall-1 Response
    • Taxonomy of Incident Response Approaches
    • Scenarios Resulting from the Proposed Taxonomy
    • Methodological Applications of the Response Taxonomy
    • Case Study: CERT-CC Response Recommendations
    • Bibliographic Notes

Reviews

Intrusion Detection

Reviewed by Roland Buresund

Decent ****** (6 out of 10)

Last modified: May 21, 2007, 3:06 a.m.

A good introduction by the area's best author.
