Title:
Network intrusion detection and prevention : concepts and techniques
Personal Author:
Series:
Advances in information security
Publication Information:
New York, NY : Springer, 2010
Physical Description:
xviii, 212 p. : ill. ; 24 cm.
ISBN:
9780387887708
Available:*
Library | Item Barcode | Call Number | Material Type | Item Category 1 | Status |
|---|---|---|---|---|---|
Searching... | 30000010205839 | TK5105.59 A43 2010 | Open Access Book | Book | Searching... |
On Order
Summary
Summary
Network Intrusion Detection and Prevention: Concepts and Techniques provides detailed and concise information on different types of attacks, theoretical foundation of attack detection approaches, implementation, data collection, evaluation, and intrusion response. Additionally, it provides an overview of some of the commercially/publicly available intrusion detection and response systems. On the topic of intrusion detection system it is impossible to include everything there is to say on all subjects. However, we have tried to cover the most important and common ones.
Network Intrusion Detection and Prevention: Concepts and Techniques is designed for researchers and practitioners in industry. This book is suitable for advanced-level students in computer science as a reference book as well.
Table of Contents
| 1 Network Attacks | p. 1 |
| 1.1 Attack Taxonomies | p. 2 |
| 1.2 Probes | p. 4 |
| 1.2.1 EPSweep and PortSweep | p. 5 |
| 1.2.2 NMap | p. 5 |
| 1.2.3 MScan | p. 5 |
| 1.2.4 SAINT | p. 5 |
| 1.2.5 Satan | p. 6 |
| 1.3 Privilege Escalation Attacks | p. 6 |
| 1.3.1 Buffer Overflow Attacks | p. 7 |
| 1.3.2 Misconfiguration Attacks | p. 7 |
| 1.3.3 Race-condition Attacks | p. 8 |
| 1.3.4 Man-in-the-Middle Attacks | p. 9 |
| 1.3.5 Social Engineering Attacks | p. 10 |
| 1.4 Denial of Service (DoS) and Distributed Denial of Service (DDoS) Attacks | p. 11 |
| 1.4.1 Detection Approaches for DoS and DDoS Attacks | p. 11 |
| 1.4.2 Prevention and Response for DoS and DDoS Attacks | p. 13 |
| 1.4.3 Examples of DoS and DDoS Attacks | p. 14 |
| 1.5 Worms Attacks | p. 16 |
| 1.5.1 Modeling and Analysis of Worm Behaviors | p. 16 |
| 1.5.2 Detection and Monitoring of Worm Attacks | p. 17 |
| 1.5.3 Worms Containment | p. 18 |
| 1.5.4 Examples of Well Known Worm Attacks | p. 19 |
| 1.6 Routing Attacks | p. 19 |
| 1.6.1 OSPF Attacks | p. 20 |
| 1.6.2 BGP Attacks | p. 21 |
| References | p. 22 |
| 2 Detection Approaches | p. 27 |
| 2.1 Misuse Detection | p. 27 |
| 2.1.1 Pattern Matching | p. 28 |
| 2.1.2 Rule-based Techniques | p. 29 |
| 2.1.3 State-based Techniques | p. 31 |
| 2.1.4 Techniques based on Data Mining | p. 34 |
| 2.2 Anomaly Detection | p. 34 |
| 2.2.1 Advanced Statistical Models | p. 36 |
| 2.2.2 Rule based Techniques | p. 37 |
| 2.2.3 Biological Models | p. 39 |
| 2.2.4 Learning Models | p. 40 |
| 2.3 Specification-based Detection | p. 45 |
| 2.4 Hybrid Detection | p. 46 |
| References | p. 49 |
| 3 Data Collection | p. 55 |
| 3.1 Data Collection for Host-Based IDSs | p. 55 |
| 3.1.1 Audit Logs | p. 56 |
| 3.1.2 System Call Sequences | p. 58 |
| 3.2 Data Collection for Network-Based IDSs | p. 61 |
| 3.2.1 SNMP | p. 61 |
| 3.2.2 Packets | p. 62 |
| 3.2.3 Limitations of Network-Based IDSs | p. 66 |
| 3.3 Data Collection for Application-Based IDSs | p. 67 |
| 3.4 Data Collection for Application-Integrated IDSs | p. 68 |
| 3.5 Hybrid Data Collection | p. 69 |
| References | p. 69 |
| 4 Theoretical Foundation of Detection | p. 73 |
| 4.1 Taxonomy of Anomaly Detection Systems | p. 73 |
| 4.2 Fuzzy Logic | p. 75 |
| 4.2.1 Fuzzy Logic in Anomaly Detection | p. 77 |
| 4.3 Bayes Theory | p. 77 |
| 4.3.1 Naive Bayes Classifier | p. 78 |
| 4.3.2 Bayes Theory in Anomaly Detection | p. 78 |
| 4.4 Artificial Neural Networks | p. 79 |
| 4.4.1 Processing Elements | p. 79 |
| 4.4.2 Connections | p. 82 |
| 4.4.3 Network Architectures | p. 83 |
| 4.4.4 Learning Process | p. 84 |
| 4.4.5 Artificial Neural Networks in Anomaly Detection | p. 85 |
| 4.5 Support Vector Machine (SVM) | p. 86 |
| 4.5.1 Support Vector Machine in Anomaly Detection | p. 89 |
| 4.6 Evolutionary Computation | p. 89 |
| 4.6.1 Evolutionary Computation in Anomaly Detection | p. 91 |
| 4.7 Association Rules | p. 92 |
| 4.7.1 The Apriori Algorithm | p. 93 |
| 4.7.2 Association Rules in Anomaly Detection | p. 93 |
| 4.8 Clustering | p. 94 |
| 4.8.1 Taxonomy of Clustering Algorithms | p. 95 |
| 4.8.2 K-Means Clustering | p. 96 |
| 4.8.3 Y-Means Clustering | p. 97 |
| 4.8.4 Maximum-Likelihood Estimates | p. 98 |
| 4.8.5 Unsupervised Learning of Gaussian Data | p. 100 |
| 4.8.6 Clustering Based on Density Distribution Functions | p. 101 |
| 4.8.7 Clustering in Anomaly Detection | p. 102 |
| 4.9 Signal Processing Techniques Based Models | p. 104 |
| 4.10 Comparative Study of Anomaly Detection Techniques | p. 109 |
| References | p. 110 |
| 5 Architecture and Implementation | p. 115 |
| 5.1 Centralized | p. n5 |
| 5.2 Distributed | p. 115 |
| 5.2.1 Intelligent Agents | p. 116 |
| 5.2.2 Mobile Agents | p. 123 |
| 5.3 Cooperative Intrusion Detection | p. 125 |
| References | p. 126 |
| 6 Alert Management and Correlation | p. 129 |
| 6.1 Data Fusion | p. 129 |
| 6.2 Alert Correlation | p. 131 |
| 6.2.1 Preprocess | p. 132 |
| 6.2.2 Correlation Techniques | p. 139 |
| 6.2.3 Postprocess | p. 145 |
| 6.2.4 Alert Correlation Architectures | p. 150 |
| 6.2.5 Validation of Alert Correlation Systems | p. 152 |
| 6.3 Cooperative Intrusion Detection | p. 153 |
| 6.3.1 Basic Principles of Information Sharing | p. 153 |
| 6.3.2 Cooperation Based on Goal-tree Representation of Attack Strategies | p. 154 |
| 6.3.3 Cooperative Discovery of Intrusion Chain | p. 154 |
| 6.3.4 Abstraction-Based Intrusion Detection | p. 155 |
| 6.3.5 Interest-Biased Communication and Cooperation | p. 155 |
| 6.3.6 Agent-Based Cooperation | p. 156 |
| 6.3.7 Secure Communication Using Public-key Encryption | p. 157 |
| References | p. 157 |
| 7 Evaluation Criteria | p. 161 |
| 7.1 Accuracy | p. 161 |
| 7.1.1 False Positive and Negative | p. 162 |
| 7.1.2 Confusion Matrix | p. 163 |
| 7.1.3 Precision, Recall, and F-Measure | p. 164 |
| 7.1.4 ROC Curves | p. 166 |
| 7.1.5 The Base-Rate Fallacy | p. 168 |
| 7.2 Performance | p. 171 |
| 7.3 Completeness | p. 172 |
| 7.4 Timely Response | p. 172 |
| 7.5 Adaptation and Cost-Sensitivity | p. 175 |
| 7.6 Intrusion Tolerance and Attack Resistance | p. 177 |
| 7.6.1 Redundant and Fault Tolerance Design | p. 177 |
| 7.6.2 Obstructing Methods | p. 179 |
| 7.7 Test, Evaluation and Data Sets | p. 180 |
| References | p. 182 |
| 8 Intrusion Response | p. 185 |
| 8.1 Response Type | p. 185 |
| 8.1.1 Passive Alerting and Manual Response | p. 185 |
| 8.1.2 Active Response | p. 186 |
| 8.2 Response Approach | p. 186 |
| 8.2.1 Decision Analysis | p. 186 |
| 8.2.2 Control Theory | p. 189 |
| 8.2.3 Game theory | p. 189 |
| 8.2.4 Fuzzy theory | p. 190 |
| 8.3 Survivability and Intrusion Tolerance | p. 194 |
| References | p. 197 |
| A Examples of Commercial and Open Source IDSs | p. 199 |
| A.l Bro Intrusion Detection System | p. 199 |
| A.2 Prelude Intrusion Detection System | p. 199 |
| A.3 Snort Intrusion Detection System | p. 200 |
| A.4 Ethereal Application - Network Protocol Analyzer | p. 200 |
| A.5 Multi Router Traffic Grapher (MRTG) | p. 201 |
| A.6 Tamandua Network Intrusion Detection System | p. 202 |
| A.7 Other Commercial IDSs | p. 202 |
| Index | p. 209 |
