Intrusion Detection

This is one of at least three books you will need for academic research on intrusion detection. This book is appropriate for undergraduate students, but it also contains theory and references. For a graduate level presentation with theory and references, see Intrusion Detection: An Introduction to Internet Surveillance, Correlation, Trace Back, Traps, and Response. The third book is Network Intrusion Detection (3rd Edition) (Voices (New Riders)) and contains practical advice on how intrusion detection is actually done. If you are non-academic and do not need theory and references, you probably only need the third book.

Three years ago, as a captain in the Air Force CERT, I didn't think I had time to read books on theory and definitions like Rebecca Bace's "Intrusion Detection." If a book didn't show packet captures, I didn't need it! Fast forward to 2003, as I research intrusion detection history and re-discover Bace's contribution to the field. Now, I consider her book so important that I consider most of it mandatory preparation for my own book. If you've got the time for "high level" monitoring concerns, check out "Intrusion Detection."As a researcher, my favorite aspect of the book is Bace's readiness to "lay down the law" and provide numerous definitions for intrusion detection concepts. Most of them are so clear as to be considered definitive in my eyes. Like Paul Proctor's 2001 title "The Practical Intrusion Detection Handbook," I get the sense that Bace "gets it." She doesn't show packet traces, but what she says makes sense. The best aspect of the book, for my purposes, is its historical nature. Bace covers several decades of intrusion detection concepts and products. She cites the players and their papers, and the themes prevalent as IDS moved from the lab to the front lines. I also found the legal issues chapter extremely valuable. IDS operators should know their products implement wiretaps or trap and trace/pen registers, for which legal cover should be sought. The legal chapter also featured two great case studies on capturing Kevin Mitnick and responding to the 1994 Rome Labs intrusion. On the negative side, I offer a few disagreements and suggestions. First, vulnerability assessment products are not "a special case of intrusion detection" (ch. 6). This association clouds the issue and confuses the layman. Vulnerability assessment products identify vulnerabilities. Intrusion detection products identify threats. VA can work with IDS in an overall risk management strategy, or to provide context to improve IDS detection methods (e.g. Sourcefire RNA or Tenable NeVO), but VA is not IDS. I also disagree the a primary goal of IDS is real-time response. While this is a goal for science fiction writers, I still don't trust the removal of the human operator. Minor points include a lack of discussing Snort (created in 1998, popular by 1999) and an incorrect claim regarding "NSM" on p. 19 -- the acronym means "Network Security Monitor."If you're looking for background on the history and purpose of IDS, I strongly recommend reading "Intrusion Detection." It's as relevant today as it was three years ago. I'm fortunate I didn't miss out by waiting so long!

Many companies subscribe to the Little Richard school of network security: "You keep a knockin' but you can't come in." But what if they do get in? In that case, intrusion detection systems become an important component of a company's computer and network security package. Simply put, an intrusion detection system (IDS) is a type of network security management system that gathers and analyzes information to identify possible security breaches, which include both intrusions (attacks from outside the organization) and misuse (attacks from within the organization). IDSs, which were developed in response to an increasing number of attacks on such major sites as the White House and Microsoft, use vulnerability assessment and scanning technologies to determine the security of a network. Rebecca Bace's book is an excellent introduction to IDSs. Many people who buy such systems become distressed that one can't just buy an off-the-shelf IDS and turn it on. Effective use of an IDS requires significant planning and design, which Bace's book conveys. Bace's book also offers a good history of IDSs and explains the lifecycle of an IDS installation, from the initial requirements to deployment and configuration. Bace further details how to respond to specific types of intrusions and how to tie all of this back to an effective security infrastructure. Bace's book is a good choice for anyone considering use of an IDS or who wants to make sense of an existing IDS....

This is a well-researched and well-written text. It is an excellent complement to Northcutt's book, which is more concrete and oriented to the hands-on practitioner. Those hoping to just buy an off-the-shelf IDS and turn it on may find Bace's book somewhat abstract. Although it reads well, it has a very strong academic flavor (this is probably inevitable in any book that uses the word 'etiology' twice in the first chapter). If Amoroso's book is a graduate-level text, then this is an appropriate book for undergrads.Every specialized text on security seems to succumb to the temptation to flesh out the book with elementary security topics, and this one is no exception. Whether they are absolutely appropriate in a book like this or not, Bace does offer some very wise and useful advice and understandings on information security in general--some of which I was able to apply immediately by sharing with a client.The author provides a comprehensive history of intrusion detection that is effective in creating an understanding of the reasons that specific techniques are used and what their shortcomings and strong points are--15 years worth of non-commercial intrusion detection systems are described and analyzed. While academic and government sponsored IDS initiatives are well-covered, those who are shopping for a commercial solution will probably be disappointed by the almost total lack of mention of currently available products. Discussion of commercial products consists of generalizations such as "Many products" or "some products" or "be aware of vendors that".The chapter on legal issues is excellent and up-to-date, and it should be read by anyone implementing any form of monitoring system. The chapter 'For Strategists' is just a rehash of basic risk management concepts. It isn't particularly applicable to IDS and I disagree with the author on the prominence of ROI calculations in the security product implementation decision process. The bibliography is complete and very current. Although it lacks annotations, many of the sources are referenced within the book itself, so the reader interested in further research has plenty of guidance.The weaknesses in this book are probably due to a lack of audience focus. It is aimed at Chief Security Officers, network and OS admins, college compsci students, and security systems designers. Consultants and decision-makers should read this text, as should network engineers who want to expand their awareness of the tools they are purchasing and using. Given that this serves well as a reference book, the sturdy hard binding is appreciated, and the pages withstand highlighting without bleed through. It isn't a lot of verbiage for the price, but the quality is high.

With the number of intrusion and hacking incidents around the world on the rise, the importance of having dependable intrusion detection systems in place is greater than ever. Intrusion Detection offers both a developmental and technical perspective on this crucial element of network security. You'll find practical considerations for selecting and implementing intrusion detection systems as well as methods for handling the results of analysis, and the options for responses to detected problems. More than just an overview of the technology, Intrusion Detection presents real analysis schemes and responses, as well as a detailed discussion of the vulnerabilities inherent in many systems, and approaches to testing systems for these problems. Ideal for the network architect who has to make decisions on what intrusion detection system to implement and how to do it. 350 pages