基于数据分析的网络安全

PrefacePartⅠ.Data1.Sensors and Detectors： An IntroductionVantages： How Sensor Placement Affects Data CollectionDomains： Determining Data That Can Be CollectedActions： What a Sensor Does with DataConclusion2.Network SensorsNetwork Layering and Its Impact on InstrumentationNetwork Layers and VantageNetwork Layers and AddressingPacket DataPacket and Frame FormatsRolling BuffersLimiting the Data Captured from Each PacketFiltering SpeciFic Types of PacketsWhat Iflt's Not Ethernet？NetFlowNetFlow v5 Formats and FieldsNetFlow Generation and CollectionFurther Reading3.Host and Service Sensors： Logging Traffic at the SourceAccessing and Manipulating LogFilesThe Contents of LogfilesThe Characteristics of a Good Log MessageExisting Logflles and How to Manipulate ThemRepresentative Logflle FormatsHTTP： CLF and ELFSMTPMicrosoft Exchange： Message Tracking LogsLogfile Transport： Transfers，Syslog，and Message QueuesTransfer and Logfrle RotationSyslogFurther Reading4.Data Storage for Analysis： Relational Databases，Big Data，and Other OptionsLog Data and the CRUD ParadigmCreating a Well—Organized Flat File System： Lessons from SiLKA Brieflntroduction to NoSQL SystemsWhat Storage Approach to UseStorage Hierarchy，Query Times，and AgingPartⅡ.Tools5.The SiLK SuiteWhat Is SiLK and How Does It Work？Acquiring and Installing SiLKThe DataFilesChoosing and Formatting Output Field Manipulation： rwcutBasic Field Manipulation： rwfrlterPorts and ProtocolsSizeIP AddressesTimeTCP OptionsHelper OptionsMiscellaneous Filtering Options and Some Hacksrwfileinfo and ProvenanceCombining Information Flows： rwcountrwset and IP SetsrwuniqrwbagAdvanced SiLK FaalitiespmapsCollecting SiLK DataYAFrwptoflowrwtucFurther Reading6.An Introduction to R for Security AnalystsInstallation and SetupBasics of the LanguageThe R PromptR VariablesWriting FunctionsConditionals and IterationUsing the R WorkspaceData FramesVisualizationVisualization CommandsParameters to VisualizationAnnotating a VisualizationExportingVisualizationAnalysis： Statistical Hypothesis TestingHypothesis TestingTesting DataFurther Reading7.Classification and Event Tools： IDS，AV，and SEMHow an IDS WorksBasic VocabularyClassifler Failure Rates： Understanding the Base—Rate FallacyApplying ClassiFicationImproving IDS PerformanceEnhancing IDS DetectionEnhanang IDS ResponsePrefetching DataFurther Reading8.Reference and Lookup： Tools for Figuring Out Who Someone lsMAC and Hardware AddressesIP AddressingIPv4 Addresses，Theu Structure，and Significant AddressesIPv6 Addresses，Their Structure and Significant AddressesChecking Connectivity： Using ping to Connect to an AddressTraceroutingIP Intelligence： Geolocation and DemographicsDNSDNS Name StructureForward DNS Querying Using digThe DNS Reverse LookupUsing whois to Find OwnershipAdditional Reference ToolsDNSBLs9.More ToolsVisualizationGraphvizCommunications and ProbingnetcatnmapScapyPacket Inspection and ReferenceWiresharkGeoIPThe NVD，Malware Sites，and the C*EsSearch Engines，Mailing Lists，and PeopleFurther ReadingPartⅢ.Analytics10.Exploratory Data Analysis and VisualizationThe Goal of EDA： Applying AnalysisEDA WorkflowVariables and VisualizationUnivariate Visualization： Histograms，QQ Plots，Boxplots，and Rank PlotsHistogramsBar Plots（Not Pie Charts）The Quantile—Quantile（QQ）PlotThe Five—Number Summary and the BoxplotGenerating a BoxplotBivariate DescriptionScatterplotsContingency TablesMultivariate VisualizationOperationalizing Security VisualizationFurther Reading11.On FumblingAttack ModelsFumbling： Misconfiguration，Automation，and ScanningLookup FailuresAutomationScanningIdentifying FumblingTCP Fumbling： The State MachineICMP Messages and FumblingIdentifying UDP FumblingFumbling at the Service LevelHTTP FumblingSMTP FumblingAnalyzing FumblingBuilding Fumbling AlarmsForensic Analysis of FumblingEngineering a Network to Take Advantage of FumblingFurther Reading12.Volume and Time AnalysisThe Workday and Its Impact on Network Traffic VolumeBeaconingFile Transfers／RaidingLocalityDDoS，Flash Crowds，and Resource ExhaustionDDoS and Routing InfrastructureApplying Volume and Locality AnalysisData SelectionUsing Volume as an AlarmUsing Beaconing as an AlarmUsing Locality as an AlarmEngineering SolutionsFurther Reading13.Graph AnalysisGraph Attributes： What Is a Graph？Labeling，Weight，and PathsComponents and ConnectivityClustering CoeffiaentAnalyzing GraphsUsing Component Analysis as an AlarmUsing Centrality Analysis for ForensicsUsing Breadth—First Searches ForensicallyUsing Centrality Analysis for EngineeringFurther Reading14.Application IdentificationMechanisms for Application IdentificationPort NumberApplication Identiflcation by Banner GrabbingApplication Identification by BehaviorApplication Identification by Subsidiary SiteApplication Banners： Identifying and ClassifyingNon—Web BannersWeb Client Banners： The User—Agent StringFurther Reading15.Network MappingCreating an Initial Network Inventory and MapCreating an Inventory： Data，Coverage，and FilesPhase Ⅰ： The First Three QuestionsPhase Ⅱ： Examining the IP SpacePhase Ⅲ： Identifying Blind and Confusing TrafficPhase Ⅳ： Identifying Clients and ServersIdentifying Sensing and Blocking InfrastructureUpdating the Inventory： Toward Continuous AuditFurther ReadingIndex