Intrusion detection systems. (Intrusion Detection-Systeme. Translated from the American by Enno Rey and Michael Thumann.) (German) Zbl 1026.68005

Bonn: mitp. 528 pp. (2001).
The book is intended as a handbook for intrusion detection analysts. It is written for readers with no background in the subject, but can also be useful to experienced specialists.
The book starts with an overview of the TCP/IP model. It discusses the layers of the protocol stack, data structures, physical and logical addresses, TCP/IP services and ports, the domain name system, and routing. The next chapter describes the TCPdump tool, studies the TCP protocol in more detail, and discusses the risks of port scanning and TCP session hijacking. Chapter 3 discusses fragmentation, its analysis with TCPdump, and the security risks that arise from fragmentation.
The next chapter deals with the ICMP protocol. It describes the intended use of the protocol as well as ways to misuse it. Finally, it discusses blocking ICMP messages as a way to improve security, and the consequences of doing so. Chapter 5 is devoted to traffic analysis in general. It describes normal traffic, malicious traffic, and suspicious traffic that is nevertheless not malicious. The following chapter is devoted to DNS: it describes how it works and how it can be misused.
Chapter 7 gives an example of an attack and its analysis: the well-known attack by Kevin Mitnick.
The theory of intrusion detection continues with an explanation of attack signatures and traffic filters, illustrated by several filters based on attack signatures and message content. The next chapter deals with the design of an IDS. It discusses IDS sensors, their limits and placement, push and pull architectures, the human factors involved in intrusion detection, the management of false positives, and host-based versus network-based IDSs. Interoperability between different IDSs and correlation between different attacks are the subject of the following chapter.
Chapter 11 describes several network-based IDSs (commercial products as well as open-source software and university research projects) and their characteristics. The next chapter discusses the future of intrusion detection, reasons for the increase in the number of attacks, the risks of mobile code, cyber terror, threats from trusted insiders, and the use of hardware and software intrusion detection. The following three chapters deal with the analysis of attack traces from different points of view. The first of them describes several attacks and the scans that precede them, as well as how misinterpretation of traces can lead to false positives. The next one deals with denial of service attacks, and the last one shows traces and techniques used to map networks and hosts. Chapter 16 is devoted to remote procedure calls (RPCs), which represent a very important attack category; it gives many signatures as well as practical examples. The following chapter describes the configuration options of TCPdump filters, to show how a complex filter can be built.
The next two chapters introduce the reader to forensics by describing two real forensic cases.
The remaining three chapters deal with the organizational side of intrusion detection. Chapter 20 gives arguments for using an IDS as a tool for risk management and as part of the overall security system. It reviews the basic terms of risk, threat, security policy, risk analysis, and risk management. The next chapter describes different types of automated and manual responses to detected intrusions. The last chapter highlights the most important arguments for management support for the use of IDSs.


68M10 Network design and communication in computer systems
68-01 Introductory exposition (textbooks, tutorial papers, etc.) pertaining to computer science