Part I. Data
Chapter 1. Sensors and Detectors: An Introduction
Vantages: How Sensor Placement Affects Data Collection
Domains: Determining Data That Can Be Collected
Actions: What a Sensor Does with Data
Conclusion
Chapter 2. Network Sensors
Network Layering and Its Impact on Instrumentation
Packet Data
NetFlow
Further Reading
Chapter 3. Host and Service Sensors: Logging Traffic at the Source
Accessing and Manipulating Logfiles
The Contents of Logfiles
Representative Logfile Formats
Logfile Transport: Transfers, Syslog, and Message Queues
Further Reading
Chapter 4. Data Storage for Analysis: Relational Databases, Big Data, and Other Options
Log Data and the CRUD Paradigm
A Brief Introduction to NoSQL Systems
What Storage Approach to Use
Part II. Tools
Chapter 5. The SiLK Suite
What Is SiLK and How Does It Work?
Acquiring and Installing SiLK
Choosing and Formatting Output Field Manipulation: rwcut
Basic Field Manipulation: rwfilter
rwfileinfo and Provenance
Combining Information Flows: rwcount
rwset and IP Sets
rwuniq
rwbag
Advanced SiLK Facilities
Collecting SiLK Data
Further Reading
Chapter 6. An Introduction to R for Security Analysts
Installation and Setup
Basics of the Language
Using the R Workspace
Data Frames
Visualization
Analysis: Statistical Hypothesis Testing
Further Reading
Chapter 7. Classification and Event Tools: IDS, AV, and SEM
How an IDS Works
Improving IDS Performance
Further Reading
Chapter 8. Reference and Lookup: Tools for Figuring Out Who Someone Is
MAC and Hardware Addresses
IP Addressing
DNS
Additional Reference Tools
Chapter 9. More Tools
Visualization
Communications and Probing
Packet Inspection and Reference
Further Reading
Part III. Analytics
Chapter 10. Exploratory Data Analysis and Visualization
The Goal of EDA: Applying Analysis
EDA Workflow
Variables and Visualization
Univariate Visualization: Histograms, QQ Plots, Boxplots, and Rank Plots
Bivariate Description
Multivariate Visualization
Chapter 11. On Fumbling
Attack Models
Fumbling: Misconfiguration, Automation, and Scanning
Identifying Fumbling
Fumbling at the Service Level
Analyzing Fumbling
Further Reading
Chapter 12. Volume and Time Analysis
The Workday and Its Impact on Network Traffic Volume
Beaconing
File Transfers/Raiding
Locality
Applying Volume and Locality Analysis
Further Reading
Chapter 13. Graph Analysis
Graph Attributes: What Is a Graph?
Labeling, Weight, and Paths
Components and Connectivity
Clustering Coefficient
Analyzing Graphs
Further Reading
Chapter 14. Application Identification
Mechanisms for Application Identification
Application Banners: Identifying and Classifying
Further Reading
Chapter 15. Network Mapping
Creating an Initial Network Inventory and Map
Updating the Inventory: Toward Continuous Audit
Further Reading
Index
Network Security Through Data Analysis
Genre: Security
Posted by Myanmar Ebook Store