Network Intrusion Detection : An Analyst's Handbook

by Stephen Northcutt, Judy Novak, Donald McLachlan



Intrusion detection is one of the hottest growing areas of network security. As the number of corporate, government, and educational networks grow and as they become more and more interconnected through the Internet, there is a correlating increase in the types and numbers of attacks to penetrate those networks. Intrusion Detection, Second Edition is a training aid and reference for intrusion detection analysts. This book is meant to be practical. The authors are literally the most recognized names in this specialized field, with unparalleled experience in defending our country's government and military computer networks. People travel from all over the world to hear them speak, and this book will be a distillation of that experience. The book's approach is to introduce and ground topics through actual traffic patterns. The authors have been through the trenches and give you access to unusual and unique data.

Editorial Reviews
The Barnes & Noble Review
We admired the first edition of Network Intrusion Detection for its extraordinary insight into the realities of network intrusions and countermeasures. Author Stephen Northcutt knows this stuff: He was Chief of Information Warfare for the U.S. Ballistic Missile Defense Organization. Well, the ink barely dried on that book before new attacks and new tools arrived -- and hot on their heels, a new edition that's even better than the original.

Joined by co-author Judy Novak, Northcutt has updated nearly everything, adding extensive new coverage. For example, there's updated coverage of denial of service attacks (including "elegant" one-packet kills that take advantage of flaws in the IP stack's capability to deal with illegal conditions). There's a full chapter on attacks utilizing remote procedure calls, which (together with DNS), now account for the majority of compromised UNIX systems.

You'll find a full chapter dissecting one of Kevin Mitnick's legendary attacks (which may be old, but still illustrates crucial issues in intrusion detection). To complement it, there's a new chapter chronicling the fascinating hunt for the Timex intruder, tracked as far as London and Zagreb, Croatia (so far, that is). You'll also find a full chapter on separating real attacks from false positives and up-to-date guidance on choosing network intrusion detection tools (including a hard-eyed look at their significant limitations). If you have any interest at all in the technical aspects of computer security, you'll find this book to be utterly compelling. (Bill Camarda)

Bill Camarda is a consultant and writer with nearly 20 years' experience in helping technology companies deploy and market advanced software, computing, and networking products and services. His 15 books include Special Edition Using Word 2000 and Upgrading & Fixing Networks For Dummies®, Second Edition.

Written as a training aid and technical reference for intrusion detection analysis, this book covers areas such as detect evaluation, analysis, and situation handling; explains theories related to hackers, intelligence gathering, and coordinated attacks; and describes preventive and aggressive security measures. Northcutt is lead incident handler for the Global Incident Analysis Center at the SANS Institute. Novak is a security analyst at the Johns Hopkins Applied Physics Laboratories. Annotation c. Book News, Inc., Portland, OR

Product Details

  • Publisher: Pearson Education
  • Publication date:
  • Series: Landmark Series
  • Edition description: Older Edition
  • Product dimensions: 7.02(w) x 8.98(h) x 1.01(d)

Read an Excerpt

Chapter 1: IP Concepts

As you read this chapter, it will become apparent that you belong in one of two categories: the beginner category or that of the seasoned veteran. The Internet Protocol (IP) is a large and potentially intimidating topic that requires a gentle introduction for uninitiated beginners so as not to overwhelm them with foreign acronyms, details, and concepts. Therefore, the purpose of this first chapter is to expose newcomers to the terms, concepts, and ever-present acronyms of IP. The suite of protocols covered here is more commonly known as Transmission Control Protocol/Internet Protocol (TCP/IP). These protocols are required to communicate between hosts on the Internet, the worldwide infrastructure of networked hosts. Indeed, communication protocols other than TCP/IP exist (for instance, AppleTalk for Apple computers). These protocols are typically found on intranets, where associated hosts talk on a private network. Most Internet communications require TCP/IP, which is the standard for global communications between hosts and networks. Those seasoned veteran readers who dabble in TCP/IP daily might want to skip this chapter. Even so, you should give it a quick skim. If you ever need to explain a concept about IP (perhaps to the individual who signs off on your pay raise or bonus, for example), you may find this chapter's approach useful. Those of you who are getting your feet wet in this area will almost certainly benefit from this introduction.

This is an around-the-world introduction to TCP/IP presented in a single chapter. Many of the topics discussed in this introductory chapter are covered in much greater detail and complexity in upcoming chapters; those chapters contain the core content, but you need to be able to peel away the theoretical skin to understand them. Specifically, this chapter covers the following topics:

  • The TCP/IP Internet model. This section examines the foundations of communications over the Internet, specifically communications made possible by using a common model known as the TCP/IP Internet model.
  • Packaging of data on the Internet. This section reviews the encapsulation of data to be sent through different legs of a journey to its destination.
  • Physical and logical addresses. This section highlights the different ways to identify a computer or host on the Internet.
  • TCP/IP services and ports. This section explores how hosts communicate with each other for different purposes and through different applications.
  • Domain Name System. This section focuses on the importance of host names and IP number translations.
  • Routing. This section explains how data is directed from the sending to the receiving computer.

The TCP/IP Internet Model

Computer users often want to communicate with another computer on the Internet for some purpose or another (to view a Web page on a remote Web server, for instance). A response from a Web server can seem almost instantaneous, but a lot of processes and infrastructures actually support this seemingly trivial act behind the scenes.


Figure 1.1 shows a logical roadmap of some of the processes involved in host-to-host communications. You begin the process of downloading a Web page in the box labeled Web Browser. Before your request to see a Web page can get to the Web server, your computer must package the request and send it through various processes and layers. Each layer represents a logical leg in the journey from the sending computer to the receiving computer. After the sending computer packages the data through the different layers, it is delivered to the receiving computer over the Internet. The receiving computer unwraps the package and delivers it to its own processes and layers. Your request eventually arrives at the box labeled Web Server, and the Web server replies to the request...
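The unwrapping the excerpt describes, as an added example that is not taken from the book: a small Python decoder peels an Ethernet frame down through its IPv4 and TCP headers, verifies the IP header checksum the way an analyst checking a trace would, and hands back the application payload. The frame, MAC and IP addresses, and ports are constructed sample values, and the TCP checksum is deliberately left at zero because only the IP layer is verified here.

```python
import struct

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def unwrap(frame: bytes) -> dict:
    """Peel Ethernet -> IPv4 -> TCP, as the receiving host (or a sensor) does."""
    layers = {}
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    layers["ethernet"] = {"dst": dst.hex(":"), "src": src.hex(":"), "type": ethertype}
    if ethertype != 0x0800:                  # only IPv4 is decoded here
        return layers
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                 # IP header length in bytes
    total_len, ident, flags_frag, ttl, proto, chk = struct.unpack("!HHHBBH", ip[2:12])
    # Recompute the checksum over the header with its checksum field zeroed.
    ok = ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == chk
    layers["ip"] = {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
                    "ttl": ttl, "proto": proto, "checksum_ok": ok}
    if proto != 6:                           # 6 = TCP
        return layers
    tcp = ip[ihl:total_len]
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4             # TCP header length in bytes
    layers["tcp"] = {"sport": sport, "dport": dport, "seq": seq,
                     "flags": off_flags & 0x1FF, "payload": tcp[doff:]}
    return layers

def build_frame(payload: bytes) -> bytes:
    """Constructed sample: PSH/ACK segment 192.168.1.10:40000 -> 203.0.113.5:80.
    The TCP checksum is left zero; only the IP header checksum is filled in."""
    tcp = struct.pack("!HHIIHHHH", 40000, 80, 1, 1, (5 << 12) | 0x018, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0x4000, 64, 6, 0,
                     bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp

if __name__ == "__main__":
    for name, fields in unwrap(build_frame(b"GET / HTTP/1.0\r\n\r\n")).items():
        print(name, fields)
```

Corrupting a single header byte (for instance the TTL) makes `checksum_ok` come back `False`, which is how a sensor tells a damaged or hand-crafted header from a sane one.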

Meet the Author

Stephen Northcutt is a graduate of Mary Washington College. Before entering the field of computer security, he worked as a cook, a U.S. Navy helicopter search and rescue crewman, a martial arts instructor, and a network designer. He is the author of Incident Handling: Step-by-Step and Intrusion Detection: Shadow Style, both published by the SANS Institute. He was the original developer of the Shadow intrusion detection system and served as the leader of the Department of Defense's Shadow Intrusion Detection Team for two years. Formerly the Director of the U.S. Navy's Information System Security Office at the Naval Security Warfare Center, he is currently the Chief Information Warfare Officer for the U.S. Ballistic Missile Defense Organization. Stephen is a featured lecturer and co-chair of the first Intrusion Detection Conference.
