
Network Security Through Data Analysis: Building Situational Awareness

System and network administrators have traditionally monitored their systems through general tools such as intrusion detection and logfile analysis. But modern, complex networks, facing increasingly sophisticated attacks, call for more analytical tools. Michael Collins, a leading researcher in security, introduces the techniques needed in this book and highlights some of the computing tools that will help catch problems.

The book is divided into three large sections: data collection, analysis, and taking action. These can be iterative, as each discovery alerts the administrator to data that should be collected. Several forms of analysis and visualization are covered. Topics include:


What data to capture on your systems
Data fusion
Structures and storage systems for data
Using R, SiLK, and Python for analysis
Visualization and exploratory data analysis
Graph analysis
Network mapping
Address forensics: determining where traffic originates
Handling malware
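The flow-record analysis the book centres on, as an added example written for this page (it is not code from the book or from Michael Collins). It parses a simplified comma-separated flow record (sip,dip,sport,dport,proto,packets,bytes), a layout assumed here for illustration rather than the exact output of SiLK's tools, and flags a source that touches many distinct ports on one destination using tiny flows, which is how a TCP SYN scan appears once packets have been summarised into flows. The sample records are constructed, not captured traffic.

```python
"""Flag port-scanning sources in a batch of flow records.

Added example for this page, not code from the book or its author. It works
on a simplified CSV flow record (sip,dip,sport,dport,proto,packets,bytes),
which is an assumption made here; real SiLK or NetFlow exports carry more
fields and would be converted to this shape first.
"""
import csv
import io
from collections import defaultdict

# Constructed sample data (not captured traffic): two ordinary HTTPS flows
# from 10.0.0.7, an SSH session from 10.0.0.9, plus 10.0.0.5 touching 25
# different ports on 10.0.0.9 with one-packet flows, which is what a SYN
# scan with no replies looks like in flow data.
_NORMAL = [
    "10.0.0.7,93.184.216.34,51022,443,6,18,9421",
    "10.0.0.7,93.184.216.34,51023,443,6,12,3310",
    "10.0.0.9,10.0.0.7,22,51100,6,40,6100",
]
_SCAN = [f"10.0.0.5,10.0.0.9,{40000 + i},{20 + i},6,1,44" for i in range(25)]
SAMPLE_FLOWS = (
    "sip,dip,sport,dport,proto,packets,bytes\n"
    + "\n".join(_NORMAL + _SCAN)
    + "\n"
)


def parse_flows(text):
    """Parse CSV flow records into dicts with numeric fields converted."""
    reader = csv.DictReader(io.StringIO(text))
    flows = []
    for row in reader:
        flows.append({
            "sip": row["sip"],
            "dip": row["dip"],
            "sport": int(row["sport"]),
            "dport": int(row["dport"]),
            "proto": int(row["proto"]),
            "packets": int(row["packets"]),
            "bytes": int(row["bytes"]),
        })
    return flows


def scan_candidates(flows, min_ports=10, max_packets=2):
    """Return {(sip, dip): distinct_dports} for pairs that look like a scan.

    A vertical scan shows up as one source touching many distinct destination
    ports on one destination with tiny TCP flows (an unanswered SYN is a
    single packet). Flows with more packets are treated as real
    conversations and ignored. Thresholds are illustrative and must be
    tuned to the network being monitored.
    """
    ports = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["packets"] <= max_packets:
            ports[(f["sip"], f["dip"])].add(f["dport"])
    return {pair: len(p) for pair, p in ports.items() if len(p) >= min_ports}


def fan_out(flows):
    """Distinct destination addresses per source (a horizontal-scan signal)."""
    dests = defaultdict(set)
    for f in flows:
        dests[f["sip"]].add(f["dip"])
    return {sip: len(d) for sip, d in dests.items()}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (sip, dip), n in sorted(scan_candidates(flows).items()):
        print(f"possible port scan: {sip} -> {dip}, {n} distinct ports in small flows")
    for sip, n in sorted(fan_out(flows).items()):
        print(f"{sip} contacted {n} distinct destination(s)")
```

The thresholds (ten distinct ports, flows of at most two packets) are starting points, not rules: a legitimate vulnerability scanner, a load balancer's health checks, or a busy DNS resolver will all trip naive counts, which is why the book spends as much time on knowing your own network's baseline as on the analysis itself.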

345 pages, Paperback

First published September 22, 2013


About the author

Michael S. Collins

24 books, 5 followers

Community Reviews

5 stars
14 (28%)
4 stars
20 (40%)
3 stars
13 (26%)
2 stars
2 (4%)
1 star
1 (2%)
Displaying 1 - 8 of 8 reviews
79 reviews, 1 follower
November 15, 2017
Somewhat helpful. Won't read again.
7 reviews
April 29, 2014
Dr. Michael S. Collins is the Chief Scientist for RedJack LLC. The company aims at protecting networks against attacks with the help of data analysis. That statement is the starting point of the book: "How can the data generated by network usage help us detect intrusions or corrupted processes?" The book presents a global approach to answering this big question. The answer is divided into three main steps: capture, store/refine and process.

This data is implicitly generated when our computers are connected and communicate. Revealing the data means installing sensors that will capture the events and the big picture of the network activity at different levels (network or host sensors, for instance). The first part of the book presents various tools for installing sensors (such as tcpdump).

Once the data are captured, where can we store them, or even centralize them if the sensors are installed in various parts of the network? How do we process them? With which tools? The second part of the book presents the different possible storage options and how to design the data space to optimize the future analysis. Among the proposed tools, SiLK and R are covered. But what if you are not familiar with the tools? No problem! This book will guide you in learning them, and the further reading provided gives you a path to mastery. Many other tools are also covered; they refine the raw data to prepare it for the last step.

The third part is dedicated to exploratory data analysis to reveal the hidden information in raw data. This part is really interesting, and the core of the data analysis helps the network security engineer develop their skills in recognizing misbehavior. The visuals and the examples are well chosen and the explanations well structured and balanced.

Finally, I found the book really interesting; it opens interesting possibilities if a closer look is given to the recent developments in the world of networking and mobility (VPN, etc.). Since the number of flows increases every day, I have found the approach really helpful for extracting security information out of the noise.

Since this is one of the first books to cover this area of skills, the book is really introductory, and its pedagogical quality helps the reader learn and acquire them through different techniques and tools. Some professionals could find some of the topics not covered deeply enough, but something will be found in the book for everyone interested in the subject.
Jean-François
44 reviews
August 10, 2014
If you are a network or security analyst, if you look at implementing a security analysis program, or simply you are interested in discovering how to leverage data analysis techniques to uncover potential bad actors in your network, this is the book to read.

Michael Collins goes through the basics of networking and network captures, R and exploratory data analysis, and data visualization. He gives a very good starter on the SiLK tools and uses them throughout the book in various scenarios.

For the people wanting some more immediate results, Collins provides a number of Python scripts that can be used to detect potential anomalies and attacks.
Takedown
137 reviews, 9 followers
February 1, 2015
I'm disappointed. I was expecting way more from this book. There is actually very little information about data analysis and even less related to security. More than half of the book is spent on basics like tools, theory and networking concepts rather than hands-on data analysis. No mention of the ELK stack left me wondering... I was also puzzled by the choice of R (which is barely used anyway) and no mention of the powerful data analysis Python stack such as pandas, IPython notebooks and scikit-learn.
276 reviews
June 28, 2015
Exactly what it says on the tin: for those concerned with the effective security-oriented monitoring of a network, not just a host or two. Goes well beyond the usual recommended software, describing tools and techniques for building a monitoring system tuned to the needs of a network and organization. Highly recommended if you're in that situation; for those responsible for a handful of hosts or without the FTEs to spend on proactive security, this is probably well out of scope.
Fuat
22 reviews
August 6, 2014
The book tells many things and you learn many concepts; however, you just learn some details but not the way to do it.
22 reviews
February 2, 2015
Great book that explains much of what can be going on on networks. You still have to implement stuff yourself though, as network security is really dependent on your own setup.
