Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century (Paperback, July 4, 2009)

ISBN-13: 978-0321591807, ISBN-10: 0321591801, Edition: 1st

Product Details

  • Paperback: 480 pages
  • Publisher: Addison-Wesley Professional; 1st edition (July 4, 2009)
  • Language: English
  • ISBN-10: 0321591801
  • ISBN-13: 978-0321591807
  • Product Dimensions: 9.1 x 7.1 x 1.2 inches
  • Shipping Weight: 1.7 pounds
  • Average Customer Review: 4.1 out of 5 stars (13 customer reviews)
  • Amazon Best Sellers Rank: #272,949 in Books

Editorial Reviews

About the Author

Ryan Trost is the Director of Security and Data Privacy Officer at Comprehensive Health Services where he oversees all the organization’s security and privacy decisions. He teaches several Information Technology courses, including Ethical Hacking, Intrusion Detection, and Data Visualization at Northern Virginia Community College. This enables him to continue exploring his technical interests among the endless managerial meetings. In his spare time, Ryan works to cross-pollinate network security, GIS, and data visualization. He is considered a leading expert in geospatial intrusion detection techniques and has spoken at several conferences on the topic, most notably DEFCON 16. Ryan participated as a RedTeamer in the first annual Collegiate Cyber Defense Competition (CCDC) and now fields a team of students in the annual event. Ryan has been a senior security consultant for several government agencies before transitioning over to the private sector. In 2005, Ryan received his masters of science degree in computer science from George Washington University where he developed his first geospatial intrusion detection tool.

Excerpt. © Reprinted by permission. All rights reserved.

Practical Intrusion Analysis


This book was developed to help fill multiple gaps in practical intrusion detection within a single cover-to-cover publication. Traditionally, intrusion detection books concentrate on narrow subject matter that focuses on vendor-specific information, like Snort or Cisco MARS, Intrusion Detection System (IDS) installation, and sensor placement or signature writing. This book incorporates the essential core knowledge needed to understand the IDS, but it also expands the subject matter to other relevant areas of intrusion interest, such as NetFlow, wireless IDS/Intrusion Prevention System (IPS), physical security, and geospatial intrusion detection. Don’t get me wrong: the previously mentioned books are the foundation of my security knowledge, but as the industry matures to include various facets of incursion, its books should incorporate those facets into a single publication so security aficionados don’t have to fracture their attention across so many titles.

Who Should Read This Book

This book’s audience is any and all security practitioners, whether you’re an entry-level security analyst, a chief security officer, or even a prospective college student researching a career in network security. Not every chapter provides a silver-bullet solution that protects your company from every well-versed attacker. But, as you peel back the onion layers, you find a combination of security defenses that help ensure your company’s security posture and out-endure even the most motivated attacker(s).

How to Read This Book

Although, at first glance, the chapters might seem independent, a structure guides you from the first few chapters, which provide a fundamental foundation (including Chapter 1, “Network Overview,” and Chapter 2, “Infrastructure Monitoring”), to more advanced chapters. You are introduced to new intrusion detection strategies consisting of wireless IDS/IPS, network behavioral analysis (NBA), the convergence of physical and logical security, and geospatial intrusion detection. Several traditional chapters explore new approaches, including ones that cover IDSs, vulnerability signature dissection, and Web application firewalls.

I was lucky enough to have several knowledgeable friends that, with some begging and pleading, agreed to include their extensive security insight, experience, and opinions. I avoid duplicating materials presented in other books because I want to fill the gaps of current security initiatives and/or explore the arena of new concepts and strategies.

How This Book Is Organized

This book follows a compartmentalized organization because each chapter focuses on specific technologies. The beginning of this book introduces basic networking terminology, and it transitions into overviewing intrusion detection, which caters to the InfoSec newbies and finally dives into more sophisticated and advanced intrusion defenses. Here is a brief description of each chapter:

  • Chapter 1, “Network Overview,” focuses on basic network structure and briefly explains the anatomy of TCP/IP and OSI. Most IT-related books must include some introductory chapter to either define the foundation of the technology or refresh readers that might not deal with it in their daily lives; this book is no different. It is not meant to be an in-depth analysis, but it eases you into the more sophisticated work to come.
  • Chapter 2, “Infrastructure Monitoring,” explores some common network security practices, including vulnerability assessments, packet sniffing, IDS, file integrity checking, password auditing, wireless toolkits, exploitation toolkits, and network reconnaissance tools. Network security heavily relies on the tools used to “see” the traffic. However, as the chapter title indicates, a majority of this chapter concentrates on mainstream monitoring capabilities and the never-ending battle between using a tap or SPAN for monitoring purposes.
  • Chapter 3, “Intrusion Detection Systems,” provides you with insight into the IDS industry by introducing fundamental concepts and then progressively jumping into more complex topics, including evasion techniques, signature dissection, and a look into the Snort and BRO IDSs, while simultaneously providing as little duplication of previous material as possible. Most IDS books written in the past focus solely on Snort, snort.conf (Snort’s configuration file), and the signature syntax. However, few publications truly clarify the distinction between writing a signature looking for an exploit versus writing a signature identifying a system’s vulnerability. Finally, the chapter ends with an assessment of two open source systems, Snort and Bro, which take different approaches to intrusion detection.
  • Chapter 4, “Lifecycle of a Vulnerability,” steps you through the natural evolution of a vulnerability, from discovering the vulnerability, to capturing the packet stream, to analyzing the malicious content within the packet, and writing an efficient Snort signature to alert on it. It does all this, while simultaneously exposing you to a small subset of necessary tools to help you in your quest. The examples escalate in complexity and are specifically chosen to reflect relatively recent events, because they were all released within the past few months. For newcomers, the analysis of a packet might appear overwhelming and tedious, but if you segment it and step through the packet capture packet-by-packet, the process starts to fall into place. For the already skilled signature writers, the advanced examples, which use flowbits, PCRE, and newly shared object rules, shed some light on the thought process and technique that the Sourcefire VRT team uses.
  • Chapter 5, “Proactive Intrusion Prevention and Response via Attack Graphs,” examines proactive methods of attack risk reduction and response through attack graphs. Administrators and security analysts are overwhelmed by constant outside threats, complexity of security measures, and network growth. Today’s status quo for network defense is often reduced to mere triage and post-mortem remediation. The attack graphs map potential paths of vulnerability through a network, showing exactly how attackers might penetrate a network. Attack graph analysis identifies critical vulnerabilities and provides strategies for protecting critical network assets. But, because of operational realities, vulnerability paths often remain. In such cases, attack graphs provide an ideal methodology for planning appropriate attack responses. This includes optimal placement of intrusion detection sensors, correlating intrusion alarms, accounting for missed detections, prioritizing alarms, and predicting the next possible attack steps.
  • Chapter 6, “Network Flows and Anomaly Detection,” explores the topic of network flow data: its collection for network security analysis and, specifically, an emerging field called Network Behavior Analysis (NBA). First, this chapter explores flow technology and analyzes the different flow formats: their characteristics, respective datasets, and key fields. It discusses how network flow deployments affect device performance and statistical sampling and then introduces possible data flow collection strategies. Although traditional IDS/IPS technologies are still an environment staple, they are blind to specific attacks, whereas NBA fills those gaps and perfectly complements them because it excels at immediately detecting polymorphic worms, zero-day exploits, and botnet denial of service (DoS) attacks. Whereas IDS and packet sniffing software are microanalytical tools that examine packet contents, data flow is a macroanalytical mechanism that characterizes large volumes of traffic in real time.
  • Chapter 7, “Web Application Firewalls,” exposes you to the terms, theories, advantages, and disadvantages of the Web Application Firewall (WAF), which is quickly becoming a solution of choice for companies who operate mission-critical Web sites. With the explosion of the Internet, an entire new family of attack vectors has been created that redefine the traditional concept of a threat. Whether it is the database server, Web server or even the visitors of the targeted site, these threats are often embedded in seemingly innocent traffic that many IDSs do not have the power or capability to detect.
  • Chapter 8, “Wireless IDS/IPS.” For the most part, intrusion detection focuses on the data passing from point A to point B. However, this is a limited view of data transmission, because it fails to consider the physical properties of the transmission process. Thanks to wireless networking, data no longer has to exist as electronic pulses on a wire, but can now live as radio waves in the air. Unfortunately, this means traditional IDS solutions are no longer qualified to fully protect this information, if only because they cannot interpret RF energy. In this chapter, you gain an understanding of the issues related to wireless security, the shortcomings of the network-based IDS, and the options available to those who want to keep a close eye on their wireless traffic.
  • Chapter 9, “Physical Intrusion Detection for IT,” gets IT security staffs thinking about how intrusion detection efforts can be bolstered by converging with the physical security team. This chapter includes an overview of physical security technologies to help IT security personnel understan...


Customer Reviews

I highly recommend this book for all Security Analysts and anyone who oversees security operations.
Jeyaprakash Kopula
The author undertook a sizable endeavor as each of those chapter topics could arguably have entire books written about them.
Tom Haskins
This book is not really a book: it is a collection of papers about security and intrusion detection.
Dr Anton Chuvakin

Most Helpful Customer Reviews

Review by Richard Bejtlich, July 11, 2009 (Format: Paperback; 19 of 20 people found the following review helpful)
I must start this review by stating the lead author lists me in the Acknowledgments and elsewhere in the book, which I appreciate. I also did consulting work years ago for the lead author's company, and I know the lead author to be a good guy with a unique eye for applying geography to network security data. Addison-Wesley provided me a review copy.

I did not participate in the writing process for Practical Intrusion Analysis (PIA), but after reading it I think I know how it unfolded. The lead author had enough material to write his two main sections: ch 10, Geospatial Intrusion Detection, and ch 11, Visual Data Communications. He realized he couldn't publish a 115-page book, so he enlisted five contributing authors who wrote chapters on loosely related security topics. Finally the lead author wrote two introductory sections: ch 1, Network Overview, and ch 2, Infrastructure Monitoring. This publication-by-amalgamation method seldom yields coherent or helpful material, despite the superior production efforts of a company like Addison-Wesley. To put a point on PIA's trouble, there's only a single intrusion analyzed in the book, and it's in the lead author's core section. The end result is a book you can skip, although it would be good for chapters 4 and 10 to be published separately as digital "Short Cuts" on InformIT.

Chapters 1 and 2 are not needed. Anyone who needs to learn about networking can read a basic book already published. Ch 2 does mention that 802.1AE (if ever implemented) will hamper network traffic inspection, but you could read that online.

Ch 3 is odd because it begins by mentioning well-worn methods to evade network detection, followed by a discussion of the merits of Snort vs Bro.
Review by Dr Anton Chuvakin, September 30, 2009 (Format: Paperback; 4 of 4 people found the following review helpful)
This book is not really a book: it is a collection of papers about security and intrusion detection. The book bears unfortunate, but noticeable signs of being written by multiple people who didn't talk to each other much.

I just finished reading the book and I can say I enjoyed it. It does have interesting ideas peppered in some places. Overall presentation consistency, however, is not lacking - it is absent. Also, the book is not terribly practical if you define practice as "protection of systems and networks from attacks." Many chapters are shallow and give the impression of being added to get the book to the 450-page threshold.

So, some chapters are fun and insightful ("Geospatial ID", "Physical IDS", the sections on signature tuning), some are funny (example: one chapter talks about SIEM, SIM and SEM, but errs about what "M" in those stands for... seriously!) and some are sad (example: the one that mentions IDMEF), while others are very shallow ("Wireless IDS/IPS"). The chapter on ROI made me fall under my desk; I experienced an actual, literal ROFL.

Here are some of the highlights. Ch3 has a lot of useful Bro NIDS tips; if you have never used Bro in production, give it a try. In Ch4, I liked the vulnerability-based signature definition workflow, which takes into account sig performance tuning. Ch5 was written by an academic, who doesn't get out much; it works great if you want to really know what the word "befuddled" means (it also mentioned IDMEF for extra punch :-)). Ch6 is fine if you never dealt with network flows; not a bad intro. Ch7 is a very shallow intro to web application firewalls, while ch8 is the same for wireless IDS/IPS. Ch9 deals with physical security and I loved it; such information rarely shows up in IT books and it was great to learn it.
Review by saiello, October 1, 2011 (Format: Paperback; Verified Purchase; 3 of 3 people found the following review helpful)
So I've read the other reviews, and the complaints people have cited when only giving the book a 3 of 5 star review.

To give you a background I have been a network admin for over a decade, and understand both networking and server side operations. I am also a graduate student studying Info. Sec, so while I'm by no means a security expert I'm not a slouch when it comes to IT. That being said...

I didn't find the book fragmented in any way; in fact, I feel the opening chapters about the OSI & TCP/IP models were a welcome addition, as most server admins don't have a strong grasp of these topics. I appreciate the information about the structure of IP packets, as this is a very important concept when you start to seriously dig into exploitation. How can you properly fragment your packets to avoid IDS systems if you don't know the proper structure of an IP packet to begin with?

Beyond this, the section on IDSs was EXACTLY what I was looking for! Many people have heard of or use Snort, but I like how the book explained how to deconstruct Snort rules. If you understand what rules are looking for as a pen-tester, then you can craft your packets to slip right by these rules. The examples of URI encoding and why it is hard to properly write Snort rules were eye opening, and I was instantly able to make the connection why PROPER web application security via SQL injection is a science on its own.

Chapter 4 covers the life cycle of a vulnerability and how to deconstruct exploits so that you can see exactly what they are doing, which is something that many security engineers are expected to do in today's work environment.