基于数据分析的网络安全-(影印版)

prefacepartⅰ.data1.sensors and detectors： an introduction  vantages： how sensor placement affects data collection  domains： determining data that can be collected  actions： what a sensor does with data  conclusion2.network sensors  network layering and its impact on instrumentation  network layers and vantage  network layers and addressing  packet data  packet and frame formats  rolling buffers  limiting the data captured from each packet  filtering specific types of packets  what iflt's not ethernet？  netflow  netflow v5 formats and fields  netflow generation and collection  further reading3.host and service sensors： logging traffic at the source  accessing and manipulating logfiles  the contents of logfiles  the characteristics of a good log message  existing logflles and how to manipulate them  representative logflle formats  http： clf and elf  smtp  microsoft exchange： message tracking logs  logfile transport： transfers，syslog，and message queues  transfer and logfrle rotation  syslog  further reading4.data storage for analysis： relational databases，big data，and other options  log data and the crud paradigm  creating a well—organized flat file system： lessons from silk  a brieflntroduction to nosql systems  what storage approach to use  storage hierarchy，query times，and agingpartⅱ.tools5.the silk suite  what is silk and how does it work？  acquiring and installing silk  the datafiles  choosing and formatting output field manipulation： rwcut  basic field manipulation： rwfrlter  ports and protocols  size  ip addresses  time  tcp options  helper options  miscellaneous filtering options and some hacks  rwfileinfo and provenance  combining information flows： rwcount  rwset and ip sets  rwuniq  rwbag  advanced silk faalities  pmaps  collecting silk data  yaf  rwptoflow  rwtuc  further reading6.an introduction to r for security analysts  installation and setup  basics of the language  the r prompt  r variables  writing functions  conditionals and iteration  using the r workspace  data frames  visualization  visualization commands  parameters to visualization  annotating a visualization  exportingvisualization  analysis： statistical hypothesis testing  hypothesis testing  testing data  further reading7.classification and event tools： ids，av，and sem  how an ids works  basic vocabulary  classifler failure rates： understanding the base—rate fallacy  applying classification  improving ids performance  enhancing ids detection  enhanang ids response  prefetching data  further reading8.reference and lookup： tools for figuring out who someone ls  mac and hardware addresses  ip addressing  ipv4 addresses，theu structure，and significant addresses  ipv6 addresses，their structure and significant addresses  checking connectivity： using ping to connect to an address  tracerouting  ip intelligence： geolocation and demographics  dns  dns name structure  forward dns querying using dig  the dns reverse lookup  using whois to find ownership  additional reference tools  dnsbls9.more tools  visualization  graphviz  communications and probing  netcat  nmap  scapy  packet inspection and reference  wireshark  geoip  the nvd，malware sites，and the c*es  search engines，mailing lists，and people  further readingpartⅲ.analytics10.exploratory data analysis and visualization  the goal of eda： applying analysis  eda workflow  variables and visualization  univariate visualization： histograms，qq plots，boxplots，and rank plots  histograms  bar plots（not pie charts）  the quantile—quantile（qq）plot  the five—number summary and the boxplot  generating a boxplot  bivariate description  scatterplots  contingency tables  multivariate visualization  operationalizing security visualization  further reading11.on fumbling  attack models  fumbling： misconfiguration，automation，and scanning  lookup failures  automation  scanning  identifying fumbling  tcp fumbling： the state machine  icmp messages and fumbling  identifying udp fumbling  fumbling at the service level  http fumbli