[techbooks] REVIEW: "Intrusion Detection", Edward G. Amoroso
- BKINTDET.RVW 990423
"Intrusion Detection", Edward G. Amoroso, 1999, 0-9666700-7-8, U$49.95
%A Edward G. Amoroso eamoroso@...
%C P. O. Box 78, Sparta, NJ 07871
%I Intrusion.Net Books
%O U$49.95 973-448-1866 fax: 973-448-1868 order@...
%P 218 p.
%T "Intrusion Detection"
This is not (very much not) to be confused with the identically named,
and almost equally recent, book by Escamilla (cf. BKINTRDT.RVW).
Where Escamilla's is basically a large brochure for various commercial
systems, Amoroso has specifically chosen to avoid products,
concentrating on concepts, and not a few technical details. The text
is based on material for an advanced course in intrusion detection,
but is intended for administrators and system designers with a
security job to do.
Chapter one, after demonstrating that the term means different things
to different people, gives us an excellent, practical, real world
definition of intrusion detection. This is used as the basis for an
examination of essential components and issues to be dealt with as the
book proceeds. Five different processes for detecting intrusions are
discussed in chapter two. Each method spawns a number of "case
studies," which, for Amoroso, means looking at how specific tools can
be used. (This style is far more useful than the normal business case
studies that are long on who did what and very short on how.)
Intrusion detection architecture is reviewed in chapter three,
enlarging the conceptual model to produce an overall system. Chapter
four defines intrusions in a way that may seem strange, until you
realize that it is a very functional description for building
detection rules. The problem of determining identity on a TCP/IP
internetwork is discussed in chapter five, but while the topic is
relevant to intrusion detection, few answers are presented.
Correlating events is examined in chapter six. Chapter seven looks at
setting traps, primarily from and information gathering perspective.
The book ends with a look at response in chapter eight.
The bibliography is, for once, annotated. While I do not always agree
with Amoroso's assessments; I think he tends to give the benefit of
the doubt to some who primarily deliver sensation; the materials are
generally high quality resources from the field. Books and online
texts are included, although the emphasis is on journal articles and
The content is readable and, although it seems odd to use the word in
relation to a security work, even fun. I suppose, though, that I must
point out that your humble "worst copy editor in the entire world"
reviewer found a significant number of typographic errors. (And some
that can't be put down to typos: I think you'll find that it's
"berferd" rather than "berford.")
This book works on a great many levels. It provides an overall
framework for thinking about security. It thoroughly explains the
concepts behind intrusion detection. And it gives you some very
practical and useful advice for system protection for a variety of
operating systems and using a number of tools. I can recommend this
to anyone interested in security, with the only proviso being that you
are going to get the most out of it if you are, indeed, responsible
for designing network protection.
copyright Robert M. Slade, 1999 BKINTDET.RVW 990423
====================== (quote inserted randomly by Pegasus Mailer)
rslade@... rslade@... slade@... p1@...
On the other hand, you have different fingers.
http://victoria.tc.ca/techrev or http://sun.soci.niu.edu/~rslade
eGroups.com home: http://www.egroups.com/group/techbooks
http://www.egroups.com - Simplifying group communications