Interpreting Network Traffic: A Network Intrusion Detector's Look at Suspicious Events
The purpose of this paper is to discuss interpretations of selected network traffic events from the viewpoint of a network intrusion detection analyst. (I define an "event" as any TCP/IP-based network traffic which prompts an analyst to investigate further. Generally, a suspicion that traffic has an abnormal or malicious character should prompt a closer look.) I assume the analyst has no knowledge of the source of the event outside of the data collected by his network-based intrusion detection system (NIDS) or firewall logs. I do not concentrate on the method by which these events are collected, but I assume it is possible to obtain data in TCPDump format. Using this standard allows a consistent presentation and interpretation of network traffic.