Practical Intrusion Analysis and over 2 million other books are available for Amazon Kindle . Learn more
FREE Delivery in the UK.
Only 2 left in stock (more on the way).
Dispatched from and sold by Amazon.
Gift-wrap available.
Practical Intrusion Analy... has been added to your Basket
Condition: Used: Good
Comment: Small mark / wear on the front cover. Medium cut / scratch on the back cover. Small wrinkle / bend on the spine. Medium wrinkle / bend on the pages. All purchases eligible for Amazon customer service and a 30-day return policy.
Trade in your item
Get a £0.55
Gift Card.
Have one to sell?
Flip to back Flip to front
Listen Playing... Paused   You're listening to a sample of the Audible audio edition.
Learn more
See all 2 images

Practical Intrusion Analysis: Prevention and Detection for the Twenty-First Century Paperback – 24 Jun 2009

2 customer reviews

See all 2 formats and editions Hide other formats and editions
Amazon Price New from Used from
Kindle Edition
"Please retry"
"Please retry"
£27.60 £5.84
£36.99 FREE Delivery in the UK. Only 2 left in stock (more on the way). Dispatched from and sold by Amazon. Gift-wrap available.

Special Offers and Product Promotions

  • Win a £5,000 Gift Card for your child's school by voting for their favourite book. Learn more.
  • Prepare for the summer with our pick of the best selection for children (ages 0 - 12) across

Win a £5,000 Gift Card and 30 Kindle E-readers for your child or pupil's school.
Vote for your child or pupil(s) favourite book(s) here to be in with a chance to win.

Product details

  • Paperback: 480 pages
  • Publisher: Addison Wesley; 1 edition (24 Jun. 2009)
  • Language: English
  • ISBN-10: 0321591801
  • ISBN-13: 978-0321591807
  • Product Dimensions: 17.5 x 2.8 x 22.9 cm
  • Average Customer Review: 4.0 out of 5 stars  See all reviews (2 customer reviews)
  • Amazon Bestsellers Rank: 1,218,145 in Books (See Top 100 in Books)
  • See Complete Table of Contents

More About the Author

Discover books, learn about writers, and more.

Product Description

From the Back Cover

Practical Intrusion Analysis provides a solid fundamental overview of the art and science of intrusion analysis.”

   –Nate Miller, Cofounder, Stratum Security


The Only Definitive Guide to New State-of-the-Art Techniques in Intrusion Detection and Prevention


Recently, powerful innovations in intrusion detection and prevention have evolved in response to emerging threats and changing business environments. However, security practitioners have found little reliable, usable information about these new IDS/IPS technologies. In Practical Intrusion Analysis, one of the field’s leading experts brings together these innovations for the first time and demonstrates how they can be used to analyze attacks, mitigate damage, and track attackers.


Ryan Trost reviews the fundamental techniques and business drivers of intrusion detection and prevention by analyzing today’s new vulnerabilities and attack vectors. Next, he presents complete explanations of powerful new IDS/IPS methodologies based on Network Behavioral Analysis (NBA), data visualization, geospatial analysis, and more.


Writing for security practitioners and managers at all experience levels, Trost introduces new solutions for virtually every environment. Coverage includes


  • Assessing the strengths and limitations of mainstream monitoring tools and IDS technologies
  • Using Attack Graphs to map paths of network vulnerability and becoming more proactive about preventing intrusions
  • Analyzing network behavior to immediately detect polymorphic worms, zero-day exploits, and botnet DoS attacks
  • Understanding the theory, advantages, and disadvantages of the latest Web Application Firewalls
  • Implementing IDS/IPS systems that protect wireless data traffic
  • Enhancing your intrusion detection efforts by converging with physical security defenses
  • Identifying attackers’ “geographical fingerprints” and using that information to respond more effectively
  • Visualizing data traffic to identify suspicious patterns more quickly
  • Revisiting intrusion detection ROI in light of new threats, compliance risks, and technical alternatives


Includes contributions from these leading network security experts:


Jeff Forristal, a.k.a. Rain Forest Puppy, senior security professional and creator of libwhisker

Seth Fogie, CEO, Airscanner USA; leading-edge mobile security researcher; coauthor of Security Warrior


Dr. Sushil Jajodia, Director, Center for Secure Information Systems; founding Editor-in-Chief, Journal of Computer Security


Dr. Steven Noel, Associate Director and Senior Research Scientist, Center for Secure Information Systems, George Mason University


Alex Kirk, Member, Sourcefire Vulnerability Research Team


About the Author

Ryan Trost is the Director of Security and Data Privacy Officer at Comprehensive Health Services where he oversees all the organization’s security and privacy decisions. He teaches several Information Technology courses, including Ethical Hacking, Intrusion Detection, and Data Visualization at Northern Virginia Community College. This enables him to continue exploring his technical interests among the endless managerial meetings. In his spare time, Ryan works to cross-pollinate network security, GIS, and data visualization. He is considered a leading expert in geospatial intrusion detection techniques and has spoken at several conferences on the topic, most notably DEFCON 16. Ryan participated as a RedTeamer in the first annual Collegiate Cyber Defense Competition (CCDC) and now fields a team of students in the annual event. Ryan has been a senior security consultant for several government agencies before transitioning over to the private sector. In 2005, Ryan received his masters of science degree in computer science from George Washington University where he developed his first geospatial intrusion detection tool.

Inside This Book

(Learn More)
Browse Sample Pages
Front Cover | Copyright | Table of Contents | Excerpt | Index | Back Cover
Search inside this book:

Customer Reviews

4.0 out of 5 stars
5 star
4 star
3 star
2 star
1 star
See both customer reviews
Share your thoughts with other customers

Most Helpful Customer Reviews

Format: Paperback
Trost offers this exciting book on intrusion detection promising to `fill multiple gaps' in the technical knowledge on this area. The author, along with other security experts, covers a range of topics, some of which reflect on the state of the art in network security, including the use of attack graphs to systematically analyse network vulnerabilities (chapter 5) and geospatial intrusion detection techniques (chapter 10).

The first three chapters offer an introduction to the general area of intrusion detection. This is useful for those who are new to the area; however, some of this could easily have been done away with (particularly sections on TCP/IP in chapter 1). Chapter 4 follows the cycle of dealing with a vulnerability from inception to end. I find the section on capturing the tracer of exploit packets very useful. This is followed by writing a signature and then tuning it for performance. Chapter 5 presents the attack graph approach to IDS sensor placement and attack prediction.

Chapters 6 to 9 look at network flow data, web application firewalls, wireless IDS and physical security aspects. While a lot of this is covered in many other books, some of the readers may find topics on wireless security (chapter 8) of interest.

Chapter 10 is the hidden gem in this book: it focuses on the use of geographical information systems (GIS) for the purposes of network security. The chapter is a thorough introduction to the topic and covers a huge number of relevant GIS concepts in detail. The chapter ends in a case study where the readers are offered a step-by-step approach at how a professional attack can be detected. Chapter 11 covers the visualisation techniques to help with reporting and detection for IDS. I found these two chapters to be of most interest.
Read more ›
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again
By TheFlyingman on 25 Mar. 2012
Format: Paperback Verified Purchase
I am currently writing thesis on IDS/IPS systems and this book showed me some new topics I have not heard of before and some new information for me(geolocation in IDS/IPS, wireless IDS/IPS). It is also written so everyone can understand quite easily, no speacial skills are needed to understand the contents.
Comment Was this review helpful to you? Yes No Sending feedback...
Thank you for your feedback. If this review is inappropriate, please let us know.
Sorry, we failed to record your vote. Please try again

Most Helpful Customer Reviews on (beta) 14 reviews
21 of 22 people found the following review helpful
Disjointed collection of chapters that doesn't practically analyze any intrusions 11 July 2009
By Richard Bejtlich - Published on
Format: Paperback
I must start this review by stating the lead author lists me in the Acknowledgments and elsewhere in the book, which I appreciate. I also did consulting work years ago for the lead author's company, and I know the lead author to be a good guy with a unique eye for applying geography to network security data. Addison-Wesley provided me a review copy.

I did not participate in the writing process for Practical Intrusion Analysis (PIA), but after reading it I think I know how it unfolded. The lead author had enough material to write his two main sections: ch 10, Geospatial Intrusion Detection, and ch 11, Visual Data Communications. He realized he couldn't publish a 115-page book, so he enlisted five contributing authors who wrote chapters on loosely related security topics. Finally the lead author wrote two introductory sections: ch 1, Network Overview, and ch 2, Infrastructure Monitoring. This publication-by-amalgamation method seldom yields coherent or helpful material, despite the superior production efforts of a company like Addison-Wesley. To put a point on PIA's trouble, there's only a single intrusion analyzed in the book, and it's in the lead author's core section. The end result is a book you can skip, although it would be good for chapters 4 and 10 to be published separately as digital "Short Cuts" on InformIT.

Chapters 1 and 2 are not needed. Anyone who needs to learn about networking can read a basic book already published. Ch 2 does mention that 802.1AE (if ever implemented) will hamper network traffic inspection, but you could read that online.

Ch 3 is odd because it begins by mentioning well-worn methods to evade network detection, followed by a discussion of the merits of Snort vs Bro. Someone who had to read the material in chapters 1 and 2 is not going to understand the Snort discussion, especially when it mentions byte_test, depth, regex, http_inspect, uricontent, Structured Exception Handlers, and 16 line Snort signatures. I liked seeing Bro mentioned, but the people who are going to be able to follow the sample Bro policy scripts on pages 75-78 are not the ones reading this book.

Ch 4 outlines several examples of writing signatures for Snort. This section is actually interesting, but you have to know Snort and certain advanced topics pretty well to get value from this section. Readers need to compensate for the far-too-small screenshots and lack of supporting details while reading the examples. Readers also need to figure out what the author is doing, such as when he sets up a client-side exploit against FlashGet by starting a malicious FTP server with By the second example he's dropping warnings like "Had Core's advisory told you from where the size of the call to memcpy was coming, you might have to refine the signature to check for the appropriate behavior; unfortunately, the disassembly left out that argument:" [cue the ASM]. The bottom line with this chapter is this: know your audience, and write for them -- not your buddies. People who can follow contributions like this "at line speed" aren't going to read this book.

By ch 5 the "practical" aspect of this book has been left behind, with a discussion of "proactive intrusion prevention and response via attack graphs, which is really an academically-derived discussion of "topological vulnerability analysis." No one does this in the operational world, and no one will. Pages 143-144 talk about IDMEF, even though that specification died years ago. (There is still an independently-maintained -- as of Feb 09 -- Snort-IDMEF plugin. I don't know anyone in industry using it.)

Ch 6 is a generic overview of using network flows. The only new material is less than a page on IPFIX, which is just a table comparing that newer format with NetFlow. Ch 7 is called "Web Application Firewalls," but it's just an overview. Read Ivan Ristic's Apache Security or Ryan Barnett's Preventing Web Attacks with Apache if you want to know this topic. Ch 7 is titled "Wireless IDS/IPS," which is an even shallower overview than the previous topic. In none of these chapters do we have anything practical nor any intrusions analyzed. Ch 9 discusses physical security, but I didn't think it fit with the intended theme for the book.

I thought chapter 10 was interesting. Geospatial and visualization techniques do have a role in many operations, and ch 10 had the only example of an intrusion analysis. Unfortunately I don't think readers could take ch 10 and implement their own operational system. Ch 11 seemed irrelevant in light of the excellent visualization books by Raffy Marty and Greg Conti.

The book finishes with ch 12, Return on Investment: Business Justification. It was totally unnecessary: cite some regulations, list some breach costs, then compare ROI, NPV, and IRR. Talk a little about MSSPs and cyber liability insurance, then end. If you really want the best discussion of security costs, read Managing Cybersecurity Resources by Gordon and Loeb.

The subtitle for PIA is "Prevention and Detection for the Twenty-First Century." Readers will not find that in PIA. The lead author started with a kernel of a good idea, but the end result does not deliver enough real value to to readers. The lead author's material, and the chapter on Snort signature writing, could have been published as digital Short Cuts, or including in a compendium of chapters in a "survey" book. If you want to read a book intrusion analysis, you're more likely to be satisfied reading a book on intrusion forensics.
4 of 4 people found the following review helpful
Some good ideas, no consistency 1 Oct. 2009
By Dr Anton Chuvakin - Published on
Format: Paperback
This book is not really a book: it is a collection of papers about security and intrusion detection. The book bears unfortunate, but noticeable signs of being written by multiple people who didn't talk to each other much.

I just finished reading the book and I can say I enjoyed it. It does have interesting ideas peppered in some places. Overall presentation consistency, however, is not lacking - it is absent. Also, the book is not terribly practical if you define practice as "protection of systems and networks from attacks." Many chapters are shallow and make the impression of being added to get the book to 450 pages threshold.

So, some chapters are fun and insightful ("Geospatial ID", "Physical IDS", the sections on signature tuning), some are funny (example: one chapter talks about SIEM, SIM and SEM, but errs about what "M" in those stands for... seriously!) and some are sad (example: the one that mentions IDMEF), while others are very shallow ("Wireless IDS/IPS"). The chapter on ROI made me fall under my desk; I experience an actual literal ROFL.

Here are some of the highlights. Ch3 has a lot of useful Bro NIDS tips; if you have never used Bro in production, give it a try. In Ch4, I liked vulnerability-based signature definition worklfow, which takes into account sig performance tuning. Ch5 was written by an academic, who doesn't get out much; if works great if you want to really know what the word "befuddled" means (it also mentioned IDMEF for extra punch :-)) Ch6 is fine if you never dealt with network flows; not a bad intro. Ch7 is a very shallow intro to web application firewalls, while ch8 is the same for wireless IDS/IPS. Ch9 deals with physical security and I loved; such information rarely shows in IT books and it was great to learn it. Ch10 that deals with geospatial intrusion detection is another good one; the approach looks a bit weird (example: all events with the sources address close to a company facility are considered "false positives"...). Ch 11 on visualization mentions all the right books on the subject, but then chooses to makes itself a bad comparison to them.

Now, ch12 ("Return on Investment: Business Justification") is pure freakshow; I have not laughed that hard for a few months a least. After I had a chance to think about, I realized that maybe it was intended for humorous relief since it is the last chapter. In any case, the work computes the precise ROI for any IDS system like this: ALE = SBE x ARO = $517,580...

Overall, if you want a moderately interesting security read with some good ideas, get it. If you are looking for information on practical intrusion analysis in whatever century, skip it.

Finally, Addison-Wesley provided me with a review copy.
2 of 2 people found the following review helpful
A great book on a growing subject! 19 Aug. 2009
By C. Irvin - Published on
Format: Paperback
When I first began reading Practical Intrusion Analysis by Ryan Trost, I was a little put-off. He begins the book with an overview of IP Addressing, subnetting, and packets. This is a touchy way to begin any book as you will either lose your audience if they are new to this subject, or annoy them if they are already familiar. Ryan was able to expand on this subject without going too far in to the weeds, and provide a backbone that makes the next chapters easier to understand.

The following chapters are the real meat of the book and I really got a lot out of them. Ryan covers the entire area of intrusion detection and prevention solutions from the end-point to geographic-based. I'd recommend this book to any IT Professional who deals with network security, as it helps simplify a fairly complicated subject.
1 of 1 people found the following review helpful
Modern Intrusion Analysis 4 Sept. 2009
By Jeyaprakash Kopula - Published on
Format: Paperback
My search for one book that gives me a bird's eye view of enterprise Intrusion detection and preventions systems process ends with this book. Any one who climbs up the ladder from different back ground in Information Security can easily understand the `ABCD' of Intrusion Prevention/Detection Analysis by reading this book. The author explained everything from the ground up. For e.g. when he writes about Network Intrusion Analysis, he started to explain from basic OSI reference model and TCP/IP model and goes on explaining how to capture data at various levels of the network.

This book starts with explaining how Enterprise IT infrastructure looks like and explained in brief what each technology mean for the reader. Another good outcome of reading this book is to understand the management aspect of handling Intrusion detection/ Prevention systems and process.

Let me briefly describe how this book is structured in terms of chapters and technology implementations. First the author went ahead and described two open source IDS/IPS platforms namely Snort and Bro. He then analyzed and compared (Apple to Orange) both tools to give us an idea which one is best. Obviously snort came out as winner. The reason quoted is that Bro is not a simple solution to implement. You have to define what is normal so that you can trigger abnormal if some intrusion happens. Second, Vulnerability lifecycle which describes how vulnerability goes through a cycle from detection to patching the systems. Other Chapters are arranged in this order to provide a holistic approach to Intrusion Analysis. Prevention techniques, Anomaly detection using NetFlows, Web APP Firewall techniques, Wireless IDS/IPS, Physical Intrusion Detection for IT, Geospatial Intrusion detection and finally ROI factors for business justification.

To the best of my knowledge the Snort/Bro type of implementations are merely secondary types in any enterprise security. Big IT organization today needs some one to take responsibility of the security vulnerability exposures. Hiring such a professional is costlier than paying support cost for maintaining Vendor products. But if you are really looking for crash course on IPS/IDS, I certainly recommend this book.

Advanced Examples given in Chapte 4, "Life Cycle of vulnerability" opens up a new horizon for Infosec professionals who are starting their career in network security. Author took diversified examples to attract all sorts of industry audience. For example SCADA is mostly used in process industries, Bitmap vulnerability targets PC users and DNS vulnerability targets Internet Industry. Author also provides some helpful tools and websites for your reference.

Analytical approach to proactive intrusion prevention and response is another favorite subject of mine. Author explains how an IT security analyst can use attack graphs to prevent any unforeseen incidents. Anomaly detection techniques using Network Flows are described in Chapter 6. Author weighed Multi-Vendor products which support Netflow technology is"must know" information.

Some of the important Chapter I liked was Web Application Firewall. Author goes on explaining various security models that one can apply according to their need and environment. Author also emphasizes on Physical intrusion detection that are mostly ignored in enterprise security. In analyzing ROI, author describes importance of cost/ benefit analysis and goes on explaining various mandatory compliance obligations to be taken in to consideration. He also introduced MSSP model and analysis the Pro's and Con's of outsourcing security operations. Finally, various insurance options are discussed in order to mitigate huge liability in case of any security breach.

Overall, the author covered the whole nine yards of Intrusion Prevention techniques. I highly recommend this book for all Security Analysts and anyone who oversees security operations. This book can also be a very good reference point for CISSP and CISM certifications. At the end, as network security professional, I would like to have this as one of the companion in my INFOSEC library.
1 of 1 people found the following review helpful
A Pleasure to Read!!! 14 July 2009
By Tom Haskins - Published on
Format: Paperback
The author undertook a sizable endeavor as each of those chapter topics could arguably have entire books written about them. A primary reason why I enjoyed the book is it introduced me to subject matter material I wouldn't have previously read (physical security and visualization!) I did, however, skip the first 3 chapters as I've been working in InfoSec for a lifetime and if I read another thing about Snort I'll start pwning my own servers -- but I do understand that IT books need to cater to the masses and are forced to include some level of elementary material.

The chapters bring to light many of the security industry's "popular" topics and provides an accurate fundamental understanding of the topic and some of the latest approaches. But if you're a SME on a certain topic, after reading that topic's chapter, it's likely you'll learn a couple new things but it's not going to provide a new life changing vantage point.

I picked up the book for the Geospatial chapter and the NetFlow chapter. The NetFlow chapter gave me a better understanding of the technology and answered why I've been hearing so much about "NetFlow is going to soon replace signature IDS". I can see the advantages of NetFlow but until a NetFlow product is as mainstream as the S word [Snort], I don't anticipate that will happen for a very long long time!

The Geospatial chapter is simply a refreshing new approach to a mature (worn) topic. Truthfully, I'm not 100% sold on the geolocation of alerts but I was swayed enough that I've since reached out to a friend at NGA to discuss further.

Overall, I really enjoyed the book!
Were these reviews helpful? Let us know

Look for similar items by category