Index
A
- actions
- active discovery, Using Active Vantage Data for Verification
- active domain, Data and Sensors in the Active Domain-Using Active Vantage Data for Verification
- active domain data
- Address Resolution Protocol (ARP), MAC and Hardware Addresses
- addressing, IP Addressing-IP Intelligence: Geolocation and Demographics
  - DNS lookup, DNS-DNS Blackhole Lists
  - identifying geolocation/demographics, IP Intelligence: Geolocation and Demographics-IP Intelligence: Geolocation and Demographics
  - IPv4 format, IPv4 Format and Addresses
  - IPv4 structure and function, IPv4 Addresses, Their Structure, and Significant Addresses-IPv4 Addresses, Their Structure, and Significant Addresses
  - IPv6 format, IPv6 Format and Addresses
  - IPv6 structure and function, IPv6 Addresses, Their Structure, and Significant Addresses
  - load balancing, Load balancing
  - MAC addresses, MAC Addresses
  - NAT, NAT-NAT
  - network layers and, Network Layers and Addressing-VPNs
  - on DHCP networks, DHCP
  - proxies, Proxies
  - validity challenges from middlebox network data, Validity Challenges from Middlebox Network Data-VPNs
  - VPNs, VPNs
- adjacency lists, Graph Attributes: What Is a Graph?
- administrative tools, as unpatchable vulnerabilities, Basic Assessment with nmap
- Akamai, Forward DNS Querying Using dig
- alarms
- alerts, analysts' capacity to process, Escalation Workflow
- All Pairs Shortest Paths (APSP), Labeling, Weight, and Paths
- analysis, text (see text analysis)
- analysts, tier classification, Escalation Workflow
- annotation data, Annotation
- annotation of visualizations, Rule five: Annotate with contextual information
- anomalies, labeling, Rule two: Label anomalies
- anomaly-based IDSs, Classifying IDSs, IDS as Classifier, Configuring Snort-Configuring Snort
- anonymization, rwrandomizeip
- Anonymous, DDoS and Routing Infrastructure
- Anscombe Quartet, Exploratory Data Analysis and Visualization
- antivirus (AV) systems, Other Data and Sensors: HIPS and AV, Application Identification by Subsidiary Site
- AOL, Packet and Frame Formats
- Apache, HTTP: CLF and ELF
- appliance-based generation, NetFlow Generation and Collection
- application banner (see banner)
- application identification, Application Identification-Web Client Banners: The User-Agent String
- Applied Security, IP Intelligence: Geolocation and Demographics
- APSP (All Pairs Shortest Paths), Labeling, Weight, and Paths
- archive data, Archive
- ArcSight, Syslog, Getting Data in One Place
- ARP (Address Resolution Protocol), MAC and Hardware Addresses
- ASCII, Unicode, UTF, and ASCII
- ASPack, Compression
- assessment, active domain data
- asymmetric traffic flow, Phase II: Examining the IP Space-Identifying asymmetric traffic
- asynchronous transfer mode (ATM), What If It’s Not Ethernet?
- attack models, An Overview of Attacker Behavior
- attacker
- attacks, threats vs., Data
- AV (antivirus) systems, Other Data and Sensors: HIPS and AV, Application Identification by Subsidiary Site
B
- backscatter, Unidirectional flow filtering-Unidirectional flow filtering
- bag tools, rwbag
- bag, defined, rwbag
- bandwidth exhaustion, DDoS, Flash Crowds, and Resource Exhaustion
- banner
- banner grabbing, Application Identification by Banner Grabbing-Application Identification by Banner Grabbing
- bar plots, Bar Plots (Not Pie Charts)
- base-rate fallacy, IDS as Classifier
- base64 encoding, Base64 encoding
- basic access authentication, HTTP Fumbling
- beaconing
- bell curve, Fit Tests: K-S and S-W
- Berkeley Packet Filter (BPF), Packet and Frame Formats-Filtering Specific Types of Packets
- betweenness (centrality metric), Labeling, Weight, and Paths
- BFS (breadth-first searches), Components and Connectivity, Using Breadth-First Searches Forensically
- BGP protocol, Finding network appliances
- binary classifiers, Data Collection via IDS
- bins, Histograms
- BitTorrent
- bivariate data, Bivariate Description-Scatterplots
- black-box systems
- blacklist services, Sendmail
- botnets, DDoS and Routing Infrastructure
- bots, as general-purpose software systems, Data
- boxplot (box-and-whiskers plot), The Five-Number Summary and the Boxplot-Generating a Boxplot
- BPF (Berkeley Packet Filter), Packet and Frame Formats-Filtering Specific Types of Packets
- breadth-first searches (BFS), Components and Connectivity, Using Breadth-First Searches Forensically
- Bro, Classifying IDSs
- broadcast address, IPv4 Addresses, Their Structure, and Significant Addresses
- buffer, rolling, Rolling Buffers
C
- cable cuts, DDoS and Routing Infrastructure
- cables, monitoring, Network Layers and Vantage
- CAN (controller area network), What If It’s Not Ethernet?
- canonical name (CNAME) records, Forward DNS Querying Using dig
- Carnegie Mellon University, NetFlow v9 and IPFIX, The SiLK Suite, Provenance of threat intelligence data
- categorical variables, Variables and Visualization
- ccTLDs (country code TLDs), DNS Name Structure
- CDN (content distribution network), Forward DNS Querying Using dig, The DNS Reverse Lookup
- CEF (Common Event Format), Syslog
- Censys, Scanning Repositories, Shodan et al, Dark ports and UDP fumbling
- centrality (graph attribute)
- CERT
- CERT Network Situational Awareness (NetSA) Group, NetFlow v9 and IPFIX, The SiLK Suite
- Childs, Terry, Insider Threat Versus Other Classes of Attacks
- Christmas tree packet, Unidirectional flow filtering
- CIDR (Classless Inter-Domain Routing), IPv4 Format and Addresses
- CIDR (Classless Inter-Domain Routing) block, IPv4 Addresses, Their Structure, and Significant Addresses
- Cisco Systems
- classifier, IDS as, IDS as Classifier-IDS as Classifier
- Classless Inter-Domain Routing (CIDR), IPv4 Format and Addresses
- Classless Inter-Domain Routing (CIDR) block, IPv4 Addresses, Their Structure, and Significant Addresses
- CLF (Common Log Format), Proxy Logs, HTTP: CLF and ELF
- client port, Port Number
- clients, identifying, Phase IV: Identifying Clients and Servers-Identifying servers
- closeness (centrality metric), Labeling, Weight, and Paths
- clustering coefficient, Clustering Coefficient-Clustering Coefficient
- clusters, in scatterplot, Scatterplots
- CNAME (canonical name) records, Forward DNS Querying Using dig
- Code Red worm, Configuring Snort
- collision domain, Network Layers and Vantage
- columnar databases, A Brief Introduction to NoSQL Systems
- columnar logfiles, Existing Logfiles and How to Manipulate Them-Existing Logfiles and How to Manipulate Them
- Combined Log Format, HTTP: CLF and ELF
- Common Event Format (CEF), Syslog
- Common Log Format (CLF), Proxy Logs, HTTP: CLF and ELF
- Common Platform Enumeration (CPE), Basic Assessment with nmap
- Common Vulnerability Enumeration (CVE), Basic Assessment with nmap
- component analysis, as alarm, Using Component Analysis as an Alarm-Using Component Analysis as an Alarm
- compression
- connected components (graph), Components and Connectivity
- construct validity, Validity and Action, Construct Validity
- construct, defined, Validity and Action
- content distribution network (CDN), Forward DNS Querying Using dig, The DNS Reverse Lookup
- contextual data, Rule five: Annotate with contextual information
- continuous variables, Variables and Visualization
- control sensor, Actions: What a Sensor Does with Data
- controller area network (CAN), What If It’s Not Ethernet?
- counting tools (rwuniq), rwuniq
- country code TLDs (ccTLDs), DNS Name Structure
- CPE (Common Platform Enumeration), Basic Assessment with nmap
- crawlers, HTTP Fumbling
- credential theft, Credential Theft
- CRUD (create, read, update, and delete), Log Data and the CRUD Paradigm-Log Data and the CRUD Paradigm
- cryptographic hashes, Filesystem
- cut tool, Splitting Along Delimiters
- CVE (Common Vulnerability Enumeration), Basic Assessment with nmap
D
- dark address/dark space, Discovery: ping, traceroute, netcat, and Half of nmap, Lookup Failures
- dark ports, Dark ports and UDP fumbling
- data
- data collection (SiLK tools for)
- data integrity, ensuring, Log Data and the CRUD Paradigm
- data organization, Organizing Data: Vantage, Domain, Action, and Validity-Attacker and Attack Issues
- data theft, File Transfers/Raiding-File Transfers/Raiding, Data Theft and Exfiltration
- databases
- DDoS attacks (see distributed denial of service attacks)
- defense construction, The Goal of EDA: Applying Analysis
- degree (centrality metric), Labeling, Weight, and Paths
- degree (of node), Graph Attributes: What Is a Graph?
- delimiters
- demographics, IP intelligence and, IP Intelligence: Geolocation and Demographics-IP Intelligence: Geolocation and Demographics
- depth-first search (DFS), Components and Connectivity
- destination MAC, Filtering Specific Types of Packets
- DHCP networks
  - addressing on, DHCP
  - and pain trinity, NAT
- dig (domain information groper)
- Digital Element, IP Intelligence: Geolocation and Demographics
- Dijkstra's algorithm, Labeling, Weight, and Paths
- directed link, Graph Attributes: What Is a Graph?
- directory services, LDAP and Directory Services, Historical Data: Commands and Logins
- discovery, Discovery: ping, traceroute, netcat, and Half of nmap-nmap Scanning for Discovery
- discrete variables, Variables and Visualization
- disruptible phenomena, Configuring Snort
- disruptions, visualization and, Rule one: Bound and partition your visualization to manage disruptions-Rule one: Bound and partition your visualization to manage disruptions
- distance metrics
- distributed denial of service (DDoS) attacks, DDoS, Flash Crowds, and Resource Exhaustion-DDoS and Routing Infrastructure
  - characteristics of, DDoS and Routing Infrastructure
  - false positives, DDoS and Routing Infrastructure
  - force multipliers, DDoS and Routing Infrastructure
  - mitigation, DDoS and Routing Infrastructure-DDoS and Routing Infrastructure
  - resource exhaustion, DDoS, Flash Crowds, and Resource Exhaustion
  - routing infrastructure and, DDoS and Routing Infrastructure-DDoS and Routing Infrastructure
  - tactics, DDoS, Flash Crowds, and Resource Exhaustion-DDoS and Routing Infrastructure
- DNS (domain name system), DNS-DNS Blackhole Lists
  - blackhole lists, DNS Blackhole Lists-DNS Blackhole Lists
  - finding ownership with whois, Using whois to Find Ownership-Using whois to Find Ownership
  - forward querying with dig, Forward DNS Querying Using dig-Forward DNS Querying Using dig
  - header fields, Forward DNS Querying Using dig
  - homoglyphs and, Homoglyphs
  - name structure, DNS Name Structure
  - NICs and domain name allocation, DNS Name Structure
  - NICs and name allocation, DNS Name Structure
  - reverse lookup, The DNS Reverse Lookup
  - round robin allocation, Forward DNS Querying Using dig
- DNS blackhole lists (DNSBLs), DNS Blackhole Lists-DNS Blackhole Lists
- DNS fumbling, DNS Fumbling
- domain, Organizing Data: Vantage, Domain, Action, and Validity-Domain
- domain name system (see DNS)
- domain names, fat-fingering and, Levenshtein Distance
- dotted quad format, IPv4 Format and Addresses, IP Addressing
- dropouts, Using Active Vantage Data for Verification
- Duronio, Roger, Insider Threat Versus Other Classes of Attacks
E
- ecological validity, Validity and Action
- EDA (see exploratory data analysis)
- EDA technique, EDA Workflow
- EIGRP protocol, Finding network appliances
- ELF (Extended Log Format), HTTP: CLF and ELF
- email
- embedded devices, Preface
- embedded systems, Basic Assessment with nmap
- Emerging Threats database, Types of threat intelligence data
- encryption
- entropy
- ephemeral port, Port Number
- ERE (extended syntax), Regular Expressions
- escalation workflow
- estimation (see fitting/estimation of data)
- Ethernet
- EUI (Extended Unique Identifier), MAC and Hardware Addresses
- Euler, Leonhard, Graph Attributes: What Is a Graph?
- event sensor, Actions: What a Sensor Does with Data
- Excel, Changes Between Editions
- Exchange (see Microsoft Exchange)
- executable compressors, Compression
- exploratory data analysis (EDA), Exploratory Data Analysis and Visualization-Fit Tests: K-S and S-W
  - bivariate description, Bivariate Description-Scatterplots
  - defined, Exploratory Data Analysis and Visualization
  - fitting and estimation, Fitting and Estimation-Fit Tests: K-S and S-W
  - goal of, The Goal of EDA: Applying Analysis
  - goodness of fit tests, Fit Tests: K-S and S-W-Fit Tests: K-S and S-W
  - multivariate visualization, Multivariate Visualization-Rule seven: When performing long jobs, give the user some status feedback
  - univariate visualization, Univariate Visualization-Generating a Boxplot
  - variables and visualization, Variables and Visualization
  - workflow, EDA Workflow
- Extended Log Format (ELF), HTTP: CLF and ELF
- extended syntax (ERE), Regular Expressions
- Extended Unique Identifier (EUI), MAC and Hardware Addresses
- external validity
F
- false negatives
- false positives
- fat-fingering, Levenshtein Distance, HTTP Fumbling
- Fibre Channel, What If It’s Not Ethernet?
- file transfers/raiding, File Transfers/Raiding-File Transfers/Raiding
- filesystem monitoring, Filesystem-Filesystem
- filtering
- fitting/estimation of data, Fitting and Estimation-Fit Tests: K-S and S-W
- five-number summary, The Five-Number Summary and the Boxplot-Generating a Boxplot
- flags, fumbling detection and, Unidirectional flow filtering
- flash crowds, DDoS and Routing Infrastructure
- flow
- flow filtering, unidirectional, Unidirectional flow filtering-Unidirectional flow filtering
- forensic analysis
- forensic workflow, Operational Workflows, Forensic Workflow
- frequency (histogram element), Histograms
- fumbling behaviors, On Fumbling-Engineering a Network to Take Advantage of Fumbling
  - alarms for, Building Fumbling Alarms
  - automated systems, Automation
  - defined, Fumbling: Misconfiguration, Automation, and Scanning
  - detecting and analyzing, Detecting and Analyzing Fumbling-Engineering a Network to Take Advantage of Fumbling
  - DNS fumbling, DNS Fumbling
  - forensic analysis of, Forensic Analysis of Fumbling
  - HTTP fumbling, HTTP Fumbling
  - ICMP messages and, ICMP Messages and Fumbling
  - identifying, Identifying Fumbling-ICMP Messages and Fumbling
  - IP fumbling, IP Fumbling: Dark Addresses and Spread-IP Fumbling: Dark Addresses and Spread
  - lookup failures, Lookup Failures
  - network engineering to defeat, Engineering a Network to Take Advantage of Fumbling
  - scanning, Scanning, TCP Fumbling: Failed Sessions
  - service-level, Fumbling at the Service Level-DNS Fumbling
  - SMTP fumbling, SMTP Fumbling
  - TCP fumbling, TCP Fumbling: Failed Sessions-Dark ports and UDP fumbling
  - web crawlers and robots.txt, HTTP Fumbling
G
- gaps, in scatterplot, Scatterplots
- gateway address, IPv4 Addresses, Their Structure, and Significant Addresses
- Gaussian distribution, Fit Tests: K-S and S-W
- Generic Routing Encapsulation (GRE), Identifying VPN traffic
- generic TLDs (gTLDs), DNS Name Structure
- GeoIP, IP Intelligence: Geolocation and Demographics
- geolocation, Annotation, IP Intelligence: Geolocation and Demographics-IP Intelligence: Geolocation and Demographics
- goodness of fit tests, Fit Tests: K-S and S-W-Fit Tests: K-S and S-W
- Google, Packet and Frame Formats, General Search Engines
- graph analysis, Analyzing Graphs-Using Centrality Analysis for Engineering
- graphs, On Graphs-Using Centrality Analysis for Engineering
  - about, Graph Attributes: What Is a Graph?-Graph Attributes: What Is a Graph?
  - analyzing, Analyzing Graphs-Using Centrality Analysis for Engineering
  - centrality, Labeling, Weight, and Paths-Labeling, Weight, and Paths
  - clustering coefficient, Clustering Coefficient-Clustering Coefficient
  - components and connectivity, Components and Connectivity
  - construction vs. attributes, Graph Attributes: What Is a Graph?
  - defined, On Graphs
  - path, Labeling, Weight, and Paths-Labeling, Weight, and Paths
  - rules for converting raw data into, Graph Attributes: What Is a Graph?
  - weighting, Labeling, Weight, and Paths
- GRE (Generic Routing Encapsulation), Identifying VPN traffic
- gTLDs (generic TLDs), DNS Name Structure
H
- Hamming distance, Hamming Distance
- Hanssen, Robert, On Insider Threat
- hardening workflow
- hardware, MAC addresses for, MAC and Hardware Addresses
- hash functions
- heartbeat signals, Basic Assessment with nmap
- HIDS (host-based IDSs), Classifying IDSs
- HIPS (host intrusion prevention system), Other Data and Sensors: HIPS and AV
- histograms
- history, problems of, Internal Validity
- hit list, Scanning
- Homeland Security, U.S. Department of, External Validity, Classifying IDSs, Provenance of threat intelligence data
- homoglyphs, Homoglyphs
- horizontal scan, Using nc as a Swiss Army Multitool, Scanning
- host domain, Data and Sensors in the Host Domain-Other Data and Sensors: HIPS and AV
  - AV systems, Other Data and Sensors: HIPS and AV
  - command history, Historical Data: Commands and Logins
  - data, A Host: From the Network’s View
  - defined, Domain
  - filesystem, Filesystem-Filesystem
  - HIPS, Other Data and Sensors: HIPS and AV
  - historical data, Historical Data: Commands and Logins
  - network and, A Host: From the Network’s View
  - network interfaces, The Network Interfaces-The Network Interfaces
  - process information, Processes-Memory, CPU, terminal, and start time
  - sensors in, Data and Sensors in the Host Domain-Other Data and Sensors: HIPS and AV
  - user login history, Historical Data: Commands and Logins
  - UUIDs, The Host: Tracking Identity-The Host: Tracking Identity
- host intrusion prevention system (HIPS), Other Data and Sensors: HIPS and AV
- host-based IDSs (HIDS), Classifying IDSs
- HTTP fumbling, HTTP Fumbling
- HTTP log data, HTTP: CLF and ELF-HTTP: CLF and ELF
- hunting workflow, Operational Workflows, Hunting Workflow
I
- IANA (see Internet Assigned Numbers Authority)
- ICANN (Internet Corporation for Assigned Names and Numbers), IPv6 Addresses, Their Structure, and Significant Addresses, DNS Name Structure
- ICMP (Internet Control Message Protocol)
- IDMEF (Intrusion Detection Message Exchange Format), Maturity and format of threat intelligence data
- IDNs (internationalized domain names), Homoglyphs
- IDSs (see intrusion detection systems)
- IETF (Internet Engineering Task Force), Maturity and format of threat intelligence data
- ifconfig tool, The Network Interfaces
- IMPACT, External Validity
- Incident Object Description Exchange Format (IODEF), Maturity and format of threat intelligence data
- indegree (of node), Graph Attributes: What Is a Graph?
- indicators of compromise (IOCs), Types of threat intelligence data, Forensic Workflow
- information security operations center (see security operations center (SOC))
- inline tools, Getting Data in One Place
- insider threats, An Overview of Attacker Behavior, On Insider Threat-Keeping Track of User Identity
  - avoiding toxicity when investigating, Avoiding Toxicity
  - Terry Childs case, Insider Threat Versus Other Classes of Attacks
  - compared to other classes of attacks, Insider Threat Versus Other Classes of Attacks-Insider Threat Versus Other Classes of Attacks
  - credential theft, Credential Theft
  - data logistics/collection, Insider Threat Data: Logistics and Collection-Keeping Track of User Identity
  - data theft/exfiltration, Data Theft and Exfiltration
  - Roger Duronio case, Insider Threat Versus Other Classes of Attacks
  - Robert Hanssen case, On Insider Threat
  - Brian Kelley case, On Insider Threat
  - modes of attack, Modes of Attack
  - motivations vs. risk, Avoiding Toxicity
  - off-days and, The Workday and Its Impact on Network Traffic Volume
  - physical data sources, Physical Data Sources
  - sabotage, Sabotage
  - sector-based workflow analysis, Applying Sector-Based Workflow to Insider Threat
  - user identity tracking, Keeping Track of User Identity
- instrumentation
- intelligence (see threat intelligence)
- interested attacker, An Overview of Attacker Behavior
- internal validity
- internationalized domain names (IDNs), Homoglyphs
- Internet Archive, General Search Engines
- Internet Assigned Numbers Authority (IANA)
- Internet Control Message Protocol (see ICMP)
- Internet Corporation for Assigned Names and Numbers (ICANN), IPv6 Addresses, Their Structure, and Significant Addresses, DNS Name Structure
- Internet Engineering Task Force (IETF), Maturity and format of threat intelligence data
- internet exchange points (IXPs), IPv6 Addresses, Their Structure, and Significant Addresses
- Internet of Things (IoT), Preface
- internet telescopes, Unidirectional flow filtering
- interval variable, Variables and Visualization
- Intrusion Detection Message Exchange Format (IDMEF), Maturity and format of threat intelligence data
- intrusion detection systems (IDSs)
  - as classifier, IDS as Classifier-IDS as Classifier
  - classifying, Classifying IDSs
  - Code Red and malware evasiveness, Configuring Snort
  - data collection via, Data Collection via IDS-IDS as Classifier
  - enhancing detection, Enhancing IDS Detection
  - enhancing response, Enhancing IDS Response
  - improving performance of, Improving IDS Performance-Prefetching Data
  - inconsistent rulesets, Enhancing IDS Detection
  - prefetching data, Prefetching Data
  - Snort configuration, Configuring Snort-Configuring Snort
- intrusion prevention systems (IPSs), Data Collection via IDS
- inventory, Creating an Initial Network Inventory and Map-Identifying Sensing and Blocking Infrastructure
  - asymmetric traffic identification, Phase II: Examining the IP Space-Identifying asymmetric traffic
  - beacon detection and, Using Beaconing as an Alarm
  - blind/confusing traffic, Phase III: Identifying Blind and Confusing Traffic-Identifying VPN traffic
  - client/server identification, Phase IV: Identifying Clients and Servers-Identifying servers
  - dark space identification, Identifying dark space
  - data/coverage/files, Creating an Initial Network Inventory and Map-Identifying Sensing and Blocking Infrastructure
  - determining what is monitored, Phase I: The First Three Questions-The default network
  - forensic investigation and, The Goal of EDA: Applying Analysis
  - IP space examination, Phase II: Examining the IP Space-Finding network appliances
  - NAT identification, Identifying NATs
  - network appliances, Finding network appliances
  - proxy identification, Identifying proxies
  - scan alarms and, Forensic Analysis of Fumbling
  - security software already present, Identifying Sensing and Blocking Infrastructure
  - sensing/blocking infrastructure, Identifying Sensing and Blocking Infrastructure
  - updating and continuous audit, Updating the Inventory: Toward Continuous Audit
  - VPN traffic identification, Identifying VPN traffic
- IOCs (indicators of compromise), Types of threat intelligence data, Forensic Workflow
- IODEF (Incident Object Description Exchange Format), Maturity and format of threat intelligence data
- IP address
  - as foundation of inventory, Phase I: The First Three Questions
  - filtering in BPF, Filtering Specific Types of Packets
  - filtering with rwfilter, IP Addresses
  - frame and packet formats, Filtering Specific Types of Packets
  - identifying geolocation/demographics, IP Intelligence: Geolocation and Demographics-IP Intelligence: Geolocation and Demographics
  - IP set creation with the rwset tool, rwset and IP Sets-rwset and IP Sets
  - IPv4, IPv4 Format and Addresses
  - IPv6, IPv6 Addresses, Their Structure, and Significant Addresses
  - NATing (see NAT)
  - network inventory, Phase II: Examining the IP Space-Finding network appliances
  - reverse lookup and, The DNS Reverse Lookup
  - RIRs and, IPv6 Addresses, Their Structure, and Significant Addresses
  - RIRs and IP address allocation, IPv6 Addresses, Their Structure, and Significant Addresses
  - rwrandomizeip tool, rwrandomizeip
- IP addressing, IP Addressing-IP Intelligence: Geolocation and Demographics
- IP fumbling, IP Fumbling: Dark Addresses and Spread-IP Fumbling: Dark Addresses and Spread
- IP headers, fields in, Filtering Specific Types of Packets
- IP packets, Network Layers and Vantage-Network Layers and Vantage, Tracerouting
- IP sets
- IPFIX, NetFlow v9 and IPFIX
- IPsec, Identifying VPN traffic
- IPSs (intrusion prevention systems), Data Collection via IDS
- IPv4, IPv4 Format and Addresses, IPv4 Addresses, Their Structure, and Significant Addresses-IPv4 Addresses, Their Structure, and Significant Addresses
- IPv6, IPv6 Format and Addresses, IP Addresses, IPv6 Addresses, Their Structure, and Significant Addresses
- IronPort, DNS Blackhole Lists
- IXPs (internet exchange points), IPv6 Addresses, Their Structure, and Significant Addresses
L
- Lawrence Berkeley National Labs (LBNL-05) dataset, Acquiring and Installing SiLK
- layers (see network layers)
- LDAP, LDAP and Directory Services
- leaky bucket algorithm, Building Fumbling Alarms
- leetspeak, Informal encoding/obfuscation
- Levenshtein distance, Levenshtein Distance
- linear relationships, Scatterplots
- links (graph element), Graph Attributes: What Is a Graph?
- Linux
- lit addresses, Discovery: ping, traceroute, netcat, and Half of nmap
- load balancing, Load balancing
- load scheme, Combining Information Flows: rwcount
- local identification address, IPv4 Addresses, Their Structure, and Significant Addresses
- locality, Locality-DDoS and Routing Infrastructure
- log data
- log messages
- logarithmic scaling, Rule one: Bound and partition your visualization to manage disruptions
- logfiles, LDAP and Directory Services
  - as basis for service data, Logfiles as the Basis for Service Data
  - (see also service-specific logfiles)
  - creating, HTTP: CLF and ELF
  - databases, File Transfer, Storage, and Databases
  - directory services, LDAP and Directory Services
  - file transfer/storage, File Transfer, Storage, and Databases
  - HTTP, HTTP: CLF and ELF-HTTP: CLF and ELF
  - LDAP, LDAP and Directory Services
  - representative formats, Representative Logfile Formats-HTTP: CLF and ELF
  - rotation, Transfer and Logfile Rotation
  - staged logging, Staged Logging
  - syslog, Syslog-Syslog
  - transport, Logfile Transport: Transfers, Syslog, and Message Queues-Syslog
- logging shim, The Characteristics of a Good Log Message, Stateful Logfiles
- LOIC (Low Orbit Ion Cannon), DDoS and Routing Infrastructure
- looking-glass servers, Tracerouting
- lookup failures, Lookup Failures
- lookup tools (see reference/lookup tools)
- loopback address, IPv4 Addresses, Their Structure, and Significant Addresses
- Low Orbit Ion Cannon (LOIC), DDoS and Routing Infrastructure
M
- MAC (media access control) addresses, MAC Addresses, MAC and Hardware Addresses
- MAC-48 format, MAC format and access
- mail exchange (MX) record, Forward DNS Querying Using dig
- maintenance, defined, Discovery, Assessment, and Maintenance
- malware intelligence sharing platform (MISP), Maturity and format of threat intelligence data
- MapReduce, A Brief Introduction to NoSQL Systems
- maturation, internal validity and, Internal Validity
- maximum transmission unit (MTU), The Basics of Network Layering, Application Identification by Behavior
- MaxMind, IP Intelligence: Geolocation and Demographics
- MD5 hash function, Filesystem
- media access control (see MAC)
- Message Tracking Log (MTL), Microsoft Exchange: Message Tracking Logs
- metadata, rwfileinfo and Provenance-rwfileinfo and Provenance
- MICE (Money, Ideology, Compromise, and Ego), Avoiding Toxicity
- Microsoft Excel, Changes Between Editions
- Microsoft Exchange
- middlebox data
- misaddressing, Lookup Failures
- MISP (malware intelligence sharing platform), Maturity and format of threat intelligence data
- MITRE standards, Basic Assessment with nmap
- mode (histogram element), Histograms
- Moloch, Packet and Frame Formats
- MRI machines, Preface
- MTL (Message Tracking Log), Microsoft Exchange: Message Tracking Logs
- MTU (maximum transmission unit), The Basics of Network Layering, Application Identification by Behavior
- multicast address, IPv4 Addresses, Their Structure, and Significant Addresses
- multivariate visualization, Multivariate Visualization-Rule seven: When performing long jobs, give the user some status feedback
- MX (mail exchange) record, Forward DNS Querying Using dig
N
- n-gram analysis, N-Gram Analysis
- nameserver (NS) records, Forward DNS Querying Using dig
- NAT (network address translation), NAT-NAT
- NATing, NAT-NAT
- National Center for Supercomputing Applications (NCSA), HTTP: CLF and ELF
- National Vulnerability Database (NVD), Basic Assessment with nmap
- natural experiments, Internal Validity
- nc (netcat), Using nc as a Swiss Army Multitool
- NCRs (numeric character references), Base64 encoding
- NCSA (National Center for Supercomputing Applications), HTTP: CLF and ELF
- netcat (nc), Using nc as a Swiss Army Multitool
- NetFlow, NetFlow-NetFlow Generation and Collection
- NetSA (Network Situational Awareness) Group, NetFlow v9 and IPFIX, The SiLK Suite
- netstat tool, The Network Interfaces
- network address translation (see NAT)
- network appliances, Finding network appliances
- network domain, Domain, Sensors in the Network Domain-NAT Logs
- network engineering, to defeat fumbling behaviors, Engineering a Network to Take Advantage of Fumbling
- network information centers (NICs), DNS Name Structure
- network interface controllers (NICs), The Basics of Network Layering
- network interfaces (NIs), The Network Interfaces-The Network Interfaces
- network inventory (see inventory)
- network layers
- network mapping, On Network Mapping-Updating the Inventory: Toward Continuous Audit
  - asymmetric traffic identification, Phase II: Examining the IP Space-Identifying asymmetric traffic
  - blind/confusing traffic, Phase III: Identifying Blind and Confusing Traffic-Identifying VPN traffic
  - client/server identification, Phase IV: Identifying Clients and Servers-Identifying servers
  - dark space identification, Identifying dark space
  - data/coverage/files, Creating an Initial Network Inventory and Map-Identifying Sensing and Blocking Infrastructure
  - determining what is monitored, Phase I: The First Three Questions-The default network
  - initial inventory/mapping, Creating an Initial Network Inventory and Map-Identifying Sensing and Blocking Infrastructure
  - IP fumbling detection, IP Fumbling: Dark Addresses and Spread
  - IP space examination, Phase II: Examining the IP Space-Finding network appliances
  - NAT identification, Identifying NATs
  - network appliances, Finding network appliances
  - proxy identification, Identifying proxies
  - security software already present, Identifying Sensing and Blocking Infrastructure
  - sensing/blocking infrastructure, Identifying Sensing and Blocking Infrastructure
  - updating and continuous audit, Updating the Inventory: Toward Continuous Audit
  - VPN traffic identification, Identifying VPN traffic
- network reputation information, Types of threat intelligence data
- Network Situational Awareness (NetSA) Group, NetFlow v9 and IPFIX, The SiLK Suite
- network taps, Network Layers and Vantage
- network traffic, log data vs., Sensors in the Network Domain
- network-based IDSs (NIDS), Classifying IDSs
- Neustar, IP Intelligence: Geolocation and Demographics
- NICs (network information centers), DNS Name Structure
- NICs (network interface controllers), The Basics of Network Layering
- NIDS (network-based IDSs), Classifying IDSs
- NIs (network interfaces), The Network Interfaces-The Network Interfaces
- NIST, Basic Assessment with nmap
- nmap, nmap Scanning for Discovery
- Nmap Scripting Engine (NSE), Basic Assessment with nmap
- nodes (graph element), Graph Attributes: What Is a Graph?
- nominal variable, Variables and Visualization
- normal distribution, Fit Tests: K-S and S-W
- Northcutt, Stephen, Detecting and Analyzing Fumbling
- NoSQL systems, A Brief Introduction to NoSQL Systems-A Brief Introduction to NoSQL Systems
- NS (nameserver) records, Forward DNS Querying Using dig
- NSE (Nmap Scripting Engine), Basic Assessment with nmap
- numeric character references (NCRs), Base64 encoding
- NVD (National Vulnerability Database), Basic Assessment with nmap
- NXDOMAIN message, DNS Fumbling
O
- off-days, The Workday and Its Impact on Network Traffic Volume
- Open Information Security Foundation, Classifying IDSs
- Open Shortest Path First (OSPF), Labeling, Weight, and Paths
- Open Systems Interconnection model (see OSI model)
- operating characteristics, ROC curves and, ROC curves
- operational visualization
- annotation with contextual information, Rule five: Annotate with contextual information
- avoiding excessive graphic features, Rule six: Avoid flash in favor of expressiveness
- consistency across plots, Rule four: Be consistent across plots
- labeling anomalies, Rule two: Label anomalies
- managing disruptions, Rule one: Bound and partition your visualization to manage disruptions-Rule one: Bound and partition your visualization to manage disruptions
- rules for, Operationalizing Security Visualization-Rule seven: When performing long jobs, give the user some status feedback
- status feedback for users, Rule seven: When performing long jobs, give the user some status feedback
- trendlines to distinguish artifacts from observations, Rule three: Use trendlines, distinguish artifacts from observations
- operational workflows, Operational Workflows-Switching Workflows
- ops (operations) team, On Working with Ops-Switching Workflows
- ordinal variable, Variables and Visualization
- organizationally unique identifier (OUI), MAC format and access, MAC and Hardware Addresses
- OS fingerprinting, Application Identification by Banner Grabbing
- OSI (Open Systems Interconnection) model
- OSPF (Open Shortest Path First), Labeling, Weight, and Paths
- OSPF protocol, Finding network appliances
- OUI (organizationally unique identifier), MAC format and access, MAC and Hardware Addresses
- outdegree (of node), Graph Attributes: What Is a Graph?
- outliers, Generating a Boxplot
P
- packet
- packet capture, Domain
- packet data, Packet and Frame Formats-NetFlow Generation and Collection
- pairs plots, Pairs plots and trellising
- parallelization, A Brief Introduction to NoSQL Systems
- parent process ID (PPID), PID and PPID
- passive banner grabbing, Application Identification by Banner Grabbing
- passive discovery, Using Active Vantage Data for Verification
- password management, Basic Assessment with nmap
- PAT (Port Address Translation), NAT
- paths, on graphs, Labeling, Weight, and Paths-Labeling, Weight, and Paths
- pcap data, NetFlow Generation and Collection
- PCRE (Perl Compatible Regular Expression), Regular Expressions
- peer-to-peer worm propagation, An Overview of Attacker Behavior
- peerishness, Clustering Coefficient
- people, as last line of defense, The Goal of EDA: Applying Analysis
- Perl Compatible Regular Expression (PCRE), Regular Expressions
- PF_RING, Classifying IDSs
- phishing attacks, An Overview of Attacker Behavior
- physical taps, Network Layers and Vantage
- PID (process ID), PID and PPID
- pie charts, Bar Plots (Not Pie Charts)
- ping, Checking Connectivity: Using ping to Connect to an Address-Checking Connectivity: Using ping to Connect to an Address
- ping sweep, Checking Connectivity: Using ping to Connect to an Address
- PMAPs (prefix maps), Advanced SiLK Facilities-PMAPs
- pointer (PTR) record, The DNS Reverse Lookup
- population validity, Validity and Action
- Port Address Translation (PAT), NAT
- port mirroring, Network Layers and Vantage
- port numbers
- PPID (parent process ID), PID and PPID
- predictable phenomena, Configuring Snort
- prefetching data, Prefetching Data
- prefix maps (PMAPs), Advanced SiLK Facilities-PMAPs
- print-stat/print-volume-stat commands, Miscellaneous Filtering Options and Some Hacks
- process ID (PID), PID and PPID
- process information, host
- command and path, Command and path
- CPU, Memory, CPU, terminal, and start time
- memory, Memory, CPU, terminal, and start time
- PID and PPID, PID and PPID
- start time, Memory, CPU, terminal, and start time
- UID, UID
- process sampling, Memory, CPU, terminal, and start time
- Project Sonar, Dark ports and UDP fumbling
- proxies, Proxies
- ps (process sampling tool), Memory, CPU, terminal, and start time
- pstree, Memory, CPU, terminal, and start time
- PTR (pointer) record, The DNS Reverse Lookup
- Python, Audience, Changes Between Editions
R
- raiding
- rate limits, Engineering Solutions
- ratio variable, Variables and Visualization
- RDBMSs (relational database management systems), Log Data and the CRUD Paradigm, A Brief Introduction to NoSQL Systems
- re library, Regular Expressions
- real-time processing, Real-Time Processing
- receiver operating characteristic (ROC) curves, IDS as Classifier, ROC curves
- reference/lookup tools, Reference and Lookup: Tools for Figuring Out Who Someone Is-Scanning Repositories, Shodan et al
- reflection attacks, Basic Assessment with nmap
- Regional Internet Registries (RIRs), IPv6 Addresses, Their Structure, and Significant Addresses
- regular expressions, Regular Expressions-Regular Expressions
- relational database management systems (RDBMSs), Log Data and the CRUD Paradigm, A Brief Introduction to NoSQL Systems
- report sensor, Actions: What a Sensor Does with Data
- repository, The Repository-Knowledge base
- reputation threat, Types of threat intelligence data
- research scanners, Dark ports and UDP fumbling
- resource records (RRs), Forward DNS Querying Using dig, Forward DNS Querying Using dig
- retry attempts, automated, TCP Fumbling: Failed Sessions
- reverse lookup, The DNS Reverse Lookup
- RFC 1918, IPv4 Format and Addresses, NAT, IPv4 Addresses, Their Structure, and Significant Addresses
- RFC 2131 (see DHCP networks)
- RIP protocol, Finding network appliances
- RIRs (Regional Internet Registries), IPv6 Addresses, Their Structure, and Significant Addresses
- robots.txt (robot exclusion standard), HTTP Fumbling
- ROC (receiver operating characteristic) curves, IDS as Classifier, ROC curves
- Roesch, Marty, Classifying IDSs
- rolling buffers, Rolling Buffers
- rotating logfiles, Transfer and Logfile Rotation
- round robin DNS allocation, Forward DNS Querying Using dig
- router interfaces (network appliances), Finding network appliances
- routing infrastructure, DDoS attacks on, DDoS and Routing Infrastructure-DDoS and Routing Infrastructure
- RRs (resource records), Forward DNS Querying Using dig, Forward DNS Querying Using dig
- rwbag tool, rwbag
- rwcount tool, Combining Information Flows: rwcount-Combining Information Flows: rwcount
- rwcut tool, Choosing and Formatting Output Field Manipulation: rwcut-Choosing and Formatting Output Field Manipulation: rwcut
- rwfileinfo tool, rwfileinfo and Provenance-rwfileinfo and Provenance
- rwfilter tool, Basic Field Manipulation: rwfilter-Miscellaneous Filtering Options and Some Hacks
- rwpmapbuild command, PMAPs
- rwptoflow tool, rwptoflow
- rwrandomizeip tool, rwrandomizeip
- rwset tool, rwset and IP Sets-rwset and IP Sets
- rwsetbuild tool, rwset and IP Sets, rwset and IP Sets
- rwsetmember tool, rwset and IP Sets
- rwsettool, rwset and IP Sets
- rwtuc tool, rwtuc
- rwuniq tool, rwuniq
S
- sabotage, Sabotage
- sample size, Fit Tests: K-S and S-W
- scan removal, TCP Fumbling: Failed Sessions
- scanning, Using nc as a Swiss Army Multitool
- scanning repositories, Scanning Repositories, Shodan et al
- SCAP (Security Content Automation Protocol), Basic Assessment with nmap
- Scapy, banner grabbing with, Application Identification by Banner Grabbing-Application Identification by Banner Grabbing
- scatterplots, Scatterplots-Scatterplots
- Sconzo, Mike, External Validity
- search engines
- secondary data, Types of threat intelligence data
- sector workflow
- security analysis environment, Getting Data in One Place-A Brief Introduction to NoSQL Systems
- annotation data, Annotation
- archive, Archive
- CRUD paradigm, Log Data and the CRUD Paradigm-Log Data and the CRUD Paradigm
- geolocation software, Annotation
- high-level architecture, High-Level Architecture-Source Control
- history of tools, Getting Data in One Place
- knowledge base, Knowledge base
- NoSQL systems, A Brief Introduction to NoSQL Systems-A Brief Introduction to NoSQL Systems
- query processing system, Query Processing
- real-time detection, Real-Time Processing
- real-time processing, Real-Time Processing
- repository, The Repository-Knowledge base
- sensor network, The Sensor Network
- Security Content Automation Protocol (SCAP), Basic Assessment with nmap
- security information and event management (SIEM), Getting Data in One Place, Query Processing
- security information management (SIM), Getting Data in One Place
- security log messages, The Characteristics of a Good Log Message-The Characteristics of a Good Log Message
- security operations center (SOC), Ops Environments: An Overview
- (see also ops (operations) team)
- Security Repo, External Validity
- security visualization, operationalizing, Operationalizing Security Visualization-Rule seven: When performing long jobs, give the user some status feedback
- selection, problems of, Internal Validity
- semistructured data, On Analyzing Text
- sensitivity
- sensor
- action (see action)
- control sensor, Actions: What a Sensor Does with Data
- data collection via IDS, Data Collection via IDS-IDS as Classifier
- event sensor, Actions: What a Sensor Does with Data
- improving IDS performance, Improving IDS Performance-Prefetching Data
- in host domain, Data and Sensors in the Host Domain-Other Data and Sensors: HIPS and AV
- in network domain, Sensors in the Network Domain-NAT Logs
- (see also network sensors)
- in service domain, Sensors in the Service Domain-Syslog
- log data vs. network traffic, Sensors in the Network Domain
- middlebox logs, Middlebox Logs and Their Impact-NAT Logs
- network layers and role of, The Basics of Network Layering
- packet/frame formats, Packet and Frame Formats-NetFlow Generation and Collection
- report sensor, Actions: What a Sensor Does with Data
- vantage of (see vantage)
- sensor network, The Sensor Network
- sequential hypothesis testing (SHT), Building Fumbling Alarms
- server port, Port Number
- servers, identifying for network inventory, Phase IV: Identifying Clients and Servers-Identifying servers
- service domain
- service domain data, Data in the Service Domain-Stateful Logfiles
- service level exhaustion, DDoS, Flash Crowds, and Resource Exhaustion
- service-level fumbling behaviors, Fumbling at the Service Level-DNS Fumbling
- service-specific logfiles
- SHA-256 hash function, Filesystem
- Shadowserver, Dark ports and UDP fumbling
- Shannon entropy, Entropy and Compressibility
- Shapiro-Wilk (S-W) test, Fit Tests: K-S and S-W
- shim, The Characteristics of a Good Log Message, Stateful Logfiles
- Shodan, Scanning Repositories, Shodan et al, Dark ports and UDP fumbling
- shortest paths, Labeling, Weight, and Paths-Labeling, Weight, and Paths
- SHT (sequential hypothesis testing), Building Fumbling Alarms
- SIEM (security information and event management), Getting Data in One Place, Query Processing
- signature-based IDSs, Classifying IDSs-IDS as Classifier
- SiLK (System for Internet-Level Knowledge), The SiLK Suite-rwrandomizeip
- advanced facilities, Advanced SiLK Facilities-PMAPs
- basics, What Is SiLK and How Does It Work?
- data collection tools, Collecting SiLK Data-rwrandomizeip
- design principles, Log Data and the CRUD Paradigm
- field manipulation with rwfilter, Basic Field Manipulation: rwfilter-Miscellaneous Filtering Options and Some Hacks
- installation, Acquiring and Installing SiLK
- IP set creation with rwset, rwset and IP Sets-rwset and IP Sets
- LBNL datafiles, The Datafiles
- PMAPs, Advanced SiLK Facilities-PMAPs
- record access with rwcut, Choosing and Formatting Output Field Manipulation: rwcut-Choosing and Formatting Output Field Manipulation: rwcut
- rwbag, rwbag
- rwcount, Combining Information Flows: rwcount-Combining Information Flows: rwcount
- rwfileinfo, rwfileinfo and Provenance-rwfileinfo and Provenance
- rwptoflow, rwptoflow
- rwrandomizeip tool, rwrandomizeip
- rwtuc tool, rwtuc
- rwuniq, rwuniq
- YAF, YAF-YAF
- SIM (security information management), Getting Data in One Place
- Simple Mail Transfer Protocol (SMTP), Simple Mail Transfer Protocol (SMTP)-Microsoft Exchange: Message Tracking Logs
- situational awareness, Preface, On Network Mapping
- Slammer, Configuring Snort
- SMTP (see Simple Mail Transfer Protocol)
- SMTP banners, Non-Web Banners
- SMTP fumbling, SMTP Fumbling
- Smurf attack, DDoS and Routing Infrastructure
- snaplen (-s) argument, Limiting the Data Captured from Each Packet
- Snort, Classifying IDSs, Configuring Snort-Configuring Snort
- SOC (see security operations center)
- SOA (Start of Authority) records, Forward DNS Querying Using dig
- SORBS (Spam and Open Relay Blocking System), DNS Blackhole Lists
- source control repository, Source Control
- source MAC, Filtering Specific Types of Packets
- Sourcefire, Classifying IDSs
- Spam and Open Relay Blocking System (SORBS), DNS Blackhole Lists
- SpamCop, DNS Blackhole Lists
- Spamhaus, DNS Blackhole Lists
- spammers, as superclients, Clustering Coefficient
- specificity
- spider plots, Spider plots
- spiders, HTTP Fumbling
- split method, Splitting Along Delimiters
- Splunk, Getting Data in One Place
- spoofing
- spread
- Squid, Proxy Logs
- staged logging, Staged Logging
- Start of Authority (SOA) records, Forward DNS Querying Using dig
- stateful logfiles, Stateful Logfiles
- statistical validity, Validity and Action, Statistical Validity
- (see also fitting/estimation of data)
- Stenographer, Packet and Frame Formats
- STIX (Structured Threat Information Expression), Maturity and format of threat intelligence data
- strings, finding, Finding a String
- subnets, IPv4 Addresses, Their Structure, and Significant Addresses
- superclients, Clustering Coefficient
- Suricata, Classifying IDSs, Configuring Snort
- sweeping ping, Checking Connectivity: Using ping to Connect to an Address
- switch vantage, Network Layers and Vantage
- SYN flood, DDoS, Flash Crowds, and Resource Exhaustion
- syslog, Syslog-Syslog
- System for Internet-Level Knowledge (see SiLK)
T
- TAXII (Trusted Automated Exchange of Intelligence Information), Maturity and format of threat intelligence data
- TCP (Transmission Control Protocol)
- TCP flags
- TCP fumbling, TCP Fumbling: Failed Sessions-Dark ports and UDP fumbling
- tcpdump, Packet and Frame Formats, Application Identification by Banner Grabbing
- templated logfiles
- text
- text analysis, On Analyzing Text-Homoglyphs
- encoding, Text Encoding-Encryption
- entropy and compressibility, Entropy and Compressibility
- fat-fingering, Levenshtein Distance
- Hamming distance, Hamming Distance
- homoglyphs, Homoglyphs
- Jaccard distance, Jaccard Distance
- Levenshtein distance, Levenshtein Distance
- n-gram analysis, N-Gram Analysis
- skills for processing/manipulating text, Basic Skills-Regular Expressions
- techniques for, Techniques for Text Analysis-Homoglyphs
- text encoding, Text Encoding-Encryption
- as tool for attackers, Encoding for Attackers-Encryption
- base64, Base64 encoding
- compression, Compression
- encryption, Encryption
- informal encoding/obfuscation, Informal encoding/obfuscation
- Unicode, UTF, and ASCII, Unicode, UTF, and ASCII
- text processing and manipulation
- theft
- Themida, Compression
- threat intelligence, On Threat Intelligence-Brief Remarks on Creating Threat Intelligence
- commercial sources, Purchasing Sources
- construct validity, Purchasing Sources
- data, Data Types-Provenance of threat intelligence data
- data output for, Determining Data Output
- defining, Defining Threat Intelligence
- free sources, Starting with Free Sources
- goals for program, Identifying Goals
- maturity/format of data, Maturity and format of threat intelligence data
- prerequisites for creating, Brief Remarks on Creating Threat Intelligence
- program creation, Creating a Threat Intelligence Program-Brief Remarks on Creating Threat Intelligence
- provenance of data, Provenance of threat intelligence data
- types of data, Types of threat intelligence data
- threats, attacks vs., Data
- tiers, analyst, Escalation Workflow
- time
- time series data, rwcount and, Combining Information Flows: rwcount-Combining Information Flows: rwcount
- time-to-live (TTL), Network Layers and Vantage-Network Layers and Vantage, Tracerouting
- timing, internal validity and, Internal Validity
- top (process sampling tool), Memory, CPU, terminal, and start time
- top-level domain (TLD), DNS Name Structure
- tr tool, Manipulating Delimiters
- traceroute, Tracerouting
- traffic flow
- traffic volume (see volume)
- transaction, defined, Logfiles as the Basis for Service Data
- Transmission Control Protocol (see TCP)
- trellising, Pairs plots and trellising
- trendlines, Rule three: Use trendlines, distinguish artifacts from observations
- true positives, ROC curves and, ROC curves
- Trusted Automated Exchange of Intelligence Information (TAXII), Maturity and format of threat intelligence data
- TTL (time-to-live), Network Layers and Vantage-Network Layers and Vantage, Tracerouting
- TTPs (tools, techniques, and procedures), Types of threat intelligence data
- Type I error, IDS as Classifier
- Type II error, IDS as Classifier
U
- UDP (User Datagram Protocol)
- UID, UID
- undirected link, Graph Attributes: What Is a Graph?
- Unicode, Text Encoding-Unicode, UTF, and ASCII
- unidirectional flow filtering, Unidirectional flow filtering-Unidirectional flow filtering
- uninterested attacker, An Overview of Attacker Behavior
- univariate data, defined, Univariate Visualization
- univariate visualization, Univariate Visualization-Generating a Boxplot
- universally unique identifiers (UUIDs), The Host: Tracking Identity-The Host: Tracking Identity
- Unix
- unmonitored routes, Identifying asymmetric traffic
- unpatchable vulnerabilities, Basic Assessment with nmap
- UPX, Compression
- US-CERT, Provenance of threat intelligence data
- User Datagram Protocol (see UDP)
- User-Agent string, Web Client Banners: The User-Agent String
- UTF-8, Unicode, UTF, and ASCII
- UUIDs (universally unique identifiers), The Host: Tracking Identity-The Host: Tracking Identity
V
- validity
- action and, Validity and Action-Attacker and Attack Issues
- attacker/attack issues, Attacker and Attack Issues
- construct, Validity and Action, Construct Validity
- defined, Organizing Data: Vantage, Domain, Action, and Validity
- ecological, Validity and Action
- external, External Validity
- internal, Validity and Action-Internal Validity
- middlebox network data challenges, Validity Challenges from Middlebox Network Data-VPNs
- population, Validity and Action
- statistical, Validity and Action
- (see also fitting/estimation of data)
- vantage, Vantage: Understanding Sensor Placement in Networks-VPNs
- about, Vantage-Choosing Vantage
- addressing and, Network Layers and Addressing-VPNs
- defined, Organizing Data: Vantage, Domain, Action, and Validity
- determining, Choosing Vantage
- load balancing, Load balancing
- network layers and, Network Layers and Vantage-VPNs
- proxies, Proxies
- using active vantage data for verification, Using Active Vantage Data for Verification
- validity challenges from middlebox network data, Validity Challenges from Middlebox Network Data-VPNs
- VPNs, VPNs
- variables
- vertical scan, Using nc as a Swiss Army Multitool, Scanning
- virtual private network (VPN)
- visualization
- annotation with contextual information, Rule five: Annotate with contextual information
- avoiding excessive graphic features, Rule six: Avoid flash in favor of expressiveness
- consistency across plots, Rule four: Be consistent across plots
- labeling anomalies, Rule two: Label anomalies
- managing disruptions, Rule one: Bound and partition your visualization to manage disruptions-Rule one: Bound and partition your visualization to manage disruptions
- multivariate, Multivariate Visualization-Rule seven: When performing long jobs, give the user some status feedback
- operationalizing, Operationalizing Security Visualization-Rule seven: When performing long jobs, give the user some status feedback
- QQ plot, Simply Visualizing: Projected Values and QQ Plots-Simply Visualizing: Projected Values and QQ Plots
- raiding detection, File Transfers/Raiding
- rules for, Operationalizing Security Visualization-Rule seven: When performing long jobs, give the user some status feedback
- status feedback for users, Rule seven: When performing long jobs, give the user some status feedback
- to test data against a distribution, Simply Visualizing: Projected Values and QQ Plots-Simply Visualizing: Projected Values and QQ Plots
- trendlines to distinguish artifacts from observations, Rule three: Use trendlines, distinguish artifacts from observations
- univariate, Univariate Visualization-Generating a Boxplot
- volume/time analysis, On Volume and Time-Engineering Solutions
- beaconing, Beaconing-Beaconing
- beaconing as alarm, Using Beaconing as an Alarm
- data selection, Data Selection-Data Selection
- DDoS attacks, DDoS, Flash Crowds, and Resource Exhaustion-DDoS and Routing Infrastructure
- engineering solutions, Engineering Solutions
- file transfers/raiding, File Transfers/Raiding-File Transfers/Raiding
- locality, Locality-DDoS and Routing Infrastructure
- volume as alarm, Using Volume as an Alarm
- workday traffic volume, The Workday and Its Impact on Network Traffic Volume-The Workday and Its Impact on Network Traffic Volume
- VPN (see virtual private network)
- vulnerabilities, unpatchable, Basic Assessment with nmap
W
- Wald, Abraham, Building Fumbling Alarms
- web client banners, Web Client Banners: The User-Agent String
- web crawlers, HTTP Fumbling
- weighted graphs, Labeling, Weight, and Paths
- whitelists, Enhancing IDS Detection
- whois tool, Using whois to Find Ownership-Using whois to Find Ownership
- wildcards, Regular Expressions
- Windows
- wireless networks, Phase II: Examining the IP Space
- working set, Locality-Locality
- worms, An Overview of Attacker Behavior
Y
- Yet Another Flowmeter (YAF), YAF-YAF