8. Statistical Data
So far we've discussed two forms of network-based information used to identify and validate intrusions. First we explored full content data, in which every element of a packet is available for analysis. In some cases we care about header details, but more often the application content is what we need. Next we looked at session data, where conversations between parties are summarized to include IP addresses, ports, protocols, timestamps, and counts of data transferred. Analyzing session data is the easiest way to track the timing and movements of some intruders. Collection of both forms of data is content neutral; we generate full content or session data regardless of the information conveyed by those forms.
We can limit the ...
Get The Tao of Network Security Monitoring Beyond Intrusion Detection now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.