Intrusion Detection
by Rebecca Bace
Macmillan Technical Publishing,  2000.
339 pages,  index, 4 appendices including glossary, bibliography, and resources check list.  Hardcover. ISBN 1-57870-185-6.    $50.00

Reviewed by  Robert Bruen   April 13, 2001


Ms. Bace has approached Intrusion Detection in a methodical manner, more notes and bibliographical references than most other related books.  She appears to have done her research over many years so that she is able to present a meaningful, coherent history of ID.  This history includes analyses of older software and older cases (eg Mitnik) that have important lessons for our work today.  The book reads like a long, clear definition of ID looking down at it from 30,000 feet.  Covering almost all aspects from the general to selected specifics, such as Anderson's Threat Matrix, this book is a great reference source.

Whenever a discipline is under construction, it must pass through stages such as identification, early models, practical and technical approaches and some work that pulls it all together to define the discipline.  It shows that the field is maturing.  The first report seems to be one by James Anderson in 1980 followed by the next important paper in 1986 by Dorothy Denning.  Since then there have been various papers and software that have appeared, but only a few good books, several of them just recently.  Bace has gathered all of this to provide the next step in placing the field on secure footing.

When reading books that draw on history to explain current events, it is almost always disheartening to realize that we do not learn from history, which causes no end of grief. The RISOS project from the 1970s is described as a study of operating systems to understand the roots of security problems.  The list of problems was looked at during a 1993 meeting where is was discovered that they all still exist as sources of exploits. Moreover, they are still with us today, about 25 years later, with no expectation of vendors fixing the problems. For example, buffer overflows, stack smashing, authentication/authorization inadequacies and race conditions were all there in the original report.  Moreover, vendors still send out products with poor configurations that are exploitable upon installation.

It is a bit hard to understand why only now "secure" operating systems are beginning to appear, unless one takes into account that we have passed from time where computer people did computing for computing's sake to a time where it is done only if there is commercial demand.  Let us hope that the bazaar will be more successful than the cathedral. Security needs to be built in from the beginning.  The beginning was a while ago.

This a recommended book that gives the reader a insightful, comprehensive picture of ID form the beginning to today.  It shares a space on my shelf with the other good books on intrusion detection because it is different enough in its approach and is good source of information.