Ankit Fadia / Manu Zacharia - "Network Intrusion Alert" Heavily Plagiarized

Mon Jan 3 02:43:17 CST 2011


"Network Intrusion Alert: An Ethical Hacking Guide to Intrusion Detection" written by Ankit Fadia and Manu Zacharia (ISBN 1598634143 and 9781598634143) contains significant amounts of plagiarized material. Published in 2008, the book uses material from a wide variety of sources to varying degrees. In many cases, entire paragraphs are used with little or no alteration, and no citation or credit. This large-scale plagiarism is detailed below. The book, published by Thomson Course Technology, was technically reviewed by Arlie Hartman, who apparently did not check if the material was original.

In this review, material that is underlined has been plagiarized from sources made public well before this book was published. The original source material is underlined to show a side-by-side comparison, and demonstrate the extent of the plagiarism. The one section in italics denotes the material was reworded significantly, but clearly taken from another source.

An extremely detailed analysis has been performed for the first chapter (10 pages) to show the scope and method of plagiarism. Our analysis shows that roughly 90% of the first chapter, including the six graphics used, has been taken from other sources. Due to time constraints, notes are used for brevity for the rest of the material.

Page / Fadia / Zacharia text / Original text and source
Page 2, Fadia / Zacharia text:
A security policy can be defined as the framework within which an organization establishes needed levels of information security to achieve the desired confidentiality goals. A policy is a statement of information values, protection responsibilities, and organization commitment for a system. Before you can evaluate attacks against a system and decide on appropriate mechanisms to repulse these threats, it is necessary to specify your security policy.
Original source: Oregon Department of Administrative Services (DAS) Enterprise Information Strategy and Policy

Security Policy: Documentation that describes senior management's directives toward the role that security plays within the organization. It provides a framework within which an organization establishes needed levels of information security to achieve the desired confidentiality, availability and integrity goals. A policy is a statement of information values, protection responsibilities, and organization commitment managing risks.
Page 3, Fadia / Zacharia text:
Interruption: This kind of attack targets the source or the communication channel and prevents the information from reaching its intended target. For example, the attacker could cut the physical wire, thus preventing the information from reaching its destination. Another commonly used technique by the attacker is to overload the carrying media so that pertinent information is dropped due to the congestion. Attacks in this category attempt to perform a kind of denial-of-service (DOS).

Interception: Interception happens when an unauthorized party gets access to the information by eavesdropping into the communication channel. Wiretapping is a good example of an interception.
Original source: Internet Security, by Christopher Kruegel (chris[at]auto.tuwien.ac.at), Feb 2005

1. Interruption: An asset of the system gets destroyed or becomes unavailable. This attack targets the source or the communication channel and prevents information from reaching its intended target (e.g. cut the wire, overload the link so that the information gets dropped because of congestion). Attacks in this category attempt to perform a kind of denial-of-service (DOS).

Interception: An unauthorized party gets access to the information by eavesdropping into the communication channel (e.g. wiretapping).
Page 4, Fadia / Zacharia text:
Modification: With modification, the information is not only intercepted, but modified by an unauthorized party while in transit from the source to the destination. (The unauthorized party modifies the message content and sends the modified content to the destination.)

Fabrication: Fabrication occurs when an attacker inserts forged objects into the system without the sender's knowledge or involvement. Fabrication can be categorized as:
* Replaying - When a previously intercepted entity is inserted, this process is called replaying. For example, replaying an authentication message.
* Masquerading - When the attacker pretends to be the legitimate source and inserts his/her desired information, the attack is called masquerading. For example, adding new records to a file or database.
Original source: Internet Security, by Christopher Kruegel (chris[at]auto.tuwien.ac.at), Feb 2005

Modification: The information is not only intercepted, but modified by an unauthorized party while in transit from the source to the destination. By tampering with the information, it is actively altered (e.g. modifying message content).

Fabrication: An attacker inserts counterfeit objects into the system without having the sender doing anything. When a previously intercepted object is inserted, this process is called replaying. When the attacker pretends to be the legitimate source and inserts his desired information, the attack is called masquerading (e.g. replay an authentication message, add records to a file).
Pages 2-4, Fadia / Zacharia text:
Diagrams (images not reproduced here)
Original source: Internet Security, by Christopher Kruegel (chris[at]auto.tuwien.ac.at), Feb 2005

Page 5, Fadia / Zacharia text:
Security Property: A security property describes a desired feature of a system with regard to certain types of attacks. The four classes of attacks - Interruption, Interception, Modification, and Fabrication - violate the various security properties of a computer system. Some of the security properties and their descriptions are defined in the following sections.

Confidentiality: Confidentiality is defined by the International Organization for Standardization (ISO) as "ensuring that information is accessible only to those authorized to have access" and is one of the cornerstones of information security. Confidentiality covers the protection of transmitted data against its release to unauthorized parties. It is one of the design goals for many cryptosystems, made possible in practice by the techniques of modern cryptography.

In addition to the protection of the content itself, the information flow should also be resistant against traffic analysis. Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication. Traffic analysis is used to gather other information than the transmitted values themselves from the data flow. For example, the following information can be collected using a simple traffic analysis:
* The source of the communication
* The destination of the communication
* The timing of the data
* The frequency of particular messages
* The type of data/communication

Integrity: When data has integrity, it means that the data has not been altered or destroyed in an unauthorized manner or by unauthorized users; it is a security principle that protects information from being modified or otherwise corrupted, either maliciously or accidentally. This property ensures that a single message reaches the receiver just as it left the sender. Integrity means that no messages are lost, duplicated, or re-ordered, and it makes sure that messages cannot be replayed. Because this property also contains information about whether or not data has been destroyed en route to the destination system, it plays a very important role in verifying that all data is received successfully.

Availability: High availability refers to a system or component that is continuously operational for a desirably long time. Availability can be measured relative to "100% operational" or "never failing." A widely held but difficult-to-achieve standard of availability for a system or product is known as "five 9s" (99.999 percent) availability. Availability characterizes a system whose resources are always available for use. This property makes sure that attacks cannot prevent resources from being used for their intended purpose.
Original source: Internet Security, by Christopher Kruegel (chris[at]auto.tuwien.ac.at), Feb 2005

The four classes of attacks listed above violate different security properties of the computer system. A security property describes a desired feature of a system with regards to a certain type of attack.

Original source: Wikipedia: Confidentiality

Confidentiality has also been defined by the International Organization for Standardization (ISO) in ISO-17799 [1] as "ensuring that information is accessible only to those authorized to have access" and is one of the cornerstones of information security. Confidentiality is one of the design goals for many cryptosystems, made possible in practice by the techniques of modern cryptography.

Original source: Internet Security, by Christopher Kruegel (chris[at]auto.tuwien.ac.at), Feb 2005

Confidentiality: This property covers the protection of transmitted data against its release to non-authorized parties. In addition to the protection of the content itself, the information flow should also be resistant against traffic analysis. Traffic analysis is used to gather other information than the transmitted values themselves from the data flow (e.g. timing data, frequency of messages).

Original source: Wikipedia: Traffic Analysis

Traffic analysis is the process of intercepting and examining messages in order to deduce information from patterns in communication.

Original source: Internet Security, by Christopher Kruegel (chris[at]auto.tuwien.ac.at), Feb 2005

Integrity: Integrity protects transmitted information against modifications. This property assures that a single message reaches the receiver as it has left the sender, but integrity also extends to a stream of messages. It means that no messages are lost, duplicated or reordered and it makes sure that messages cannot be replayed. As destruction is also covered under this property, all data must arrive at the receiver. Integrity is not only important as a security property, but also as a property for network protocols. Message integrity must also be ensured in case of random faults, not only in case of malicious modifications.

Original source: Understanding Information Security: Taxonomy

A security principle that keeps information from being modified or otherwise corrupted either maliciously or accidentally.

Original source: SearchDataCenter.com, "high availability"

In information technology, high availability refers to a system or component that is continuously operational for a desirably long length of time. Availability can be measured relative to "100% operational" or "never failing." A widely-held but difficult-to-achieve standard of availability for a system or product is known as "five 9s" (99.999 percent) availability.

Original source: The Industrial Communication Technology Handbook by Richard Zurawski

Availability characterizes a system whose resources are always ready to be used. Whenever information needs to be transmitted, the communication channel is available and the receiver can cope with the incoming data. This property makes sure that attacks cannot prevent resources from being used for their intended purpose.
Page 6, Fadia / Zacharia text:
Authentication: Authentication is defined as a security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information. Authentication is mainly concerned with making sure that the information is authentic. A system implementing the authentication property ensures the recipient that the data is from the source that it claims to be. The authentication system must make sure that no third party can masquerade successfully as another source.

Nonrepudiation: Nonrepudiation is the concept of ensuring that a contract, especially one agreed to via the Internet, cannot later be denied by one of the parties involved. This property describes the mechanism that prevents either sender or receiver from denying a transmitted message. Nonrepudiation means that it can be verified that the sender and the recipient were, in fact, the parties who claimed to send or receive the message, respectively. In other words, nonrepudiation of origin proves that data was sent, and nonrepudiation of delivery proves it was received.

Security Mechanisms: The security properties discussed previously are the core qualities of any information system. Various security mechanisms can be used to enforce the security properties. A smart security professional has to anticipate the various attacks and apply various countermeasures to safeguard the security properties of the information system. The various measures that can be initiated to counter the attacks on the security properties are as follows:
* Attack prevention
* Attack avoidance
* Attack detection

Attack Prevention: Hackers and individuals with malicious intent commonly target corporate networks and services that constitute the corporate information system. By overwhelming these critical applications and networks with bogus service requests, denial-of-service attacks (DoS), and distributed denial of service (DDoS) attacks can severely disrupt the business, resulting in lost communications, failed business transactions, reduced business productivity, and lower profitability.

Attack prevention is defined as a series of security mechanisms implemented to prevent or defend against various kinds of attacks before they can actually reach and affect the target system.
Original source: Wikipedia: Information Assurance

Security measure designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual's authorization to receive specific categories of information.

Original source: The Industrial Communication Technology Handbook by Richard Zurawski (2005)

Authentication: Authentication is concerned with making sure that the information is authentic. A system implementing the authentication property ensures the recipient that the data is from the source that it claims to be. The system must make sure that no third party can masquerade successfully as another source.

Original source: Network Dictionary by Javvin (2007)

Non-Repudiation: Non-repudiation is the concept of ensuring that a contract, especially one agreed to via the Internet, cannot later be denied by one of the parties involved. In regard to digital security, non-repudiation means that it can be verified that the sender and the recipient were, in fact, the parties who claimed to send or receive the message, respectively. In other words, non-repudiation is the ability for a system to prove that a specific user and only that specific user sent a message and that it hasn't been modified.

Original source: Intrusion Detection and Correlation: Challenges and Solutions by Christopher Kruegel, Fredrik Valeur, Giovanni Vigna (2005)

This property describes the mechanism that prevents either sender or receiver from denying a transmitted message.

Original source: The Industrial Communication Technology Handbook by Richard Zurawski (2005)

Different security mechanisms can be used to enforce the security properties defined in a given security policy. Depending on the anticipated attacks, different means have to be applied to satisfy the desired properties. We divide these measures against attacks into three different classes: attack prevention, attack avoidance, and attack detection.

Attack prevention is a class of security mechanisms that contain ways of preventing or defending against certain attacks before they can actually reach and affect the target.
Page 7, Fadia / Zacharia text:
An important mechanism in this category is access control. Access control is the process of limiting access to the resources of an IS to authorized users, programs, processes, or other systems. Access control can be applied at different levels such as the operating system, the network layer, or the application layer.

Access Control: Access control is the ability to permit or deny the use of an object (a passive entity, such as a system or file) by a subject (an active entity, such as an individual or process).

Access control includes authentication, authorization, and audit. It also includes additional measures such as physical devices, including but not limited to biometric scans and metal locks, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems (for all newbies reading this book, just do a simple Google or Wikipedia search for detailed information on these access control mechanisms). Authorization can also be implemented using role-based access control, access control lists, or a policy language such as XACML.

Access control systems provide the essential services of identification and authentication (I&A), authorization, and accountability, where identification and authentication determine who can log on to a system, authorization determines what an authenticated user can do, and accountability identifies what a user did.

A firewall is an important access control system that is implemented at the network layer. The concept behind a firewall is to separate the trusted network (internal network) from the untrusted network (an external network or Internet). The firewall prevents the attack from the outside world from reaching the machines in the inside network by preventing connection attempts from unauthorized entities located outside. Firewalls also perform the additional role of preventing the internal users from using certain services. All these are based on certain rules and criteria.

Attack Avoidance: The expansion of the connectivity of computers makes ways of protecting data and messages from tampering or reading important. Attack avoidance is the technique in which the information is modified in a way that makes it unusable for the attacker. This is performed under the assumption that the attacker can access the subject information. The sender pre-processes the information before it is sent through the unsecure communication channel and the same is post-processed at the receiver end.
Original source: The Industrial Communication Technology Handbook by Richard Zurawski (2005)

An important element in this category is access control, a mechanism that can be applied at different levels, such as the operating system, the network, or the application layer.

Original source: Wikipedia: Access Control

The process of limiting access to the resources of an AIS to authorized users, programs, processes, or other systems.

In computer security, access control includes authentication, authorization and audit. It also includes measures such as physical devices, including biometric scans and metal locks, hidden paths, digital signatures, encryption, social barriers, and monitoring by humans and automated systems.

Original source: CISSP For Dummies (2002)

Access control is the ability to permit or deny the use of an object (a passive entity such as a system or file) by a subject (an active entity such as individual or process).

Original source: WikiVisual: Access Control

Authorization may be implemented using role based access control, access control lists or a policy language such as XACML. [..] Access control systems provide the essential services of identification and authentication (I&A), authorization, and accountability where identification and authentication determine who can log on to a system, authorization determines what an authenticated user can do, and accountability identifies what a user did.

Original source: Proceedings of the 2nd National Conference on Emerging Trends in Information by Amol C. Goje, Shivanand S. Gornale, Pravin L. Yannawar

The expansion of the connectivity of computers makes necessary to protect data and messages from tampering or reading.

Original source: The Industrial Communication Technology Handbook by Richard Zurawski (2005)

Attack Avoidance: Security mechanisms in this category assume that an intruder may access the desired resource but the information is modified in a way that makes it unusable for the attacker. The information is preprocessed at the sender before it is transmitted over the communication channel and postprocessed at the receiver.
Page 8, Fadia / Zacharia text:
During this communication process, if an intruder manages to capture or access the data, it will be of no use to him, as it is modified in a specified manner at the source level. However, the attacker is still able to perform the attacks on the availability of the data. In case of any manipulation en route, the same can be detected while post-processing the data at the receiver end. The errors that may occur en route can also be detected in the same manner. If the data is not modified during the transfer, the data received is identical to the data transferred from the source.

Cryptography is one of the technologies used in the parlance of attack avoidance.

Cryptography is the discipline that embodies principles, means, and methods for the transformation of data in order to hide its information content, prevent its undetected modification, or prevent its unauthorized use. Cryptanalysis is the art of breaking these methods. Cryptology is the study of cryptography and cryptanalysis.

The cryptographic algorithms can be categorized into three areas based on the number of keys that are employed for the encryption and decryption. They are:

* Secret key cryptography (SKC) - Uses a single key for both encryption and decryption. Most modern-day encryption technologies do not solely use secret key cryptography due to its susceptibility to attack. It is typically used in conjunction with public key cryptography.

* Public key cryptography (PKC) - Uses one key for encryption and another for decryption. For example, Secure Sockets Layer (SSL) is a system commonly used by e-commerce Web sites.

* Hash functions - Use a mathematical transformation to irreversibly "encrypt" information. For example, Message Digest Algorithm 5 (MD5).
Original source: The Industrial Communication Technology Handbook by Richard Zurawski (2005)

While the information is transported over the communication channel, it resists attacks by being nearly useless for an intruder. One notable exception are attacks against the availability of the information as an attacker could still interrupt the message. During the processing step at the receiver, modifications or errors that might have previously occurred can be detected (usually because the information cannot be correctly reconstructed). When no modification has taken place, the information at the receiver is identical to the one at the sender before the preprocessing step.

Original source: WikiVisual: Cryptography

Cryptography (or cryptology; ..) is the study of message secrecy. [..] The noted cryptographer Ron Rivest has observed that "cryptography is about communication in the presence of adversaries."

Original source: OECD About Cryptography Policy (1997)

Cryptography is a discipline that embodies principles, means, and methods for the transformation of data in order to hide its information content, establish its authenticity, prevent its undetected modification, prevent its repudiation, and/or prevent its unauthorised use.

Original source: HK CERT Glossary, http://www.hkcert.org/english/salert/glossary.html#Cryptography (now 404)

Cryptanalysis is the art of breaking these methods. Cryptology is the study of cryptography and cryptanalysis.

Original source: 2nd National Conference on Emerging Trends in Information by Amol C. Goje, Shivanand S. Gornale, Pravin L. Yannawar (2007), page 55

* Secret key cryptography (SKC) - Uses a single key for both encryption and decryption.
* Public key cryptography (PKC) - Uses one key for encryption and another for decryption.
* Hash functions - Use a mathematical transformation to irreversibly "encrypt" information.
Page 9, Fadia / Zacharia text:
Figure 1.6 Types of Cryptography

Original source: 2nd National Conference on Emerging Trends in Information by Amol C. Goje, Shivanand S. Gornale, Pravin L. Yannawar (2007), page 55

Page 9, Fadia / Zacharia text:
Cipher text is another name for encrypted text.

Attack Detection: The methods of attack detection assume that the attacker has bypassed the installed security measures and can access the desired target/information. When such incidents occur, attack detection reports that something went wrong and, in some cases, identifies the type of attack that occurred. However, on the other hand, attack detection is not effective in providing confidentiality of information. When the security system specifies that interception of information has a serious impact on the information system, attack detection is not an applicable mechanism. In the next level of attack detection, countermeasures are initiated to recover from the impact of the attack. The most important member of the attack detection class is the intrusion detection system (IDS).

Intrusion Detection: Intrusion detection encompasses a range of security techniques designed to detect (and report on) malicious system and network activity or to record evidence of intrusion. Because this book is focused on intrusion detection, the remaining sections of this book are dedicated to a more detailed view into the inner workings of IDS.
Original source: The Industrial Communication Technology Handbook by Richard Zurawski

Attack detection assumes that an attacker can obtain access to his desired targets and is successful in violating a given security policy. [..] When undesired actions occur, attack detection has the task of reporting that something went wrong and then to react in an appropriate way. [..] On the other hand, detection is not effective in providing confidentiality of information. When the security policy specifies that interception of information has a serious security impact, then attack detection is not an applicable mechanism. The most important members of the attack detection class, which have received an increasing amount of attention in the last few years, are intrusion detection systems (IDSs).
Page 10, Fadia / Zacharia text:
Summary: This chapter covered the basics of computer security and the various types of security attacks and prevention mechanisms. Connecting to a network/Internet exposes your valuable assets to the insecure world. A better understanding of computer security concepts will help you arm yourself against these risks.


Due to time constraints, only chapters 2 and 3 were given a cursory examination to determine if the plagiarism continued. The table below shows the page number, an identifying section name or a sentence along with the source it appears to be taken from. The following section is not a full examination, but presented in good faith and believed to be incidents of continued plagiarism.

Page / Fadia / Zacharia text / Original source
Page 12, Fadia / Zacharia text: Security Events section, "auditable security event is defined as any event that can be logged using the audit subsystem .."
Original source: FreeBSD Handbook, Chapter 17, Security Event Auditing

"An auditable event is any event that can be logged using the audit subsystem. Examples of security-relevant events include the creation of a file, the building of a network connection, or a user logging in. Events are either "attributable", meaning that they can be traced to an authenticated user, or "non-attributable" if they cannot be. Examples of non-attributable events are any events that occur before authentication in the login process, such as bad password attempts."
Page 13, Fadia / Zacharia text: Real-Life Case Study - An Expensive Bug and a Crash
Original source: "A Bug and a Crash", copyright James Gleick
Page 15, Fadia / Zacharia text: Real-Life Example of Buffer Overflow - eBay Picture Manager Vulnerability
Original source: "eBay Picture Manager Buffer Overflow", copyright Softpedia
Page 16, Fadia / Zacharia text: Oracle 9iAS SOAP Default Configuration Vulnerability
Original source: Javier Fernandez-Sanguino (jfernandez[at]germinus.com) on the nessus-plugins-writers mailing list
Page 23, Fadia / Zacharia text: Distributed DoS with Reflectors (DRDoS)
Original source: Tracing the Development of Denial of Service Attacks by Yanet Manzano (2003)

Note: While this article is not public, several exact phrases from the book were found in this article via Google search.
Page 24, Fadia / Zacharia text: Intruders intro paragraph
Original source: Hitachi ID Systems, Computer Security Concepts

"this person attempts to violate Security by interfering with system Availability, data Integrity or data Confidentiality."
Page 25, Fadia / Zacharia text: Four examples of incidents
Original source: NIST SP 800-61, Computer Security Incident Handling Guide
Page 27, Fadia / Zacharia text: Introduction, "These intrusions can originate.."
Original source: Snort 2.1 Intrusion Detection (Syngress) by Raven Alder, Jacob Babbin, Adam Doxtater, James C. Foster, Toby Kohlenberg, Michael Rash; section "What is an Intrusion?", pages 2-3
Page 28, Fadia / Zacharia text: "The term intrusion detection covers.."
Original source: Snort 2.1 Intrusion Detection (Syngress) by Raven Alder, Jacob Babbin, Adam Doxtater, James C. Foster, Toby Kohlenberg, Michael Rash; section "What is an Intrusion?", pages 2-3
Page 31, Fadia / Zacharia text: Fourth paragraph, "The innate shortcomings.."
Original source: Computer Security: Protecting Digital Resources by Robert C. Newman
Page 32, Fadia / Zacharia text: Internal attack propagation prevention paragraph
Original source: Intrusion Prevention Fundamentals, Cisco Press (2006)
Page 33, Fadia / Zacharia text: Policy enforcement paragraph
Original source: Intrusion Prevention Fundamentals, Cisco Press (2006)
Pages 34-35, Fadia / Zacharia text: Figure 3.3 Basic NIPS; "Dropping a single packet" paragraph; "Dropping all packets from a connection" paragraph and bullets; "Dropping all traffic from a source IP" paragraph
Original source: Intrusion Prevention Fundamentals (Pearson) by E. Carter, J. Hogue
Page 36, Fadia / Zacharia text: The History of Intrusion Detection and Prevention (multiple paragraphs)
Original source: The Evolution of Intrusion Detection Systems by Paul Innella (Nov 2001)
Page 37, Fadia / Zacharia text: Figure 3.4 "IDS Timeline"
Original source: Countering the Intelligence Threat to the United States Government Cyber Infrastructure with a Unified Threat Management Approach by Todd Holbert

Page 11. Holbert credits the image to Innella, 2001.
Page 38, Fadia / Zacharia text: Why Choose an IDS or IPS, list of benefits
Original source: Intrusion Detection & Prevention by Carl Endorf, Eugene Schultz, Jim Mellander (McGraw Hill)
Page 39, Fadia / Zacharia text: Figure 3.5 Network Baseline Activity, four phases of intrusion analysis
Original source: Intrusion Detection & Prevention by Carl Endorf, Eugene Schultz, Jim Mellander (McGraw Hill)
Page 40, Fadia / Zacharia text: Defense-In-Depth intro paragraph, Figure 3.6 Defense-in-Depth
Original sources: Wikipedia: Defense in Depth; Microsoft TechNet Defense-in-Depth graphic
Page 41, Fadia / Zacharia text: Pre-processing intro paragraph, examples
Original source: Answers.com: What is preprocessing in IDS

Note: The Answers.com text may be taken from this book. Due to a lack of timestamp or history on the page, the original creation time is not known.
Page 42, Fadia / Zacharia text: Anomaly Detection, intro, types (multiple paragraphs)
Original source: Intrusion Prevention and Active Response: Deploying Network and Host IPS by Michael Brandon Rash (Syngress, 2005)
Page 43, Fadia / Zacharia text: Target Monitoring Systems section (multiple paragraphs)
Original source: Intrusion Detection and Prevention by Carl Endorf, Eugene Schultz, and Jim Mellander (McGraw Hill, 2003)
Page 44, Fadia / Zacharia text: Some Myths (about IDS)
Original source: Intrusion Detection and Prevention by Carl Endorf, Gene Schultz, and Jim Mellander (2003)