// Comparison

Applied Network Security Monitoring vs Malware Data Science: Which Should You Read?

Two cybersecurity books on Detection, compared honestly: who each is for, what each does best, and which to read first.

Intermediate

4/52013

Collection, Detection, and Analysis

Chris Sanders, Jason Smith

A practitioner's walkthrough of building an NSM capability end to end, from deciding what to collect through detection and the analysis workflow that ties it together. The tooling is dated, but the way it teaches you to think about monitoring is not.

Intermediate

4/52018

Malware Data Science

Attack Detection and Attribution

Joshua Saxe, Hillary Sanders

Saxe and Sanders apply machine-learning techniques (classification, clustering, deep learning) to malware detection and attribution, with working Python code and real corpora.

Read this if

SOC analysts and aspiring detection engineers who want a structured mental model for collection, detection, and analysis rather than a pile of disconnected tooling tutorials.

Malware analysts and detection engineers who want to scale beyond manual triage. Saxe and Sanders apply classification, clustering, similarity analysis, and deep learning to the malware corpus, with working Python code throughout.

Skip this if

Anyone hoping for a current toolkit. Skip this if you want hands-on Zeek/Suricata/Elastic configs you can paste today, the commands here have aged out.

Analysts whose work is one-sample-at-a-time, or readers without basic Python and statistics comfort. The book is for telemetry-rich environments where ML scales matter.

Key takeaways

Collection is a deliberate decision, not a default. Decide what data matters before you drown in everything.
The book's split of detection into signature, anomaly, and statistical approaches still maps cleanly onto how modern stacks work.
Analysis is a discipline with a workflow, not improvised packet-staring, and that framing is the most durable thing here.

Static-feature classifiers can route a triage queue effectively even at scale; the book's chapters on feature engineering pay back the cost.
Similarity analysis (locality-sensitive hashing, ssdeep, imphash, function-level fuzzy hashing) is the analyst's lever for clustering campaigns and tracking actor evolution.
Deep learning is overhyped for malware in many contexts and exactly the right tool in others; the book is honest about the trade-offs in a way most ML/security books aren't.

How they compare

Applied Network Security Monitoring and Malware Data Science are both rated 4/5 in our catalog. Pick by topic preference and reading style rather than by rating.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Applied Network Security Monitoring and Malware Data Science both cover Detection, so reading them in sequence reinforces the same material from different angles.

Keep reading

Applied Network Security Monitoring

→ Alternatives to Applied Network Security Monitoring → What to read after Applied Network Security Monitoring