Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context

  • Conference paper

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 3548)

Abstract

In the recent past, both network- and host-based approaches to intrusion detection have received much attention in the network security community. No approach, taken exclusively, provides a satisfactory solution: network-based systems are prone to evasion, while host-based solutions suffer from scalability and maintenance problems. In this paper we present an integrated approach, leveraging the best of both worlds: we preserve the advantages of network-based detection, but alleviate its weaknesses by improving the accuracy of the traffic analysis with specific host-based context. Our framework preserves a separation of policy from mechanism, is highly configurable and more flexible than sensor/manager-based architectures, and imposes a low overhead on the involved end hosts. We include a case study of our approach for a notoriously hard problem for purely network-based systems: the correct processing of HTTP requests.
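As an added illustration of the ambiguity the HTTP case study targets (this is not the paper's framework, nor Bro or Broccoli code), the sketch below decodes one constructed request path under two assumed host decoding profiles and shows that the traversal verdict a network monitor reaches depends entirely on which profile the monitored host actually reports; the profile fields, names and sample path are all assumptions.

```python
from dataclasses import dataclass
from urllib.parse import unquote


@dataclass(frozen=True)
class HostProfile:
    """Decoding behaviour a monitored web server would report to the NIDS.
    Constructed for this example; the paper's context format is not shown here."""
    name: str
    double_decode: bool            # server percent-decodes the path a second time
    backslash_is_separator: bool   # server treats '\\' like '/'


def normalize_path(raw_path: str, profile: HostProfile) -> str:
    """Decode raw_path the way the profiled host would see it on disk."""
    path = unquote(raw_path)               # first percent-decode pass (every server)
    if profile.double_decode:
        path = unquote(path)               # second pass, only for lenient hosts
    if profile.backslash_is_separator:
        path = path.replace("\\", "/")
    return path


def resolves_above_root(path: str) -> bool:
    """True if '..' segments walk the path out of the document root."""
    depth = 0
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False


def flags_traversal(raw_path: str, profile: HostProfile) -> bool:
    """Traversal verdict the NIDS reaches once it knows the host's decoding rules."""
    return resolves_above_root(normalize_path(raw_path, profile))


# Constructed profiles and a constructed, doubly-encoded request path.
STRICT = HostProfile("strict-host", double_decode=False, backslash_is_separator=False)
LENIENT = HostProfile("lenient-host", double_decode=True, backslash_is_separator=True)
SAMPLE = "/app/..%255c..%255cconfig"

if __name__ == "__main__":
    for prof in (STRICT, LENIENT):
        print(prof.name, normalize_path(SAMPLE, prof), flags_traversal(SAMPLE, prof))
```

Without the host's profile the monitor must guess between the two outcomes; with it, the same wire bytes are classified the way the end host will actually interpret them.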



Copyright information

© 2005 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Dreger, H., Kreibich, C., Paxson, V., Sommer, R. (2005). Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_13

  • DOI: https://doi.org/10.1007/11506881_13

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-26613-6

  • Online ISBN: 978-3-540-31645-9