Abstract
In the recent past, both network- and host-based approaches to intrusion detection have received much attention in the network security community. No approach, taken exclusively, provides a satisfactory solution: network-based systems are prone to evasion, while host-based solutions suffer from scalability and maintenance problems. In this paper we present an integrated approach, leveraging the best of both worlds: we preserve the advantages of network-based detection, but alleviate its weaknesses by improving the accuracy of the traffic analysis with specific host-based context. Our framework preserves a separation of policy from mechanism, is highly configurable and more flexible than sensor/manager-based architectures, and imposes a low overhead on the involved end hosts. We include a case study of our approach for a notoriously hard problem for purely network-based systems: the correct processing of HTTP requests.
© 2005 Springer-Verlag Berlin Heidelberg
Dreger, H., Kreibich, C., Paxson, V., Sommer, R. (2005). Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context. In: Julisch, K., Kruegel, C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11506881_13
DOI: https://doi.org/10.1007/11506881_13
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-26613-6
Online ISBN: 978-3-540-31645-9