International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment

DIMVA 2005: Detection of Intrusions and Malware, and Vulnerability Assessment pp 206-221

Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context

  • Holger Dreger
  • Christian Kreibich
  • Vern Paxson
  • Robin Sommer
Conference paper

DOI: 10.1007/11506881_13

Volume 3548 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Dreger H., Kreibich C., Paxson V., Sommer R. (2005) Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context. In: Julisch K., Kruegel C. (eds) Detection of Intrusions and Malware, and Vulnerability Assessment. DIMVA 2005. Lecture Notes in Computer Science, vol 3548. Springer, Berlin, Heidelberg

Abstract

In the recent past, both network- and host-based approaches to intrusion detection have received much attention in the network security community. No approach, taken exclusively, provides a satisfactory solution: network-based systems are prone to evasion, while host-based solutions suffer from scalability and maintenance problems. In this paper we present an integrated approach, leveraging the best of both worlds: we preserve the advantages of network-based detection, but alleviate its weaknesses by improving the accuracy of the traffic analysis with specific host-based context. Our framework preserves a separation of policy from mechanism, is highly configurable and more flexible than sensor/manager-based architectures, and imposes a low overhead on the involved end hosts. We include a case study of our approach for a notoriously hard problem for purely network-based systems: the correct processing of HTTP requests.


Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Holger Dreger (1)
  • Christian Kreibich (2)
  • Vern Paxson (3)
  • Robin Sommer (1)

  1. Computer Science Department, Technische Universität München
  2. Computer Laboratory, University of Cambridge
  3. International Computer Science Institute and Lawrence Berkeley National Laboratory