Chapter

Detection of Intrusions and Malware, and Vulnerability Assessment

Volume 3548 of the series Lecture Notes in Computer Science pp 206-221

Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context

  • Holger Dreger, Computer Science Department, Technische Universität München
  • Christian Kreibich, Computer Laboratory, University of Cambridge
  • Vern Paxson, International Computer Science Institute and Lawrence Berkeley National Laboratory
  • Robin Sommer, Computer Science Department, Technische Universität München


Abstract

In the recent past, both network- and host-based approaches to intrusion detection have received much attention in the network security community. No approach, taken exclusively, provides a satisfactory solution: network-based systems are prone to evasion, while host-based solutions suffer from scalability and maintenance problems. In this paper we present an integrated approach, leveraging the best of both worlds: we preserve the advantages of network-based detection, but alleviate its weaknesses by improving the accuracy of the traffic analysis with specific host-based context. Our framework preserves a separation of policy from mechanism, is highly configurable and more flexible than sensor/manager-based architectures, and imposes a low overhead on the involved end hosts. We include a case study of our approach for a notoriously hard problem for purely network-based systems: the correct processing of HTTP requests.