Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context

  • Holger Dreger
  • Christian Kreibich
  • Vern Paxson
  • Robin Sommer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3548)


In the recent past, both network- and host-based approaches to intrusion detection have received much attention in the network security community. No approach, taken exclusively, provides a satisfactory solution: network-based systems are prone to evasion, while host-based solutions suffer from scalability and maintenance problems. In this paper we present an integrated approach, leveraging the best of both worlds: we preserve the advantages of network-based detection, but alleviate its weaknesses by improving the accuracy of the traffic analysis with specific host-based context. Our framework preserves a separation of policy from mechanism, is highly configurable and more flexible than sensor/manager-based architectures, and imposes a low overhead on the involved end hosts. We include a case study of our approach for a notoriously hard problem for purely network-based systems: the correct processing of HTTP requests.


Intrusion Detection Intrusion Detection System Network Intrusion Detection Signature Engine Redundant Context 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Ptacek, T.H., Newsham, T.N.: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Technical report, Secure Networks, Inc. (1998)Google Scholar
  2. 2.
    Handley, M., Kreibich, C., Paxson, V.: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In: Proc. 10th USENIX Security Symposium (2001)Google Scholar
  3. 3.
    Shankar, U., Paxson, V.: Active Mapping: Resisting NIDS Evasion Without Altering Traffic. In: Proc. IEEE Symposium on Security and Privacy (2003)Google Scholar
  4. 4.
    Porras, P.A., Neumann, P.G.: EMERALD: Event monitoring enabling responses to anomalous live disturbances. In: National Information Systems Security Conference, Baltimore, MD (1997)Google Scholar
  5. 5.
    Vigna, G., Kemmerer, R.A.: Netstat: A network-based intrusion detection system. Journal of Computer Security 7, 37–71 (1999)Google Scholar
  6. 6.
    Spafford, E.H., Zamboni, D.: Intrusion Detection Using Autonomous Agents. Computer Networks 34, 547–570 (2000)CrossRefGoogle Scholar
  7. 7.
    Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31 (1999)Google Scholar
  8. 8.
    Almgren, M., Lindqvist, U.: Application-Integrated Data Collection for Security Monitoring. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 22. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Welz, M., Hutchison, A.: Interfacing Trusted Applications with Intrusion Detection Systems. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 37. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Sommer, R., Paxson, V.: Exploiting Independent State For Network Intrusion Detection. Technical Report TUM-I0420, TU München (2004)Google Scholar
  11. 11.
    Kreibich, C., Sommer, R.: Policy-controlled Event Management for Distributed Intrusion Detection. In: Proc. 4th International Workshop on Distributed Event-Based Systems (2005)Google Scholar
  12. 12.
    Sommer, R., Paxson, V.: Enhancing Byte-Level Network Intrusion Detection Signatures with Context. In: Proc. 10th ACM Conference on Computer and Communications Security (2003),Google Scholar
  13. 13.
    Broccoli: The Bro Client Communications Library,
  14. 14.
    Roesch, M.: Snort: Lightweight Intrusion Detection for Networks. In: Proc. 13th Systems Administration Conference (LISA), pp. 229–238 (1999)Google Scholar
  15. 15.
    Hoglund, G., McGraw, G.: Exploiting Software: How to Break Code. Addison Wesley Professional, Reading (2004)Google Scholar
  16. 16.
    Berners-Lee, T., Fielding, R., Irvine, U., Masinter, L.: Uniform Resource Identifiers (URI): Generic Syntax (1998), RFC 2396Google Scholar
  17. 17.
    Roelker, D.J.: HTTP IDS Evasions Revisited (2004),
  18. 18.
    Internet Security Systems Security Alert Multiple Vendor IDS Unicode Bypass Vulnerability (2001),
  19. 19.
  20. 20.
    Dreger, H., Feldmann, A., Paxson, V., Sommer, R.: Operational Experiences with High-Volume Network Intrusion Detection. In: Proc. 11th ACM Conference on Computer and Communications Security (2004)Google Scholar
  21. 21.
  22. 22.
    Puppy, R.F.: A Look At Whisker’s Anti-IDS Tactics (1999),
  23. 23.
  24. 24.
    Roelker, D.J.: URL encoder,
  25. 25.
    Mosberger, D., Jin, T.: httperf - A Tool For Measuring Web Server Performance. In: Proc. of the First Workshop on Internet Server Performance (WISP 1998), Madison, WI, pp. 59–67 (1998)Google Scholar
  26. 26.

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Holger Dreger
    • 1
  • Christian Kreibich
    • 2
  • Vern Paxson
    • 3
  • Robin Sommer
    • 1
  1. 1.Computer Science DepartmentTechnische Universität München 
  2. 2.Computer LaboratoryUniversity of Cambridge 
  3. 3.International Computer Science Institute and Lawrence Berkeley National Laboratory 

Personalised recommendations