Enhancing the Accuracy of Network-Based Intrusion Detection with Host-Based Context

  • Holger Dreger
  • Christian Kreibich
  • Vern Paxson
  • Robin Sommer
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3548)


In the recent past, both network- and host-based approaches to intrusion detection have received much attention in the network security community. No approach, taken exclusively, provides a satisfactory solution: network-based systems are prone to evasion, while host-based solutions suffer from scalability and maintenance problems. In this paper we present an integrated approach, leveraging the best of both worlds: we preserve the advantages of network-based detection, but alleviate its weaknesses by improving the accuracy of the traffic analysis with specific host-based context. Our framework preserves a separation of policy from mechanism, is highly configurable and more flexible than sensor/manager-based architectures, and imposes a low overhead on the involved end hosts. We include a case study of our approach for a notoriously hard problem for purely network-based systems: the correct processing of HTTP requests.


  1. 1.
    Ptacek, T.H., Newsham, T.N.: Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection. Technical report, Secure Networks, Inc. (1998)Google Scholar
  2. 2.
    Handley, M., Kreibich, C., Paxson, V.: Network Intrusion Detection: Evasion, Traffic Normalization, and End-to-End Protocol Semantics. In: Proc. 10th USENIX Security Symposium (2001)Google Scholar
  3. 3.
    Shankar, U., Paxson, V.: Active Mapping: Resisting NIDS Evasion Without Altering Traffic. In: Proc. IEEE Symposium on Security and Privacy (2003)Google Scholar
  4. 4.
    Porras, P.A., Neumann, P.G.: EMERALD: Event monitoring enabling responses to anomalous live disturbances. In: National Information Systems Security Conference, Baltimore, MD (1997)Google Scholar
  5. 5.
    Vigna, G., Kemmerer, R.A.: Netstat: A network-based intrusion detection system. Journal of Computer Security 7, 37–71 (1999)Google Scholar
  6. 6.
    Spafford, E.H., Zamboni, D.: Intrusion Detection Using Autonomous Agents. Computer Networks 34, 547–570 (2000)CrossRefGoogle Scholar
  7. 7.
    Paxson, V.: Bro: A System for Detecting Network Intruders in Real-Time. Computer Networks 31 (1999)Google Scholar
  8. 8.
    Almgren, M., Lindqvist, U.: Application-Integrated Data Collection for Security Monitoring. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 22. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  9. 9.
    Welz, M., Hutchison, A.: Interfacing Trusted Applications with Intrusion Detection Systems. In: Lee, W., Mé, L., Wespi, A. (eds.) RAID 2001. LNCS, vol. 2212, p. 37. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Sommer, R., Paxson, V.: Exploiting Independent State For Network Intrusion Detection. Technical Report TUM-I0420, TU München (2004)Google Scholar
  11. 11.
    Kreibich, C., Sommer, R.: Policy-controlled Event Management for Distributed Intrusion Detection. In: Proc. 4th International Workshop on Distributed Event-Based Systems (2005)Google Scholar
  12. 12.
    Sommer, R., Paxson, V.: Enhancing Byte-Level Network Intrusion Detection Signatures with Context. In: Proc. 10th ACM Conference on Computer and Communications Security (2003),Google Scholar
  13. 13.
    Broccoli: The Bro Client Communications Library, http://www.cl.cam.ac.uk/~cpk25/broccoli/
  14. 14.
    Roesch, M.: Snort: Lightweight Intrusion Detection for Networks. In: Proc. 13th Systems Administration Conference (LISA), pp. 229–238 (1999)Google Scholar
  15. 15.
    Hoglund, G., McGraw, G.: Exploiting Software: How to Break Code. Addison Wesley Professional, Reading (2004)Google Scholar
  16. 16.
    Berners-Lee, T., Fielding, R., Irvine, U., Masinter, L.: Uniform Resource Identifiers (URI): Generic Syntax (1998), RFC 2396Google Scholar
  17. 17.
    Roelker, D.J.: HTTP IDS Evasions Revisited (2004), http://www.sourcefire.com/products/downloads/secured/sf_HTTP_IDS_evasions.pdf
  18. 18.
    Internet Security Systems Security Alert Multiple Vendor IDS Unicode Bypass Vulnerability (2001), http://xforce.iss.net/xforce/alerts/id/advise95
  19. 19.
  20. 20.
    Dreger, H., Feldmann, A., Paxson, V., Sommer, R.: Operational Experiences with High-Volume Network Intrusion Detection. In: Proc. 11th ACM Conference on Computer and Communications Security (2004)Google Scholar
  21. 21.
  22. 22.
    Puppy, R.F.: A Look At Whisker’s Anti-IDS Tactics (1999), http://www.wiretrip.net/rfp/pages/whitepapers/whiskerids.html
  23. 23.
  24. 24.
    Roelker, D.J.: URL encoder, http://code.idsresearch.org/encoder.c
  25. 25.
    Mosberger, D., Jin, T.: httperf - A Tool For Measuring Web Server Performance. In: Proc. of the First Workshop on Internet Server Performance (WISP 1998), Madison, WI, pp. 59–67 (1998)Google Scholar
  26. 26.

Copyright information

© Springer-Verlag Berlin Heidelberg 2005

Authors and Affiliations

  • Holger Dreger
    • 1
  • Christian Kreibich
    • 2
  • Vern Paxson
    • 3
  • Robin Sommer
    • 1
  1. 1.Computer Science DepartmentTechnische Universität München 
  2. 2.Computer LaboratoryUniversity of Cambridge 
  3. 3.International Computer Science Institute and Lawrence Berkeley National Laboratory 

Personalised recommendations