On the Use of Context in Network Intrusion Detection Systems

Jayanth Kumar Kannan

EECS Department
University of California, Berkeley
Technical Report No. UCB/EECS-2009-110
August 9, 2009

http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-110.pdf

This thesis examines frameworks and mechanisms for building network intrusion detection systems. These systems perform a variety of complex analysis in order to enforce security policies, and such enforcement requires contextual information from several sources. In this thesis, we examine three such sources of context. First, we propose semi-automatic mechanisms that can be used in order to understand how application traffic manifests in the network; such mechanisms are necessary to incorporate application semantics into security policy enforcement. Second, we analyze the effectiveness of information exchange amongst multiple sites in containing a fast spreading worm. Third, we propose a framework that helps a network security system gain access to encrypted network traffic that is typically decipherable only by the end-host, while at the same time, respecting confidentiality constraints on sensitive content embedded in network traffic.

Advisor: Ion Stoica


BibTeX citation:

@phdthesis{Kannan:EECS-2009-110,
    Author = {Kannan, Jayanth Kumar},
    Title = {On the Use of Context in Network Intrusion Detection Systems},
    School = {EECS Department, University of California, Berkeley},
    Year = {2009},
    Month = {Aug},
    URL = {http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-110.html},
    Number = {UCB/EECS-2009-110},
    Abstract = {This thesis examines frameworks and mechanisms for building network intrusion detection systems. These systems perform a variety of complex analysis in order to enforce security policies, and such enforcement requires contextual information from several sources. In this thesis, we examine three such sources of context. First, we propose semi-automatic mechanisms that can be used in order to understand how application traffic manifests in the network; such mechanisms are necessary to incorporate application semantics into security policy enforcement. Second, we analyze the effectiveness of information exchange amongst multiple sites in containing a fast spreading worm. Third, we propose a framework that helps a network security system gain access to encrypted network traffic that is typically decipherable only by the end-host, while at the same time, respecting confidentiality constraints on sensitive content embedded in network traffic.}
}

EndNote citation:

%0 Thesis
%A Kannan, Jayanth Kumar
%T On the Use of Context in Network Intrusion Detection Systems
%I EECS Department, University of California, Berkeley
%D 2009
%8 August 9
%@ UCB/EECS-2009-110
%U http://www2.eecs.berkeley.edu/Pubs/TechRpts/2009/EECS-2009-110.html
%F Kannan:EECS-2009-110