This thesis examines frameworks and mechanisms for building network intrusion detection systems. These systems perform a variety of complex analysis in order to enforce security policies, and such enforcement requires contextual information from several sources. In this thesis, we examine three such sources of context. First, we propose semi-automatic mechanisms that can be used in order to understand how application traffic manifests in the network; such mechanisms are necessary to incorporate application semantics into security policy enforcement. Second, we analyze the effectiveness of information exchange amongst multiple sites in containing a fast spreading worm. Third, we propose a framework that helps a network security system gain access to encrypted network traffic that is typically decipherable only by the end-host, while at the same time, respecting confidentiality constraints on sensitive content embedded in network traffic.