This thesis examines frameworks and mechanisms for building network intrusion detection systems. These systems perform a variety of complex analyses in order to enforce security policies, and such enforcement requires contextual information from several sources. In this thesis, we examine three such sources of context. First, we propose semi-automatic mechanisms that can be used to understand how application traffic manifests in the network; such mechanisms are necessary to incorporate application semantics into security policy enforcement. Second, we analyze the effectiveness of information exchange among multiple sites in containing a fast-spreading worm. Third, we propose a framework that helps a network security system gain access to encrypted network traffic that is typically decipherable only by the end host, while at the same time respecting confidentiality constraints on sensitive content embedded in the network traffic.
Title
On the Use of Context in Network Intrusion Detection Systems
Published
2009-08-09
Full Collection Name
Electrical Engineering & Computer Sciences Technical Reports
Other Identifiers
EECS-2009-110
Type
Text
Extent
139 p
Archive
The Engineering Library
Usage Statement
Researchers may make free and open use of the UC Berkeley Library’s digitized public domain materials. However, some materials in our online collections may be protected by U.S. copyright law (Title 17, U.S.C.). Use or reproduction of materials protected by copyright beyond that allowed by fair use (Title 17, U.S.C. § 107) requires permission from the copyright owners. The use or reproduction of some materials may also be restricted by terms of University of California gift or purchase agreements, privacy and publicity rights, or trademark law. Responsibility for determining rights status and permissibility of any use or reproduction rests exclusively with the researcher. To learn more or make inquiries, please see our permissions policies (https://www.lib.berkeley.edu/about/permissions-policies).