Content

•  
   1 Introduction
•  
   1.1 Intrusion Detection Systems
•  
   1.2 Research Questions
•  
   1.3 Thesis Organization and Contribution
•  
  1.4 Publications
•  
   1.4.1 Publications This Thesis Is Based On
•  
   1.4.2 Publications Not Related to This Thesis
•  
   1.5 A Note on Moral Implications of Network Monitoring
•  
   2 Fundamentals and Related Work
•  
  2.1 Improving the Network Throughput Performance of NIDS
•  
   2.1.1 Improving the Pattern Matching of NIDS
•  
   2.1.2 Reducing Network Traffic for Analysis
•  
   2.2 Flow Monitoring
•  
   2.2.1 Cisco NetFlow
•  
   2.2.2 Internet Protocol Flow Information Export (IPFIX)
•  
   2.3 Flow-Based Intrusion Detection
•  
   2.4 The Vermont Network Monitoring Toolkit
•  
   2.5 Intrusion Detection on Encrypted Traffic
•  
   3 Web 2.0 Security
•  
   3.1 Motivation
•  
   3.2 New Attacks of the Web 2.0
•  
   3.2.1 Merging of Security Domains Inside a Browser
•  
   3.2.2 Incomplete or Conflicting Standards
•  
   3.2.3 Unjustified Trust in the DNS and Public Key Infrastructures
•  
   3.3 Practical Mitigation Methods Today
•  
   3.3.1 Browser-Side Approaches
•  
   3.3.2 Server-Side Approaches
•  
   3.3.3 Solutions for Intermediate Devices
•  
   3.3.4 Attack Coverage
•  
   3.4 Open Research Challenges
•  
   3.4.1 Browsers Protection Against Typical Web 2.0 Attacks
•  
   3.4.2 Protection in Intermediate Devices
•  
   3.4.3 Secure and Easy to Use Application Frameworks for the Server-Side
•  
   3.4.4 Rethinking the Interaction Between Browser, Server and Components
•  
   3.5 Lessons Learned
•  
   4 Combining Anomaly Detectors Using Controlled Skips
•  
   4.1 Motivation
•  
  4.2 Architecture
•  
   4.2.1 Packet Analysis
•  
   4.2.2 Controlled Load Allocation Scheme
•  
   4.2.3 Post-Processing of Packets
•  
   4.3 Evaluation
•  
   4.3.1 Anomaly Detection Algorithms
•  
   4.3.2 Controlled Load Allocation Scheme
•  
   4.3.3 Behavior under Stress
•  
   4.4 Lessons Learned
•  
   5 Preprocessing HTTP for Network Monitoring and Intrusion Detection
•  
   5.1 Motivation
•  
   5.2 Importance of HTTP-Related Threats
•  
  5.3 Aggregating HTTP into IPFIX
•  
   5.3.1 Related Work In HTTP Monitoring and Aggregation
•  
   5.3.2 HTTP Aggregation Architecture
•  
   5.3.3 TCP Reassembly Engine
•  
   5.3.4 HTTP Parser
•  
   5.3.5 HTTP Aggregation Evaluation
•  
  5.4 HPA: HTTP-Based Payload Aggregation
•  
   5.4.1 HPA Concept
•  
   5.4.2 HPA Implementation
•  
   5.4.3 HPA Evaluation
•  
   5.5 Lessons Learned
•  
   6 FIXIDS: A Signature-Based Flow Intrusion Detection System
•  
   6.1 Motivation
•  
  6.2 FIXIDS
•  
   6.2.1 Rules and Signatures
•  
   6.2.2 Implementation
•  
  6.3 Evaluation Experiment Setup
•  
   6.3.1 Snort
•  
   6.3.2 FIXIDS Setup
•  
   6.3.3 Vermont Flow Probe
•  
   6.3.4 nProbe Flow Probe
•  
   6.3.5 Network Setup
•  
   6.3.6 Used Detection Rules
•  
   6.3.7 Attack Network Traffic
•  
   6.3.8 Realistic Network Traffic
•  
   6.4 Functional Evaluation
•  
  6.5 Throughput Performance Evaluation
•  
   6.5.1 Basic Throughput Experiments
•  
   6.5.2 Third-Party Flow Exporter Experiments
•  
   6.5.3 Real World Scenario
•  
   6.6 Lessons Learned
•  
   7 GENESIDS: An Automated System for Generating Attack Traffic
•  
   7.1 Motivation
•  
   7.2 Related Work in Traffic Generation
•  
  7.3 GENESIDS Architecture
•  
   7.3.1 Input and Connection Management
•  
   7.3.2 Rules
•  
   7.3.3 Limitations
•  
   7.3.4 Generating Mixed Traffic
•  
   7.4 Evaluation
•  
   7.5 Lessons Learned
•  
   8 Conclusion
•  
   Bibliography