Zeek-Osquery: Host-Network Correlation for Advanced Monitoring and Intrusion Detection - ICT Systems Security and Privacy Protection
Conference paper, 2020


Authors: Steffen Haas, Robin Sommer, Mathias Fischer

Abstract

Intrusion Detection Systems (IDSs) can analyze network traffic for signs of attacks and intrusions. However, encrypted communication limits their visibility, and sophisticated attackers additionally try to evade their detection. To overcome these limitations, we extend the scope of Network IDSs (NIDSs) with additional data from the hosts. For that, we propose the integrated open-source zeek-osquery platform, which combines the Zeek IDS with the osquery host monitor. Our platform can collect, process, and correlate host and network data at large scale, e.g., to attribute network flows to processes and users. The platform can be flexibly extended with custom detection scripts that use the already correlated data as well as additional host data retrieved dynamically. A distributed deployment enables it to scale with an arbitrary number of osquery hosts. Our evaluation results indicate that a single Zeek instance can manage more than 870 osquery hosts and can attribute more than 96% of TCP connections to host-side applications and users in real time.
Main file: 497034_1_En_17_Chapter.pdf (526.35 KB)
Origin: Files produced by the author(s)

Dates and versions

hal-03440828 , version 1 (22-11-2021)

Cite

Steffen Haas, Robin Sommer, Mathias Fischer. Zeek-Osquery: Host-Network Correlation for Advanced Monitoring and Intrusion Detection. 35th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC), Sep 2020, Maribor, Slovenia. pp.248-262, ⟨10.1007/978-3-030-58201-2_17⟩. ⟨hal-03440828⟩