Skip to Main content Skip to Navigation
New interface
Conference papers

Zeek-Osquery: Host-Network Correlation for Advanced Monitoring and Intrusion Detection

Abstract : Intrusion Detection Systems (IDSs) can analyze network traffic for signs of attacks and intrusions. However, encrypted communication limits their visibility and sophisticated attackers additionally try to evade their detection. To overcome these limitations, we extend the scope of Network IDSs (NIDSs) with additional data from the hosts. For that, we propose the integrated open-source zeek-osquery platform that combines the Zeek IDS with the osquery host monitor. Our platform can collect, process, and correlate host and network data at large scale, e.g., to attribute network flows to processes and users. The platform can be flexibly extended with own detection scripts using already correlated, but also additional and dynamically retrieved host data. A distributed deployment enables it to scale with an arbitrary number of osquery hosts. Our evaluation results indicate that a single Zeek instance can manage more than 870 osquery hosts and can attribute more than 96% of TCP connections to host-side applications and users in real-time.
Document type :
Conference papers
Complete list of metadata
Contributor : Hal Ifip Connect in order to contact the contributor
Submitted on : Monday, November 22, 2021 - 3:32:37 PM
Last modification on : Monday, November 22, 2021 - 4:37:50 PM
Long-term archiving on: : Wednesday, February 23, 2022 - 7:57:34 PM


 Restricted access
To satisfy the distribution rights of the publisher, the document is embargoed until : 2023-01-01

Please log in to resquest access to the document


Distributed under a Creative Commons Attribution 4.0 International License




Steffen Haas, Robin Sommer, Mathias Fischer. Zeek-Osquery: Host-Network Correlation for Advanced Monitoring and Intrusion Detection. 35th IFIP International Conference on ICT Systems Security and Privacy Protection (SEC), Sep 2020, Maribor, Slovenia. pp.248-262, ⟨10.1007/978-3-030-58201-2_17⟩. ⟨hal-03440828⟩



Record views