Sciweavers

ACSAC
2005
IEEE

Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis

14 years 6 months ago
Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis
We propose a method to verify the result of attacks detected by signature-based network intrusion detection systems using lightweight protocol analysis. The observation is that network protocols often have short meaningful status codes saved at the beginning of server responses upon client requests. A successful intrusion that alters the behavior of a network application server often results in an unexpected server response, which does not contain the valid protocol status code. This can be used to verify the result of the intrusion attempt. We then extend this method to verify the result of attacks that still generate valid protocol status code in the server responses. We evaluate this approach by augmenting Snort signatures and testing on real-world data. We show that some simple changes to Snort signatures can effectively verify the result of attacks against the application servers, thus significantly improve the quality of alerts.
Jingmin Zhou, Adam J. Carlson, Matt Bishop
Added 24 Jun 2010
Updated 24 Jun 2010
Type Conference
Year 2005
Where ACSAC
Authors Jingmin Zhou, Adam J. Carlson, Matt Bishop
Comments (0)