Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis

	This Article
	Subscribers, please Login Purchase article: $19 PDF IEEE Xplore Subscribers RSS feed
	Share
	Email this Article to a friend
	Bibliographic References
	ASCII Text BibTex RefWorks Procite/RefMan/Endnote
	Add to:
	Digg Furl Spurl Blink Simpy Google Del.icio.us Y!MyWeb
	Search
	Similar Articles Articles by Jingmin Zhou Articles by Adam J. Carlson Articles by Matt Bishop

21st Annual Computer Security Applications Conference (ACSAC'05)

Tucson, Arizona

December 05-December 09

ISBN: 0-7695-2461-3

	ASCII Text	x
	Jingmin Zhou, Adam J. Carlson, Matt Bishop, "Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis," Computer Security Applications Conference, Annual, pp. 117-126, 21st Annual Computer Security Applications Conference (ACSAC'05), 2005.

	BibTex	x
	@article{ 10.1109/CSAC.2005.62, author = {Jingmin Zhou and Adam J. Carlson and Matt Bishop}, title = {Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis}, journal ={Computer Security Applications Conference, Annual}, volume = {0}, year = {2005}, issn = {1063-9527}, pages = {117-126}, doi = {http://doi.ieeecomputersociety.org/10.1109/CSAC.2005.62}, publisher = {IEEE Computer Society}, address = {Los Alamitos, CA, USA}, }

	RefWorks Procite/RefMan/Endnote	x
	TY - CONF JO - Computer Security Applications Conference, Annual TI - Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis SN - 1063-9527 SP117 EP126 A1 - Jingmin Zhou, A1 - Adam J. Carlson, A1 - Matt Bishop, PY - 2005 KW - null VL - 0 JA - Computer Security Applications Conference, Annual ER -

Jingmin Zhou, University of California, Davis

Adam J. Carlson, University of California, Davis

Matt Bishop, University of California, Davis

DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/CSAC.2005.62

We propose a method to verify the result of attacks detected by signature-based network intrusion detection systems using lightweight protocol analysis. The observation is that network protocols often have short meaningful status codes saved at the beginning of server responses upon client requests. A successful intrusion that alters the behavior of a network application server often results in an unexpected server response, which does not contain the valid protocol status code. This can be used to verify the result of the intrusion attempt. We then extend this method to verify the result of attacks that still generate valid protocol status code in the server responses. We evaluate this approach by augmenting Snort signatures and testing on real-world data. We show that some simple changes to Snort signatures can effectively verify the result of attacks against the application servers, thus significantly improve the quality of alerts.

Citation:

Jingmin Zhou, Adam J. Carlson, Matt Bishop, "Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis," acsac, pp.117-126, 21st Annual Computer Security Applications Conference (ACSAC'05), 2005

Peer Review Notice | Give Us Feedback

Usage of this product signifies your acceptance of the Terms of Use.