• DocumentCode
    2858086
  • Title
    Verify results of network intrusion alerts using lightweight protocol analysis
  • Author
    Zhou, Jingmin ; Carlson, Adam J. ; Bishop, Matt
  • Author_Institution
    Comput. Security Lab., California Univ., Davis, CA
  • fYear
    2005
  • fDate
    5-9 Dec. 2005
  • Lastpage
    126
  • Abstract
    We propose a method to verify the result of attacks detected by signature-based network intrusion detection systems using lightweight protocol analysis. The observation is that network protocols often have short, meaningful status codes at the beginning of server responses to client requests. A successful intrusion that alters the behavior of a network application server often results in an unexpected server response, which does not contain a valid protocol status code. This can be used to verify the result of the intrusion attempt. We then extend this method to verify the result of attacks that still generate a valid protocol status code in the server response. We evaluate this approach by augmenting Snort signatures and testing on real-world data. We show that some simple changes to Snort signatures can effectively verify the result of attacks against application servers, thus significantly improving the quality of alerts.
  • Keywords
    protocols; security of data; Snort signature; lightweight protocol analysis; network application server; network intrusion alert; network protocol status code; signature-based network intrusion detection system; unexpected server response; Application software; Computer security; Computer worms; Data security; Intrusion detection; Laboratories; Monitoring; Network servers; Protocols; Testing;
  • fLanguage
    English
  • Publisher
    ieee
  • Conference_Titel
    Computer Security Applications Conference, 21st Annual
  • Conference_Location
    Tucson, AZ
  • ISSN
    1063-9527
  • Print_ISBN
    0-7695-2461-3
  • Type
    conf
  • DOI
    10.1109/CSAC.2005.62
  • Filename
    1565240
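The abstract's first method, checking whether the server's reply to a flagged request still opens with a well-formed protocol status line, is shown below as an added example. This is illustrative code written for this record, not the authors' implementation or their modified Snort rules: the status-line regexes, the 128-byte prefix limit, the verdict labels and the sample alerts are all assumptions constructed for the example.

```python
import re

# Regexes for the status line a legitimately behaving server puts at the very
# start of its reply. These patterns are this example's own assumption about
# what "valid protocol status code" means for each protocol, not the paper's
# rule text.
STATUS_LINE = {
    "http": re.compile(rb"^HTTP/1\.[01] [1-5]\d{2}(?: |\r\n)"),
    "ftp": re.compile(rb"^[1-5]\d{2}[ -]"),
    "smtp": re.compile(rb"^[2-5]\d{2}[ -]"),
}

# Only this many leading bytes are examined: the check is meant to be cheap
# enough to attach to a signature match, not a full protocol decode.
PREFIX_BYTES = 128


def verify_alert(protocol: str, response: bytes) -> str:
    """Classify an IDS alert by looking at the start of the server's reply.

    Returns one of:
      "likely_failed"    - reply opens with a well-formed status line, so the
                           server is still speaking the protocol.
      "likely_succeeded" - no reply at all, or the reply does not start with a
                           status line (e.g. shell output, binary garbage).
      "unknown"          - protocol not covered by this checker.
    """
    pattern = STATUS_LINE.get(protocol.lower())
    if pattern is None:
        return "unknown"
    if not response:
        # Silence where the protocol mandates a status line: the server
        # crashed, or the connection is now driven by injected code.
        return "likely_succeeded"
    if pattern.match(response[:PREFIX_BYTES]):
        return "likely_failed"
    return "likely_succeeded"


def triage(alerts):
    """Attach a verdict to each (sid, protocol, response) alert tuple."""
    return [(sid, proto, verify_alert(proto, resp)) for sid, proto, resp in alerts]


# Constructed sample alerts for the example, not real captured traffic.
# Each tuple: hypothetical signature id, protocol, first bytes the server sent
# back after the request that matched the signature.
SAMPLE_ALERTS = [
    (1001, "http", b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    (1002, "http", b"uid=0(root) gid=0(root) groups=0(root)\n"),
    (2001, "ftp", b"530 Login incorrect.\r\n"),
    (2002, "ftp", b""),
    (3001, "smtp", b"250 2.1.0 Ok\r\n"),
    (3002, "smtp", b"\x90\x90\x90\x90/bin/sh"),
    (4001, "dns", b"\x00\x01"),
]

if __name__ == "__main__":
    for sid, proto, verdict in triage(SAMPLE_ALERTS):
        print(f"sid={sid} proto={proto} verdict={verdict}")
```

The check only ever downgrades an alert when the server is visibly no longer speaking its protocol; a reply with a valid status code does not prove the attack failed (a payload that runs after a normal 200 reply, for instance), which is the case the abstract's extended method addresses and which this example does not cover.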