@INPROCEEDINGS{1565240, author={Jingmin Zhou and Carlson, A.J. and Bishop, M.}, booktitle={Computer Security Applications Conference, 21st Annual}, title={Verify results of network intrusion alerts using lightweight protocol analysis}, year={2005}, month={dec.}, volume={}, number={}, pages={10 pp. -126}, abstract={We propose a method to verify the result of attacks detected by signature-based network intrusion detection systems using lightweight protocol analysis. The observation is that network protocols often have short meaningful status codes saved at the beginning of server responses upon client requests. A successful intrusion that alters the behavior of a network application server often results in an unexpected server response, which does not contain the valid protocol status code. This can be used to verify the result of the intrusion attempt. We then extend this method to verify the result of attacks that still generate valid protocol status code in the server responses. We evaluate this approach by augmenting Snort signatures and testing on real world data. We show that some simple changes to Snort signatures can effectively verify the result of attacks against the application servers, thus significantly improve the quality of alerts}, keywords={Snort signature;lightweight protocol analysis;network application server;network intrusion alert;network protocol status code;signature-based network intrusion detection system;unexpected server response;protocols;security of data;}, doi={10.1109/CSAC.2005.62}, ISSN={1063-9527},}