TY - CONF JO - Computer Security Applications Conference, 21st Annual TI - Verify results of network intrusion alerts using lightweight protocol analysis T2 - Computer Security Applications Conference, 21st Annual IS - SN - 1063-9527 VO - SP - 10 pp. EP - 126 AU - Jingmin Zhou AU - Carlson, A.J. AU - Bishop, M. Y1 - 5-9 Dec. 2005 PY - 2005 KW - protocols KW - security of data KW - Snort signature KW - lightweight protocol analysis KW - network application server KW - network intrusion alert KW - network protocol status code KW - signature-based network intrusion detection system KW - unexpected server response VL - JA - Computer Security Applications Conference, 21st Annual DOI - 10.1109/CSAC.2005.62 AB - We propose a method to verify the result of attacks detected by signature-based network intrusion detection systems using lightweight protocol analysis. The observation is that network protocols often have short meaningful status codes saved at the beginning of server responses upon client requests. A successful intrusion that alters the behavior of a network application server often results in an unexpected server response, which does not contain the valid protocol status code. This can be used to verify the result of the intrusion attempt. We then extend this method to verify the result of attacks that still generate valid protocol status code in the server responses. We evaluate this approach by augmenting Snort signatures and testing on real world data. We show that some simple changes to Snort signatures can effectively verify the result of attacks against the application servers, thus significantly improve the quality of alerts ER -