Verify Results of Network Intrusion Alerts Using Lightweight Protocol Analysis

Jingmin Zhou
University of California, Davis
USA

Adam Carlson
University of California, Davis
USA

Matt Bishop
University of California, Davis
USA

Signature-based network intrusion detection systems usually
report an alert for every intrusion attempt without verifying its
result, which often burdens analysts with a large number of alerts.
We propose verifying the results of intrusion attempts with
lightweight protocol analysis in order to find the successful
intrusions. Our observation is that network protocols often place
a meaningful status code at the beginning of the server's response
to a client request. A successful intrusion that alters the
behavior of the attacked network application server can produce an
unexpected server response. By comparing the header of the server
response to the specification of the protocol, it is feasible to
verify the result of an intrusion attempt. We then extend this
method to verify the result of attacks that do not generate output
violating the protocol specification. We evaluate the method by
augmenting Snort signatures and testing on real-world data. We show
that some simple changes to Snort signatures can effectively verify
the results of intrusion attempts against application servers and
thus significantly reduce the number of alerts.
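The header comparison described above, as an added example that is not the authors' code: the first line of a server response is matched against a simplified status-line grammar for HTTP, FTP and SMTP, and each alert is tagged by whether the reply conforms. The grammars, the verdict labels and the sample alerts are assumptions constructed for illustration.

```python
import re

# Added example (not the authors' code): a lightweight check of the start of
# a server response against a simplified status-line grammar. The grammars
# below are reduced to what the verdict needs and are not full RFC parsers.

# HTTP/1.x: HTTP-version SP 3-digit status SP reason-phrase CRLF
HTTP_STATUS_LINE = re.compile(rb"^HTTP/1\.[01] [1-5][0-9]{2} [\x20-\x7e]*\r\n")
# FTP and SMTP replies: 3-digit code, then SP (final line) or '-' (continued)
REPLY_LINE = re.compile(rb"^[1-5][0-9]{2}[ -][\x20-\x7e]*\r\n")

SPEC = {"http": HTTP_STATUS_LINE, "ftp": REPLY_LINE, "smtp": REPLY_LINE}


def response_conforms(protocol: str, response: bytes) -> bool:
    """True if the header of the server response matches the protocol spec.
    Only the first line is inspected, which keeps the check cheap."""
    return SPEC[protocol].match(response) is not None


def verify_alert(protocol: str, response: bytes) -> str:
    """Classify an intrusion-attempt alert by the server's reply.

    'verified'    - reply violates the spec: server behaviour was altered
    'unverified'  - reply conforms: attempt most likely failed, or needs a
                    deeper check that looks past the header
    'no-response' - server sent nothing back; kept separate because a silent
                    server may be crashed or merely slow (assumed label)
    """
    if not response:
        return "no-response"
    return "unverified" if response_conforms(protocol, response) else "verified"


# Constructed sample alerts: (alert id, protocol, first bytes of the reply)
SAMPLE_ALERTS = [
    ("a1", "http", b"HTTP/1.1 404 Not Found\r\nContent-Length: 0\r\n\r\n"),
    ("a2", "http", b"uid=0(root) gid=0(root)\n"),  # command output, no status line
    ("a3", "ftp", b"530 Login incorrect.\r\n"),
    ("a4", "ftp", b""),
    ("a5", "smtp", b"250-mail.example.test\r\n250 OK\r\n"),
]


def triage(alerts):
    """Attach a verdict to each alert; an analyst can then drop 'unverified'."""
    return [(aid, verify_alert(proto, reply)) for aid, proto, reply in alerts]


if __name__ == "__main__":
    for aid, verdict in triage(SAMPLE_ALERTS):
        print(aid, verdict)
```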

Keywords: Alert Verification, Intrusion Attempt, Intrusion Detection, Protocol Analysis
