Detecting Successful Attacks from IDS Alerts Based On Emulation of Remote Shellcodes

2019 IEEE 43rd Annual Computer Software and Applications Conference (COMPSAC)(2019)

Abstract
Server administrators and security operation center analysts receive alerts from an intrusion detection system and check whether attacks have succeeded. However, it is difficult to handle them quickly because a tremendous number of alerts is generated in a short period of time. We propose a method to identify important alerts that lead to security incidents automatically. The key idea is to determine the success or failure of an attack based on traffic logs and the network behaviors observed during shellcode emulation. We evaluated the proposed method in terms of accuracy and performance and found that it can handle more than 60% of remote shellcodes and cope with practical attack cases.
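The key idea above is to compare the network behaviour a shellcode exhibits under emulation with what the traffic logs actually recorded after the alert. The following is an added illustration of that correlation step, not code from the paper: it assumes a hypothetical emulator output of ("connect", host, port) for reverse-connect payloads and ("bind", host, port) for bind shells, and all addresses, ports and timestamps are constructed.

```python
# Added example (not from the paper): decide whether an IDS alert is likely a
# successful attack by matching emulated shellcode behaviour against flow logs.
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Flow:           # one record from a traffic/flow log
    ts: datetime
    src: str
    dst: str
    dport: int

@dataclass
class Alert:          # one IDS alert plus what emulation of its shellcode showed
    ts: datetime
    attacker: str
    victim: str
    behaviors: list   # hypothetical emulator output, e.g. ("connect", host, port)

def expected_flows(alert):
    """Map emulated behaviours to the flow we would see only if the code ran."""
    wanted = set()
    for kind, host, port in alert.behaviors:
        if kind == "connect":   # reverse shell / downloader: victim -> host:port
            wanted.add((alert.victim, host, port))
        elif kind == "bind":    # bind shell: attacker -> victim:port
            wanted.add((alert.attacker, alert.victim, port))
    return wanted

def verify_alert(alert, flows, window=timedelta(minutes=5)):
    """Return 'success' if a matching flow follows the alert within the window."""
    wanted = expected_flows(alert)
    if not wanted:
        return "unsupported"    # emulation produced no network behaviour to check
    for f in flows:
        if alert.ts <= f.ts <= alert.ts + window and (f.src, f.dst, f.dport) in wanted:
            return "success"
    return "no-evidence"        # payload was sent, but its expected traffic never appeared

def demo():
    t0 = datetime(2019, 7, 15, 10, 0, 0)
    flows = [  # constructed flow log: one callback, one unrelated HTTPS flow
        Flow(t0 + timedelta(seconds=2), "192.0.2.10", "198.51.100.7", 4444),
        Flow(t0 + timedelta(seconds=40), "192.0.2.10", "203.0.113.9", 443),
    ]
    reverse = Alert(t0, "198.51.100.7", "192.0.2.10", [("connect", "198.51.100.7", 4444)])
    bind = Alert(t0, "198.51.100.7", "192.0.2.10", [("bind", "0.0.0.0", 31337)])
    empty = Alert(t0, "198.51.100.7", "192.0.2.10", [])
    return verify_alert(reverse, flows), verify_alert(bind, flows), verify_alert(empty, flows)
```

The "unsupported" verdict is the practical caveat: the paper reports coverage of more than 60% of remote shellcodes, so an analyst still has to triage alerts whose payload the emulator cannot run.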
Keywords
Alert Verification, Triage, Shellcode, IDS, Emulation