
PCAV: Evaluation of Parallel Coordinates Attack Visualization

This research paper evaluates the PCAV system, a real-time monitoring system for anomaly-based intrusion detection using visualization. The paper discusses the main idea, algorithm, and evaluation of the PCAV system.


Presentation Transcript


  1. PCAV: Evaluation of Parallel Coordinates Attack Visualization. Hyunsang Choi, Heejo Lee ({realchs, heejo}@korea.ac.kr), Computer and Communication Security Laboratory, Korea University, Korea. Joint Workshop between Security Research Labs in Korea and Japan, Kyushu University, Kyushu, Japan, Feb 7 – Feb 9, 2006.

  2. Contents: 1. Overview; 2. Main Idea of PCAV; 3. Visualization; 4. Algorithm of PCAV; 5. Evaluation. http://ccs.korea.ac.kr

  3. Introduction (section navigation on each slide: Overview | Main Idea | Algorithm | Evaluation | Visualization)
  • PCAV (Parallel Coordinates Attack Visualization): a proposed anomaly-based real-time monitoring system using a visualization approach
  • Visualization approach, real-time monitoring, anomaly detection, early detection

  4. Characteristics: Internet Attacks (H. Kim et al., IEEE Networks 2004)
  • Large-scale Internet attacks: worms, source-spoofed DDoS attacks, scanning activities
  • Important characteristic: a one-to-many relationship

  5. Selected Parameters
  • What we visualize: 4 main parameters selected from the TCP/IP header fields (IP header and TCP header)

  6. Flow instead of Packet
  • Aggregated input data (flows) instead of raw packet traffic
  • A flow is keyed by source port, destination port, source IP address, destination IP address, ... (packet = header + data, from the Internet)

  7. Benefits of Visualization
  • Intuitive: come up with new hypotheses
  • Deal with large, noisy data easily
  • Higher degree of confidence
  • Faster

  8. Parallel Coordinates
  • How we draw flows on parallel coordinates
  • Input flow: source address <211.162.35.77>, destination address <211.162.35.105>, destination port <80>, average packet length <1240>
  • Axes (bottom to top): source address 0.0.0.0 to 255.255.255.255; destination address 0.0.0.0 to 255.255.255.255; destination port 0 to 65000; average packet length 0 to 1500. The example flow is plotted at 211.162.35.77, 211.162.35.105, 80 and 1240 on the respective axes.
  • (Figure residue: Fig. 7. Rescaled attack graphs; c. Host scan, d. Port scan)

  9. Attack Graphs from Real Traffic
  • 1. Worm graph (Slammer); 2. DDoS attack; 3. Host scan; 4. Port scan

  10. Attack Signatures
  • Graphical signatures: the divergence pattern and the packet length of the implied attack

  11. PCAV System Design
  • 4 main modules: Sensor, Analyzer, Visualizer, Database
  • Database: store flow information (text, image); remarkably compressed (1/2000); replay flows

  12. Application
  • PCAV 2.0 demo clip

  13. Algorithm
  • Main algorithm of the analyzer module

  14. Evaluation
  • 1 Gbps backbone traffic
  • Windows XP (flow generator), Windows 2003 Server (PCAV)
  • Pentium 4 PC, 1 GB memory (about 100 MB memory used)

  15. Stress Test
  • PCAV processes 10 Gbps traffic with 98% accuracy
  • (A gigabit network exports about 10,000 flows/s)

  16. Multiple Attack

  17. False Positive Test
  • False positives: host scan, DDoS
  • Benign traffic tested: P2P, web traffic (flash crowd, web crawling), games, chatting (MSN), DNS, mail, streaming, etc.
  • Length filtering effect (flag)
  • Threshold setting

  18. False Negative Test
  • False negatives: under the stated assumption, slightly increased but ignorable
  • Worms cannot be detected without length filtering
  • Threshold setting
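The axis mapping of slide 8, the one-to-many attack signatures of slides 4 and 10, and the length-filtering flag and threshold setting of slides 17 and 18, as an added Python illustration written for this page (it is not PCAV's own code and not the analyzer algorithm of slide 13). The four axes and their top values follow slide 8; the grouping rules, the threshold of 10 distinct peers, the 16-byte length tolerance, the Flow record and the constructed flow window are assumptions made here.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address

# Axis order and top-of-axis values as drawn on slide 8 (the bottom of every axis is 0).
AXES = ("src_ip", "dst_ip", "dst_port", "avg_len")
AXIS_TOP = {"src_ip": 2**32 - 1, "dst_ip": 2**32 - 1, "dst_port": 65000, "avg_len": 1500}


@dataclass(frozen=True)
class Flow:  # assumed flow record: the four parameters PCAV plots
    src_ip: str
    dst_ip: str
    dst_port: int
    avg_len: int  # average packet length of the flow, in bytes


def axis_value(name, flow):
    """Raw numeric value of one parameter; IP addresses become 32-bit integers."""
    value = getattr(flow, name)
    return int(IPv4Address(value)) if name.endswith("_ip") else value


def to_polyline(flow):
    """Heights in [0, 1] on the four axes; joining them draws the flow's polyline."""
    return tuple(min(1.0, axis_value(a, flow) / AXIS_TOP[a]) for a in AXES)


def detect(flows, threshold=10, length_filter=True, length_tolerance=16):
    """Report one-to-many patterns in a window of flows (assumed grouping rules).

    hostscan: one source and one destination port reaching >= threshold destinations
    worm:     a hostscan whose packet lengths are nearly constant; only told apart
              from a hostscan when length_filter is on (cf. slide 18)
    portscan: one source and one destination touching >= threshold destination ports
    ddos:     one destination and port receiving from >= threshold (spoofed) sources
    """
    by_src_port, by_src_dst, by_dst_port = defaultdict(list), defaultdict(list), defaultdict(list)
    for f in flows:
        by_src_port[(f.src_ip, f.dst_port)].append(f)
        by_src_dst[(f.src_ip, f.dst_ip)].append(f)
        by_dst_port[(f.dst_ip, f.dst_port)].append(f)

    alerts = []
    for (src, port), group in by_src_port.items():
        fanout = len({f.dst_ip for f in group})
        if fanout < threshold:
            continue
        lengths = [f.avg_len for f in group]
        constant_length = max(lengths) - min(lengths) <= length_tolerance
        kind = "worm" if length_filter and constant_length else "hostscan"
        alerts.append((kind, src, port, fanout))
    for (src, dst), group in by_src_dst.items():
        fanout = len({f.dst_port for f in group})
        if fanout >= threshold:
            alerts.append(("portscan", src, dst, fanout))
    for (dst, port), group in by_dst_port.items():
        fanin = len({f.src_ip for f in group})
        if fanin >= threshold:
            alerts.append(("ddos", dst, port, fanin))
    return sorted(alerts)


def sample_window():
    """Constructed flows: a worm-like burst, a host scan, a port scan, a DDoS, background."""
    flows = []
    # Worm-like: one source hits 12 hosts on one port with an identical packet length.
    flows += [Flow("10.0.0.5", f"10.1.0.{i}", 1434, 404) for i in range(12)]
    # Host scan: one source probes 15 hosts on port 22 with assorted packet lengths.
    flows += [Flow("10.0.0.6", f"10.2.0.{i}", 22, 40 + 20 * i) for i in range(15)]
    # Port scan: one source, one destination, 20 different ports.
    flows += [Flow("10.0.0.7", "10.3.0.1", 1000 + i, 60) for i in range(20)]
    # DDoS: 30 distinct (spoofed-looking) sources towards one web server port.
    flows += [Flow(f"192.0.2.{i}", "10.4.0.1", 80, 60) for i in range(1, 31)]
    # Background: ordinary flows that should not trip any rule.
    flows += [Flow("10.0.0.9", "10.5.0.1", 443, 900), Flow("10.0.0.9", "10.5.0.2", 443, 1200)]
    return flows


if __name__ == "__main__":
    print(to_polyline(Flow("211.162.35.77", "211.162.35.105", 80, 1240)))
    for alert in detect(sample_window()):
        print(alert)
    print("without length filtering:", detect(sample_window(), length_filter=False))
```

Running it with `length_filter=False` shows the effect slide 18 describes: the worm-like burst is no longer separable from a plain host scan, because both are one source fanning out to many destinations on one port and only the constant packet length distinguishes them.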

  19. Summary
  • Main purpose: early detection, real-time monitoring
  • Effectiveness: detect and draw a particular pattern of graph for each attack
  • Future work: auto-threshold configuration; enhance the sampling process

  20. Thanks. Tel: +82-2-3290-3208, Fax: +82-2-953-0771, http://ccs.korea.ac.kr. Dept. of Computer Science and Engineering, Korea University, Anam-Dong, SeoungBuk-Gu, Seoul, KOREA
