
Visualization Techniques for Intrusion Detection




  1. Visualization Techniques for Intrusion Detection
  Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection
  June 11 – 13, 2002, Johns Hopkins University
  Steven Johnston, Communications Security Establishment
  William Wright, Oculus Info Inc.

  2. Outline
  • Intrusion detection issues
  • Using visualization as a solution
  • Current visualization tools developed
  • Future development of visualization in intrusion detection

  3. Intrusion Detection Issues
  • Large amounts of IDS data
  • Bad “signal/noise” ratio on most un-tuned IDS (sample alarm records):
    630443,2001-12-29 00:00:05,"SNMP_Suspicious_Get",17,1025,161,"1025","SNMP",-815068385,-815007770,"207.107.11.31","207.107.247.230","","","",2,False,"00:05:32:02:DD:EC","","00:00:0C:05:D0:43","",0,"",5,"207.107.11.12",False,0,000000000009A8E2
    630444,2001-12-29 00:00:10,"PingFlood",1,0,0,"","",-829255711,-815068333,"206.146.143.225","207.107.11.83","","Echo Request","None",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E3
    630445,2001-12-29 00:00:29,"PingFlood",1,0,0,"","",1072699914,-815068333,"63.240.26.10","207.107.11.83","","Echo Request","None",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E4
    630446,2001-12-29 00:00:38,"HTTP_ActiveX",6,80,1545,"HTTP","1545",-825489548,-815068285,"206.204.7.116","207.107.11.131","","","",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E5

  4. Intrusion Detection Issues
  • If alarms are removed, harmful events may slip through unnoticed
  • Event correlation (IDS, routers, firewalls)
  • Reporting incidents to senior management or other non-experts
  • Advances in technology and increases in network capacity are a mixed blessing

  5. Visualization as a Solution
  • Allows people to see and comprehend large amounts of complex data in a short period of time
  • Helps the analyst to identify significant incidents and reduce time wasted with false positives
  • Facilitates explanation of incidents to a broader, non-expert audience
  • Provides ability to cue the analyst through the use of colour, shape, patterns, or motion

  6. Visualization Tool Development
  • Two graphical applications have been developed for evaluation
    – Intrusion Detection Analyst Workbench
    – Animated Incident Explanation Engine
  • Both display data visually, but currently have two distinct audiences

  7. Intrusion Detection Analyst Workbench
  • More than two million events can be displayed and analyzed in multiple concurrent dynamic charts
  • Each chart is linked, allowing the analyst to select something in one chart, and the relevant details will be highlighted in the other charts

  8. Intrusion Detection Analyst Workbench
  • Assists in isolating, investigating and prioritizing events
  • Evaluated side-by-side with traditional methods and proved to be significantly faster and easier
  • Run by commercial off-the-shelf Advizor™ product

  9. Intrusion Detection Analyst Workbench - Demo

  10. Animated Incident Explanation Engine
  • Designed to show the significance and nature of the events without overwhelming the viewer
  • Easy to see who did what to whom and when
  • Excellent for explaining concepts to non-experts

  11. Animated Incident Explanation Engine - Demo

  12. Future Developments
  • Expansion and integration of the two current tools
  • Anomaly detection capability through the use of network traffic data along with fused IDS alarms
  • Integrated time based comparisons
  • Overlaying analytical methods and results

  13. Conclusions
  • Visualization has proved to be an effective analyst’s tool
  • Complex information is easily understood by non-experts
  • More development and research needed

  14. Questions?
  To contact us:
  Steven Johnston, Communications Security Establishment: steven.johnston@cse-cst.gc.ca
  William Wright, Oculus Info Inc.: bill.wright@oculusinfo.com
