Understanding Intrusion Detection Through Visualization
Authors
Abstract
With the ever-increasing use of computers for critical systems, computer security, the protection of data and computer systems from intentional, malicious intervention, is attracting much attention. Among the methods for defence, intrusion detection, i.e. the application of a tool to help the operator identify ongoing or already perpetrated attacks, has been the subject of considerable research in the past ten years. A key problem with current intrusion detection systems is the high number of false alarms they produce. This thesis presents research into why false alarms are and will remain a problem and proposes to apply results from the field of information visualisation to the problem of intrusion detection. This was thought to enable the operator to correctly identify false (and true) alarms, and also to aid the operator in identifying other operational characteristics of intrusion detection systems. Four different visualisation approaches were tried, mainly on data from web server access logs. Two direct approaches were tried, where the system puts the onus of identifying the malicious access requests on the operator by way of the visualisation. Two indirect approaches were also tried, where the state of two self-learning automated intrusion detection systems was visualised to enable the operator to examine their inner workings. This was done with the hope that, in doing so, the operator would gain an understanding of how the intrusion detection systems operated and whether that level of operation, and the quality of the output, was satisfactory. Several experiments were performed and many different attacks in web access data from publicly available web servers were found. The visualisation helped the operator detect the attacks herself and, more importantly, the false alarms. It also helped her determine whether other aspects of the operation of the self-learning intrusion detection systems were satisfactory.
Similar resources
On the Visualization of Honeypot Data through Projection Techniques
A crucial aspect in network monitoring for security purposes is the visual inspection of traffic patterns, which chiefly provides the network manager with a synthetic and intuitive representation of the current situation. In keeping with this idea, neural projection techniques can adaptively map high-dimensional data into a low-dimensional space, for the user-friendly visualization of data collec...
Correlation between NetFlow System and Network Views for Intrusion Detection
We present several ways to correlate security events from two applications that visualize the same underlying data with two distinct views: system and network. Correlation of security events provide Security Engineers a better understanding of what is happening for enhanced security situational awareness. Visualization leverages human cognitive abilities and promotes quick mental connections be...
Visualization Techniques for Intrusion Detection – a Survey
In traditional intrusion detection system (IDS) environments, little activity has been applied to using visual analysis as an aid to intrusion detection. With more information systems being attacked and attack techniques evolving, the task of detecting intrusions is becoming increasingly difficult. Efficient information visualization is an important element required for urgent detection of i...
Visualizing Network Anomalies for Intrusion Detection with Information Theoretic Metrics
Intrusion detection is a common and critical part of networks given the increasing severity and frequency of attacks on computer systems. Recently, information theoretic metrics have been used in intrusion detection to find anomalies in traffic that may indicate the presence of attacks and covert channels in the network. We develop a visualization that leverages information theoretic metrics su...
Interactive wormhole detection and evaluation
Received: 23 June 2006. Revised: 31 July 2006. Accepted: 21 October 2006. Online publication date: 25 January 2007.
Abstract
Wormhole attacks in wireless networks can severely deteriorate network performance and compromise security through spoiling the routing protocols and weakening the security enhancements. This paper develops an approach, interactive visualization of wormholes (IVoW), to monito...