Visualization Techniques for Intrusion Detection

Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection
June 11 – 13, 2002
Johns Hopkins University

Steven Johnston, Communications Security Establishment
William Wright, Oculus Info Inc.


CSE
CST
Outline

- Intrusion detection issues
- Using visualization as a solution
- Current visualization tools developed
- Future development of visualization in intrusion detection




Intrusion Detection Issues

- Large volumes of IDS data
- Poor signal-to-noise ratio on most un-tuned IDS (sample raw alarm records below)

630443,2001-12-29 00:00:05,"SNMP_Suspicious_Get",17,1025,161,"1025","SNMP",-815068385,-815007770,"207.107.11.31","207.107.247.230","","","",2,False,"00:05:32:02:DD:EC","","00:00:0C:05:D0:43","",0,"",5,"207.107.11.12",False,0,000000000009A8E2
630444,2001-12-29 00:00:10,"PingFlood",1,0,0,"","",-829255711,-815068333,"206.146.143.225","207.107.11.83","","Echo Request","None",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E3
630445,2001-12-29 00:00:29,"PingFlood",1,0,0,"","",1072699914,-815068333,"63.240.26.10","207.107.11.83","","Echo Request","None",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E4
630446,2001-12-29 00:00:38,"HTTP_ActiveX",6,80,1545,"HTTP","1545",-825489548,-815068285,"206.204.7.116","207.107.11.131","","","",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E5
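The records above are the kind of raw export an analyst has to wade through before any chart exists. As an added worked example (not code from the presentation or from either organisation's tools), the script below parses those four rows, decodes the signed 32-bit integer columns and checks that they agree with the dotted-quad address columns in the same row, and then rolls the stream up by signature, source and target, which is the first step toward the signal-versus-noise view the slide is asking for. The column layout is an assumption inferred from the values (the slide carries no header row): columns 3 to 5 read as IP protocol and port pair, 8 to 11 as the source and destination address in both encodings, and the address that is constant in every row is assumed to be the sensor. Only those columns are named; everything else stays in the raw list.

```python
import csv
import io
import socket
import struct
from collections import Counter
from datetime import datetime

# Constructed input: the four alarm records shown on the slide, with the
# slide's line wrapping removed so that each record is a single CSV row.
SAMPLE_ALERTS = """\
630443,2001-12-29 00:00:05,"SNMP_Suspicious_Get",17,1025,161,"1025","SNMP",-815068385,-815007770,"207.107.11.31","207.107.247.230","","","",2,False,"00:05:32:02:DD:EC","","00:00:0C:05:D0:43","",0,"",5,"207.107.11.12",False,0,000000000009A8E2
630444,2001-12-29 00:00:10,"PingFlood",1,0,0,"","",-829255711,-815068333,"206.146.143.225","207.107.11.83","","Echo Request","None",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E3
630445,2001-12-29 00:00:29,"PingFlood",1,0,0,"","",1072699914,-815068333,"63.240.26.10","207.107.11.83","","Echo Request","None",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E4
630446,2001-12-29 00:00:38,"HTTP_ActiveX",6,80,1545,"HTTP","1545",-825489548,-815068285,"206.204.7.116","207.107.11.131","","","",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E5
"""

# IANA protocol numbers seen in column 3 of the sample.
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def int_to_ip(value):
    """Decode an IPv4 address stored as a signed 32-bit integer.

    struct packs the signed value as four big-endian bytes (two's complement),
    and inet_ntoa formats those bytes as a dotted quad.
    """
    return socket.inet_ntoa(struct.pack("!i", value))


def parse_alerts(text):
    """Parse the CSV export into dicts (assumed column layout, see lead-in)."""
    alerts = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        alert = {
            "id": int(row[0]),
            "time": datetime.strptime(row[1], "%Y-%m-%d %H:%M:%S"),
            "signature": row[2],
            "proto": PROTO_NAMES.get(int(row[3]), row[3]),
            "src_port": int(row[4]),
            "dst_port": int(row[5]),
            "src_ip": row[10],
            "dst_ip": row[11],
            "detail": row[13],   # "Echo Request" on the ICMP rows
            "sensor": row[24],   # assumed: the one address constant in every row
            "raw": row,
        }
        # Integrity check: the integer address columns must decode to the
        # dotted-quad columns; a mismatch means the assumed layout is wrong.
        decoded = (int_to_ip(int(row[8])), int_to_ip(int(row[9])))
        if decoded != (alert["src_ip"], alert["dst_ip"]):
            raise ValueError(f"address columns disagree in event {row[0]}")
        alerts.append(alert)
    return alerts


def triage(alerts):
    """Roll the alarm stream up the way linked charts would: counts by
    signature, by source and by target, plus the targets that more than one
    distinct source touched inside the window (better candidates for a look
    than a lone alarm)."""
    by_signature = Counter(a["signature"] for a in alerts)
    by_source = Counter(a["src_ip"] for a in alerts)
    by_target = Counter(a["dst_ip"] for a in alerts)
    sources_per_target = {}
    for a in alerts:
        sources_per_target.setdefault(a["dst_ip"], set()).add(a["src_ip"])
    multi_source_targets = sorted(
        t for t, srcs in sources_per_target.items() if len(srcs) > 1
    )
    span = max(a["time"] for a in alerts) - min(a["time"] for a in alerts)
    return {
        "events": len(alerts),
        "window_seconds": span.total_seconds(),
        "by_signature": dict(by_signature),
        "by_source": dict(by_source),
        "by_target": dict(by_target),
        "multi_source_targets": multi_source_targets,
    }


if __name__ == "__main__":
    summary = triage(parse_alerts(SAMPLE_ALERTS))
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the four sample rows the address check passes for every record, and the roll-up already separates one host (207.107.11.83) pinged by two different external sources within twenty seconds from the single-alarm rows around it.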




Intrusion Detection Issues

- If alarms are filtered out to cut the noise, harmful events may slip through unnoticed
- Event correlation across sources (IDS, routers, firewalls)
- Reporting incidents to senior management or other non-experts
- Advances in technology and increases in network capacity are a mixed blessing: more capacity also means more traffic, and more alarms, to analyse




Visualization as a Solution

- Lets people see and comprehend large amounts of complex data in a short period of time
- Helps the analyst identify significant incidents and reduces the time wasted on false positives
- Makes it easier to explain incidents to a broader, non-expert audience
- Cues the analyst through colour, shape, patterns, or motion




Visualization Tool Development

- Two graphical applications have been developed for evaluation:
  - Intrusion Detection Analyst Workbench
  - Animated Incident Explanation Engine
- Both display data visually, but currently serve two distinct audiences




Intrusion Detection Analyst Workbench

- More than two million events can be displayed and analyzed in multiple concurrent dynamic charts
- The charts are linked: selecting something in one chart highlights the relevant details in the other charts
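The linked-chart behaviour described above is the core of the workbench: every chart is a view over the same event set, and a selection made in one view is reflected as a highlighted share of each bar in the others. As an added illustration (this is not the Workbench's own code, which the deck says runs on the Advizor product), the class below implements that mechanic over a small constructed event table: four dimensions, each a bar chart; selections on different dimensions combine with AND; `charts()` returns, per bar, the highlighted count next to the total. The event tuples are made up for the example and only echo the addresses and signature names seen elsewhere in the deck.

```python
from collections import Counter

# Constructed sample: (signature, source, target, hour-of-day) tuples standing
# in for parsed IDS events. The mix is invented for this example.
EVENTS = [
    ("PingFlood", "206.146.143.225", "207.107.11.83", 0),
    ("PingFlood", "63.240.26.10", "207.107.11.83", 0),
    ("PingFlood", "63.240.26.10", "207.107.11.83", 1),
    ("HTTP_ActiveX", "206.204.7.116", "207.107.11.131", 0),
    ("HTTP_ActiveX", "206.204.7.116", "207.107.11.131", 9),
    ("SNMP_Suspicious_Get", "207.107.11.31", "207.107.247.230", 0),
    ("SNMP_Suspicious_Get", "207.107.11.31", "207.107.247.230", 13),
]
DIMENSIONS = ("signature", "source", "target", "hour")


class LinkedCharts:
    """One bar chart per dimension over a shared event set.

    Selecting one or more bars in a chart highlights, in every chart, the part
    of each bar contributed by the selected events. Selections made on
    different dimensions narrow the highlight further (logical AND).
    """

    def __init__(self, events):
        self.events = [dict(zip(DIMENSIONS, e)) for e in events]
        self.selection = {}  # dimension -> set of selected bar values

    def select(self, dimension, *values):
        """Select bars in one chart; replaces any earlier selection there."""
        if dimension not in DIMENSIONS:
            raise KeyError(f"unknown dimension {dimension!r}")
        self.selection[dimension] = set(values)
        return self

    def clear(self):
        self.selection.clear()
        return self

    def _matches(self, event):
        return all(event[d] in vals for d, vals in self.selection.items())

    def selected_events(self):
        """The detail rows an analyst would drill into for the current selection."""
        return [e for e in self.events if self._matches(e)]

    def charts(self):
        """Return {dimension: {bar value: (highlighted count, total count)}}."""
        out = {}
        for d in DIMENSIONS:
            totals = Counter(e[d] for e in self.events)
            hits = Counter(e[d] for e in self.events if self._matches(e))
            out[d] = {v: (hits[v], totals[v]) for v in totals}
        return out


if __name__ == "__main__":
    # Click the target bar for 207.107.11.83 and watch the other charts react.
    view = LinkedCharts(EVENTS).select("target", "207.107.11.83")
    for dim, bars in view.charts().items():
        print(dim)
        for value, (hit, total) in sorted(bars.items(), key=lambda kv: str(kv[0])):
            print(f"  {value:<20} {hit}/{total}")
```

Selecting the target bar for 207.107.11.83 lights up all three PingFlood events in the signature chart, both bars for the two sources that pinged it, and two of the four hour-0 events, while the HTTP_ActiveX and SNMP bars stay unlit; adding a second selection on the hour chart narrows the drill-down rows further.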




Intrusion Detection Analyst Workbench

- Assists in isolating, investigating and prioritizing events
- Evaluated side-by-side with traditional methods and proved significantly faster and easier to use
- Built on the commercial off-the-shelf Advizor™ product




Intrusion Detection Analyst Workbench - Demo




Animated Incident Explanation Engine

- Designed to show the significance and nature of the events without overwhelming the viewer
- Makes it easy to see who did what to whom, and when
- Excellent for explaining concepts to non-experts




Animated Incident Explanation Engine - Demo




Future Developments

- Expansion and integration of the two current tools
- Anomaly detection capability, using network traffic data together with fused IDS alarms
- Integrated time-based comparisons
- Overlaying analytical methods and their results on the visualizations




Conclusions

- Visualization has proved to be an effective analyst's tool
- Complex information is readily understood by non-experts
- More development and research are needed




Questions?

To contact us:
Steven Johnston, Communications Security Establishment: steven.johnston@cse-cst.gc.ca
William Wright, Oculus Info Inc.: bill.wright@oculusinfo.com



