Visualization Techniques for Intrusion Detection - PowerPoint PPT Presentation
1
Visualization Techniques for Intrusion Detection
Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection
June 11-13, 2002, Johns Hopkins University
Steven Johnston, Communications Security Establishment
William Wright, Oculus Info Inc.
2
Outline
  • Intrusion detection issues
  • Using visualization as a solution
  • Current visualization tools developed
  • Future development of visualization in intrusion
    detection

3
Intrusion Detection Issues
  • Large amounts of IDS data
  • Bad signal/noise ratio on most un-tuned IDS

Sample of the raw alarm records an analyst has to read (four records, one per line):

630443,2001-12-29 000005,"SNMP_Suspicious_Get",17,1025,161,"1025","SNMP",-815068385,-815007770,"207.107.11.31","207.107.247.230","","","",2,False,"00053202DDEC","","00000C05D043","",0,"",5,"207.107.11.12",False,0,000000000009A8E2
630444,2001-12-29 000010,"PingFlood",1,0,0,"","",-829255711,-815068333,"206.146.143.225","207.107.11.83","","Echo Request","None",1,False,"00000C05D043","","00053202DDEC","",0,"",0,"207.107.11.12",False,0,000000000009A8E3
630445,2001-12-29 000029,"PingFlood",1,0,0,"","",1072699914,-815068333,"63.240.26.10","207.107.11.83","","Echo Request","None",1,False,"00000C05D043","","00053202DDEC","",0,"",0,"207.107.11.12",False,0,000000000009A8E4
630446,2001-12-29 000038,"HTTP_ActiveX",6,80,1545,"HTTP","1545",-825489548,-815068285,"206.204.7.116","207.107.11.131","","","",1,False,"00000C05D043","","00053202DDEC","",0,"",0,"207.107.11.12",False,0,000000000009A8E5
4
Intrusion Detection Issues
  • If alarms are suppressed to reduce the noise, harmful
    events may slip through unnoticed
  • Event correlation across sources (IDS, routers,
    firewalls)
  • Reporting incidents to senior management or other
    non-experts
  • Advances in technology and increases in network
    capacity are a mixed blessing: more traffic means
    more events to review

5
Visualization as a Solution
  • Allows people to see and comprehend large amounts
    of complex data in a short period of time
  • Helps the analyst to identify significant
    incidents and reduce time wasted with false
    positives
  • Facilitates explanation of incidents to a
    broader, non-expert audience
  • Provides ability to cue the analyst through the
    use of colour, shape, patterns, or motion

6
Visualization Tool Development
  • Two graphical applications have been developed
    for evaluation
  • Intrusion Detection Analyst Workbench
  • Animated Incident Explanation Engine
  • Both display data visually, but currently have
    two distinct audiences

7
Intrusion Detection Analyst Workbench
  • More than two million events can be displayed and
    analyzed in multiple concurrent dynamic charts
  • Each chart is linked, allowing the analyst to
    select something in one chart, and the relevant
    details will be highlighted in the other charts
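The alarm records from slide 3 and the linked-chart selection described on this slide, as an added example that is not part of the presentation and not code from Oculus Info or CSE. It reassembles the four slide-3 records one per line, decodes the two signed 32-bit integer IP columns and cross-checks them against the dotted-quad columns so a mis-aligned record is rejected rather than mis-read, summarizes alarms and distinct sources per signature (the signal-to-noise question from slide 3), and models the workbench's linked charts as histograms in which selecting a bar in one chart highlights the matching bars in every other chart. The column layout, the protocol-number names and the reading of the 25th column as the reporting sensor are assumptions inferred from the sample values, not a documented schema.

```python
import csv
import io
import ipaddress
from collections import Counter

# The four alarm records from slide 3, reassembled one record per line
# (the transcript wrapped them mid-field).  Timestamps are copied exactly
# as they appear on the slide.
SAMPLE_RECORDS = """\
630443,2001-12-29 000005,"SNMP_Suspicious_Get",17,1025,161,"1025","SNMP",-815068385,-815007770,"207.107.11.31","207.107.247.230","","","",2,False,"00053202DDEC","","00000C05D043","",0,"",5,"207.107.11.12",False,0,000000000009A8E2
630444,2001-12-29 000010,"PingFlood",1,0,0,"","",-829255711,-815068333,"206.146.143.225","207.107.11.83","","Echo Request","None",1,False,"00000C05D043","","00053202DDEC","",0,"",0,"207.107.11.12",False,0,000000000009A8E3
630445,2001-12-29 000029,"PingFlood",1,0,0,"","",1072699914,-815068333,"63.240.26.10","207.107.11.83","","Echo Request","None",1,False,"00000C05D043","","00053202DDEC","",0,"",0,"207.107.11.12",False,0,000000000009A8E4
630446,2001-12-29 000038,"HTTP_ActiveX",6,80,1545,"HTTP","1545",-825489548,-815068285,"206.204.7.116","207.107.11.131","","","",1,False,"00000C05D043","","00053202DDEC","",0,"",0,"207.107.11.12",False,0,000000000009A8E5
"""

# IANA protocol numbers seen in the sample (assumption: column 4 is the
# IP protocol number; 17/161 = SNMP over UDP and 6/80 = HTTP over TCP fit).
PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def signed32_to_ip(value):
    """Decode an IPv4 address stored as a signed 32-bit integer (the form
    used in columns 9 and 10 of the sample) back to dotted-quad text."""
    return str(ipaddress.IPv4Address(int(value) & 0xFFFFFFFF))


def parse_alarms(text):
    """Parse CSV alarm records into dicts.  Column positions are inferred
    from the sample values (an assumption, not a documented schema).  The
    integer and dotted-quad IP columns are cross-checked against each other
    so a mis-aligned or corrupted record raises instead of being mis-read."""
    alarms = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        src_ip, dst_ip = signed32_to_ip(row[8]), signed32_to_ip(row[9])
        if (src_ip, dst_ip) != (row[10], row[11]):
            raise ValueError(f"record {row[0]}: integer and dotted IP columns disagree")
        alarms.append({
            "id": int(row[0]),
            "time": row[1],
            "signature": row[2],
            "proto": PROTO_NAMES.get(int(row[3]), row[3]),
            "src_port": int(row[4]),
            "dst_port": int(row[5]),
            "src_ip": src_ip,
            "dst_ip": dst_ip,
            "sensor": row[24],  # assumption: address of the reporting sensor
        })
    return alarms


def signature_summary(alarms):
    """(alarm count, distinct source count) per signature: the first cut an
    analyst makes when deciding which alarms are noise on an un-tuned IDS."""
    counts = Counter(a["signature"] for a in alarms)
    sources = {}
    for a in alarms:
        sources.setdefault(a["signature"], set()).add(a["src_ip"])
    return {sig: (counts[sig], len(sources[sig])) for sig in counts}


class LinkedCharts:
    """Minimal model of the workbench's linked charts: every 'chart' is a
    histogram over one column, and selecting a bar in one chart highlights
    the matching bars in all the others (the same alarm ids drive each)."""

    DIMENSIONS = ("signature", "src_ip", "dst_ip", "dst_port", "proto")

    def __init__(self, alarms):
        self.alarms = alarms

    def chart(self, dim, selected=None):
        """Histogram over `dim`, restricted to the alarm ids in `selected`."""
        rows = self.alarms if selected is None else [a for a in self.alarms if a["id"] in selected]
        return Counter(a[dim] for a in rows)

    def select(self, dim, value):
        """Click one bar: return the selected alarm ids and, for every other
        chart, the bars that light up for that selection."""
        ids = {a["id"] for a in self.alarms if a[dim] == value}
        linked = {d: self.chart(d, ids) for d in self.DIMENSIONS if d != dim}
        return ids, linked


if __name__ == "__main__":
    alarms = parse_alarms(SAMPLE_RECORDS)
    for sig, (n, srcs) in signature_summary(alarms).items():
        print(f"{sig:22s} alarms={n} distinct_sources={srcs}")
    ids, linked = LinkedCharts(alarms).select("signature", "PingFlood")
    print("selected", sorted(ids), "->", {d: dict(c) for d, c in linked.items()})
```

Selecting the PingFlood bar in the signature chart lights up a single destination (207.107.11.83) but two unrelated sources, which is exactly the kind of pattern that is tedious to see in the raw text above but immediate in linked views.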

8
Intrusion Detection Analyst Workbench
  • Assists in isolating, investigating and
    prioritizing events
  • Evaluated side-by-side with traditional methods
    and proved to be significantly faster and easier
  • Built on Advizor, a commercial off-the-shelf
    visualization product

9
Intrusion Detection Analyst Workbench - Demo
10
Animated Incident Explanation Engine
  • Designed to show the significance and nature of
    the events without overwhelming the viewer
  • Easy to see who did what to whom and when
  • Excellent for explaining concepts to non-experts

11
Animated Incident Explanation Engine - Demo
12
Future Developments
  • Expansion and integration of the two current
    tools
  • Anomaly detection capability through the use of
    network traffic data along with fused IDS alarms
  • Integrated time-based comparisons
  • Overlaying analytical methods and results

13
Conclusions
  • Visualization has proved to be an effective tool
    for analysts
  • Complex information is easily understood by
    non-experts
  • More development and research needed

14
Questions?
  • To contact us:
  • Steven Johnston, Communications Security
    Establishment, steven.johnston@cse-cst.gc.ca
  • William Wright, Oculus Info Inc.,
    bill.wright@oculusinfo.com