IDGraphs: Intrusion Detection and Analysis Using Histographs - PowerPoint PPT Presentation

1
IDGraphs: Intrusion Detection and Analysis Using Histographs
  • Pin Ren, Yan Gao, Zhichun Li, Yan Chen
  • Northwestern University
  • Benjamin Watson
  • North Carolina State University

2
Intrusion Detection Systems (IDS)
  • Automatic IDS
    • Use attack signatures
    • Use statistical thresholds
  • Problems
    • Finding attack signatures, temporal pattern
    • Finding the right detection threshold
    • Detecting coordinated attacks
    • Studying suspicious streams interactively

3
Traditional IDS Mapping (figure: vertical axis Dest Port, horizontal axis Dest IP; label: Block)
4
Other Mappings: Spinning Cube (figure axes: Source IP, Dest IP, Dest Port) Lau 2004
5
Other Mappings: PortVis McPherson, Ma, et al. 2004
6
Other Mappings: NVisionIP (figure axes: Dest IP (high), Dest IP (low)) Lakkaraju, Yurcik and Lee 2004
7
Other Mappings: VisFlowConnect (figure axes: Source IP, Dest IP, Local Hosts IP) Yin, Yurcik and Treaster 2004
8
IDGraphs Mapping (figure: vertical axis Num failed connects (Suspicion), from Low (Trusted) to High (Suspect); horizontal axis Time)
Num failed connects = SYN - SYN_ACK
9
Case Study 1
One day of traffic: 9075 net traces, each with a unique (Source IP, Dest Port) key
10
Case Study 1
Net streams composited using histographs; dark areas are data rich
11
Case Study 1
Outliers are also important; we make them visible using splatting
12
Case Study 1
Thresholding interaction visualizes automated IDS thresholding results: top 10 streams
13
Case Study 1
Lower
14
Case Study 1
Lower
15
Case Study 1
Too low: far too many false positives
16
Case Study 1
Hold on, what was that?
17
Case Study 1
Filter with an upper bound
18
Case Study 1
Select and query (Source IP, Dest port, Failures): the stream targets port 25
19
Case Study 1
We display only the selected stream, and find an interesting temporal signature below typical thresholds
20
Case Study 1
Is port 25 a target for other coordinated attacks? We select all the streams targeting port 25
21
Case Study 1
Several streams have similar signatures. We query one of them to obtain the Source IP
22
Case Study 1
Selection of all streams from the same subnet reveals likely coordinated, sub-threshold attacks from that subnet
23
Case Study 1
And what was that hard line?
24
Case Study 1
Filter to isolate
25
Case Study 1
Querying one point on the line reveals a scan from one source IP to 3 destination ports. Is this port combination special?
26
Case Study 1
Querying one of the ports: Port 9898
27
Case Study 1
Port 5554
28
Case Study 1
Port 1023; note that activity for these 3 ports is really similar
29
New Case Study 2
A different day of traffic: 2515 net traces
30
Case Study 2
Select the dense, suspicious structure at day's end: correlated, coordinated streams target port 445
31
Case Study 2
A linked correlation view: pixel (i, j) shows the correlation of streams i and j; green is positive, red is negative
32
Case Study 2
Select the largest green block, and the dark
structure on the left is marked
33
Case Study 2
Querying the structure, we find that it shows
spoofed attacks on port 6129
34
Case Study 2
Selecting the evening, and a larger
correlation, we find 33 other correlated streams
35
Recap
  • Finding attack signatures
    • Time vs. failures mapping
    • Highlight temporal pattern
  • Finding good thresholds
    • Interactive thresholding
    • Darkness at main trends
    • Splatting for outliers

36
Recap
  • Detecting coordinated attacks
    • Visual structures (shape, brightness, density)
    • Linked correlation view
  • Interactive study and analysis
    • Click and query
    • Search and selection

37
Future Work
  • Short term
    • Address clutter when highlighting
    • Refine notion of outlier
    • Attack classification
  • Longer term
    • Function with live data streams
    • Integration with automated IDS

38
Thanks for your attention. Any questions?
Thanks to The National Science Foundation
Contact: p-ren_at_cs.northwestern.edu, www.cs.northwestern.edu/pren/IDgraphs.html
39
Case Study 1
Query one point: four streams with the same Source IP, 4 Dest Ports
40
Case Study 1
Query another point: same pattern
41
Case Study 1
Again
42
Case Study 1
Querying one of these Source IPs, we find
activity at port 139.
43
Case Study 1
All port 139 activity
44
Data and Preprocessing
  • Real traffic data (NetFlow logs) from the high-speed central router at Northwestern University.
  • Aggregate the count of failed connections using keys
    • (Source IP, Dest port)
    • (Source IP, Dest IP)
    • (Dest IP, Dest port)
  • Forming time-series sequences by
    • Treating the counts of one unique key as one time series
    • Filtering out uninteresting ones.
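An added example, not the authors' code, covering the preprocessing above and the linked correlation view of case study 2: it assumes NetFlow records have already been reduced to per-bin SYN and SYN-ACK counts (constructed data below), aggregates failed connects per key into time series, and computes the pairwise correlation that the view renders as green/red pixels.

```python
from collections import defaultdict
from math import sqrt

# Constructed NetFlow-style records (not the paper's data set), already
# reduced to per-bin counts: (time bin, src IP, dst IP, dst port, SYNs, SYN-ACKs).
FLOWS = [
    (0, "10.0.0.1", "192.0.2.10", 25, 8, 1),
    (1, "10.0.0.1", "192.0.2.10", 25, 12, 1),
    (2, "10.0.0.1", "192.0.2.11", 25, 3, 1),
    (3, "10.0.0.1", "192.0.2.11", 25, 9, 1),
    (0, "10.0.0.2", "192.0.2.12", 25, 7, 0),   # same temporal shape as 10.0.0.1
    (1, "10.0.0.2", "192.0.2.12", 25, 11, 0),
    (2, "10.0.0.2", "192.0.2.13", 25, 2, 0),
    (3, "10.0.0.2", "192.0.2.13", 25, 8, 0),
    (0, "10.0.0.3", "192.0.2.14", 80, 5, 5),   # ordinary client: no failures
    (0, "10.0.0.4", "192.0.2.15", 445, 10, 0),
    (1, "10.0.0.4", "192.0.2.15", 445, 1, 0),
    (2, "10.0.0.4", "192.0.2.15", 445, 9, 0),
    (3, "10.0.0.4", "192.0.2.15", 445, 0, 0),
]
BINS = 4  # time bins in the constructed day
COLUMN = {"src": 1, "dst": 2, "dport": 3}

def failed_connect_streams(flows, key=("src", "dport")):
    """Failed connects (SYN - SYN_ACK) per key, as one time series per key."""
    series = defaultdict(lambda: [0] * BINS)
    for rec in flows:
        k = tuple(rec[COLUMN[f]] for f in key)
        series[k][rec[0]] += max(rec[4] - rec[5], 0)
    # drop uninteresting streams: those that never failed a connection
    return {k: v for k, v in series.items() if sum(v) > 0}

def pearson(a, b):
    """Pearson correlation of two equal-length time series (0.0 if one is flat)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = sqrt(sum((x - ma) ** 2 for x in a))
    sb = sqrt(sum((y - mb) ** 2 for y in b))
    return cov / (sa * sb) if sa and sb else 0.0

def correlation_view(streams):
    """Pixel (i, j) of the linked view: correlation of streams i and j."""
    keys = sorted(streams)
    return keys, [[pearson(streams[i], streams[j]) for j in keys] for i in keys]

def correlated_with(streams, key, min_corr=0.9):
    """Other streams whose failure pattern tracks `key`: coordinated-attack candidates."""
    return [k for k in streams if k != key and pearson(streams[k], streams[key]) >= min_corr]
```

Swapping the key to ("dst", "dport") or ("src", "dst") yields the other two aggregations listed on the slide without changing the rest of the pipeline.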
