National Computational Science, University of Illinois at Urbana-Champaign
“Enabling Proactive Prediction, Avoidance, and Diagnosis by Providing Situational Awareness to Human Operators” (a work in progress)
Bill Yurcik, National Center for Supercomputing Applications (NCSA), University of Illinois at Urbana-Champaign
IBM Academy Conference on Proactive Problem Prediction, Avoidance, and Diagnosis, April 28, 2003
The Problem
• Current state of networked software systems
– asymmetries of software bugs and security attacks
– metrics show bad -> worse
– increasing complexity of software systems
– expectation of vigilant patching for vulnerabilities
– point-and-click attack software requires little skill
– surveys show insider security attacks greatest threat despite denial
– critical infrastructures all depend on underlying automation
• Situational Awareness is Abysmal
– “Is there a problem?” -> “Where is the problem?” -> “What is the problem?”
Alternate Solutions
1) Acquiescence (learning to live with it)
2) Prevention (zero-defect software engineering)
3) Detection (early and continuous)
4) Survivability (transparent recovery)
a) human-in-the-loop decision-making for recovery
b) autonomic computing (no human-in-the-loop)
5) Disaster Recovery and Backup
6) Deterrence (liability, retribution)
• …
• Prediction? … either The Holy Grail or “Minority Report”
Our Solution: SIFT
Motivation: “Know Thy ____” (fill in the blank)
• SIFT = Security Incident Fusion Tools
• NCSA Proposal
– Increase Low-Level Situational Awareness to Human Operators (Anti-Autonomic Computing)
– “Is there a problem?” -> “Where is the problem?” -> “What is the problem?”
– leverage human cognitive abilities, especially visual processing
– continuous awareness of the security state of an entire network
– Class B address space = 65K machines with 130K+ ports on each machine
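The whole-network view the slides describe (every host of a Class B, every port on every host) and the drill-down chain from “Is there a problem?” to “What is the problem?” can be sketched in code. The following is an added example written for this page; it is not SIFT or NVisionIP code from NCSA. It assumes flow records shaped like NetFlow summaries (source, destination, destination port, protocol, bytes), a constructed monitored network of 10.20.0.0/16, and a constructed handful of flows; none of these values come from the slides.

```python
"""Macro and micro views over a Class B network from flow records.

Added illustration, not NCSA's SIFT/NVisionIP code. The 10.20.0.0/16 network
and the flow records below are constructed for the example.
"""
from collections import defaultdict
import ipaddress

MONITORED = ipaddress.ip_network("10.20.0.0/16")  # constructed Class B network

# Constructed NetFlow-like records; addresses are documentation ranges.
FLOWS = [
    {"src": "198.51.100.7", "dst": "10.20.3.14", "dport": 22, "proto": "tcp", "bytes": 1200},
    {"src": "198.51.100.7", "dst": "10.20.3.14", "dport": 23, "proto": "tcp", "bytes": 60},
    {"src": "198.51.100.7", "dst": "10.20.3.14", "dport": 80, "proto": "tcp", "bytes": 60},
    {"src": "198.51.100.7", "dst": "10.20.3.14", "dport": 443, "proto": "tcp", "bytes": 60},
    {"src": "10.20.3.14", "dst": "203.0.113.5", "dport": 443, "proto": "tcp", "bytes": 9000},
    {"src": "10.20.7.200", "dst": "203.0.113.9", "dport": 53, "proto": "udp", "bytes": 80},
    {"src": "203.0.113.9", "dst": "10.20.7.200", "dport": 40001, "proto": "udp", "bytes": 300},
    {"src": "192.0.2.44", "dst": "10.20.250.1", "dport": 445, "proto": "tcp", "bytes": 200},
]


def host_cell(ip):
    """Map a monitored host to a (row, col) cell: third and fourth octet.

    A /16 has 256 x 256 = 65,536 cells, one per possible host, which is the
    grid an operator can take in at a glance. Hosts outside the network map
    to None and are ignored by the views.
    """
    addr = ipaddress.ip_address(ip)
    if addr not in MONITORED:
        return None
    packed = addr.packed
    return packed[2], packed[3]


def cell_to_ip(cell):
    """Inverse of host_cell: (row, col) back to the dotted address."""
    row, col = cell
    return str(MONITORED.network_address + ((row << 8) | col))


def galaxy_view(flows):
    """Macro view: one aggregate per host over the whole /16.

    Returns {cell: {"flows": n, "bytes": b, "ports": {(proto, port), ...}}}.
    Only flows *into* a local host reveal which local port was touched, so
    the port set is built from inbound traffic; counts and bytes use both
    directions. The (proto, port) key space is 2 x 65,536 per host.
    """
    grid = defaultdict(lambda: {"flows": 0, "bytes": 0, "ports": set()})
    for f in flows:
        for side in ("src", "dst"):
            cell = host_cell(f[side])
            if cell is None:
                continue
            entry = grid[cell]
            entry["flows"] += 1
            entry["bytes"] += f["bytes"]
            if side == "dst":
                entry["ports"].add((f["proto"], f["dport"]))
    return dict(grid)


def hot_spots(grid, min_ports):
    """'Where is the problem?': hosts contacted on at least min_ports distinct
    local ports, sorted by how many. Returns [(ip, port_count), ...]."""
    hits = [(cell_to_ip(c), len(v["ports"])) for c, v in grid.items()
            if len(v["ports"]) >= min_ports]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


def machine_view(flows, ip):
    """Micro view for one host: bytes per (proto, port), inbound and outbound.
    This is the 'What is the problem?' step after a cell is selected."""
    view = {"in": defaultdict(int), "out": defaultdict(int)}
    for f in flows:
        if f["dst"] == ip:
            view["in"][(f["proto"], f["dport"])] += f["bytes"]
        elif f["src"] == ip:
            view["out"][(f["proto"], f["dport"])] += f["bytes"]
    return {k: dict(v) for k, v in view.items()}


if __name__ == "__main__":
    grid = galaxy_view(FLOWS)
    print(f"{len(grid)} of {MONITORED.num_addresses} cells active")
    for ip, n in hot_spots(grid, 3):
        print(f"{ip}: {n} distinct local ports touched")
        print(machine_view(FLOWS, ip))
```

The macro view deliberately throws away detail (a host is one cell with a flow count, a byte count and a port set) so that the operator can scan all 65K cells; the micro view keeps everything about a single host. Which aggregate goes into the cell is the “appropriate level of observation” question the slides raise, and in practice the threshold passed to `hot_spots` is something an operator tunes by eye rather than a fixed rule.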
Prediction / Avoidance / Diagnosis
Examples:
– time-sequence of network-based attacks
– software decay
How?
– Visualization
– Profiling
– Data Mining for Discovery
Current Network Monitoring
Discovery Across Network Logs
Attributes Across Logs
The Data Management Problem
Four (4) Parallel Data Management Efforts
SIFT Preliminary Results
SIFT Preliminary Results: Security Monitoring Prototype
(Figure: NVisionIP prototype screenshot; callouts read LEGEND, DRILL-DOWN VIEWS, OPTIONS FOR 172, DIFFERENT VIEWS, MAGNIFIER WIDGET)
Prototype Drill-Down Security Views
Insights Thus Far …
• Humans are good at processing visual patterns (known)
• No expert knowledge required!
• Abstraction – finding the appropriate level of observation
• “What If” Question Bonanza
• Visual Debugging (problem-solving)
• The Millisecond Fantasy
• Holistic Macro/Micro Views vs Divide-and-Conquer
• Though we think in pictures, we are no good at describing pictures (save functions)
• Capturing the time dimension of high-dimension data via animation is incredibly engaging to humans
• Success depends on effective HCI
– Looking at new ways to augment operators in complex environments… (anti-autonomic)
Demo – NVisionIP:lite
Cut to Demo and Pray it Works!