Visualization Techniques for Intrusion Detection · Visualization Techniques for Intrusion Detection William Wright and Peter Clarke Point of Contact: William Wright Oculus Info Inc

Visualization Techniques for Intrusion Detection

William Wright and Peter Clarke Point of Contact: William Wright

Oculus Info Inc. 572 King Street West, Suite 200

Toronto, Ontario M5V 1M3 CANADA

[email protected]

INTRODUCTION This paper reports on the experiences of using interactive animated 2D and 3D graphics in an Intrusion Detection (ID) Analysts Workbench prototype. Visualization techniques allow people to see and comprehend large amounts of complex data. Graphics are used to assist with the ID investigation and reporting process by helping the analyst identify significant incidents and reduce false conditions (positives, negatives and alarms). Visualization is then used in reporting incidents to a broader senior level audience. Complex patterns are clearly displayed over time in an easy to understand and compelling manner. Initial evaluations of the prototype have been positive, and a second development stage has been initiated.

ID ISSUES Large numbers of events are generated by network intrusion detection sensors; however not all these events are malicious in nature, not all malicious events are applicable to a given network environment and, perhaps of even more concern, certain malicious events can be missed.

There are several emerging trends in enterprise networking that are making traditional signature based intrusion detection more challenging. The increase use of very high-speed lines and more prevalent use of encryption technology are a challenge for the intrusion detection community. As the data collected becomes larger in volume, or the increasing dependence on traffic pattern anomaly detection as a workaround for payload encryption becomes more widespread, the amount of data the analyst must cope with increases.

Through the use of various types of detection tools and techniques, including signature based network intrusion detection, anomaly based network intrusion detection, and full packet capture, a better picture can be formed. The analyst is able to fuse this data and gain a more comprehensive insight into what is truly of malicious nature.

The massive amounts of data involved in this type of thorough multi-source analysis make it infeasible for most organizations. The significance of the events contained within the data can often only be determined by scanning the huge amounts of data looking for subtle and sometimes unexpected patterns and correlations.

This investigative process is required in order to place the events around an alarm in context and to assess if further action is required, but the process is labor intensive. Fused logs for a short period can easily contain tens to hundreds of thousands of records. Tools are needed to help accomplish this investigative task in less time.

RTO-MP

Paper presented at the RTO IST Workshop on “Massive Military Data Fusion and Visualisation: Users Talk with Developers”, held in Halden, Norway, 10-13 September 2002, and published in RTO-MP-105.

-105 15 - 1

Report Documentation Page Form ApprovedOMB No. 0704-0188

Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.

1. REPORT DATE 00 APR 2004

2. REPORT TYPE N/A

3. DATES COVERED -

4. TITLE AND SUBTITLE Visualization Techniques for Intrusion Detection

5a. CONTRACT NUMBER

5b. GRANT NUMBER

5c. PROGRAM ELEMENT NUMBER

6. AUTHOR(S) 5d. PROJECT NUMBER

5e. TASK NUMBER

5f. WORK UNIT NUMBER

7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) Point of Contact: William Wright Oculus Info Inc. 572 King Street West,Suite 200 Toronto, Ontario M5V 1M3 CANADA

8. PERFORMING ORGANIZATIONREPORT NUMBER

9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)

11. SPONSOR/MONITOR’S REPORT NUMBER(S)

12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release, distribution unlimited

13. SUPPLEMENTARY NOTES See also ADM001665, RTO-MP-105 Massive Military Data Fusion and Visualization: Users Talk withDevelopers., The original document contains color images.

14. ABSTRACT

15. SUBJECT TERMS

16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT

UU

18. NUMBEROF PAGES

26

19a. NAME OFRESPONSIBLE PERSON

a. REPORT unclassified

b. ABSTRACT unclassified

c. THIS PAGE unclassified

Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18


Another issue is that network ID sensors are not always effective for detecting new exploits or for activities that span many weeks and / or multiple network systems. To detect and investigate these types of activities requires the analyst to review extremely large amounts of packet level data.

A related problem is in reporting the attacks and the nature of those attacks to senior managers. This is important in order to raise awareness and provide an understanding of the need for information technology security in industry and government. Without this senior level understanding and support, obtaining security funding can be challenging. The output of most ID processes can be cryptic, and inaccessible to non-experts.

SOLUTIONS

Two graphical consoles have been built to evaluate the usefulness of visualizing intrusion data. Figure 1 shows the Intrusion Detection Analysts Workbench. Up to 2,000,000 event records or more can be displayed and analyzed in multiple concurrent dynamic charts. Each event record includes fields such as source and destination IP, port ID, alarm code, date, time. The charts are scaleable so that, for example, a bar chart showing number of events by destination IPs can easily display ten’s of thousands of IP addresses. The charts are also linked. Selecting events in one chart will highlight those events in all the other charts. So for example, selecting events associated with one type of alarm will cross reference those events in the source IP bar chart, and the destination IP bar chart. The analyst workbench is used to investigate, isolate and prioritize events. It was evaluated in a side-by-side test with existing methods and proved to be a significantly faster method. The workbench makes use of the commercial off-the-shelf Advizor product.

Figure 1: Intrusion Detection Workbench with 2M TCP and UDP Records.

The Analysts Workbench graphical tool can concurrently display the raw packet or alarm data as well as output from analytical tools that, for example, filter events or compute statistical metrics.

Figure 2 shows the Animated Incident Reporting component. It is used to report intrusion activity to senior management, and is designed to show the significance and nature of the events without overwhelming the viewer. The objective is to clearly see who did what to whom and when. A number of interactions are supported including filtering and an adjustable playback speed. This component was evaluated in a series of presentations to senior levels of government and industry.

15 - 2 RTO-MP-105


Figure 2: Animated Incident Reporting.

FUTURE DEVELOPMENT

Future work involves two separate but related streams:

The first is the expansion and integration of the two visualization tools to create a seamless intrusion detection visualization workflow environment. Given that intrusion detection analysis is often only part of a systems administration function, time is a consideration. The more effectively the visualization tools can be adapted to fit, and enhance, the human decision making process (orient, observe, decide and act), the more incidents can be effectively assessed and escalated or discarded in a shorter time period.

The second is work on migrating the tools towards an anomaly detection capability through the use of raw network data along with the fused intrusion detection alarms to gain a more comprehensive view into the network.

CONCLUSION

People excel in detecting patterns and identifying relationships when data is presented visually. Extremely large amounts of data can be viewed and compared. This is a useful ability for the ID analyst.

Experience with the visualization methods used in this work has lead to observations and recommendations for developing new methods.

Initial evaluations of the prototype have been positive, and a second development stage has been initiated. The objectives of this second stage will be discussed in the paper.

RTO-MP-105 15 - 3

OTAN


15 - 4 RTO-MP-105

SYMPOSIA DISCUSSION – PAPER NO: 15

Author’s Name:

Mr. William Wright, Oculus Info Inc, Canada Presented by Ms. Pascale Proulx, Oculus Info Inc, Canada

Question: What type of methodology was applied in the design of the visualisation?

Author’s Response: User consultations.

Comment: The system is ten times faster than the previous system that did not use any visual display at all.

Comment: These display techniques would be useful for all statistical data such as traffic jams.

Question: Is it possible to transfer the knowledge of the operator into rules for the system to automate the process?

Author’s Response: It may be possible to recognize the patterns, but it is important to investigate more to see what is generating the pattern. For example, a pattern that initially appears dangerous may only be a virus definition update.

Question: In advance of developing this system, was there consideration of mathematical methods that maybe amenable to clustering and statistical analysis?

Author’s Response: There is a trade off between the math and the visual analysis, as well as between implementation time of the math and algorithms and human interaction. There is research going on in this area right now.

Comment: Change detection might be important to an analyst.

Question: There are clustering techniques that could be applied, but require a large amount of training data to make the systems work well. How much data is available for training?

Author’s Response: There currently are not many full data sets. There is a conference in LA that puts hackers against professions, but that produces a data set that is not necessarily typical. Also, networks are dynamic, so constant retraining is required.

^^rrrrfTTTTTTTraJ

Custom Solutions

15-1

Visualization Techniquesfor

Intrusion Detection

William Wright, Sr. Partner, Oculus, [email protected]

andPeter Clarke, DND, Canada

Presented byPascale Proulx, Visualization Consultant, Oculus

[email protected]

Paper first given at: Workshop on Statistical and Machine Learning Techniques inComputer Intrusion Detection, Johns Hopkins University, June 11-13, 2002.

Increasing Visibility into Intrusion Detection

oculus

2

Confidential and © 2002 Oculus Info Inc. and Others

15-2

What is Covered?

• Intrusion detection issues• Using visualization as a solution• Current visualization tools developed• Future development of visualization in

intrusion detection

oculus

3


15-3

Intrusion Detection Issues

• Large amounts of IDS (Intrusion Detection Sensor) data– 1 gigabyte of information will fill a pickup truck with printed paper

• Bad signal/noise ratio on most un-tuned IDS– Worse than TV filled with “snow”

• If alarms are removed, harmful events may slip throughunnoticed

• Event Correlation (IDS, routers, firewalls)– Very important to gaining a complete picture, but makes data

handling even more difficult

oculus

4


15-4

Intrusion Detection Issues

• Reporting incidents to senior management orother non-experts

• The problems are getting worse astechnology progresses and network speeds(i.e. bandwidth) increase

oculus

5


15-5

Visualization as a Solution

• Visualization allows people to see and comprehendlarge amounts of complex data in a short period oftime

• Helps the analyst to identify significant incidents andreduce time wasted with false positives

• Report incidents to a broader, non-expert audience• Ability to cue the analyst through the use of colour,

shape, patterns, or motion

oculus

6


15-6

Visualization Tool Development

• Two graphical applications have been built forevaluation– Intrusion Detection Analyst Workbench– Animated Incident Explanation Engine

• Each displays data visually, but currently havetwo separate audiences

oculus

7


15-7

Intrusion Detection Analyst Workbench

• More than 2 million events can be displayed andanalyzed in multiple concurrent dynamic charts

• Each chart is linked, allowing the analyst to selectsomething in one chart, and it will highlight therelevant details in the other charts

• High performance interactive analysis possible for 2Mrecords on high end Windows / Intel machine – 2GHz, 1 GB RAM and good graphics card.

oculus

8


15-8

Intrusion Detection Analyst Workbench

• Assists in isolating, investigating andprioritizing events

• Evaluated side-by-side with existing methodsand proved to be significantly faster andeasier

• Run by commercial off-the-shelf Advizor™product

oculus

9


15-9

Log Data Fields

• Date• Time• Direction out-in, in-out,

out-out, in-in• Alarm Code (alarms and/or normal traffic)• Alarm Name• Source IP• Destination IP• Port ID - Source• Port ID - Destination• Port Name ~10 well known,

65,000 possible• Sensor ID

oculus

10


15-10

Intrusion Detection Analysts WorkbenchLayout consists of multiple charts.

Each chart has all the records.All TCP UDP – 2M records in each chart(And that’s only for a two person network for five days!!)

Records plotted over TimeDestination IPs

Count by Source IPs

Count by Source Ports

Count by Destination IPsCount by Destination Ports

List of Raw Records

oculus

Htt l**lfl*f MraUOn.'DfekwVt Ml« c»i««« »»>*». rfeb

J4i?!5in nni«i.n.iR nitnu HMtHtH rORKN 2ie.miM.ifT NUinil £tbiai 74 16T J4292Mn 2iei91MIBT 74i&:671l lib HI 74 167

IT 3iiB2iii.(9i am 212S21S 141 «108 in* JWJM am list ju.iki am iiH Jin i9i am iiM jib ICH am ms 2ini9i am

11


15-11

Linked ChartingLinked Charting

Select the 600k records associated with this Source IP and those records are highlightedwhere they occur in the other graphs.

oculus

a- -. ■S-M-i.

■ lOlxl îDJxJ

gja.v^.«*' ^»A* ^BA^^V^V^V**'tf*^ ^9» J!ß&7p& ^^^■^mkaam^ ^j^zi*^.*. âê.^*-2^ Criunnft

-!*: iäi! -jgxj

tfT ^ tfß x&i A-0t> £jij2 ^4\ »tf» aT2* vW* 4** CtfutinsJ

4ai filiJfe

-J-»-ti.« .LM.'.'.W •.J.'.W.'.

si ttf t»» -J2Ö« 709 Cokjfin »5

Dill Vi

fltwWflfUfUfrthrymimriWIftvT^ 0k*^.1^0k* 2\*.W#«A9 zl*.«^«A9 HHLW^HI.« Z\S.«Â*Z\6>* ^fr^jtBîgBÎ.^ tfiA1

z\*** tf.V*z\fttf Mm #4

ilSJ jaiti

jaat.n Oofcinw *l|Column*2| Cofcjfw *3lCMumntM|Cofcjfru gS)c&mnri pi| 4 |Clären fiiinn |*i*r>-i | -■'} |**r*' f5*itig

Court ZOe-OW 2Qt-mf> ZDe*006 2.D>»DQr> Mte«QM 2JMHM satten biso ran fat si 3 rau ei si 3 ran E»kjdsd l5e*0DG MfWft l&e-Q« MfWB l5e*0DG 14r*005

Urtfifje C1F 44)1 l« WO 1 tm 6141'j 1 551 M 1 1

NMP 1D*«0OT 211,1« I]7 Jin is» 00 UP NcOfcB« 10« «OW 21b 1856 J M IM. w UK

('MtStrtf* AIOI

WiJilfifl Cüfcjflii 92 Ctt CoJunn« I cau..1Coi.

1012331 IMSfM 1012931 iomai 1012331 1DIM3I 1012931

nziznn WH

74Z92C7DQ MM2H1I 74ZB2MH 74Z&2B711 MZ.HH11

216.191 Ml WitttMJ ZIMSI 74i 2lfc1fl174.f 210.141 74 1 ML 101.74.1 ZI&181 Mt

i i T f-7 2119 216 191 4Z109 b? 21 JO attJM 47109 ST 2139 216191.42109 ft? 2139 216 101 42.100 67 2119 216 191 4Z109 6? 1139 21b tot 47100 57 2139 216.1 91.4Z 109

■IP itr du Itp 80 dp dD up 90 Up 80 Up 90tcp

- 414 » 21 w»

12


15-12

Linked Chartingoculus

V-*otf IMHIM» ACwWOflJlte««***'* F<*4>O»

ffc td* '«"■^ "."»i*n 3a**l Cf4r» 7*>»JS« h*t>

■ ■»■wcpuill» 3 Column IE 35* M □ £ ji »e©ci a. :.:

t*Mt *s ♦vtt T«rr>e mJOJ ■-•

l?i I02IMIM I9&34.1212

202 I W 200 241 2IQH8.IRW

212.112JDG.19I 21Z74.10I.9

311.1 M.171.117 2taifli.43.1a2 2iaifli 421« 21&1Q1 42 11Ü ilO 191 42 IM 2IM91 42119 21M91.42.I22 210.191.42.t2Q

216.1 W 1273 jib i DM; =3 11fl.1M4k.43 216 I 91 *: 4b 2ib i DM; SO

216.1 ÖM2S4 2161DM;« 210 191.4102 21G.I91.42M 219.191 12m 2IG 1914274 211.1014271 216 1DM;E:2

2161 DM; M 216 IDMI'M 216 IDM;D4

216 101 41-M 21BL20&212N

2ID.HJ3Q.17a 21GTB.10R7G

4.4Q.G0LH 02.1DQ.I29 14G

DO I t 1B1M 1 W<

.

•

■

•

Cc4umn«

■

■

■

.

•

"

i •

.

■

■ • - ■ ■

■

1

i

.

Pi ;•■!

•if-

'J

ft

•tai

'

.

••

■

INK

til^jll

69<

DK- LL ^^«e*1 #*.*

4M

_ MKr— I u> a ~

4&I

a.^V*

Court S4tottod EwUded

Ur«g8M Nod* MtfftM

n

TOP

614

l.D( 1 CK

13


15-13Analysis - All TCP UDP – 2M RecordsTCP is Blue and UDP is Red. Five days. Two people.

Time

Dest IPs

Blue bands:-Sensors talking back to console-Blackberry server talking out

Red band - Port 53 DNS.(And lots of TCP web server traffic Under it)

DNS Traffic.

Vertical lines aredeliberate scans.

oculus test IPs over Time -i

12.129.203.38 28.241.101.78 132.205.18.12 61.69.212.253

192.33.4.12 93.205.77.206

198.41.0.10 99.246.67.248 4.187.152.126 205.138.3.230 6.195.131.240 207.181.101.4 07.46.230.220 07.68.176.250 208.38.45.168 209.134.161.6 209.54.53.176 210.96.73.253 213.239.42.46 6.136.131.144 6.177.109.135 16.191.42.105 16.191.42.117 216.191.42.32 216.191.42.44 216.191.42.55 216.191.42.67 216.191.42.79 216.191.42.91 6.200.201.212 16.246.19.163

216.7.64.9 24.254.60.25

3.108.181.208 63.84.246.98 64 26169 27

64.4.22.24 65.82.101.55 66.38.151.26

1 ^ i

Column #4

in ii i i

i ■

i i

>,' •■•*■

t

■ I i

I

9

— ■'■—"■ ■'■!'■■' " " ';'(' """■ " .■ ■ ■ f,|. !"»■■ ■■. J ■■■■■. ■■ M t....... ■ — ■■■■» ■ ■>■■.■■■■■ ■■>.:, . ■ ■■■■■ — — ,!.—..- I LI.,. I. >..' ■■ l.ll. .,.■,■,.»,..:,, J ..,:: .— „ . : .

•■•■■■* ■IIIIIIMII« ■iinalVliiivHBiita IIIIIIBIIHIHB1 na* * aanaai laiaBiaai iBiBtanam laBiBtamaian aiattut «iiitaaaai iaaaBaamaBM iaan ■■■■••■•tan ■■ ■■■■iBtotiaiiii ■•■ liianaa naaiaaaaai II H

! i ■ iV( II

i

i • i

* . •

•'' 11 ' *... *... ■ MI'II

^wsmmmm. Wife: life

llfeflllll» ■A; i,

ft

VM u..;

> \

j'. />

- •

i i

i 11 II n i - - II

r t hi lüii i * liltli 1.

MK 1 MK irti

14


15-14

2. Scatter Scan

Select Src - 61k Packets

Tests2M TCP and UDP Records

1. More characteristicsmade visible.

Time

Dest IPs

oculus

|igj*ce^

Hin im; ma* i 11 (-.

HI"! Hi ;o »117 .42 1K . I i ■ .: M | «in *3 I !■ «12? . 11 ■: 11231 112»

Ml« KIM

IAIM

i am M:I HZM i im I AIM I AIM I AIM I AIM i II ■

: i IM mm mx own 21 14G

■n

-iai-1

CtlifTinf2

släL ^MaE

«T ^ j^jg 4-£T> 4-£* *&. ^\ jgfi ■$& Â ^

COUMIIJ

iäi lawk.

•qtriLj.'.j.'.ij.'.ij.ij.'.ijj.ij.ij.'.ii.ij.'.ij.'.i.'.ij.'.ij.ijj.ii.'.i.Mj.'.i

AZ^ \15* -j^J« 2^ 40» t 40« ^tfl g^?

I LTI '-' QKUI /Ih^YAfWwîlhrrirmmriWlhwrTimmltiHmii.

«ft*«»«*«»* 2*.rttf»-W 2».»^ft-w »*•*«** ^«2i6l» ,#Vviifl' joi.^1 2\e:

3 jal£li

iClU«,»i*

. c .- :rj .ii CNdimr - .btjftis3!Cduiin*l|Cdbmi«stCiäifiiaai *

ICMOIIH

USti ■ M^H

5IBT?I tint 10*-0W Ibl-OH

:np-mf «mi

1 h*w

«48

J 1*1*1

1 lists

UM

irrt »i

ICH

1

»ifii i ir-ne

in 98 218.1 «l„ 21t ID)

1

bill i

no

.■.-•■'1'

Itm i >•[•«■

3

CMu"fifl|co»jr.n>J CM (CHiiiifiM COU ]i

CBIf* loMM EMkxMQ

UIMiP

1 1 liianMznem m n.» in iiJT.ajiJi.ajM.-. HkttUUV i("MJi7*zn6Tn ;I&HWJIP iniajij«wiia jihiauniT iDinjiMznnn HSUWJIBT

ID1JflS17429]B71l 218.14174117 ID128JI7I292M11 2IB1I174I8T

2119 215 191 12.10? JU'J JlD 1 3119 2115 191 12 109 Jim 21*10142108 2119 21U 191 12109 2110 216 Ifil 4210B 2119 210 191 12 109

1 ID 1 80 1 80 1 «0 1

N..J- H

i n N

1 dp no

801 «01 801

15


15-15

Traffic Outbound – Firewall Src

Select Firewall Src – 400k Packets

450 Dest IPs~100 are the lab

Dest IPs outsidethe lab.


oculus

MM*M>nfafl.'Dei<*we>'»liJt-i»» lfe*> >»,«!■ :ovi cm.. -*»» :■*(

mi ;a

I13JSJ

7T 41.ftM n M WUM

RMM t 1014

n n '.IM 4 Uli Hin 73 Äl 142« ».IM Hl» «IM 4.'117 142» I 42M 142» I42F 142« M2H !W3I2 .UIU ■ r.Hj tar: ti M 146 M HUI

43234 .101» .111.26

ItH

-. ,< .

I* ^VMH^W^^J M —^

, .41 *:?■': ■ . ■..'.:./■.

■ *- ' ,

.. v. , • .. ■..■.■,,.■.■■,,■.,•,■,,.■■■ .. ,.".-.. • ■•* n »'■•*> H '•■**■■• ■ .,•'■"■■ •. •, . • • i •. • i ■

■

-

: !i: :

INK m

._ 'ttllillMU ..-25^1» 0**^*3» 2^1« «i»« l2»2*1%B.V^?li-^V*^Jl*'>0»*>^rt2\ft*^* &*>

-j^ ^ÜTsi

£ WT2 ^ ji&I ^ «ßT ^\ ^jT* .ja** *& Cautiri*]

Üäl BlJ 111 ,1* «^ *W \o» \t» $*& -stflO \oV> \^

CoUrru rt

- *OOK I «44114(34"

ZZnEEE * 216« 2^*5\**1 II^'BAJ*0 **** tf.** JÖ1 "V**1■&** 2t» W3^.^ «*** J^«1 i«*> #)

DUmM ü*

«<Q|xJ

C0tiTOi>l|CBUTiftr3|Ciitiifn*3icmitifi»4|CatJftn«)ca>infi*ij .*

lN««ii jöf-mr zr*-oM joe-*»* 2»-OM JOP-WP

.-witau Miffc? 103767 M27fc7 JK7t7 W1767 IHJV Dikittod Wlflfl 69HJ61 HHII 0MH1 WI6PI IMMJ1

U(MI IJ--0M 173 MM] UM? 2 IMMH M2JM t lanr; ra fc.'i : Nrtf i0f-om jioi»i Mj 2«is» . n he ■MBH IOK0U 316IW.. »47! 6&U13. MS Mb

: | lpi:fl»7:SM2<J32|:iPH1i31« |4-J |;c«Hi>G13 i Jim

lülMr7W*133gia HlttMUI 1032 307 107 II 13 Ml I

IDiar7M4WMJ7 2IH314334 1D32 307 1071113 »1 I

KII2JI7USMSW 211,141 »34 tun 307 107 11.13 MI I

■n

16


15-16

Low Port Scan?

Select Firewall Dest – 260k Packets

Src IPs

Dest Ports

Scan?


oculus

*ttl«i*Pvt?0fl;Pf«fft*9lFdUM .»~ i—*™ teWi C«m *W» r>c

DAM *>-

17


15-17

Slow Scan? one Src, many ports, over time.

Src IP

Dest PortsTime

Dest IPs


On the weekend

Or Microsoft virus definition file update.

Internal IP(Firewall)

oculus

»trim Mumm 'Pf .»tot wl Wtto» >"~ *--■;.

KIM 11212 ■>: >M

UM if.: | p|

MM Jl :;i ■ Kl 17 .43 IM .. IM

.«IM

.13 111

.1312? asm tun 142*

1424« 14291 I4UI MtM 142B3 : | 142« 14274 142« IA$M 1421* 142H 1J2M I II '.- 2I2H man m$M UM 211«

.-;

Iiiii1|i ■ih na« Q n

' ' "

'

Mi 7[F

^ M*V*B tf""*1 «** o**0 :««v

£)T* JTO* 4JB1 ^B& ißi1 A**1 a*^6 i Co tj im 95

MX** a«*!***«^*«-0 a«lSz*rt *»■**

C«imn#l|cu»jrTr»: n- '!:■ '-tiLi-irfi

MftKMN JllUu.'j

WL'i4Mi'j n&m tii

31 1WÄJ1M- 4M3

H tS)JUiW. 4Wä

WÜ14WÜ IltlltCJ 31 1MJSJ1W- 4H3 !

18


15-18

Animated Incident Explanation Engine

• Designed to show the significance and nature of theevents without overwhelming the viewer

• Easy to see who did what to whom and when• Excellent for explaining concepts to non-experts

• Analyst workbench identifies and isolates incidents.When an incident is isolated, all the recordsassociated with it are written out and saved. Overtime, a set of verified assessed incidents is created.

• The explanation engine works on this set of incidents.

oculus

19


15-19

Animated Incident Explanation Engine

IP Half Scan is shown.

Timeline of Incidents

-one line per incident

External IPs- sorted by frequency- and/or grouped by watchlist order

Internal IPs-grouped by function

Usage – show all records, show all records associated with one incident,animate over time all records, or animate records for one or more incidents.Playback speed is from fast fwd to very slow.

oculus

20


15-20

Future Developments

• Expansion and integration of the two currenttools

• Anomaly detection capability through the useof network traffic data along with fused IDSalarms

• Integrated time based comparisons

oculus

21


15-21

Conclusions

• Visualization has proved to be an effectiveanalyst’s tool

• Massive amounts of information are easilyunderstood by non-experts

• More development and research needed

oculus

22


15-22

Questions?

oculus

Documents

Visualization Techniques for Intrusion Detection · Visualization Techniques for Intrusion Detection William Wright and Peter Clarke Point of Contact: William Wright Oculus Info Inc