VizSec05


  • IDS RainStorm: Visualizing IDS Alarms

    Kulsoom Abdullah, Chris Lee, Gregory Conti, John A. Copeland, John Stasko

  • Introduction

    Alarm logs are smaller than network traffic capture logs, but they are still large and time consuming to go through.

    Many alarms are generated as a real attack progresses, increasing the log size and adding redundant information.

    Information visualization techniques used in network security research have had initial success and show future promise.

    They complement text logs and machine learning algorithms, and represent the information more densely.

  • Georgia Tech Network

    Campus population: 15,000 undergraduate and graduate students, approximately 5,000 staff and faculty.

    Networked systems: 30,000-35,000.

    IP addresses: 2.5 Class B ranges distributed across 69 individual departments and various buildings.

    Throughput: two OC-12s and one OC-48 connected to the Internet, with an average throughput of 600 Mbps.

    Total data processed: 4 terabytes each day.

  • Office of Information Technology (OIT) at Georgia Tech

    OIT maintains the campus network and the Internet links connecting the campus to the Internet.

    It monitors and secures the network.

    It also provides technical and educational support.

    Each academic department has Computer Support Representatives (CSRs).

    CSRs work with OIT to maintain and protect their respective networks.

  • User Interviews

    OIT sysadmins were interviewed to find out:

    How they monitor alarms.

    Browsing through the text alarm log is the usual method. Calibrating the IDS with its visual components is time consuming.

    What they look for to identify potential anomalies:

    Location of high-priority alarms.

    Quantity and pattern of alarms.

    What a particular host provides.

    This motivated the design of the system.

  • Alarms with StealthWatch

    The StealthWatch IDS is an anomaly-based IDS and one of the security appliances used at Georgia Tech.

    Alarms generated by the sensor on the perimeter of the network were used.

    About 7,000-10,000 alarms are generated from this sensor each day.

    Roughly 40,000 alarms are generated each day from all campus sensors.

  • Alarm Parameters

    Alarm types: 33 definitions.

    Administrators can adjust these and change the threshold values for their network.

    Time: recorded as an alarm is generated.

    This determines the alarm's temporal position among the rest of the alarms and can help find patterns.

    IP addresses: the internal (victim) IP address of the alarm is given, and/or an external IP, depending on the alarm type.

  • System Design

    (figure: main view and zoom view)

  • Main view encoding

    20 IPs are represented on each pixel line.

    24 hours of alarms are shown.

    The 2.5 Class B address ranges are plotted along 8 vertical axes.

    Color represents severity.

    When multiple alerts occupy the same pixel, the most severe alarm is shown.

  • Interaction Techniques

    Glossing: a popup box appears when the mouse hovers over an alarm in the zoom view.

    This gives semantic detail about the alarm.

    Filtering: focus on alarms of a chosen color (severity).

    This reduces unneeded information in the view.

    Panning: click and drag the mouse in the overview; the panning movement is reflected in the zoom view.

    Useful when anomalous behavior could be targeting internal IPs that are spread across the logical address space.

    (demo)
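The layout on the main-view and interaction slides (20 addresses per pixel line, 8 vertical axes covering 2.5 Class B ranges, one column per hour, most severe alarm wins a shared pixel, filter by severity) is easy to state as code. The block below is an added example written for this page, not the IDS RainStorm implementation. It assumes a hypothetical base address of 10.0.0.0 for the monitored space, severities 1 to 3, and a constructed log format; none of that comes from the slides.

```python
"""Pixel-map aggregation in the style of the IDS RainStorm main view.

Added example, not the authors' code. Assumptions (hypothetical): the
monitored address space starts at 10.0.0.0 and spans 2.5 Class B ranges
(163,840 addresses); severity is an integer 1 (low) to 3 (high); the log
format and the sample alarms below are constructed for this example.
"""
from collections import defaultdict
from ipaddress import IPv4Address

BASE_IP = int(IPv4Address("10.0.0.0"))       # assumed start of the monitored block
SPACE = int(2.5 * 65536)                       # 2.5 Class B ranges = 163,840 addresses
IPS_PER_ROW = 20                               # "20 IPs represented on each line"
AXES = 8                                       # "plotted along 8 vertical axes"
ROWS_PER_AXIS = SPACE // IPS_PER_ROW // AXES   # 8192 rows split over 8 axes = 1024 each
HOURS = 24                                     # "24 hours of alarms shown"

# Constructed sample log: "<hour>:<minute> <internal IP> <alarm type> <severity>"
SAMPLE_LOG = """\
00:05 10.0.0.7 watch_port_active 2
00:07 10.0.0.12 watch_port_active 2
00:09 10.0.0.15 watch_port_active 3
13:30 10.2.127.1 watch_host_active 2
13:45 10.2.127.9 watch_host_active 2
23:59 10.2.127.255 watch_host_active 1
"""


def parse_alarm(line):
    """Split one constructed log line into (hour, ip_as_int, alarm_type, severity)."""
    t, ip, kind, sev = line.split()
    hour = int(t.split(":")[0])
    if not 0 <= hour < HOURS:
        raise ValueError(f"hour out of range: {hour}")
    return hour, int(IPv4Address(ip)), kind, int(sev)


def pixel_for(ip_int, hour):
    """Map (IP, hour) to (axis, row, column): 20 consecutive addresses share a row,
    rows are split evenly across the 8 axes, and the hour selects the column."""
    offset = ip_int - BASE_IP
    if not 0 <= offset < SPACE:
        raise ValueError("address outside the monitored 2.5 Class B space")
    axis, row = divmod(offset // IPS_PER_ROW, ROWS_PER_AXIS)
    return axis, row, hour


def render(lines, min_severity=1):
    """Return {(axis, row, column): severity}. When several alarms land on one
    pixel the most severe one wins, as on the slide. min_severity implements
    the severity (color) filter from the interaction-techniques slide."""
    pixels = defaultdict(int)
    for line in lines:
        hour, ip_int, _kind, sev = parse_alarm(line)
        if sev < min_severity:
            continue
        px = pixel_for(ip_int, hour)
        pixels[px] = max(pixels[px], sev)
    return dict(pixels)


if __name__ == "__main__":
    for px, sev in sorted(render(SAMPLE_LOG.splitlines()).items()):
        print(px, "severity", sev)
```

In the sample, the three alarms on 10.0.0.7, 10.0.0.12 and 10.0.0.15 at hour 0 all fall into the same 20-address row and collapse to a single pixel showing severity 3, which is exactly the information loss the "most severe alarm is shown" rule accepts in exchange for fitting the whole address space on one screen.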

  • Examples

  • Worm

    Watch port active alarms seen in the dorm address space. The port watch was set on a port used by a known exploit.

    (figure: 2x zoom)

  • Botnet

    A cluster of watch host active alarms was seen. The watched host was an external IP known to install bots on the network.

    The time pattern was similar on two consecutive days.
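The botnet example is noticed in the view because the same external watched host produces alarms at similar times of day on two consecutive days. The block below is an added example, not the authors' code: it builds an hour-of-day profile per external host and per day and flags hosts whose profiles on consecutive days overlap (Jaccard similarity). The alarm records and the threshold of 0.5 are constructed for the example; the documentation-range addresses stand in for real watched hosts.

```python
"""Flag external hosts whose alarm hours repeat on consecutive days.

Added example, not part of IDS RainStorm. Input records are constructed
(day number, hour of day, external IP of a watch host active alarm).
"""
from collections import defaultdict

# Constructed sample: 203.0.113.5 is active around 02:00-03:00 and early
# afternoon on both days; 198.51.100.7 fires at unrelated hours.
SAMPLE_ALARMS = [
    (1, 2, "203.0.113.5"), (1, 3, "203.0.113.5"), (1, 14, "203.0.113.5"),
    (2, 2, "203.0.113.5"), (2, 3, "203.0.113.5"), (2, 15, "203.0.113.5"),
    (1, 9, "198.51.100.7"), (2, 20, "198.51.100.7"),
]


def hourly_profiles(alarms):
    """Return {external_ip: {day: set_of_hours_with_alarms}}."""
    prof = defaultdict(lambda: defaultdict(set))
    for day, hour, ext in alarms:
        prof[ext][day].add(hour)
    return prof


def jaccard(a, b):
    """Set overlap in [0, 1]; 0 when both sets are empty."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def recurring_hosts(alarms, min_overlap=0.5):
    """External hosts whose active hours on two consecutive days overlap by at
    least min_overlap, mapped to their best consecutive-day score."""
    hits = {}
    for ext, days in hourly_profiles(alarms).items():
        ordered = sorted(days)
        for d0, d1 in zip(ordered, ordered[1:]):
            if d1 != d0 + 1:          # only compare truly consecutive days
                continue
            score = jaccard(days[d0], days[d1])
            if score >= min_overlap:
                hits[ext] = max(hits.get(ext, 0.0), score)
    return hits


if __name__ == "__main__":
    print(recurring_hosts(SAMPLE_ALARMS))
```

A human reading the view tolerates the slight drift (14:00 on one day, 15:00 on the next) because the two bands still look alike; the score here does not, which is one reason the slides pair the visualization with, rather than replace it by, automated checks.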

  • Result Summary

    This tool is not a complete solution. It can be used alongside other IDS tools, both signature and anomaly based.

    It adds human analysis, which can notice activity that machine learning algorithms might miss, since network traffic is dynamic by nature.

    If the alarm count were much higher, anomalies would be harder to notice at an initial glance, and more interaction would be needed.

  • Current and Future Work

    Further detailed user study based on the current system.

    Visually encoding other alarm parameters.

    More filtering (queries on host, alarm type).

    Pivoting the axes.

  • Acknowledgements

    OIT, for giving us the dataset and for the discussions that motivated the design.

    The reviewers, whose comments helped to improve the paper.

    Lancope (www.lancope.com), for sponsoring the project.

    Dr. Raheem Beyah, Georgia State University.

  • For feedback and more information

    Email: [email protected]

    Center's webpage: www.csc.gatech.edu

    Personal webpage: users.ece.gatech.edu/~kulsoom

    Thanks for coming.