IDS RainStorm: Visualizing IDS Alarms
Kulsoom Abdullah, Chris Lee, Gregory Conti, John A. Copeland, John Stasko
Introduction
Alarm logs are smaller than network traffic capture logs, but they are still large and time consuming to go through.
Many alarms are generated as a real attack progresses, increasing the log size and adding redundant information.
Information visualization techniques used in network security research have had initial success and show future promise.
Visualization complements text logs and machine learning algorithms, and represents the information more densely.
Georgia Tech Network
Campus population: 15,000 undergraduate and graduate students, approximately 5,000 staff and faculty.
Networked systems: 30,000-35,000.
IP addresses: 2.5 Class B, distributed across 69 individual departments and various buildings.
Throughput: two OC-12's and one OC-48 connected to the Internet, with an average throughput of 600 Mbps.
Total data processed: 4 terabytes each day.
Office of Information Technology (OIT) at Georgia Tech
They maintain the campus network and the Internet links connecting the campus to the Internet.
They monitor and secure the network.
Also technical and educational support is provided.
Each academic dept. has Computer Support Representatives (CSR).
They work with OIT to maintain and protect their respective network.
User Interviews
OIT sysadmins were interviewed to find out:
How they monitor alarms.
Browsing through the text alarm log is the usual method. Calibrating an IDS with visual components is time consuming.
What they look for to identify potential anomalies:
Location of high-priority alarms.
Quantity and pattern of alarms.
What a particular host provides.
This motivated the design of the system.
Alarms with StealthWatch
The StealthWatch IDS is an anomaly-based IDS and one of the security appliances used at Georgia Tech.
Alarms generated on the perimeter of the network were used.
About 7,000-10,000 alarms are generated from this sensor each day.
~40,000 alarms are generated each day from all campus sensors.
Alarm Parameters
Alarm types: 33 definitions.
Administrators can adjust these and change their threshold values for a network.
Time: recorded as an alarm is generated.
This determines the alarm's temporal position among the rest of the alarms and can help find patterns.
IP addresses: the internal victim IP address of the alarm is given, and/or an external IP, depending on the alarm type.
System Design
[Figure: main view and zoom view]
20 IPs are represented on each line.
24 hours of alarms are shown.
2.5 Class B addresses are plotted along 8 vertical axes.
Color represents severity.
The most severe alarm is shown when multiple alerts occupy the same pixel.
Interaction Techniques
Glossing: a popup box appears on mouse-over of an alarm in the zoom view.
Gives semantic detail.
Filtering: focus on alarm color.
Reduces unneeded information in the view.
Panning: click and drag the mouse in the overview; the panning movement is seen in the zoom view.
Useful when anomalous behavior could be targeting internal IPs that are spread across the logical space.
demo
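As an added illustration (not code from the IDS RainStorm authors), the following Python sketches the pixel mapping described on the System Design slide and the filtering and glossing interactions described above: each victim IP maps to one of 8 vertical axes and to a row covering 20 addresses, the time of day maps to a column, and when several alarms land on one pixel the most severe one decides the color. The 10.0.0.0 base prefix, one column per minute, 1024 rows per axis (derived from 163,840 addresses / 20 IPs per row / 8 axes), and the three-level severity scale are assumptions; the alarm records are constructed, not StealthWatch data.

```python
from __future__ import annotations

import ipaddress
from datetime import datetime

# Layout constants taken from the deck: 2.5 Class B networks, 20 IPs per
# pixel row, 8 vertical axes, 24 hours along the horizontal axis.
IPS_PER_ROW = 20
NUM_AXES = 8
ADDRESS_SPACE = (5 * 65536) // 2                          # 2.5 Class B = 163,840 addresses
ROWS_PER_AXIS = ADDRESS_SPACE // IPS_PER_ROW // NUM_AXES  # 1024 rows per axis (derived)
COLUMNS = 24 * 60                                         # assumption: one column per minute

# Assumption: the monitored space is modelled as one contiguous block starting
# at this hypothetical prefix (not the campus's real addresses).
BASE_ADDR = int(ipaddress.IPv4Address("10.0.0.0"))

# Constructed severity scale; the deck only says that colour encodes severity.
SEVERITY = {"low": 1, "medium": 2, "high": 3}


def ip_to_axis_row(ip: str) -> tuple[int, int]:
    """Map a victim IP to (axis index, row within that axis)."""
    offset = int(ipaddress.IPv4Address(ip)) - BASE_ADDR
    if not 0 <= offset < ADDRESS_SPACE:
        raise ValueError(f"{ip} lies outside the plotted address space")
    row = offset // IPS_PER_ROW          # 20 consecutive IPs share one row
    return row // ROWS_PER_AXIS, row % ROWS_PER_AXIS


def time_to_column(timestamp: str) -> int:
    """Map an alarm timestamp to a column: minutes since midnight."""
    t = datetime.strptime(timestamp, "%Y-%m-%d %H:%M:%S")
    return t.hour * 60 + t.minute


def render(alarms, min_severity: int = 1) -> dict:
    """Aggregate alarms into pixels keyed by (axis, row, column).

    Alarms below min_severity are dropped (the 'focus on alarm colour'
    filter). When several alarms share a pixel, the pixel keeps the most
    severe one for colouring, plus a count so glossing can report how many
    alarms are stacked there.
    """
    pixels: dict = {}
    for alarm in alarms:
        sev = SEVERITY[alarm["severity"]]
        if sev < min_severity:
            continue
        axis, row = ip_to_axis_row(alarm["victim_ip"])
        key = (axis, row, time_to_column(alarm["time"]))
        pixel = pixels.setdefault(key, {"severity": 0, "count": 0, "alarm": None})
        pixel["count"] += 1
        if sev > pixel["severity"]:
            pixel["severity"] = sev
            pixel["alarm"] = alarm
    return pixels


def gloss(pixels: dict, key) -> str:
    """Text for the mouse-over popup on one pixel of the zoom view."""
    p = pixels.get(key)
    if p is None:
        return "no alarms"
    a = p["alarm"]
    return f"{p['count']} alarm(s); worst: {a['type']} on {a['victim_ip']} at {a['time']}"


# Constructed sample alarms; the alarm type names are the ones the deck mentions.
SAMPLE_ALARMS = [
    {"time": "2005-03-01 01:00:10", "victim_ip": "10.0.0.5",  "type": "Watch Port Active", "severity": "low"},
    {"time": "2005-03-01 01:00:50", "victim_ip": "10.0.0.12", "type": "Watch Host Active", "severity": "high"},
    {"time": "2005-03-01 12:30:00", "victim_ip": "10.0.80.1", "type": "Watch Port Active", "severity": "medium"},
]

if __name__ == "__main__":
    grid = render(SAMPLE_ALARMS)
    for key in sorted(grid):
        print(key, gloss(grid, key))
```

The first two sample alarms fall in the same 20-address row and the same minute, so they collapse into one pixel coloured by the high-severity alarm; the third lands at the top of the second axis. Raising `min_severity` to 2 removes the low alarm from the view while leaving the pixel's colour unchanged, which is exactly why the count in the gloss text is worth keeping.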
Examples
Worm
Watch Port Active alarms in dorm space. The port watch was on a known exploit.
[Figure: 2x zoom]
Botnet
A cluster of Watch Host Active alarms was seen. The watched host was an external IP known to install bots on the network.
The time pattern was similar for 2 consecutive days.
Result Summary
This tool is not a complete solution. It can be used alongside other IDS tools, both signature and anomaly based.
It adds human analysis, which can notice activity that machine learning algorithms might not, since network traffic is dynamic by nature.
If the alarm count were much higher, anomalies would be harder to notice at a glance, and more interaction would be needed.
Current and Future Work
Further detailed user study based on the current system.
Visually encoding other alarm parameters.
More filtering (queries on host, alarm type).
Pivoting axes.
Acknowledgements
OIT - for giving us the dataset and discussions with them to motivate the design.
The reviewers' comments, which helped to improve the paper.
Lancope (www.lancope.com) for sponsoring the project.
Dr. Raheem Beyah, Georgia State University.
For feedback & more info
Email: [email protected]
Center's webpage: www.csc.gatech.edu
Personal webpage: users.ece.gatech.edu/~kulsoom
Thanks for coming