Scribd Logo
Upload

Welcome to Scribd!

  • Ids Rainstorm: Visualizing Ids Alarms: Kulsoom Abdullah, Chris Lee, Gregory Conti, John A. Copeland, John Stasko

    Uploaded by

    WebTutors
    26 views17 pages
    This document describes a visualization tool called IDS RainStorm that was created to help network security administrators more easily analyze large volumes of intrusion detection system (IDS) alarms. The tool uses an interactive pixel-based visualization to display IDS alarms clustered by source and destination IP addresses over time. This allows analysts to more quickly identify patterns and anomalies within IDS alarm data that may indicate actual security threats. The tool was created based on interviews with IDS administrators at Georgia Tech who needed a more efficient way to analyze the thousands of alarms generated daily across their campus network.

    Original Description:

    vvv

    Original Title

    VizSec05

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    This document describes a visualization tool called IDS RainStorm that was created to help network security administrators more easily analyze large volumes of intrusion detection system (IDS) alarms. The tool uses an interactive pixel-based visualization to display IDS alarms clustered by source and destination IP addresses over time. This allows analysts to more quickly identify patterns and anomalies within IDS alarm data that may indicate actual security threats. The tool was created based on interviews with IDS administrators at Georgia Tech who needed a more efficient way to analyze the thousands of alarms generated daily across their campus network.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    26 views17 pages

    Ids Rainstorm: Visualizing Ids Alarms: Kulsoom Abdullah, Chris Lee, Gregory Conti, John A. Copeland, John Stasko

    Uploaded by

    WebTutors
    This document describes a visualization tool called IDS RainStorm that was created to help network security administrators more easily analyze large volumes of intrusion detection system (IDS) alarms. The tool uses an interactive pixel-based visualization to display IDS alarms clustered by source and destination IP addresses over time. This allows analysts to more quickly identify patterns and anomalies within IDS alarm data that may indicate actual security threats. The tool was created based on interviews with IDS administrators at Georgia Tech who needed a more efficient way to analyze the thousands of alarms generated daily across their campus network.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 17

    IDS RainStorm: Visualizing

    IDS Alarms
    Kulsoom Abdullah, Chris Lee, Gregory Conti,
    John A. Copeland, John Stasko

    Introduction
    Alarm logs are smaller than network traffic capture logs but
    still large and time consuming to go through.
    Many alarms are generated as real attacks progress
    increasing the log size and redundant information.
    Information visualization techniques used in network
    security research have initial success and future promise.
    Text logs and machine learning algorithms are
    complemented and information is represented more
    densely.
    2

    Georgia Tech Network


    Campus population: 15,000
    undergraduate and graduate
    students, approximately 5,000
    staff and faculty.

    Total Data Processed: 4 terabytes


    each day.

    Networked systems:
    30,000-35,000
    IP Addresses: 2.5 Class B
    distributed across 69 individual
    departments and various
    buildings.
    Throughput: Two OC-12's and
    one OC-48 connected to the
    Internet with an average
    throughput of 600Mbps.

    Office of Information Technology


    (OIT) at Georgia Tech
    They maintain the campus network and the Internet
    links connecting the campus to the Internet.
    They monitor and secure the network.
    Also technical and educational support is provided.
    Each academic dept. has Computer Support
    Representatives (CSR).
    They work with OIT to maintain and protect their
    respective network.
    4

    User Interviews
    OIT sysadmins were interviewed to find out:
    How they monitor alarms.
    Browsing through text alarm log is usually the method.
    Calibrating IDS with visual components is time consuming.
    What they look for to identify potential anomalies
    Location of high-priority alarms
    Quantity and pattern of alarms
    What a particular host provides.
    This motivated the design of the system.
    5

    Alarms with StealthWatch


    The Stealthwatch IDS is anomaly based IDS and
    one of the security appliances used at Georgia
    Tech.
    Alarms that were generated on the perimeter of
    the network were used.
    About 7,000-10,000 alarms are generated from
    this sensor each day.
    ~40,000 alarms are generated each day from all
    campus sensors.
    6

    Alarm Parameters
    Alarm types: 33 definitions.
    These can be adjusted and threshold values changed by
    administrators for a network.
    Time: recorded as an alarm is generated.
    This helps determine temporal position among the rest
    of the alarms and can help find patterns.
    IP Addresses: Victim internal IP address of the alarm is
    given, and/or an external IP depending on the alarm type.
    7

    System Design

    Main view

    Zoom view

    20 IPs represented on
    each line
    2.5 Class B addresses
    plotted along 8
    vertical axis.
    24 hours of alarms
    shown
    Color represents
    severity
    The most severe alarm
    is shown when multiple
    alerts occupy the same
    pixel.
    9

    Interaction Techniques
    Glossing:popup box when mouseover the
    alarm in zoom view.
    Gets semantic detail.
    Filtering: focus on alarm color.
    Reduces unneeded info. in the view.
    Panning: Click and drag mouse in the
    overview, panning movement seen in
    zoom view.
    Useful for when anomalous behavior
    could be targeting internal IPs that are
    spread across the logical space.
    10

    demo

    Examples

    11

    Worm

    2x zoom

    Watch port active alarms in


    dorm space. Port watch was
    on a known exploit.

    12

    Botnet

    Time pattern similar


    for 2 consecutive days

    Cluster of watch host active


    alarms seen. Watch host was an
    external IP known to install bots
    on the network

    13

    Result Summary
    This tool is not a complete solution. It can be
    used with other IDS tools, signature and anomaly
    based.
    It adds human analysis which can notice activity
    that machine learning algorithms might not, since
    network traffic is dynamic by nature.
    If alarm count were much higher, more difficult to
    notice anomaly on initial glances--need more
    interaction.
    14

    Current and Future Work


    Further detailed user study based on current
    system.
    Visually encoding other alarm parameters.
    More filtering (queries on host, alarm type).
    Pivoting axis.
    15

    Acknowledgements
    OIT - for giving us the dataset and discussions
    with them to motivate the design.
    The reviewers comments which helped to improve
    the paper.
    Lancope (www.lancope.com) for sponsoring the
    project.
    Dr. Raheem Beyah, Georgia State University.
    16

    For feedback & more info


    Email:kulsoom@gatech.edu
    Centers webpage:www.csc.gatech.edu
    Personal webpage: users.ece.gatech.edu/~kulsoom
    Thanks for coming

    17

    You might also like