IDS Alarms
Kulsoom Abdullah, Chris Lee, Gregory Conti,
John A. Copeland, John Stasko
Introduction
Alarm logs are smaller than network traffic capture logs but still large and time consuming to go through.
Many alarms are generated as real attacks progress, increasing the log size and the amount of redundant information.
Information visualization techniques used in network security research have had initial success and show future promise.
Visualization complements text logs and machine learning algorithms, and represents the information more densely.
Networked systems: 30,000-35,000
IP Addresses: 2.5 Class B distributed across 69 individual departments and various buildings.
Throughput: Two OC-12's and one OC-48 connected to the Internet with an average throughput of 600Mbps.
User Interviews
OIT sysadmins were interviewed to find out:
How they monitor alarms. Browsing through the text alarm log is usually the method. Calibrating the IDS with visual components is time consuming.
What they look for to identify potential anomalies: the location of high-priority alarms, the quantity and pattern of alarms, and what a particular host provides.
This motivated the design of the system.
Alarm Parameters
Alarm types: 33 definitions. These can be adjusted, and threshold values changed, by administrators for a network.
Time: recorded as an alarm is generated. This helps determine the alarm's temporal position among the rest of the alarms and can help find patterns.
IP Addresses: the victim's internal IP address is given for the alarm, and/or an external IP depending on the alarm type.
System Design
Main view and zoom view.
20 IPs represented on each line.
2.5 Class B addresses plotted along the vertical axis.
24 hours of alarms shown.
Color represents severity.
The most severe alarm is shown when multiple alerts occupy the same pixel.
Interaction Techniques
Glossing: a popup box appears on mouseover of an alarm in the zoom view. Gets semantic detail.
Filtering: focus on an alarm color. Reduces unneeded information in the view.
Panning: click and drag the mouse in the overview; the panning movement is seen in the zoom view. Useful when anomalous behavior could be targeting internal IPs that are spread across the logical address space.
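The following is an added example, not code from the paper or its tool, that works through the pixel mapping described in the Alarm Parameters, System Design and Interaction Techniques slides: each alarm record (time, victim IP, type, severity) is placed on a grid with 20 IPs per row and the 24 hours of the day along the other axis, a pixel takes the color of the most severe alarm sharing it, filtering drops alarms below a severity threshold, and glossing returns every alarm under a pixel. The internal address range (10.0.0.0), the one-hour column width, the 1..3 severity scale and the alarm type names are assumptions; the real deployment's values are not on the page, and the sample alarms are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Layout from the slides: 2.5 Class B networks of victim IPs on the vertical
# axis, 20 IPs per pixel row, 24 hours of alarms on the horizontal axis.
IPS_PER_ROW = 20
HOURS = 24
ADDRESS_SPACE = int(2.5 * 65536)          # 2.5 Class B = 163,840 addresses
ROWS = ADDRESS_SPACE // IPS_PER_ROW       # 8,192 pixel rows
MINUTES_PER_COLUMN = 60                   # assumed: one pixel column per hour
NETWORK_BASE = ipaddress.IPv4Address("10.0.0.0")  # assumed placeholder range


@dataclass
class Alarm:
    minute_of_day: int   # time the alarm was generated, 0..1439
    victim_ip: str       # internal victim address (or an external IP)
    alarm_type: str      # one of the IDS's alarm definitions (names constructed)
    severity: int        # assumed scale: 1 = low, 2 = medium, 3 = high


def pixel_for(alarm):
    """Map an alarm to its (row, column) pixel, or None if it is off the view."""
    offset = int(ipaddress.IPv4Address(alarm.victim_ip)) - int(NETWORK_BASE)
    if not 0 <= offset < ADDRESS_SPACE:
        return None          # external or out-of-range address: not plotted
    row = offset // IPS_PER_ROW
    col = alarm.minute_of_day // MINUTES_PER_COLUMN
    if not 0 <= col < HOURS:
        return None          # outside the 24-hour window
    return row, col


def rasterize(alarms, min_severity=1):
    """Group alarms by pixel. Filtering: alarms below min_severity are dropped."""
    grid = {}
    for alarm in alarms:
        if alarm.severity < min_severity:
            continue
        pixel = pixel_for(alarm)
        if pixel is None:
            continue
        grid.setdefault(pixel, []).append(alarm)
    return grid


def severity_at(grid, pixel):
    """Pixel color: the most severe alarm among those sharing the pixel (0 if empty)."""
    alarms = grid.get(pixel)
    return max(a.severity for a in alarms) if alarms else 0


def gloss(grid, pixel):
    """Mouseover detail for a pixel: every alarm under it, most severe first."""
    return sorted(grid.get(pixel, []), key=lambda a: a.severity, reverse=True)


# Constructed sample log: two alarms land on the same pixel, one is external,
# one sits exactly one address past the end of the monitored space.
SAMPLE_ALARMS = (
    Alarm(615, "10.0.0.25", "PORT_SCAN", 1),
    Alarm(620, "10.0.0.30", "BUFFER_OVERFLOW_ATTEMPT", 3),
    Alarm(90, "10.0.1.7", "DOS", 2),
    Alarm(100, "192.0.2.9", "DOS", 2),        # external source, not in main view
    Alarm(1439, "10.2.128.0", "PORT_SCAN", 2),  # offset == ADDRESS_SPACE, off-view
)


if __name__ == "__main__":
    grid = rasterize(SAMPLE_ALARMS)
    for pixel in sorted(grid):
        print(pixel, "severity", severity_at(grid, pixel),
              [a.alarm_type for a in gloss(grid, pixel)])
    print("high-severity pixels:", sorted(rasterize(SAMPLE_ALARMS, min_severity=3)))
```

Row 1, column 10 holds both the low-severity scan and the high-severity overflow attempt; the pixel is drawn in the high-severity color, and glossing it still lists both, which is what keeps the max-severity collision rule from hiding alarms.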
Demo
Examples
Worm
2x zoom
Botnet
Result Summary
This tool is not a complete solution. It can be used alongside other IDS tools, both signature and anomaly based.
It adds human analysis, which can notice activity that machine learning algorithms might not, since network traffic is dynamic by nature.
If the alarm count were much higher, it would be more difficult to notice an anomaly on initial glances; more interaction would be needed.
Acknowledgements
OIT, for giving us the dataset and for the discussions with them that motivated the design.
The reviewers' comments, which helped to improve the paper.
Lancope (www.lancope.com) for sponsoring the project.
Dr. Raheem Beyah, Georgia State University.