Visualizing web server attacks: patterns in PHPIDS logs

The growing prevalence and severity of application-layer vulnerabilities are dramatically increasing the attacks that exploit them. In this paper, we present an extension to PHPIDS, an open source intrusion detection and prevention system for PHP-based web applications, that visualizes its security log. Our use of security data visualization is motivated by the fact that most security defense systems record security-related events in text-based logs, which are difficult to analyze and correlate. The proposed extension analyzes PHPIDS logs, correlates them with the corresponding web server logs, and plots the security-related events. We use a set of tightly coupled visual representations of hypertext transfer protocol (HTTP) server requests containing known and suspicious malicious content to provide system administrators and security analysts with fine-grained, visual querying capabilities. We present multiple case studies to demonstrate the ability of our PHPIDS visualization extension to support security analysts in analytic reasoning and decision making in response to ongoing web server attacks. Experiments with the proposed PHPIDS visualization extension on real-world datasets show promise for providing complementary information for effective situational awareness. Copyright © 2014 John Wiley & Sons, Ltd.
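As an added example (not code from the paper or from PHPIDS itself), the following Python pipeline carries out the three steps the abstract names on constructed sample data: parse PHPIDS file-log entries, correlate each alert with the web server access-log request from the same client closest in time, and aggregate per-client impact, tags and HTTP status codes as the data a plot would encode. The PHPIDS field order and the Apache combined log format are assumptions, and all log lines are constructed.

```python
import csv
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PHPIDS file-log lines; assumed field order: "ip",ISO-8601 time,impact,"tags","params","uri","origin"
PHPIDS_LOG = '''\
"203.0.113.7",2014-03-01T10:15:02+00:00,24,"xss csrf","GET.q=%3Cscript%3E","/search.php","203.0.113.7"
"203.0.113.7",2014-03-01T10:15:09+00:00,33,"sqli id","GET.id=1%27%20OR%201%3D1","/item.php","203.0.113.7"
"198.51.100.9",2014-03-01T10:20:45+00:00,5,"lfi","GET.file=..%2Fetc%2Fpasswd","/view.php","198.51.100.9"
'''
# Constructed Apache combined-format access-log lines covering the same minutes.
ACCESS_LOG = '''\
203.0.113.7 - - [01/Mar/2014:10:15:02 +0000] "GET /search.php?q=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [01/Mar/2014:10:15:09 +0000] "GET /item.php?id=1%27%20OR%201%3D1 HTTP/1.1" 500 231 "-" "sqlmap/1.0"
203.0.113.7 - - [01/Mar/2014:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [01/Mar/2014:10:20:46 +0000] "GET /view.php?file=..%2Fetc%2Fpasswd HTTP/1.1" 404 120 "-" "curl/7.35"
'''
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')

def parse_phpids(text):
    """One dict per PHPIDS alert line, with an aware datetime and integer impact score."""
    return [{"ip": r[0], "time": datetime.fromisoformat(r[1]), "impact": int(r[2]),
             "tags": r[3].split(), "uri": r[5]}
            for r in csv.reader(text.splitlines()) if len(r) >= 6]  # skip blank/truncated lines
def parse_access(text):
    """One dict per Apache combined-format line; lines the regex rejects are skipped."""
    requests = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        requests.append({"ip": m.group(1), "method": m.group(3), "path": m.group(4),
                         "time": datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"),
                         "status": int(m.group(5)), "agent": m.group(6)})
    return requests
def correlate(alerts, requests, tolerance_s=2):
    """Attach to each alert the same-client request closest in time, or None if none is within tolerance."""
    tol = timedelta(seconds=tolerance_s)
    for a in alerts:
        near = [r for r in requests if r["ip"] == a["ip"] and abs(r["time"] - a["time"]) <= tol]
        a["request"] = min(near, key=lambda r: abs(r["time"] - a["time"]), default=None)
    return alerts
def summarize(alerts):
    """Per-client totals a plot would encode: summed impact, tag set and matched HTTP statuses."""
    summary = defaultdict(lambda: {"impact": 0, "tags": set(), "statuses": []})
    for a in alerts:
        summary[a["ip"]]["impact"] += a["impact"]
        summary[a["ip"]]["tags"].update(a["tags"])
        if a.get("request"):
            summary[a["ip"]]["statuses"].append(a["request"]["status"])
    return dict(summary)
```

The matched request supplies what the PHPIDS entry alone lacks (response status, user agent, full path), which is the complementary information the abstract refers to.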
