Hyperion: A Visual Analytics Tool for an Intrusion Detection and Prevention System

Intrusion detection and prevention systems (IDPSs) are at the core of protecting an enterprise’s network. In general, IDPSs use pre-defined rules to detect potential attacks. As the size of an organization grows and new types of intrusions appear, the quantity and complexity of the rules also increase. Moreover, IDPSs generate an overwhelming number of logs that are challenging to handle and analyze. For a more effective and integrative analysis and management of the rules and logs, we propose a novel visual analytics tool, Hyperion. Hyperion interactively visualizes rules to help users understand how the IDPS rules are managed and applied to the enterprise’s network entities. Hyperion also provides effective visualizations to enable users to visually analyze the type, period, traffic, and frequency of attacks in addition to a traditional count-based timeline visualization. Finally, Hyperion enables users to interactively simulate the effect of a change in parameters of a detection rule. These features can help streamline the security control cycle consisting of rule application, information collection, log analysis, and rule revision.
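The abstract describes two of Hyperion's analyses in the abstract: a count-based timeline of alerts broken down by attack type and period, and a simulation of what changes when a detection rule's parameters change. The following Python is an added example that is not Hyperion's code or part of the paper; it parses a constructed Snort-style "fast" alert log (placeholder SIDs 1000001/1000002, documentation IP ranges and invented timestamps), buckets alerts by type and 5-minute period, and models a per-source "count N in M seconds" threshold so that a rule revision can be evaluated against already collected logs before it is deployed. The threshold semantics (sliding window per source that resets after firing) are an assumption modelled loosely on Snort's threshold options, not a reproduction of Hyperion's simulator.

```python
"""Count-based alert timeline and rule-parameter simulation over IDS alerts.

Added example, not Hyperion's code. Input is a constructed Snort-style
"fast" alert log with placeholder SIDs, addresses and timestamps.
"""
import re
from collections import Counter, defaultdict
from datetime import timedelta, datetime

# Constructed sample log. SIDs, hosts and times are fictional; one garbage
# line is included to show that the parser skips what it cannot read.
SAMPLE_LOG = """\
03/14-10:00:01.000000  [**] [1:1000001:1] SCAN SSH brute-force attempt [**] [Priority: 2] {TCP} 198.51.100.7:40212 -> 192.0.2.10:22
03/14-10:00:05.000000  [**] [1:1000001:1] SCAN SSH brute-force attempt [**] [Priority: 2] {TCP} 198.51.100.7:40213 -> 192.0.2.10:22
03/14-10:00:09.000000  [**] [1:1000001:1] SCAN SSH brute-force attempt [**] [Priority: 2] {TCP} 198.51.100.7:40214 -> 192.0.2.10:22
03/14-10:00:20.000000  [**] [1:1000001:1] SCAN SSH brute-force attempt [**] [Priority: 2] {TCP} 198.51.100.7:40215 -> 192.0.2.10:22
03/14-10:01:30.000000  [**] [1:1000001:1] SCAN SSH brute-force attempt [**] [Priority: 2] {TCP} 198.51.100.7:40216 -> 192.0.2.10:22
this line is truncated garbage that the parser must skip
03/14-10:06:00.000000  [**] [1:1000001:1] SCAN SSH brute-force attempt [**] [Priority: 2] {TCP} 203.0.113.5:51000 -> 192.0.2.10:22
03/14-10:06:02.000000  [**] [1:1000001:1] SCAN SSH brute-force attempt [**] [Priority: 2] {TCP} 203.0.113.5:51001 -> 192.0.2.10:22
03/14-10:07:10.000000  [**] [1:1000002:1] WEB-APP suspicious query string [**] [Priority: 1] {TCP} 203.0.113.5:51002 -> 192.0.2.20:80
"""

# Snort "fast" format: no year in the timestamp, so parsed datetimes carry
# strptime's default year; only differences between timestamps matter here.
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d)\.\d+\s+\[\*\*\]\s+\[(?P<sid>\d+:\d+:\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+\[Priority:\s*(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_alerts(text):
    """Parse fast-format lines into dicts; unparseable lines are dropped."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if not m:
            continue
        a = m.groupdict()
        a["ts"] = datetime.strptime(a["ts"], "%m/%d-%H:%M:%S")
        a["prio"] = int(a["prio"])
        alerts.append(a)
    return alerts


def timeline(alerts, bucket_minutes=5):
    """Count-based timeline: (period label, attack type) -> alert count."""
    counts = Counter()
    for a in alerts:
        b = a["ts"].replace(second=0, microsecond=0)
        b = b.replace(minute=b.minute - b.minute % bucket_minutes)
        counts[(b.strftime("%H:%M"), a["msg"])] += 1
    return counts


def simulate_threshold(alerts, msg, count, seconds):
    """Replay alerts for `msg` against a per-source threshold: fire when
    `count` alerts from one source fall inside `seconds`, then reset that
    source's window. Returns the (src, time) events that would have fired,
    so two parameter choices can be compared on the same log."""
    windows = defaultdict(list)
    fired = []
    for a in sorted(alerts, key=lambda x: x["ts"]):
        if a["msg"] != msg:
            continue
        w = windows[a["src"]]
        w.append(a["ts"])
        cutoff = a["ts"] - timedelta(seconds=seconds)
        while w and w[0] < cutoff:      # drop alerts that left the window
            w.pop(0)
        if len(w) >= count:
            fired.append((a["src"], a["ts"]))
            w.clear()                   # reset after firing
    return fired


if __name__ == "__main__":
    alerts = parse_alerts(SAMPLE_LOG)
    for (period, msg), n in sorted(timeline(alerts).items()):
        print(f"{period} {msg:<35} {n}")
    rule = "SCAN SSH brute-force attempt"
    for count, seconds in [(3, 60), (2, 60), (5, 120), (5, 60)]:
        hits = simulate_threshold(alerts, rule, count, seconds)
        print(f"count={count} seconds={seconds}: {len(hits)} threshold event(s)")
```

Running the block prints the per-period counts and then the number of threshold events for four parameter settings on the same log: the sample shows that loosening `count` from 3 to 2 triples the events, while widening `seconds` from 60 to 120 at `count=5` turns a silent rule into one that fires, which is exactly the before-and-after comparison a rule revision step needs.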
