Understanding the context of network traffic alerts

For the protection of critical infrastructures against complex attacks, automated network traffic analysis and deep packet inspection are unavoidable. However, even with network intrusion detection systems in place, the number of alerts is still too large to analyze manually. In addition, domain-specific multi-stage attacks (e.g., Advanced Persistent Threats) are typically not captured by a single alert. The result is that security experts are overloaded with low-level technical alerts in which they must look for the traces of an APT. In this paper we propose an alert-oriented visual analytics approach for the exploration of network traffic content in multiple contexts. In our approach CoNTA (Contextual analysis of Network Traffic Alerts), experts are supported in discovering threats in large alert collections through interactive exploration using selections and attributes of interest. Tight integration between machine learning and visualization enables experts to quickly drill down into the alert collection and to report false alerts back to the intrusion detection system. Finally, we show the effectiveness of the approach by applying it to real-world and artificial data sets.
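The workflow the abstract sketches (make a selection over the alert collection, find the attributes of interest that characterize it, drill down, and report false alerts back to the IDS) is illustrated below as an added Python example. It is not the paper's code: the alert schema, the constructed sample alerts, the "lift" score used to rank attributes, and the Snort-style suppress syntax are all assumptions chosen to make the steps concrete, not the method the paper implements.

```python
"""Alert-oriented contextual analysis over a small IDS alert collection.

Added example, not code from the paper: the alert schema, the sample alerts
and the 'lift' ranking of attributes of interest are assumptions chosen to
illustrate the workflow (select -> rank attributes -> drill down -> feed
false alerts back), not the method the paper implements.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Alert:
    sid: int          # IDS signature id that fired
    src: str          # source host
    dst: str          # destination host
    dport: int        # destination port
    proto: str        # transport protocol
    payload_kw: str   # keyword extracted from the inspected payload


# Constructed sample collection (not real traffic). One suspicious host,
# 10.0.0.5, touches a PLC (port 502), SMB (445) and DNS (53); two other
# hosts trigger a noisy web signature (sid 2004) that turns out to be benign.
ALERTS: List[Alert] = [
    Alert(2001, "10.0.0.5", "10.0.1.20", 502, "tcp", "write_coil"),
    Alert(2001, "10.0.0.5", "10.0.1.21", 502, "tcp", "write_coil"),
    Alert(2001, "10.0.0.7", "10.0.1.20", 502, "tcp", "read_coil"),
    Alert(2002, "10.0.0.5", "10.0.1.20", 445, "tcp", "smb_tree_connect"),
    Alert(2002, "10.0.0.9", "10.0.1.30", 445, "tcp", "smb_tree_connect"),
    Alert(2003, "10.0.0.9", "10.0.1.30", 53, "udp", "txt_query"),
    Alert(2003, "10.0.0.9", "10.0.1.31", 53, "udp", "txt_query"),
    Alert(2003, "10.0.0.5", "10.0.1.30", 53, "udp", "txt_query"),
    Alert(2004, "10.0.0.11", "10.0.1.40", 80, "tcp", "get_index"),
    Alert(2004, "10.0.0.12", "10.0.1.40", 80, "tcp", "get_index"),
]
ATTRIBUTES = ("sid", "src", "dst", "dport", "proto", "payload_kw")


def select(alerts: Iterable[Alert], attr: str, value) -> List[Alert]:
    """A selection: the alerts whose attribute `attr` equals `value`."""
    return [a for a in alerts if getattr(a, attr) == value]


def attributes_of_interest(selection, collection, exclude=(), min_support=2):
    """Rank (attribute, value) pairs by lift = P(value | selection) / P(value | collection).

    A lift well above 1 means the selected alerts share this value far more
    often than the collection as a whole does, so it is a context worth
    drilling into. `min_support` drops values seen only once, whose lift is
    noise. Returns a list of (lift, attribute, value), best first.
    """
    n_sel, n_all = len(selection), len(collection)
    ranked: List[Tuple[float, str, object]] = []
    for attr in ATTRIBUTES:
        if attr in exclude:
            continue
        sel_dist = Counter(getattr(a, attr) for a in selection)
        all_dist = Counter(getattr(a, attr) for a in collection)
        for value, cnt in sel_dist.items():
            if cnt < min_support:
                continue
            lift = (cnt / n_sel) / (all_dist[value] / n_all)
            ranked.append((lift, attr, value))
    # Highest lift first; ties broken by attribute name, then value.
    ranked.sort(key=lambda t: (-t[0], t[1], str(t[2])))
    return ranked


def suppress_rules(false_alerts: Iterable[Alert], gen_id: int = 1) -> List[str]:
    """Feed alerts judged false back to the IDS as suppression entries.

    Assumes a Snort-style threshold.conf 'suppress' syntax (an assumption;
    adapt to your IDS). One entry per (signature, source host) keeps the
    suppression narrow instead of silencing the signature everywhere.
    """
    pairs = sorted({(a.sid, a.src) for a in false_alerts})
    return [f"suppress gen_id {gen_id}, sig_id {sid}, track by_src, ip {src}"
            for sid, src in pairs]


if __name__ == "__main__":
    sel = select(ALERTS, "src", "10.0.0.5")
    for lift, attr, value in attributes_of_interest(sel, ALERTS, exclude=("src",)):
        print(f"{attr}={value}: lift {lift:.2f}")
    # Drill down on the top-ranked context.
    drill = select(sel, "payload_kw", "write_coil")
    print(f"{len(drill)} alerts in the write_coil context")
    # Mark the web-scan alerts as false and emit the feedback for the IDS.
    for rule in suppress_rules(select(ALERTS, "sid", 2004)):
        print(rule)
```

Selecting the suspicious host excludes `src` from the ranking, since the selection attribute itself is trivially over-represented; the top context that comes out is `payload_kw=write_coil`, the PLC write commands, which is what an analyst would drill into first.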
