Visualisation for Intrusion Detection Hooking the Worm

Even though intrusion detection systems have been studied for a number of years several problems remain; chiefly low detection rates and high false alarm rates. Instead of building automated alarms that trigger when a computer security violation takes place, we propose to visualise the state of the computer system such that the operator himself can determine whether a violation has taken place. In effect replacing the “burglar alarm” with a “security camera”. In order to illustrate the use of visualisation for intrusion detection purposes, we applied a trellis plot of parallel coordinate visualisations to the log of a small personal web server. The intent was to find patterns of malicious activity from so called worms, and to be able to distinguish between them and benign traffic. Several such patterns were found, including one that was unknown at the time to the security community at large.

[1]  Richard Braithwaite The pubstro phenomenon : Robin Hoods of the internet , 2003 .

[2]  Stefan Axelsson,et al.  The base-rate fallacy and the difficulty of intrusion detection , 2000, TSEC.

[3]  Deborah A. Frincke,et al.  Intrusion and Misuse Detection in Large-Scale Systems , 2002, IEEE Computer Graphics and Applications.

[4]  Alfred Inselberg,et al.  Multidimensional detective , 1997, Proceedings of VIZ '97: Visualization Conference, Information Visualization Symposium and Parallel Rendering Symposium.

[5]  Charles P. Pfleeger,et al.  Security in computing , 1988 .

[6]  Ben Shneiderman,et al.  Readings in information visualization - using vision to think , 1999 .

[7]  Kwan-Liu Ma,et al.  Case study: Interactive visualization for Internet security , 2002, IEEE Visualization, 2002. VIS 2002..

[8]  Marc Dacier,et al.  Towards a taxonomy of intrusion-detection systems , 1999, Comput. Networks.

[9]  D. Frincke,et al.  A Visual Mathematical Model for Intrusion Detection , 1998 .

[10]  Dan Schnackenberg,et al.  Statistical approaches to DDoS attack detection and response , 2003, Proceedings DARPA Information Survivability Conference and Exposition.