A real-time visualization framework for IDS alerts

Network security relies heavily on automated Intrusion Detection Systems (IDS) to detect malicious activity. Unfortunately, an IDS typically produces both a large volume of raw data and a large number of false-positive alerts. Information visualization research has aimed to help users discover and analyze information efficiently through visual exploration. Even with the aid of visualization, identifying attack patterns and separating false positives from a large number of alerts remain challenging. In this paper, we present a novel visualization framework for IDS alerts that monitors the network and presents an overall view of the security situation using a radial graph in real time. The framework uses five categories of entropy functions to quantify irregular behavioral patterns, and combines interaction, filtering and drill-down to detect potential intrusions. Finally, we describe how the framework was used to analyze the mini-challenges of the 2011 and 2012 VAST Challenge.
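
The entropy analysis described above, as an added illustration that is not code from the paper: it computes the normalized Shannon entropy of five alert attributes per fixed time window and labels windows whose entropy profile is skewed (one source hitting many ports, or many sources hitting one service). The choice of the five attributes (source IP, destination IP, protocol, destination port, signature), the 60 s window, the thresholds and the sample alerts are all assumptions made for this example; the page does not list the paper's five entropy categories.

```python
"""Per-window entropy profiles over IDS alert attributes (added example, not the paper's code)."""
import math
from collections import Counter, defaultdict

# Constructed sample alerts (not real data):
# (timestamp_s, src_ip, dst_ip, protocol, dst_port, signature)
SAMPLE_ALERTS = [
    # window 0 (0-59 s): routine background alerts, diverse on every attribute
    (5,  "10.0.0.11", "10.0.1.5",  "tcp", 80,  "WEB-MISC"),
    (12, "10.0.0.12", "10.0.1.6",  "tcp", 443, "SSL-ANOMALY"),
    (20, "10.0.0.13", "10.0.1.7",  "tcp", 22,  "SSH-BRUTE"),
    (33, "10.0.0.14", "10.0.1.8",  "tcp", 25,  "SMTP-RELAY"),
    (45, "10.0.0.15", "10.0.1.9",  "udp", 53,  "DNS-TUNNEL"),
    (58, "10.0.0.16", "10.0.1.10", "tcp", 80,  "WEB-MISC"),
    # window 1 (60-119 s): one source probing many ports on one host
    *[(60 + i, "10.0.0.99", "10.0.1.5", "tcp", p, "PORTSCAN")
      for i, p in enumerate([21, 22, 23, 25, 80, 110, 143, 443])],
    # window 2 (120-179 s): many sources hammering one SSH service
    *[(120 + i, f"10.0.0.{200 + i}", "10.0.1.5", "tcp", 22, "SSH-BRUTE")
      for i in range(8)],
]

# Assumed attribute set; the paper's five entropy categories are not given on the page.
ATTRIBUTES = ("src_ip", "dst_ip", "protocol", "dst_port", "signature")


def shannon_entropy(values):
    """Normalized Shannon entropy of a sequence, in [0, 1].
    1.0 means every observation is distinct; 0.0 means a single repeated value."""
    n = len(values)
    if n <= 1:
        return 0.0
    counts = Counter(values)
    h = -sum((c / n) * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)  # log2(n) is the maximum entropy for n observations


def window_profiles(alerts, window_s=60):
    """Group alerts into fixed windows and compute the entropy of each attribute per window."""
    buckets = defaultdict(list)
    for ts, *fields in alerts:
        buckets[ts // window_s].append(dict(zip(ATTRIBUTES, fields)))
    return {
        w: {attr: shannon_entropy([a[attr] for a in rows]) for attr in ATTRIBUTES}
        for w, rows in sorted(buckets.items())
    }


def classify(profile, low=0.2, high=0.8):
    """Map an entropy profile to a coarse behavioural label (thresholds are assumed)."""
    if profile["src_ip"] <= low and profile["dst_port"] >= high:
        return "port scan: one source, many ports"
    if (profile["src_ip"] >= high and profile["dst_ip"] <= low
            and profile["dst_port"] <= low):
        return "distributed attack: many sources, one service"
    return "normal"


def analyze(alerts, window_s=60):
    """Return (window_index, label, entropy_profile) for every window in the alert stream."""
    return [(w, classify(p), p) for w, p in window_profiles(alerts, window_s).items()]


if __name__ == "__main__":
    for w, label, p in analyze(SAMPLE_ALERTS):
        print(w, label, {k: round(v, 2) for k, v in p.items()})
```

The normalization by log2(n) makes windows of different alert counts comparable; without it a busy window would always look "more random" than a quiet one. In a real deployment the thresholds would be learned from a baseline period rather than fixed, and the profile would feed the radial view rather than a printed label.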
