Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection


Item-based Visualization from Intrusion Detection
Penny Rheingans, Anita Komlodi, John Pinkston, Andrew Sears, and Jeff Undercoffer
University of Maryland Baltimore County

Abstract:

The current practice of most operational intrusion detection systems, when encountering a suspect event, is to produce an alert while simultaneously recording the data that caused the alert. The responsibility for determining the accuracy of the alert then falls on the shoulders of an analyst, who must manually evaluate the alert data in order to make a determination. Unfortunately, most systems exhibit exceedingly high false positive rates, making the number of items to be examined truly daunting. We believe that visualization tools and techniques can be used to increase the effectiveness of intrusion detection analysts by helping them distinguish between truly suspicious activity and false alerts. Furthermore, we believe that a visualization system structured around showing items of interest as glyphs, rather than the more traditional network view, has the potential to foster discoveries that remain hidden in views based on network connectivity.

We have developed a prototype for the glyph-based visualization of items of interest in the detection of computer intrusions. Items are shown as glyphs using a 3D scatterplot metaphor. Relevant items might be network packets, sessions, descriptions of system state, or alerts generated by an intrusion detection system. Each item has data attributes (date, source and destination IP addresses, length, flags, severity, etc.) which may be mapped to visual attributes (position, color, opacity, shape, etc.). Visualization of items of interest can draw attention to those items of greatest concern and/or group items by similarity. Users can interactively manipulate the way in which data attributes are mapped to visual attributes, as well as filter items by value. Since the particular mappings used can have a great impact on how effectively the resulting visualization highlights a particular similarity, we are developing a set of mapping templates targeted at particular exploration tasks. We have used the prototype to visualize items which represent network sessions and SNORT alerts. We are in the process of conducting a usability study to evaluate the usefulness of our approach.
