Workshop on Statistical and Machine
Improving Intrusion Analysis Effectiveness
Dr. Rob Erbacher

Abstract: The volume of data available to the analyst for the forensic analysis of an intrusion or other form of successful attack is enormous. Analyzing the raw textual data would clearly be prohibitive, since a networked environment generates tens of thousands of log messages a day. In complex cases, where events must be correlated both temporally and spatially, the task is daunting. Many techniques are applicable to aid the analyst, including data mining, machine learning, and visualization; currently, no single technique suffices on its own for forensic analysis. Consequently, this paper discusses our research towards the development of visualization techniques to aid the analysis process. These techniques are geared towards the incorporation of all available intrusion detection and analysis data, including both the original log data and the results of other intrusion detection and analysis tools. Incorporating all results into a single environment greatly increases the analyst's effectiveness, reducing the time lost examining false positives and allowing identification of true anomalies, their sources, and their impact. Our visualization techniques are designed around a glyph-based metaphor that allows many data parameters to be mapped to various visual attributes, so that enormous numbers of characteristics can be represented and distinguished simultaneously. In conjunction with the glyph-based visual displays, we incorporate extensive interaction and feedback paradigms. These paradigms form the basis of an exploratory data analysis environment which allows the analyst to quickly explore and comprehend detailed characteristics of the data.
This rapid comprehension is critical to ensuring that the analyst's time is allocated most effectively, by identifying behavioral characteristics of ongoing activity that are indicative of the type and goals of that activity.
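As an added illustration of the glyph-based metaphor described above (example code written for this page, not code from the paper or its authors), the following Python sketch fuses constructed log lines and constructed alerts from a hypothetical detector into per-host, per-time-window glyph descriptors, mapping event count, dominant protocol, detector severity and deny ratio to size, shape, color and opacity. The log line format, the 10-minute bucket width, the palette and the attribute assignments are all assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample input: firewall-style log lines (assumed format).
LOG_LINES = [
    "2004-03-01T10:00:05 10.0.0.5 -> 10.0.0.20 tcp/22 accept",
    "2004-03-01T10:00:09 10.0.0.5 -> 10.0.0.20 tcp/22 accept",
    "2004-03-01T10:03:41 10.0.0.5 -> 10.0.0.21 tcp/445 deny",
    "2004-03-01T10:04:02 10.0.0.5 -> 10.0.0.22 tcp/445 deny",
    "2004-03-01T10:31:17 10.0.0.9 -> 10.0.0.20 udp/53 accept",
]
# Constructed results of a hypothetical detector: (timestamp, source host, severity 1-5).
ALERTS = [("2004-03-01T10:03:50", "10.0.0.5", 3)]
SHAPE_BY_PROTO = {"tcp": "square", "udp": "circle"}   # assumed shape mapping
PALETTE = {0: "grey", 1: "blue", 2: "green", 3: "yellow", 4: "orange", 5: "red"}
BUCKET_MINUTES = 10                                    # assumed temporal window

@dataclass
class Glyph:
    source: str      # spatial key: originating host
    bucket: str      # temporal key: start of the time window
    size: int        # number of log events in the window
    shape: str       # dominant transport protocol
    color: str       # highest detector severity in the window, grey if unflagged
    opacity: float   # share of events the log marked as denied

def time_bucket(ts: str) -> str:
    """Floor an ISO timestamp to the start of its BUCKET_MINUTES window."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=t.minute - t.minute % BUCKET_MINUTES, second=0).isoformat()

def build_glyphs(log_lines, alerts):
    """Correlate raw log events and detector alerts by (host, window) into glyphs."""
    groups = defaultdict(list)
    for line in log_lines:
        ts, src, _, dst, svc, action = line.split()
        groups[(src, time_bucket(ts))].append((svc.split("/")[0], action))
    severity = defaultdict(int)
    for ts, src, sev in alerts:
        key = (src, time_bucket(ts))
        severity[key] = max(severity[key], sev)
    glyphs = []
    for (src, bucket), events in sorted(groups.items()):
        protos = [p for p, _ in events]
        dominant = max(set(protos), key=protos.count)
        denied = sum(1 for _, a in events if a == "deny") / len(events)
        glyphs.append(Glyph(src, bucket, len(events), SHAPE_BY_PROTO[dominant],
                            PALETTE[severity[(src, bucket)]], round(denied, 2)))
    return glyphs
```

Each returned Glyph carries the fused attributes a renderer would draw, so the flagged host stands out by color while its scanning-like deny ratio shows as opacity in the same symbol.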