3.1.3 Statistical Visualization for Managing Network Intrusion and Anomaly Detection
David L. Banks, Mark Levenson Statistical Engineering Division, ITL
John Cugini, Joseph Konczal, Sharon Laskowski Information Access and User Interfaces Division, ITL
Donald Marks Computer Security Division, ITL

Experts in computer security are concerned with the need for intrusion/anomaly detection, and a number of automated system monitors are under development. Most of this research has not yet been informed by the results of NIST's work in the Information Exploration Shoot-Out, which used system audit logs with known intrusions as the testbed for a comparison of visualization-based data-mining methods. Our project is to develop an interactive visualization tool that acts as a post-processor for the output of an automated system monitor, thereby presenting the system manager with information on threat levels and system anomalies in a more directly interpretable way. Also, the tool will enable managers to take direct action in response to a threat, or access information useful in evaluating an apparent threat. The Information Security Systems Company (ISS) has provided support for this research, as has DARPA and Roy Maxion's Harbinger Project at the School of Computer Science, Carnegie Mellon University. Our interactive visualization tool is called NAIVE, for Network Anomaly/Intrusion Visualization and Exploration. The tool has two versions; one is appropriate for maintaining security in small local area networks, and the other is scalable to address the needs of very large systems. NAIVE is being designed to ensure platform-independence. The development platform is a Unix workstation; software is written using Tcl/Tk, a portable user-interface environment, and the visualization is being accomplished with OpenGL, a portable graphics library.
An example prototype has been built using DARPA's Common Detection Intrusion Framework. It presents real-time intrusion data visually as a graph. Nodes represent terminals, and edges represent links between terminals. The edges carry color-coded information about the transmission of secure files, atypical usage patterns, and other performance anomalies. By clicking on an edge, the display can indicate which ports are involved in the transmission, along with other detailed information.
Figure 3: This figure shows a screendump of the NAIVE system, using simulated data to show threat levels and traffic on a small local area network. The colors of the edges show the level of threat, and their width indicates the volume of traffic. The colors of the nodes indicate categories of user.
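The following is an added example, not code from the NIST report or from the NAIVE tool itself, showing in Python (rather than the Tcl/Tk used by NAIVE) how a post-processor can turn monitor output into the graph model described above: terminals become nodes, connections are aggregated into edges, the monitor's threat score selects the edge color, traffic volume sets the edge width, and a per-edge lookup returns the ports involved, as a click on an edge would. The connection records, the threat-score field, the color thresholds and the user categories are all constructed assumptions for illustration.

```python
"""
Added example (not part of the NIST report or the NAIVE tool): a small
post-processor that aggregates monitor output into the node/edge model
the report describes. Records, threat scores, color thresholds and user
categories below are constructed assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample of monitor output, one record per observed connection.
# Assumed fields: source host, destination host, destination port,
# bytes transferred, and the monitor's threat score (0.0 = benign, 1.0 = certain).
SAMPLE_RECORDS = [
    ("host-a", "host-b", 22, 4800, 0.1),
    ("host-a", "host-b", 22, 5200, 0.1),
    ("host-c", "host-b", 23, 900, 0.8),      # flagged by the monitor
    ("host-c", "host-b", 21, 120000, 0.6),
    ("host-d", "host-a", 80, 30000, 0.0),
]

# Assumed user category per terminal; the report colors nodes by category.
NODE_CATEGORY = {"host-a": "staff", "host-b": "server",
                 "host-c": "guest", "host-d": "staff"}
CATEGORY_COLOR = {"staff": "blue", "server": "gray", "guest": "orange"}


@dataclass
class Edge:
    """One undirected link between two terminals, aggregated over all records."""
    bytes_total: int = 0
    max_threat: float = 0.0
    # port -> bytes seen on that port, the detail revealed when the edge is clicked
    ports: dict = field(default_factory=lambda: defaultdict(int))


def build_graph(records):
    """Aggregate connection records into {(host1, host2): Edge}, keyed by unordered pair."""
    edges = {}
    for src, dst, port, nbytes, threat in records:
        key = tuple(sorted((src, dst)))
        edge = edges.setdefault(key, Edge())
        edge.bytes_total += nbytes
        edge.max_threat = max(edge.max_threat, threat)   # worst score wins
        edge.ports[port] += nbytes
    return edges


def threat_color(score):
    """Map the monitor's threat score to an edge color (thresholds are assumed)."""
    if score >= 0.7:
        return "red"
    if score >= 0.4:
        return "yellow"
    return "green"


def edge_width(bytes_total, max_bytes, min_px=1, max_px=8):
    """Scale traffic volume linearly to a line width in pixels."""
    if max_bytes == 0:
        return min_px
    return min_px + round((max_px - min_px) * bytes_total / max_bytes)


def render_spec(edges):
    """Drawing attributes per edge, as a Tk/OpenGL front end would consume them."""
    max_bytes = max((e.bytes_total for e in edges.values()), default=0)
    return {key: {"color": threat_color(e.max_threat),
                  "width": edge_width(e.bytes_total, max_bytes)}
            for key, e in edges.items()}


def edge_detail(edges, a, b):
    """What a click on an edge reveals: the ports involved, with bytes per port."""
    e = edges[tuple(sorted((a, b)))]
    return sorted(e.ports.items())


def node_color(host):
    """Node color from the terminal's user category."""
    return CATEGORY_COLOR[NODE_CATEGORY[host]]


if __name__ == "__main__":
    g = build_graph(SAMPLE_RECORDS)
    for key, attrs in render_spec(g).items():
        print(key, attrs, "ports:", edge_detail(g, *key))
```

Taking the maximum threat score per edge rather than the mean is a deliberate choice: a single flagged connection should not be hidden by a large volume of benign traffic on the same link, which is the case the edge width already conveys.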
Date created: 7/20/2001