David L. Banks, Mark Levenson
John Cugini, Joseph Konczal, Sharon Laskowski
Donald Marks, Peter Mell
The purpose of the NAIVE project is to help security officers and administrators visualize the output of intrusion detection (ID) systems. These ID systems monitor network traffic to flag known attack signatures or to discover odd behaviors that presage previously unknown attacks or malfunctions. Some ID systems are commercially successful, such as the RealSecure ID system sold by Internet Security Systems (ISS); others are research prototypes, such as Emerald at SRI or Harbinger at Carnegie Mellon University.
All current ID systems suffer from very high false alarm rates. These rates cannot be diminished without exposing users to unacceptable levels of risk (i.e., the current systems have hair triggers to ensure that an acceptably high percentage of intrusions are caught; dulling their sensitivity would open the door to subtle attacks). High false alarm rates erode the protection an ID system provides: security administrators are slow to respond, since responding has productivity costs, and/or they choose to blunt the sensitivity of the system to preclude hourly alerts. This solution is unacceptable in high-security environments, and undesirable in all others.
Our contribution to the solution of this problem is to harness visualization as a tool in assessing network threats. This allows humans to easily and speedily interpret ID system warnings, sorting the wheat from the chaff. In essence, this builds a human security officer's judgment into the ID system, creating a hybrid of human and automation that marries good judgment to real-time threat detection/response. Additionally, the visualization helps in post-mortems of successful hack attacks, and in improving and testing new ID systems.
The NAIVE visualization tool is designed to wrap most commercial and research ID systems. It provides dynamic visualization, with color-coded threats, playback capability, and details-on-demand for a range of threat situations.
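As an added illustration (not NAIVE's own code), the following toy model shows the three display features listed above: colour-coded threat levels per host, time-ordered playback, and details-on-demand. The alert records, their field layout and the 1-10 severity scale are constructed assumptions, not the format of any real ID system.

```python
"""Added example, not NAIVE project code: a minimal model of colour-coded
threat levels, playback and details-on-demand over ID system alerts.
The alert tuples below are constructed; their fields are assumptions."""
from collections import defaultdict

# Constructed sample alerts: (time in seconds, host, signature, severity 1-10).
SAMPLE_ALERTS = [
    (0, "10.0.0.5", "ICMP sweep", 2),
    (5, "10.0.0.5", "port scan", 4),
    (9, "10.0.0.7", "buffer overflow attempt", 9),
    (12, "10.0.0.5", "port scan", 4),
    (40, "10.0.0.7", "login failure", 3),
]

def severity_colour(level):
    """Map an assumed 1-10 severity onto the colour bands a display would use."""
    if level >= 8:
        return "red"
    if level >= 5:
        return "orange"
    if level >= 3:
        return "yellow"
    return "green"

def host_threat_levels(alerts, now, window=30):
    """Per-host threat level = highest severity seen in the last `window` seconds.
    Older alerts age out, so a host's colour decays once its traffic quiets."""
    levels = defaultdict(int)
    for t, host, _sig, sev in alerts:
        if now - window < t <= now:
            levels[host] = max(levels[host], sev)
    return dict(levels)

def playback(alerts, step, window=30):
    """Replay alerts in time order, yielding (time, {host: colour}) frames
    every `step` seconds, as a playback control would redraw the network."""
    ordered = sorted(alerts)
    end = ordered[-1][0]
    t = 0
    while t <= end:
        lv = host_threat_levels(ordered, t, window)
        yield t, {h: severity_colour(s) for h, s in lv.items()}
        t += step

def details_on_demand(alerts, host, now, window=30):
    """The alerts behind a host's current colour, most severe first."""
    recent = [a for a in alerts if a[1] == host and now - window < a[0] <= now]
    return sorted(recent, key=lambda a: -a[3])
```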
Detailed specification of the NAIVE system, as well as a demo and tarfiles, are available at http://zing.ncsl.nist.gov/naive/.
Figure 1: This figure shows a screendump of the NAIVE system, using simulated data to show threat levels and traffic on a small local area network. Color indicates the severity of the threat.
Date created: 7/20/2001