
CSE CST Visualization Techniques for Intrusion Detection Steven Johnston Communications Security Establishment William Wright Oculus Info Inc. Workshop.


Slide 1: CSE CST Visualization Techniques for Intrusion Detection
Steven Johnston, Communications Security Establishment
William Wright, Oculus Info Inc.
Workshop on Statistical and Machine Learning Techniques in Computer Intrusion Detection, June 11 – 13, 2002, Johns Hopkins University

Slide 2: Outline
- Intrusion detection issues
- Using visualization as a solution
- Current visualization tools developed
- Future development of visualization in intrusion detection

Slide 3: Intrusion Detection Issues
- Large amounts of IDS data
- Bad “signal/noise” ratio on most un-tuned IDS
  Example raw alarm records (one record per line):
  630443,2001-12-29 00:00:05,"SNMP_Suspicious_Get",17,1025,161,"1025","SNMP",-815068385,-815007770,"207.107.11.31","207.107.247.230","","","",2,False,"00:05:32:02:DD:EC","","00:00:0C:05:D0:43","",0,"",5,"207.107.11.12",False,0,000000000009A8E2
  630444,2001-12-29 00:00:10,"PingFlood",1,0,0,"","",-829255711,-815068333,"206.146.143.225","207.107.11.83","","Echo Request","None",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E3
  630445,2001-12-29 00:00:29,"PingFlood",1,0,0,"","",1072699914,-815068333,"63.240.26.10","207.107.11.83","","Echo Request","None",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E4
  630446,2001-12-29 00:00:38,"HTTP_ActiveX",6,80,1545,"HTTP","1545",-825489548,-815068285,"206.204.7.116","207.107.11.131","","","",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E5

Slide 4: Intrusion Detection Issues
- If alarms are removed, harmful events may slip through unnoticed
- Event correlation (IDS, routers, firewalls)
- Reporting incidents to senior management or other non-experts
- Advances in technology and increases in network capacity are a mixed blessing
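The points on slides 3 and 4 (noisy raw alarm records, and the risk of simply deleting alarms to cut the noise) can be made concrete with a small parser for records in the layout shown on slide 3. The following is an added example, not code from the presentation or from either author's tools. It embeds the four sample rows from slide 3 as constructed input; the column positions (source/destination port, the two signed 32-bit address columns and their dotted-quad copies, the sensor address) are an assumption inferred from those four rows, since the slide does not document the format. The triage step labels noisy signatures as low priority rather than dropping them, and keeps an alarm at "review" when the same source has also triggered a different signature.

```python
import csv
import io
import socket
import struct
from collections import Counter, defaultdict

# Constructed sample input: the four alarm rows from slide 3, one record per line.
SAMPLE_ALARMS = """\
630443,2001-12-29 00:00:05,"SNMP_Suspicious_Get",17,1025,161,"1025","SNMP",-815068385,-815007770,"207.107.11.31","207.107.247.230","","","",2,False,"00:05:32:02:DD:EC","","00:00:0C:05:D0:43","",0,"",5,"207.107.11.12",False,0,000000000009A8E2
630444,2001-12-29 00:00:10,"PingFlood",1,0,0,"","",-829255711,-815068333,"206.146.143.225","207.107.11.83","","Echo Request","None",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E3
630445,2001-12-29 00:00:29,"PingFlood",1,0,0,"","",1072699914,-815068333,"63.240.26.10","207.107.11.83","","Echo Request","None",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E4
630446,2001-12-29 00:00:38,"HTTP_ActiveX",6,80,1545,"HTTP","1545",-825489548,-815068285,"206.204.7.116","207.107.11.131","","","",1,False,"00:00:0C:05:D0:43","","00:05:32:02:DD:EC","",0,"",0,"207.107.11.12",False,0,000000000009A8E5
"""

# Assumed column positions, inferred from the sample rows (the slide gives no header).
COL_ID, COL_TIME, COL_SIG, COL_PROTO = 0, 1, 2, 3
COL_SRC_PORT, COL_DST_PORT = 4, 5
COL_SRC_INT, COL_DST_INT, COL_SRC_IP, COL_DST_IP = 8, 9, 10, 11
COL_SENSOR = 24

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}


def int32_to_ip(value: int) -> str:
    """Decode an address stored as a signed 32-bit big-endian integer to dotted-quad."""
    return socket.inet_ntoa(struct.pack(">i", value))


def parse_alarms(text: str) -> list:
    """Parse alarm rows into dicts, checking that the integer and dotted address columns agree."""
    alarms = []
    for row in csv.reader(io.StringIO(text)):
        if not row:
            continue
        src_ip = int32_to_ip(int(row[COL_SRC_INT]))
        dst_ip = int32_to_ip(int(row[COL_DST_INT]))
        if src_ip != row[COL_SRC_IP] or dst_ip != row[COL_DST_IP]:
            raise ValueError(f"address columns disagree in alarm {row[COL_ID]}")
        alarms.append({
            "id": int(row[COL_ID]),
            "time": row[COL_TIME],
            "signature": row[COL_SIG],
            "proto": PROTO_NAMES.get(int(row[COL_PROTO]), row[COL_PROTO]),
            "src": (src_ip, int(row[COL_SRC_PORT])),
            "dst": (dst_ip, int(row[COL_DST_PORT])),
            "sensor": row[COL_SENSOR],
        })
    return alarms


def signature_counts(alarms: list) -> Counter:
    """How many alarms each signature produced: the raw material for a signal/noise view."""
    return Counter(a["signature"] for a in alarms)


def triage(alarms: list, noisy_signatures: set) -> list:
    """Label alarms instead of deleting them.

    A noisy signature is marked 'low' only when its source address has fired nothing
    else; any other alarm from the same source keeps it at 'review', so a real event
    hidden among routine noise is not silently discarded (the slide 4 concern).
    """
    sigs_by_src = defaultdict(set)
    for a in alarms:
        sigs_by_src[a["src"][0]].add(a["signature"])
    labelled = []
    for a in alarms:
        noisy = a["signature"] in noisy_signatures
        other = sigs_by_src[a["src"][0]] - {a["signature"]}
        priority = "low" if noisy and not other else "review"
        labelled.append({**a, "priority": priority})
    return labelled


def priority_summary(labelled: list) -> dict:
    """Count alarms per priority label; nothing is removed, only re-ranked."""
    return dict(Counter(a["priority"] for a in labelled))


if __name__ == "__main__":
    parsed = parse_alarms(SAMPLE_ALARMS)
    print(signature_counts(parsed))
    # Treat PingFlood as known noise on this sensor (an assumed tuning decision).
    for a in triage(parsed, {"PingFlood"}):
        print(a["id"], a["time"], a["priority"], a["signature"], a["proto"], a["src"], "->", a["dst"])
    print(priority_summary(triage(parsed, {"PingFlood"})))
```

The address check in parse_alarms is the kind of sanity test worth keeping when a feed carries the same value in two encodings: if the two columns ever disagree, the record (or the parser's column assumptions) is wrong and should be looked at before anything is charted.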

Slide 5: Visualization as a Solution
- Allows people to see and comprehend large amounts of complex data in a short period of time
- Helps the analyst to identify significant incidents and reduce time wasted with false positives
- Facilitates explanation of incidents to a broader, non-expert audience
- Provides the ability to cue the analyst through the use of colour, shape, patterns, or motion

Slide 6: Visualization Tool Development
- Two graphical applications have been developed for evaluation
  - Intrusion Detection Analyst Workbench
  - Animated Incident Explanation Engine
- Both display data visually, but currently have two distinct audiences

Slide 7: Intrusion Detection Analyst Workbench
- More than two million events can be displayed and analyzed in multiple concurrent dynamic charts
- Each chart is linked, allowing the analyst to select something in one chart and have the relevant details highlighted in the other charts

Slide 8: Intrusion Detection Analyst Workbench
- Assists in isolating, investigating and prioritizing events
- Evaluated side-by-side with traditional methods and proved to be significantly faster and easier
- Runs on the commercial off-the-shelf Advizor™ product

Slide 9: Intrusion Detection Analyst Workbench - Demo

Slide 10: Animated Incident Explanation Engine
- Designed to show the significance and nature of the events without overwhelming the viewer
- Easy to see who did what to whom, and when
- Excellent for explaining concepts to non-experts

Slide 11: Animated Incident Explanation Engine - Demo

Slide 12: Future Developments
- Expansion and integration of the two current tools
- Anomaly detection capability through the use of network traffic data along with fused IDS alarms
- Integrated time-based comparisons
- Overlaying analytical methods and results

Slide 13: Conclusions
- Visualization has proved to be an effective analyst’s tool
- Complex information is easily understood by non-experts
- More development and research needed

Slide 14: Questions?
To contact us:
- Steven Johnston, Communications Security Establishment: steven.johnston@cse-cst.gc.ca
- William Wright, Oculus Info Inc.: bill.wright@oculusinfo.com

