Вы находитесь на странице: 1из 17

IDS RainStorm: Visualizing

IDS Alarms
Kulsoom Abdullah, Chris Lee, Gregory Conti,
John A. Copeland, John Stasko

Introduction
Alarm logs are smaller than network traffic capture logs but
still large and time consuming to go through.
Many alarms are generated as real attacks progress
increasing the log size and redundant information.
Information visualization techniques used in network
security research have initial success and future promise.
Text logs and machine learning algorithms are
complemented and information is represented more
densely.
2

Georgia Tech Network


Campus population: 15,000
undergraduate and graduate
students, approximately 5,000
staff and faculty.

Total Data Processed: 4 terabytes


each day.

Networked systems:
30,000-35,000
IP Addresses: 2.5 Class B
distributed across 69 individual
departments and various
buildings.
Throughput: Two OC-12's and
one OC-48 connected to the
Internet with an average
throughput of 600Mbps.

Office of Information Technology


(OIT) at Georgia Tech
They maintain the campus network and the Internet
links connecting the campus to the Internet.
They monitor and secure the network.
Also technical and educational support is provided.
Each academic dept. has Computer Support
Representatives (CSR).
They work with OIT to maintain and protect their
respective network.
4

User Interviews
OIT sysadmins were interviewed to find out:
How they monitor alarms.
Browsing through text alarm log is usually the method.
Calibrating IDS with visual components is time consuming.
What they look for to identify potential anomalies
Location of high-priority alarms
Quantity and pattern of alarms
What a particular host provides.
This motivated the design of the system.
5

Alarms with StealthWatch


The Stealthwatch IDS is anomaly based IDS and
one of the security appliances used at Georgia
Tech.
Alarms that were generated on the perimeter of
the network were used.
About 7,000-10,000 alarms are generated from
this sensor each day.
~40,000 alarms are generated each day from all
campus sensors.
6

Alarm Parameters
Alarm types: 33 definitions.
These can be adjusted and threshold values changed by
administrators for a network.
Time: recorded as an alarm is generated.
This helps determine temporal position among the rest
of the alarms and can help find patterns.
IP Addresses: Victim internal IP address of the alarm is
given, and/or an external IP depending on the alarm type.
7

System Design

Main view

Zoom view

20 IPs represented on
each line
2.5 Class B addresses
plotted along 8
vertical axis.
24 hours of alarms
shown
Color represents
severity
The most severe alarm
is shown when multiple
alerts occupy the same
pixel.
9

Interaction Techniques
Glossing:popup box when mouseover the
alarm in zoom view.
Gets semantic detail.
Filtering: focus on alarm color.
Reduces unneeded info. in the view.
Panning: Click and drag mouse in the
overview, panning movement seen in
zoom view.
Useful for when anomalous behavior
could be targeting internal IPs that are
spread across the logical space.
10

demo

Examples

11

Worm

2x zoom

Watch port active alarms in


dorm space. Port watch was
on a known exploit.

12

Botnet

Time pattern similar


for 2 consecutive days

Cluster of watch host active


alarms seen. Watch host was an
external IP known to install bots
on the network

13

Result Summary
This tool is not a complete solution. It can be
used with other IDS tools, signature and anomaly
based.
It adds human analysis which can notice activity
that machine learning algorithms might not, since
network traffic is dynamic by nature.
If alarm count were much higher, more difficult to
notice anomaly on initial glances--need more
interaction.
14

Current and Future Work


Further detailed user study based on current
system.
Visually encoding other alarm parameters.
More filtering (queries on host, alarm type).
Pivoting axis.
15

Acknowledgements
OIT - for giving us the dataset and discussions
with them to motivate the design.
The reviewers comments which helped to improve
the paper.
Lancope (www.lancope.com) for sponsoring the
project.
Dr. Raheem Beyah, Georgia State University.
16

For feedback & more info


Email:kulsoom@gatech.edu
Centers webpage:www.csc.gatech.edu
Personal webpage: users.ece.gatech.edu/~kulsoom
Thanks for coming

17