
IDS RainStorm: Visualizing IDS Alarms

Kulsoom Abdullah, Chris Lee, Gregory Conti, John A. Copeland, John Stasko

Alarm logs are smaller than network traffic capture logs, but still large and time consuming to go through.
Many alarms are generated as real attacks progress, increasing the log size and the amount of redundant information.
Information visualization techniques used in network security research have had initial success and show future promise.
Text logs and machine learning algorithms are complemented and information is represented more

Georgia Tech Network

Campus population: 15,000 undergraduate and graduate students, approximately 5,000 staff and faculty.
Total Data Processed: 4 terabytes each day.
Networked systems:
IP Addresses: 2.5 Class B distributed across 69 individual departments and various
Throughput: Two OC-12's and one OC-48 connected to the Internet with an average throughput of 600Mbps.

Office of Information Technology (OIT) at Georgia Tech

They maintain the campus network and the Internet links connecting the campus to the Internet.
They monitor and secure the network.
Technical and educational support is also provided.
Each academic dept. has Computer Support Representatives (CSRs).
They work with OIT to maintain and protect their respective networks.

User Interviews
OIT sysadmins were interviewed to find out:
How they monitor alarms.
Browsing through the text alarm log is usually the method.
Calibrating the IDS with visual components is time consuming.
What they look for to identify potential anomalies:
Location of high-priority alarms.
Quantity and pattern of alarms.
What a particular host provides.
This motivated the design of the system.

Alarms with StealthWatch

The StealthWatch IDS is an anomaly-based IDS and one of the security appliances used at Georgia
Alarms that were generated on the perimeter of the network were used.
About 7,000-10,000 alarms are generated from this sensor each day.
~40,000 alarms are generated each day from all campus sensors.

Alarm Parameters
Alarm types: 33 definitions. These can be adjusted and threshold values changed by administrators for a network.
Time: recorded as an alarm is generated. This helps determine temporal position among the rest of the alarms and can help find patterns.
IP Addresses: the victim internal IP address of the alarm is given, and/or an external IP depending on the alarm type.

System Design

Main view and zoom view:
20 IPs represented on each line.
2.5 Class B addresses plotted along 8 vertical axes.
24 hours of alarms.
Color represents
The most severe alarm is shown when multiple alerts occupy the same
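As an added worked example (not the paper's code), the address-to-pixel mapping the slide describes: 2.5 Class B ranges, 20 addresses per row, 8 vertical axes, 24 hours along the x axis, and the most severe alarm kept where several land on one pixel. The address blocks, canvas width, severity ranking and sample alarms are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import IPv4Address, IPv4Network

# Constructed layout constants (not the paper's real address blocks or canvas size).
# 2.5 Class B = 163,840 addresses; 20 per row -> 8,192 rows; over 8 axes -> 1,024 rows each.
BLOCKS = [IPv4Network("10.0.0.0/16"), IPv4Network("10.1.0.0/16"), IPv4Network("10.2.0.0/17")]
IPS_PER_ROW, AXES, COLUMNS = 20, 8, 24 * 60  # one pixel column per minute (assumed width)
ROWS_PER_AXIS = sum(n.num_addresses for n in BLOCKS) // IPS_PER_ROW // AXES  # 1024
SEVERITY = {"low": 1, "medium": 2, "high": 3}  # assumed ranking used to resolve collisions
@dataclass(frozen=True)
class Alarm:
    time: datetime
    victim_ip: str  # internal victim IP from the alarm record
    alarm_type: str
    severity: str

def ip_offset(ip):
    """Linear index of an address across the concatenated monitored blocks, else None."""
    addr, base = IPv4Address(ip), 0
    for net in BLOCKS:
        if addr in net:
            return base + int(addr) - int(net.network_address)
        base += net.num_addresses
    return None

def plot_position(alarm, day_start):
    """Map one alarm to (axis, x, y): x is time of day, y the 20-address row on that axis."""
    off = ip_offset(alarm.victim_ip)
    minute = int((alarm.time - day_start) / timedelta(minutes=1))
    if off is None or not 0 <= minute < 24 * 60:
        return None  # external victim, or outside the plotted day
    axis, y = divmod(off // IPS_PER_ROW, ROWS_PER_AXIS)
    return axis, minute * COLUMNS // (24 * 60), y

def render(alarms, day_start):
    """Bucket alarms per pixel; where several collide, keep only the most severe one."""
    pixels = {}
    for a in alarms:
        pos = plot_position(a, day_start)
        if pos is not None and (pos not in pixels or SEVERITY[a.severity] > SEVERITY[pixels[pos].severity]):
            pixels[pos] = a
    return pixels
DAY = datetime(2005, 1, 1)  # constructed sample: two alarms share a pixel, one victim is external
SAMPLE = [Alarm(DAY + timedelta(hours=13, minutes=37), "10.0.0.25", "Watch Port Active", "medium"),
          Alarm(DAY + timedelta(hours=13, minutes=37), "10.0.0.30", "Watch Host Active", "high"),
          Alarm(DAY + timedelta(hours=2), "10.2.0.5", "Watch Port Active", "low"),
          Alarm(DAY + timedelta(hours=5), "192.0.2.9", "Watch Host Active", "low")]
```

Addresses 10.0.0.25 and 10.0.0.30 fall on the same 20-address row at the same minute, so only the high-severity alarm survives in the rendered pixel map; the external victim is dropped before plotting.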

Interaction Techniques
Glossing: a popup box appears when the mouse hovers over an alarm in the zoom view. Gets semantic detail.
Filtering: focus on alarm color. Reduces unneeded info. in the view.
Panning: click and drag the mouse in the overview; the panning movement is seen in the zoom view. Useful when anomalous behavior could be targeting internal IPs that are spread across the logical space.

[Figure: annotated 2x zoom view]
Watch port active alarms in dorm space. Port watch was on a known exploit.
Time pattern similar for 2 consecutive days.
Cluster of watch host active alarms seen. Watch host was an external IP known to install bots on the network.


Result Summary
This tool is not a complete solution. It can be used with other IDS tools, signature and anomaly
It adds human analysis, which can notice activity that machine learning algorithms might not, since network traffic is dynamic by nature.
If the alarm count were much higher, it would be more difficult to notice an anomaly on initial glances--need more

Current and Future Work

Further detailed user study based on current
Visually encoding other alarm parameters.
More filtering (queries on host, alarm type).
Pivoting axis.

OIT - for giving us the dataset and discussions with them to motivate the design.
The reviewers' comments, which helped to improve the paper.
Lancope (www.lancope.com) for sponsoring the
Dr. Raheem Beyah, Georgia State University.

For feedback & more info

Center's webpage: www.csc.gatech.edu
Personal webpage: users.ece.gatech.edu/~kulsoom
Thanks for coming