IDS RainStorm: Visualizing IDS Alarms
Kulsoom Abdullah, Chris Lee, Gregory Conti, John A. Copeland, John Stasko
Introduction
Alarm logs are smaller than network traffic capture logs, but they are still large and time consuming to go through. Many alarms are generated as a real attack progresses, which increases the log size and adds redundant information. Information visualization techniques used in network security research have had initial success and show future promise: they complement text logs and machine learning algorithms, and they represent the information more densely.
Georgia Tech Network
Campus population: 15,000 undergraduate and graduate students, approximately 5,000 staff and faculty. Total data processed: 4 terabytes each day. Networked systems: 30,000-35,000. IP addresses: 2.5 Class B blocks distributed across 69 individual departments and various buildings. Throughput: two OC-12s and one OC-48 connected to the Internet, with an average throughput of 600 Mbps.
Office of Information Technology (OIT) at Georgia Tech
OIT maintains the campus network and the Internet links connecting the campus to the Internet. It monitors and secures the network, and also provides technical and educational support. Each academic department has Computer Support Representatives (CSRs), who work with OIT to maintain and protect their respective networks.
User Interviews
OIT sysadmins were interviewed to find out how they monitor alarms and what they look for to identify potential anomalies. Browsing through the text alarm log is the usual monitoring method; calibrating an IDS with visual components is time consuming. To identify anomalies they look at the location of high-priority alarms, the quantity and pattern of alarms, and what a particular host provides. This motivated the design of the system.
Alarms with StealthWatch
The StealthWatch IDS is an anomaly-based IDS and one of the security appliances used at Georgia Tech. Alarms generated on the perimeter of the network were used. About 7,000-10,000 alarms are generated by this sensor each day; about 40,000 alarms are generated each day from all campus sensors.
Alarm Parameters
Alarm types: 33 definitions. These can be adjusted, and their threshold values changed, by the administrators of a network. Time: recorded as an alarm is generated. This determines the alarm's temporal position among the rest of the alarms and can help find patterns. IP addresses: the internal victim IP address of the alarm is given, and/or an external IP address depending on the alarm type.
System Design
[Figure: main view and zoom view of the system]
20 IPs are represented on each line. The 2.5 Class B address blocks are plotted along 8 vertical axes. 24 hours of alarms are shown. Color represents severity; the most severe alarm is shown when multiple alerts occupy the same pixel.
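The pixel mapping described on this slide, written out as an added example that is not IDS RainStorm's own code: it assumes a placeholder 10.0.0.0 base address for the 2.5 Class B block, a numeric severity ranking and a one-minute time resolution, none of which the slides specify.

```python
import ipaddress

# Constructed example, not the IDS RainStorm implementation. The address block,
# severity ranking and time resolution are assumptions for illustration only.
BASE = int(ipaddress.IPv4Address("10.0.0.0"))   # placeholder for the campus block
SPACE = int(2.5 * 65536)                          # 2.5 Class B addresses = 163,840 IPs
IPS_PER_ROW = 20                                  # 20 IPs per pixel row (from the slides)
AXES = 8                                          # 8 vertical axes (from the slides)
ROWS_PER_AXIS = SPACE // IPS_PER_ROW // AXES      # 1024 rows per axis
MINUTES_PER_PIXEL = 1                             # assumed: one pixel per minute over 24 h

SEVERITY = {"low": 1, "medium": 2, "high": 3}    # assumed ranking; higher wins a pixel


def pixel_for(ip, hhmm):
    """Map an internal victim IP and an HH:MM timestamp to (axis, row, column)."""
    offset = int(ipaddress.IPv4Address(ip)) - BASE
    if not 0 <= offset < SPACE:
        raise ValueError(f"{ip} is outside the monitored address space")
    row_global = offset // IPS_PER_ROW            # 20 consecutive IPs share a row
    axis, row = divmod(row_global, ROWS_PER_AXIS)  # rows wrap onto the next axis
    hour, minute = map(int, hhmm.split(":"))
    col = (hour * 60 + minute) // MINUTES_PER_PIXEL
    return axis, row, col


def render(alarms):
    """Bucket alarms by pixel, keeping only the most severe alarm in each pixel."""
    pixels = {}
    for ip, hhmm, alarm_type, sev in alarms:
        key = pixel_for(ip, hhmm)
        if key not in pixels or SEVERITY[sev] > SEVERITY[pixels[key][1]]:
            pixels[key] = (alarm_type, sev)
    return pixels


# Constructed alarm records: (victim IP, time, alarm type, severity)
SAMPLE = [
    ("10.0.0.5", "03:15", "watch port active", "medium"),
    ("10.0.0.9", "03:15", "watch host active", "high"),   # same pixel, more severe
    ("10.1.40.2", "03:15", "watch port active", "low"),
    ("10.2.0.1", "23:59", "watch host active", "high"),
]

if __name__ == "__main__":
    for (axis, row, col), (kind, sev) in sorted(render(SAMPLE).items()):
        print(f"axis {axis} row {row:4d} col {col:4d}: {kind} ({sev})")
```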
Interaction Techniques
Glossing: a popup box appears when the mouse hovers over an alarm in the zoom view, giving semantic detail. Filtering: focus on one alarm color, which reduces unneeded information in the view. Panning: click and drag the mouse in the overview, and the panning movement is seen in the zoom view. This is useful when anomalous behavior could be targeting internal IPs that are spread across the logical address space.
Examples
Worm (2x zoom)
Watch port active alarms in the dorm address space. The port watch was on a known exploit.
Botnet
The time pattern is similar for 2 consecutive days. A cluster of watch host active alarms is seen; the watched host was an external IP known to install bots on the network.
Result Summary
This tool is not a complete solution. It can be used with other IDS tools, both signature and anomaly based. It adds human analysis, which can notice activity that machine learning algorithms might miss, since network traffic is dynamic by nature. If the alarm count were much higher, it would be more difficult to notice an anomaly at an initial glance, and more interaction would be needed.
Current and Future Work
Further detailed user study based on the current system. Visually encoding other alarm parameters. More filtering (queries on host, alarm type). Pivoting axes.
Acknowledgements
OIT, for giving us the dataset and for the discussions that motivated the design. The reviewers' comments, which helped to improve the paper. Lancope (www.lancope.com) for sponsoring the project. Dr. Raheem Beyah, Georgia State University.
For feedback & more info
Email: kulsoom@gatech.edu
Center's webpage: www.csc.gatech.edu
Personal webpage: users.ece.gatech.edu/~kulsoom
Thanks for coming