IDS RainStorm: Visualizing IDS Alarms. Kulsoom Abdullah, Chris Lee, Gregory Conti, John A. Copeland, John Stasko


Introduction
- Alarm logs are smaller than network traffic capture logs but still large and time-consuming to go through.
- Many alarms are generated as real attacks progress, increasing the log size and the amount of redundant information.
- Information visualization techniques used in network security research have had initial success and show future promise.
- They complement text logs and machine learning algorithms, and represent information more densely.

Georgia Tech Network
- Campus population: 15,000 undergraduate and graduate students, approximately 5,000 staff and faculty.
- Total data processed: 4 terabytes each day.
- Networked systems: 30,000-35,000.
- IP addresses: 2.5 Class B, distributed across 69 individual departments and various buildings.
- Throughput: two OC-12s and one OC-48 connected to the Internet, with an average throughput of 600 Mbps.

Office of Information Technology (OIT) at Georgia Tech
- OIT maintains the campus network and the Internet links connecting the campus to the Internet.
- OIT monitors and secures the network, and also provides technical and educational support.
- Each academic department has Computer Support Representatives (CSRs), who work with OIT to maintain and protect their respective networks.

User Interviews
OIT sysadmins were interviewed to find out:
- How they monitor alarms. Browsing through the text alarm log is usually the method; calibrating the IDS with visual components is time-consuming.
- What they look for to identify potential anomalies: the location of high-priority alarms, the quantity and pattern of alarms, and what service a particular host provides.
This motivated the design of the system.

Alarms with StealthWatch
- The StealthWatch IDS is an anomaly-based IDS and one of the security appliances used at Georgia Tech.
- Alarms generated on the perimeter of the network were used.
- About 7,000-10,000 alarms are generated from this sensor each day; ~40,000 alarms are generated each day from all campus sensors.

Alarm Parameters
- Alarm types: 33 definitions. Administrators can adjust these and change their threshold values for a network.
- Time: recorded as an alarm is generated. This fixes the alarm's temporal position among the rest of the alarms and can help find patterns.
- IP addresses: the victim's internal IP address is given, and/or an external IP address, depending on the alarm type.

System Design
(Screenshots: main view and zoom view.)
- 20 IPs are represented on each line.
- The 2.5 Class B address space is plotted along 8 vertical axes.
- 24 hours of alarms are shown.
- Color represents severity; the most severe alarm is shown when multiple alarms occupy the same pixel.

Interaction Techniques
- Glossing: a popup box appears when the mouse is over an alarm in the zoom view, giving semantic detail.
- Filtering: focus on an alarm color, reducing unneeded information in the view.
- Panning: click and drag the mouse in the overview; the panning movement is seen in the zoom view (demo). Useful when anomalous behavior could be targeting internal IPs that are spread across the logical address space.
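The pixel mapping from the system design slide (20 IPs per line, 8 vertical axes, 24 hours, most severe alarm wins a shared pixel) and the severity filter and glossing popup from the interaction slide, as an added worked example. This is not code from the IDS RainStorm paper or from StealthWatch; the monitored address ranges (three private blocks standing in for "2.5 Class B"), the 1-4 severity scale, the Alarm record fields and the sample alarms are all assumptions constructed for the example.

```python
# Added example, not code from the IDS RainStorm paper or the StealthWatch product.
# It maps alarm records onto the pixel grid the slides describe (20 IPs per line,
# 8 vertical axes, 24 hours, most severe alarm wins a shared pixel) and applies the
# severity filter and glossing popup from the interaction slide.
# The address ranges, severity scale and Alarm fields are assumptions.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Tuple

# Constructed monitored space standing in for "2.5 Class B": 2.5 * 65536 = 163,840 addresses.
MONITORED = [IPv4Network("10.0.0.0/16"), IPv4Network("10.1.0.0/16"), IPv4Network("10.2.0.0/17")]
IPS_PER_LINE = 20   # slide: 20 IPs represented on each line
AXES = 8            # slide: addresses plotted along 8 vertical axes
HOURS = 24          # slide: 24 hours of alarms shown
TOTAL_LINES = sum(n.num_addresses for n in MONITORED) // IPS_PER_LINE  # 8192 lines
LINES_PER_AXIS = TOTAL_LINES // AXES                                    # 1024 rows per axis

Pixel = Tuple[int, int, int]  # (axis, row, hour)

@dataclass(frozen=True)
class Alarm:
    hour: int         # hour of day the alarm was generated, 0-23
    victim: str       # internal victim IP (slide: the alarm's victim internal IP address)
    alarm_type: str   # one of the StealthWatch alarm definitions
    severity: int     # assumed scale: 1 (low) .. 4 (high); this is what colour encodes

def address_offset(ip: str) -> int:
    """Position of ip within the concatenated monitored ranges, or -1 if it is outside them."""
    addr = IPv4Address(ip)
    base = 0
    for net in MONITORED:
        if addr in net:
            return base + (int(addr) - int(net.network_address))
        base += net.num_addresses
    return -1

def pixel_for(alarm: Alarm) -> Optional[Pixel]:
    """(axis, row, hour) of the pixel an alarm lands on; None when the victim is not monitored."""
    off = address_offset(alarm.victim)
    if off < 0:
        return None
    line = off // IPS_PER_LINE                      # which 20-address line
    return (line // LINES_PER_AXIS, line % LINES_PER_AXIS, alarm.hour)

def rasterize(alarms: List[Alarm], min_severity: int = 1) -> Dict[Pixel, int]:
    """Main view: pixel -> highest severity seen there. Alarms below min_severity are
    dropped first, which is the colour filter from the interaction slide."""
    grid: Dict[Pixel, int] = {}
    for a in alarms:
        if a.severity < min_severity:
            continue
        px = pixel_for(a)
        if px is None:
            continue
        grid[px] = max(grid.get(px, 0), a.severity)  # most severe alarm wins the pixel
    return grid

def gloss(alarms: List[Alarm], px: Pixel) -> List[Alarm]:
    """Glossing popup: every alarm hidden behind one pixel, most severe first."""
    return sorted((a for a in alarms if pixel_for(a) == px), key=lambda a: -a.severity)

# Constructed sample alarms. Two land on the same pixel (victims on the same 20-address
# line, same hour); one hits the last monitored address; one victim is outside the space.
SAMPLE = [
    Alarm(3, "10.0.0.5", "Watch Port Active", 3),
    Alarm(3, "10.0.0.9", "Watch Port Active", 4),      # same line as 10.0.0.5, higher severity
    Alarm(3, "10.0.0.21", "Watch Port Active", 1),     # next line, low severity
    Alarm(9, "10.2.127.255", "Watch Host Active", 2),  # last address: axis 7, row 1023
    Alarm(9, "192.0.2.7", "Watch Host Active", 4),     # not in the monitored space: not plotted
]

if __name__ == "__main__":
    for px, sev in sorted(rasterize(SAMPLE).items()):
        print(px, "severity", sev, [a.victim for a in gloss(SAMPLE, px)])
```

With the assumed ranges the arithmetic matches the slides: 163,840 addresses at 20 per line gives 8,192 lines, which is 1,024 rows on each of the 8 axes. The point worth noticing is the last sample alarm: a severity-4 alarm whose victim is outside the plotted space never reaches the grid at all, so an analyst relying on the main view alone would not see it; the glossing list is the only place the lower-severity alarm hidden behind a shared pixel is visible.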

Examples

Worm (2x zoom)
- Watch port active alarms in the dorm address space.
- The port watch was on a known exploit.

Botnet
- The time pattern is similar for 2 consecutive days.
- A cluster of watch host active alarms is seen. The watched host was an external IP known to install bots on the network.
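The two cues the worm and botnet slides rely on, one watched external host raising alarms against many internal victims and an hourly alarm pattern that repeats on consecutive days, can also be checked over the alarm log directly. The following is an added example, not code from the IDS RainStorm paper; the record layout, the cosine-similarity threshold, the minimum cluster size and every sample value are assumptions constructed for it.

```python
# Added example, not code from the IDS RainStorm paper. It automates the two cues the
# worm and botnet slides describe: a cluster of alarms from one watched external host
# against many internal victims, and an hourly alarm pattern that repeats on consecutive
# days. Record layout, thresholds and all sample values are assumptions.
from collections import Counter, defaultdict
from math import sqrt
from typing import Dict, List, Set, Tuple

# Constructed record layout: (day, hour, alarm_type, external_ip, internal_victim)
Record = Tuple[int, int, str, str, str]

def hourly_profile(records: List[Record], alarm_type: str, day: int) -> List[int]:
    """24-bin histogram of one alarm type on one day."""
    counts = Counter(h for d, h, t, _, _ in records if d == day and t == alarm_type)
    return [counts.get(h, 0) for h in range(24)]

def cosine(a: List[int], b: List[int]) -> float:
    """Cosine similarity of two histograms; 0.0 when either day has no alarms."""
    dot = sum(x * y for x, y in zip(a, b))
    na, nb = sqrt(sum(x * x for x in a)), sqrt(sum(y * y for y in b))
    return dot / (na * nb) if na and nb else 0.0

def compare_days(records: List[Record], alarm_type: str, day1: int, day2: int,
                 threshold: float = 0.9) -> Tuple[float, bool]:
    """Similarity of the two daily time patterns and whether it crosses the threshold."""
    sim = cosine(hourly_profile(records, alarm_type, day1),
                 hourly_profile(records, alarm_type, day2))
    return round(sim, 3), sim >= threshold

def watch_host_clusters(records: List[Record], min_victims: int = 3) -> Dict[str, Set[str]]:
    """External hosts whose 'Watch Host Active' alarms hit at least min_victims distinct internal IPs."""
    victims: Dict[str, Set[str]] = defaultdict(set)
    for _, _, t, ext, vic in records:
        if t == "Watch Host Active":
            victims[ext].add(vic)
    return {ext: v for ext, v in victims.items() if len(v) >= min_victims}

# Constructed sample: a watched external host hits several internal victims at the same
# hours on two days; the watch port alarms from a second host do not repeat in time.
SAMPLE_RECORDS: List[Record] = [
    (1, 2, "Watch Host Active", "198.51.100.9", "10.0.1.1"),
    (1, 3, "Watch Host Active", "198.51.100.9", "10.0.1.2"),
    (1, 3, "Watch Host Active", "198.51.100.9", "10.0.1.3"),
    (1, 4, "Watch Host Active", "198.51.100.9", "10.0.1.1"),
    (2, 2, "Watch Host Active", "198.51.100.9", "10.0.1.1"),
    (2, 3, "Watch Host Active", "198.51.100.9", "10.0.1.2"),
    (2, 3, "Watch Host Active", "198.51.100.9", "10.0.1.3"),
    (2, 3, "Watch Host Active", "198.51.100.9", "10.0.1.4"),
    (2, 4, "Watch Host Active", "198.51.100.9", "10.0.1.2"),
    (1, 12, "Watch Port Active", "203.0.113.5", "10.0.2.1"),
    (1, 13, "Watch Port Active", "203.0.113.5", "10.0.2.2"),
    (2, 1, "Watch Port Active", "203.0.113.5", "10.0.2.1"),
    (2, 2, "Watch Port Active", "203.0.113.5", "10.0.2.3"),
]

if __name__ == "__main__":
    for alarm_type in ("Watch Host Active", "Watch Port Active"):
        print(alarm_type, compare_days(SAMPLE_RECORDS, alarm_type, 1, 2))
    print(watch_host_clusters(SAMPLE_RECORDS))
```

The histogram comparison is deliberately coarse (hour bins, cosine similarity) because that is roughly the resolution at which the visualization itself exposes the pattern; it flags the watch host alarms as repeating (similarity 0.985 in the sample) and the watch port alarms as not. The cluster check is the textual counterpart of the visual cluster: it answers "how many distinct internal addresses has this watched host touched", which the slides note is what made the botnet activity stand out.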

Result Summary
- This tool is not a complete solution. It can be used alongside other IDS tools, both signature- and anomaly-based.
- It adds human analysis, which can notice activity that machine learning algorithms might miss, since network traffic is dynamic by nature.
- If the alarm count were much higher, anomalies would be more difficult to notice at first glance, and more interaction would be needed.

Current and Future Work
- A further, more detailed user study based on the current system.
- Visually encoding other alarm parameters.
- More filtering (queries on host, alarm type).
- Pivoting axes.

Acknowledgements
- OIT, for giving us the dataset and for the discussions that motivated the design.
- The reviewers, whose comments helped to improve the paper.
- Lancope (www.lancope.com), for sponsoring the project.
- Dr. Raheem Beyah, Georgia State University.

For feedback and more information
- Email: kulsoom@gatech.edu
- Center's webpage: www.csc.gatech.edu
- Personal webpage: users.ece.gatech.edu/~kulsoom
Thanks for coming.