Flexible Web Visualization for Alert-Based Network Security Analytics



Similar documents
Passive Logging. Intrusion Detection System (IDS): Software that automates this process

Situational Awareness Through Network Visualization

SAS BI Dashboard 4.3. User's Guide. SAS Documentation

XpoLog Center Suite Log Management & Analysis platform

AlienVault Unified Security Management (USM) 4.x-5.x. Deployment Planning Guide

SAS BI Dashboard 4.4. User's Guide Second Edition. SAS Documentation

Network Intrusion Analysis (Hands-on)

WebFOCUS InfoDiscovery

Improving the Database Logging Performance of the Snort Network Intrusion Detection Sensor

Intrusion Detection in AlienVault

Sisense. Product Highlights.

Monitoring Replication

NetFlow Tracker Overview. Mike McGrath x ccie CTO mike@crannog-software.com

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

NStreamAware: Real-Time Visual Analytics for Data Streams to Enhance Situational Awareness

Reporting Services. White Paper. Published: August 2007 Updated: July 2008

Enterprise Data Visualization and BI Dashboard

SAS BI Dashboard 3.1. User s Guide

DEPLOYMENT GUIDE Version 2.1. Deploying F5 with Microsoft SharePoint 2010

TIBCO Spotfire Business Author Essentials Quick Reference Guide. Table of contents:

Network Monitoring On Large Networks. Yao Chuan Han (TWCERT/CC)

Classic IOS Firewall using CBACs Cisco and/or its affiliates. All rights reserved. 1

How To Choose A Business Intelligence Toolkit

A Quantitative Approach to Security Monitor Deployment

Log Analysis: Overall Issues p. 1 Introduction p. 2 IT Budgets and Results: Leveraging OSS Solutions at Little Cost p. 2 Reporting Security

DRIVE-BY DOWNLOAD WHAT IS DRIVE-BY DOWNLOAD? A Typical Attack Scenario

Client Overview. Engagement Situation. Key Requirements

SQL Server Administrator Introduction - 3 Days Objectives

About this Getting Started Guide. Enabling Log Management... 2 Applying a License... 4 Using Log Management How to forward logs...

APPLICATION PROGRAMMING INTERFACE

TIBCO Spotfire Metrics Modeler User s Guide. Software Release 6.0 November 2013

Network visualization

Indexing Full Packet Capture Data With Flow

NVisionIP and VisFlowConnect-IP: Two Tools for Visualizing NetFlows for Security

AlienVault Unified Security Management Solution Complete. Simple. Affordable Life Cycle of a log

Snort Installation - Ubuntu FEUP. SSI - ProDEI Paulo Neto and Rui Chilro. December 7, 2010

BusinessObjects Enterprise InfoView User's Guide

Network Monitoring and Traffic CSTNET, CNIC

A Visualization Technique for Monitoring of Network Flow Data

System Status Monitoring Guide. McAfee Network Security Platform 6.1

TSM Studio Server User Guide

SonicWALL Global Management System Reporting Guide Standard Edition

Team Members: Christopher Copper Philip Eittreim Jeremiah Jekich Andrew Reisdorph. Client: Brian Krzys

A Review on Network Intrusion Detection System Using Open Source Snort

Volume SYSLOG JUNCTION. User s Guide. User s Guide

RAVEN, Network Security and Health for the Enterprise

Unit 3 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

FLOVIS: A NETWORK SECURITY VISUALIZATION FRAMEWORK

NetFlow Auditor Manual Getting Started

International Journal of Enterprise Computing and Business Systems ISSN (Online) :

Securing and Accelerating Databases In Minutes using GreenSQL

Cisco IPS Manager Express

PANDORA FMS NETWORK DEVICE MONITORING

UNMASKCONTENT: THE CASE STUDY

Connecting North Carolina s Future Today. Application Monitoring: ClassScape Case Study. NCSU Centennial Networking Lab

Hunting for the Undefined Threat: Advanced Analytics & Visualization

Web Traffic Capture Butler Street, Suite 200 Pittsburgh, PA (412)

SAS IT Resource Management 3.2

How To Protect Your Network From Intrusions From A Malicious Computer (Malware) With A Microsoft Network Security Platform)

Product Characteristics Page 2. Management & Administration Page 2. Real-Time Detections & Alerts Page 4. Video Search Page 6

Product Guide. Sawmill Analytics, Swindon SN4 9LZ UK tel:

Tableau Your Data! Wiley. with Tableau Software. the InterWorks Bl Team. Fast and Easy Visual Analysis. Daniel G. Murray and

PANDORA FMS NETWORK DEVICES MONITORING

Challenge 10 - Attack Visualization The Honeynet Project / Forensic Challenge 2011 /

XpoLog Center Suite Data Sheet

Visualization methods for patent data

System Specification. Author: CMU Team

EINTE LAB EXERCISES LAB EXERCISE #5 - SIP PROTOCOL

Web Analytics Understand your web visitors without web logs or page tags and keep all your data inside your firewall.

Contents. Platform Compatibility. GMS SonicWALL Global Management System 5.0

Analyzing Call Signaling

White Paper April 2006

VoIP Fraud and Misuse

First Line of Defense

5nine Security for Hyper-V Datacenter Edition. Version 3.0 Plugin for Microsoft System Center 2012 Virtual Machine Manager

graphical Systems for Website Design

WildFire Reporting. WildFire Administrator s Guide 55. Copyright Palo Alto Networks

Intrusion Detection System Based Network Using SNORT Signatures And WINPCAP

Applications. Network Application Performance Analysis. Laboratory. Objective. Overview

Graph Database Proof of Concept Report

SEMANTIC SECURITY ANALYSIS OF SCADA NETWORKS TO DETECT MALICIOUS CONTROL COMMANDS IN POWER GRID

Using Tableau Software with Hortonworks Data Platform

Innovative, High-Density, Massively Scalable Packet Capture and Cyber Analytics Cluster for Enterprise Customers

NVisionIP: An Interactive Network Flow Visualization Tool for Security

RingStor User Manual. Version 2.1 Last Update on September 17th, RingStor, Inc. 197 Route 18 South, Ste 3000 East Brunswick, NJ

Network Security Monitoring

Analyzing HTTP/HTTPS Traffic Logs

Unified Security Management (USM) 5.2 Vulnerability Assessment Guide

Intrusion Detection Systems (IDS)

Transcription:

Flexible Web Visualization for Alert-Based Network Security Analytics Lihua Hao 1, Christopher G. Healey 1, Steve E. Hutchinson 2 1 North Carolina State University, 2 U.S. Army Research Laboratory lhao2@ncsu.edu VizSec 13 October 14, 2013, Atlanta, GA, USA 1/16

Introduction Building a visualization tool for Army Research Laboratory (ARL) network security analysts Driven by analysts - Our approach does not focus explicitly on network security data, but rather on network security analysts - Don t fit our problem to your tool. Build a tool to fit our problem. We must balance 1. Meeting needs of the analysts. 2. Applying knowledge and best practices from visualization. 2/16

Design Constraints 1. Mental models - Fit the mental models the analysts use to investigate problems 2. Working environment - Integrate into the analyst s current working environment (web browser for ARL analysts) 3. Configurability - Static, pre-defined presentations of the data are typically not sufficient 4. Accessibility - The visualizations should be familiar to analysts, to avoid steep learning curves 5. Scalability - Support query and retrieval from large data sources 6. Integration - Augment the analyst s current problem-solving strategies with useful support 3/16

Existing Visualization Techniques Node-link graphs - Portall, HoNe, LinkRank Treemaps - NetVis, NFlowVis Timelines and Event Plots - Aggregate value over events - Capture patterns of individual events Basic Charts - Snorby, NVisionIP Zooming, Multivariate - NVisionIP: galaxy, small multiple, and machine views - VisFlowConnect: global, domain, internal, and host views 4/16

Data Management MySQL & PHP running on a remote server - Provide reasonable scalability, efficient data filtering and projection No pre-defined table formats - Analysts choose columns to visualize, define table correlations and data filtering - Provide flexibility and configurability Cache results of current query in memory - Generate queries to retrieve the new data on demand Full SQL is available on demand to the analyst - System suggests visualization with automatically generated SQL queries - Analysts can manually configure system suggestions 5/16

Web-Based Visualization ARL analysts work in a browser - Fit analysts working environment HTML5 canvas element - No external plug-ins required - Run in any modern web browser Use 2D charts - Common in other security visualization systems - Effective for presenting values, trends, patterns and relationships our analysts want to explore - Provides accessibility 6/16

Analyst-Driven Charts RGraph for basic chart visualizations - Open source library for visualization with 2D charts - Choose charts commonly used in network data visualization Assisted chart selection based on data and task (accessibility) - Pie/bar: proportion and frequency comparison - Bar: value comparison over a secondary attribute - Scatterplots: correlation between two attributes - Gantt: range value comparison Suggested chart properties - Backgrounds, grids, glyph size, color and type Free to change the initial choices 7/16

Interaction Intelligent zoom - Redraw chart to include only the selected chart elements - Rescale the visual attributes of chart elements Tooltips for value query - Display the exact attribute values encoded in a chart element - Provide access to quantitative data on demand Toolbars - Customize glyph size, color, size - Change chart title, size, label width, and so on 8/16

Correlated Views A sequence of visualizations to track an ongoing investigation - Correlate multiple data sources - Explore data at multiple levels of details Correlated charts - Select sub-regions of a chart as input for a following-on, correlated chart - Generate constraints to extract data of interest - Add additional constraints, tables, or attributes to generate a new chart Raw data spreadsheets for value examination - Text-based examination: a conventional approach - Fit the analyst s working environment, mental models 9/16

Trap Data Need real world data to test the system For security reasons, not possible to use data from ARL for testing The trap server - Data collected by network security researchers at NCSU - Real world network traffic in Computer Science building - Transmitted to a Snort sensor to perform: (1) intrusion detection and (2) extraction of network packets - Stores two types of data: (1) NetFlow data and (2) Snort alerts An example file for 24 hours of data - 17.4GB of packet headers - 938K unique source IPs, 168K unique destination IPs - 1.6M flows with 615K alerts 10/16

Example Tables Tables queried in the visualization - event: alert signature id and timestamp - flows: network flow sources and destination IP, port, start and end time - iphdr: source and destination IP and other information of packet headers - tcphdr: TCP related information such as source and destination port One of our research colleagues acted as the analyst in our scenario 11/16

Aggregate Alerts on Destination IPs Visualize number of alerts for each destination IP Pie chart, proportion of alerts by destination IP Bar chart, absolute numbers of alerts by destination IP The majority of the alerts are sent to destination IP 172.16.79.134 Sub Canvas in the tooltip to create correlated chart for target destination IP 12/16

Focus on High-Alert Destination IP Focus on the destination IP with the maximum number of alerts (i.e., 172.16.79.134) Scatterplot of an analyst-chosen source IP versus the target destination IP and port Sizes of scatterplot glyphs indicate number of alerts from the source to the destination/port Analyst requests a text table detailing the exact IPs, ports, and alert counts Most alerts are sent to port 21 (894 alerts), so follow-on analysis will focus on this port 13/16

NetFlows for Target Destination IP and port Visualize netflow traffic related to the target destination IP on port 21 Zoom to examine details in left and right flow clusters Right flow contains only one alert, does not look suspicious Most alerts happened in left flow, may contain attack Analyst decides to perform further analysis of traffic associated with left flow - E.g., include more tables and attributes to perform deeper analysis Flows are distributed over two time ranges Majority of alerts occur in left flow. Look suspicious Right flow has single alert 14/16

Summarization of the Example Major steps supported by our visualization tool: - High level aggregation to highlight destination IPs with numerous alerts - Scatterplots to examine relationship between source IP and suspicious destination IP s ports - Correlated netflow visualization to examine timeline of alerts - Further analysis will focus on traffic related with the left flow Analysts focus on the data they are interested in at a given point in an investigation Easy to request follow-on visualizations and modify them to pursue new hypotheses and investigate new findings as they are uncovered 15/16

Future work Analysis Sandbox - Individual analyses can be performed, stored, reviewed and compared - Improve an analyst s working memory capacity Analysis Preferences - Track an analyst s actions to better anticipate their strategies for specific types of tasks - Use preference elicitation algorithms to track an analyst s interest within a visualization session Real-world Validation - Not allowed to speak directly with the analysts - Coordinate with IT staffs who support the analysts 16/16

Contact Information Christopher G. Healey Department of Computer Science North Carolina State University healey@ncsu.edu Special Thanks Peng Ning, CS Department, NC State University Doug Reeves, CS Department, NC State University Cliff Wang, Army Research Office 17/16

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information