Using Time Series 3D AlertGraph and False Alert Classification to Analyse Snort Alerts

  • Shahrulniza Musa
  • David J. Parish
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5210)

Abstract

A top-level overview of Snort alerts using a 3D visualisation and alert classification is discussed. This paper describes the top-level view (time series 3D AlertGraph) with the integration of alert classification to visualise Snort alerts. The advantages of using this view are: (1) it summarises the alerts into different colours to indicate the quantity of alerts from (SRCIP, DPORT) pairs; (2) it uses alert classification to highlight the true alerts; (3) through interaction tools, the alerts can be highlighted according to source IP, destination IP or destination port; (4) a large number of alerts can be viewed in a single display; and (5) temporal characteristics of attacks can be discovered.
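As an added illustration of points (1) to (3), not code from the paper: Snort fast-format alert lines are binned into (time bin, SRCIP, DPORT) cells, each cell receives a colour band from its alert count, and a pluggable classifier flags the cells that contain a true alert so they can be highlighted or selected by source IP, destination IP or destination port. The sample lines, the colour thresholds, the year supplied to the parser and the `is_true_alert` stand-in for the paper's classifier are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Snort "fast"-format alert lines (not the paper's data); SIDs are placeholders.
SAMPLE_ALERTS = """\
03/02-10:00:01.000000  [**] [1:1000001:1] LOCAL probe A [**] [Priority: 2] {TCP} 10.1.1.5:40001 -> 192.168.0.10:22
03/02-10:00:07.000000  [**] [1:1000001:1] LOCAL probe A [**] [Priority: 2] {TCP} 10.1.1.5:40002 -> 192.168.0.11:22
03/02-10:00:45.000000  [**] [1:1000001:1] LOCAL probe A [**] [Priority: 2] {TCP} 10.1.1.5:40003 -> 192.168.0.12:22
03/02-10:00:50.000000  [**] [1:1000002:1] LOCAL probe B [**] [Priority: 3] {TCP} 10.1.1.9:51000 -> 192.168.0.10:80
03/02-10:01:10.000000  [**] [1:1000001:1] LOCAL probe A [**] [Priority: 2] {TCP} 10.1.1.5:40004 -> 192.168.0.13:22
"""
ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+(?P<msg>.*?)\s+\[\*\*\]"
    r".*?\{\w+\}\s+(?P<src>[\d.]+):\d+\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_alert(line, year=2000):
    """Parse one fast-format line; the year is absent from the line, so it is supplied (assumed)."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
    return {"ts": ts, "sid": m["sid"], "msg": m["msg"], "src": m["src"],
            "dst": m["dst"], "dport": int(m["dport"])}

def colour_band(count):
    """Count-to-colour scale for a cell; the thresholds are assumed, not the paper's."""
    return "red" if count >= 10 else "orange" if count >= 3 else "yellow" if count >= 2 else "green"

def build_alertgraph(lines, bin_seconds=60, is_true_alert=lambda a: False):
    """Aggregate alerts into (time-bin, SRCIP, DPORT) cells as the 3D AlertGraph does;
    is_true_alert stands in for the paper's classifier and flags cells to highlight."""
    cells = defaultdict(lambda: {"count": 0, "true": False, "dsts": set()})
    for a in filter(None, map(parse_alert, lines)):
        origin = datetime(a["ts"].year, 1, 1)
        secs = int((a["ts"] - origin).total_seconds())
        bin_start = (origin + timedelta(seconds=secs - secs % bin_seconds)).isoformat()
        cell = cells[(bin_start, a["src"], a["dport"])]
        cell["count"] += 1
        cell["dsts"].add(a["dst"])
        cell["true"] = cell["true"] or is_true_alert(a)
    for cell in cells.values():
        cell["colour"] = colour_band(cell["count"])
    return dict(cells)

def select(graph, src=None, dst=None, dport=None):
    """Interaction-tool analogue: cell keys matching a source IP, destination IP or port."""
    return sorted(k for k, c in graph.items() if (src is None or k[1] == src)
                  and (dport is None or k[2] == dport) and (dst is None or dst in c["dsts"]))
```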

Keywords

machine learning, alert visualization, network security, information visualization, alert classification

Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Shahrulniza Musa (1)
  • David J. Parish (2)
  1. Malaysian Institute of Information Technology, University Kuala Lumpur, Kuala Lumpur
  2. Electronic and Electrical Eng. Dept., Loughborough University, Loughborough, U.K.