Information Visualization for an Intrusion Detection System
Ching-Lung Fu, James Blustein, Daniel Silver


DESCRIPTION

Information Visualization for an Intrusion Detection System. Ching-Lung Fu, James Blustein, Daniel Silver. Overview. Research objective: explore and discover factors for building a better network-based IDS. Initial stage of our research: shortcomings of IDS; spatial hypertext / visualization. PowerPoint PPT presentation.

TRANSCRIPT

Page 1: Information Visualization for an Intrusion Detection System

Information Visualization for an Intrusion Detection System

Ching-Lung Fu
James Blustein
Daniel Silver

Page 2: Information Visualization for an Intrusion Detection System

Overview

Research Objective: explore / discover factors for building a better IDS (network based)
Initial stage of our research
Shortcomings of IDS
Spatial Hypertext / visualization
ML & UM + IDS + SH
Recent Update
Revisit the IDS users

Page 3: Information Visualization for an Intrusion Detection System

Problem Source

Rule based IDS
resulting in a network too restricted to be used, or an IDS vulnerable to new types of attacks
Machine Learning based IDS, high errors
Training data imbalance: available "real-attack" training examples are scarce
A machine learning algorithm needs to "see" enough examples to generalize to "unseen" future examples
Ambiguous data
Could a human expert do better?
Current machine learning algorithms cannot generalize better than humans

Page 4: Information Visualization for an Intrusion Detection System

Problem Source

High false detections
Preventing immediate response to the real attacks
User's trust
Unusable IDS
Most system admins now attend to the problem after the attack or after the damage has been done.
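The two problems on these slides (scarce real-attack examples and high false detections) compound each other: when attacks are rare, even a detector with a small false-positive rate floods the operator with false alerts, while plain accuracy still looks excellent. The following is an added example, not part of the original slides; the traffic volume, attack rate and detector error rates are constructed for illustration.

```python
"""Why scarce attack examples plus a modest false-positive rate make an
IDS untrusted. Constructed numbers; not measurements from the slides."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Detector:
    """Error profile of a network IDS on one event (e.g. one flow)."""
    name: str
    true_positive_rate: float   # P(alert | attack)
    false_positive_rate: float  # P(alert | benign)


def alert_breakdown(det: Detector, events: int, attack_fraction: float):
    """Expected alert counts for `events` flows, of which `attack_fraction`
    are real attacks. Returns (true_alerts, false_alerts, missed, precision)."""
    attacks = events * attack_fraction
    benign = events - attacks
    true_alerts = attacks * det.true_positive_rate
    false_alerts = benign * det.false_positive_rate
    missed = attacks - true_alerts
    total = true_alerts + false_alerts
    precision = true_alerts / total if total else 0.0
    return true_alerts, false_alerts, missed, precision


def accuracy(det: Detector, attack_fraction: float) -> float:
    """Plain accuracy, the metric that hides the imbalance problem: a
    detector that never alerts scores 1 - attack_fraction."""
    return (attack_fraction * det.true_positive_rate
            + (1 - attack_fraction) * (1 - det.false_positive_rate))


# Constructed scenario: one day of 1,000,000 flows, 1 in 10,000 is an attack.
EVENTS = 1_000_000
ATTACK_FRACTION = 1e-4

SILENT = Detector("never alerts", 0.0, 0.0)       # useless, yet 99.99% accurate
LEARNED = Detector("ML classifier", 0.95, 0.01)   # looks good on a balanced test set

if __name__ == "__main__":
    for det in (SILENT, LEARNED):
        ta, fa, miss, prec = alert_breakdown(det, EVENTS, ATTACK_FRACTION)
        print(f"{det.name:14s} accuracy={accuracy(det, ATTACK_FRACTION):.4%} "
              f"true alerts={ta:.0f} false alerts={fa:.0f} "
              f"missed={miss:.0f} precision={prec:.2%}")
```

With these inputs the learned detector raises about 10,000 alerts per day of which only 95 are real, so fewer than 1% of alerts merit a response; the silent detector is "more accurate" but catches nothing.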

Page 5: Information Visualization for an Intrusion Detection System

Alternative IDS

Reduce the dependence on the detection mechanism
Visual intelligence
harnessing human abilities
keeps humans "in the loop"
contributing judgment and sharing some responsibility
personal involvement & empowerment

Page 6: Information Visualization for an Intrusion Detection System

Alternative IDS

A visualization + machine learning tool could provide the answer

Page 7: Information Visualization for an Intrusion Detection System

SH as a visualization mechanism

Information Triage
What is Spatial Hypertext (SH)?
Graphic workspace with freely manipulable objects.
Relationships represented by color, proximity, alignment, containment, etc.
Ambiguity & implicitness
Examples in the next few pages

Page 8: Information Visualization for an Intrusion Detection System

SH – example 1

Page 9: Information Visualization for an Intrusion Detection System

Page 10: Information Visualization for an Intrusion Detection System

Power of Visualization example 2

Page 11: Information Visualization for an Intrusion Detection System

An on-line example

http://www.hivegroup.com/salesforce.html

Page 12: Information Visualization for an Intrusion Detection System

SH as a visualization mechanism - continued

Emerging information
Humans have excellent visual intelligence
Able to contain a lot of information
Please see my poster for a new developing framework

Page 13: Information Visualization for an Intrusion Detection System

Challenges

The information visualization cannot be effective if the machine learning components cannot deliver accurate information
The publicly available testing datasets are not good enough
Data ambiguity always exists
The ML algorithms are not the bottleneck, feature extraction processes are
The ML algorithms may be used to "mine" the features used directly by visualization tools; human eyes detect the anomalies

Page 14: Information Visualization for an Intrusion Detection System

Revisit the IDS users

Most of them still rely on primitive tools
IDS are not trusted at all
Response to problems only after complaints have been made
Many organizations refuse the visit as they do not have an IDS — "Security through obscurity"
Some organizations simply unplug the important system from the network to avoid unnecessary exposure

Page 15: Information Visualization for an Intrusion Detection System

Conclusion

Improve current ML based IDS as a component
Data Mining on features for information visualization
Spatial Hypertext – a hybrid approach in which information visualization complements the IDS

Page 16: Information Visualization for an Intrusion Detection System

Questions?

Ching-Lung Fu
Dalhousie Computer Science

<[email protected]>