Information Visualization for an Intrusion Detection System
Ching-Lung Fu, James Blustein, Daniel Silver
(Transcript of a PowerPoint presentation)

Overview
Research objective: explore / discover factors for building a better IDS (network based)
Initial stage of our research:
  Shortcomings of IDS
  Spatial Hypertext / visualization
  ML & UM + IDS + SH
Recent update: revisit the IDS users

Problem Source
Rule-based IDS: results in either a network too restricted to be usable, or an IDS vulnerable to new types of attacks
Machine-learning-based IDS: high error rates
  Training data imbalance: available “real-attack” training examples are scarce
  A machine learning algorithm needs to “see” enough examples to generalize to “unseen” future examples
  Ambiguous data
Could a human expert do better? Current machine learning algorithms cannot generalize better than humans.

Problem Source
High false detections prevent immediate response to the real attacks; they erode the user’s trust and leave the IDS unusable.
Most system admins now attend to the problem after the attack, or after the damage has been done.

Alternative IDS
Reduce the dependence on the detection mechanism
Visual intelligence: harnessing human abilities
  keeps humans “in the loop”
  contributing judgment and sharing some responsibility
  personal involvement and empowerment

Alternative IDS
A visualization + machine learning tool could provide the answer.

SH as a visualization mechanism
Information triage
What is Spatial Hypertext (SH)?
  A graphic workspace with freely manipulable objects.
  Relationships are represented by color, proximity, alignment, containment, etc.
  Ambiguity and implicitness
Examples in the next few pages.

SH – example 1

Power of Visualization – example 2

An on-line example: http://www.hivegroup.com/salesforce.html

SH as a visualization mechanism – continued
Emerging information
Humans have excellent visual intelligence
Able to contain a lot of information
Please see my poster for a new developing framework.

Challenges
The information visualization cannot be effective if the machine learning components cannot deliver accurate information
The publicly available testing datasets are not good enough
Data ambiguity always exists
The ML algorithms are not the bottleneck; the feature extraction processes are
The ML algorithms may be used to “mine” the features used directly by visualization tools; human eyes detect the anomalies
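As an added example (not code from the talk), the script below mines per-host features from a constructed connection log and maps them onto the spatial-hypertext cues named earlier (containment, proximity, color), leaving the final anomaly judgement to the analyst rather than raising an alert. The hosts, ports and counts are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed connection log: (source host, destination port).
# 10.0.1.7 is given a port-scan-like profile so that something stands out.
CONNECTIONS = [
    ("10.0.1.5", 443), ("10.0.1.5", 443), ("10.0.1.5", 80),
    ("10.0.1.6", 443), ("10.0.1.6", 25),
    ("10.0.2.9", 80), ("10.0.2.9", 80), ("10.0.2.9", 443),
] + [("10.0.1.7", port) for port in range(20, 60)]


def mine_features(connections):
    """Per-host features: connection count and number of distinct ports."""
    count = defaultdict(int)
    ports = defaultdict(set)
    for host, port in connections:
        count[host] += 1
        ports[host].add(port)
    return {h: {"conns": count[h], "ports": len(ports[h])} for h in count}


def zscores(features, key):
    """Standardize one feature across hosts (population std, zero-guarded)."""
    vals = [f[key] for f in features.values()]
    mu, sd = mean(vals), pstdev(vals) or 1.0
    return {h: (f[key] - mu) / sd for h, f in features.items()}


def layout(connections):
    """Map mined features onto spatial-hypertext cues.

    containment: hosts are grouped by their /24 subnet
    proximity:   x position grows with connection volume
    colour:      distinct-port z-score; a scanner ends up red
    No alert is raised here; the analyst reads the workspace.
    """
    feats = mine_features(connections)
    z = zscores(feats, "ports")
    objects = {}
    for host, f in feats.items():
        colour = "red" if z[host] > 1.0 else "amber" if z[host] > 0.5 else "grey"
        objects[host] = {"group": host.rsplit(".", 1)[0],
                         "x": f["conns"], "colour": colour}
    return objects


if __name__ == "__main__":
    for host, obj in layout(CONNECTIONS).items():
        print(host, obj)
```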

Revisit the IDS users
Most of them still rely on primitive tools
IDS are completely not trusted
Response to problems only after complaints have been made
Many organizations refuse the visit as they do not have an IDS — “Security through obscurity”
Some organizations simply unplug the important system from the network to avoid unnecessary exposure

Conclusion
Improve the current ML-based IDS as a component
Data mining on features for information visualization
Spatial Hypertext – a hybrid approach in which information visualization complements the IDS

Questions?
Ching-Lung Fu, Dalhousie Computer Science