SpiralView - unifr.ch
TRANSCRIPT
SpiralView
A visual tool to improve monitoring and understanding of security data in corporate networks
Network Security & IDS
• Private networks need to keep their data safe and their activities functional
• Traffic between nodes is monitored to detect dangerous behaviours and devise proper countermeasures
• An IDS (Intrusion Detection System) analyzes traffic and generates alarms when suspicious behaviours are detected
• The administrator uses alarms as a starting point to see whether some actions are required
Network Security and Visualization
• Visualization is the perfect choice for network security:
– Large data sets can be grasped at a glance
– Interaction enables exploration and thus understanding
• Two approaches exist in network security
– Visualizing traffic (with or without topology)
– Visualizing alarms
Visualization and IDS
• Good mix of data mining + visualization
• Visualization helps in:
1. Managing a large number of alarms
2. Putting alarms in context (time, network resources)
3. Keeping track of the evolution of alarms over time
• Current systems support only the first two; SpiralView allows the third as well
SpiralView Features
• Enables the analysis of alarms over long periods of time (weeks, months)
– from day-to-day monitoring to a long-term perspective
• Better understanding of how alarms distribute over network resources through simple interactive tools
• Uses higher-level data (applications and users), thus making the analysis accessible to less technical people
SpiralView Design
Alarms View
Zoom in the Alarms View
Resources Visualization
Data Exploration and Understanding (1): finding the causes for spikes
1. Isolate applicative alarms
2. See how they distribute over network resources (e.g., most of them are spyware)
3. Select the spikes to see how they map onto the user/application view
4. Most spikes are generated by user 17 and the application save.exe
Data Exploration and Understanding (2): exploring scan&prop alarms
1. Isolate scan&prop alarms
2. They started to appear quite late in the network (outer rings) and they tend to be clustered between 4 o'clock and 16 o'clock
3. The user/application view shows that the application scanner.exe and a group of users generate the large majority of them
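The two walkthroughs above, as an added example that is not the SpiralView authors' code: a minimal model of the spiral mapping (angle = time of day, ring = day) and of the isolate / cluster / attribute steps, run over constructed alarm records. The alarm classes, user names and application names come from the slides; the timestamps, the record format and the one-turn-per-day layout are assumptions.

```python
from collections import Counter
from datetime import datetime
import math

DAY_ZERO = datetime(2024, 3, 1)  # innermost ring of the spiral (constructed date)

# Constructed sample alarms, not taken from the slides: (timestamp, class, user, application)
ALARMS = [
    ("2024-03-01 09:05", "applicative", "user17", "save.exe"),
    ("2024-03-01 09:20", "applicative", "user17", "save.exe"),
    ("2024-03-02 11:00", "applicative", "user17", "save.exe"),
    ("2024-03-02 14:30", "applicative", "user4", "mail.exe"),
    ("2024-03-06 05:10", "scan&prop", "user9", "scanner.exe"),
    ("2024-03-06 07:45", "scan&prop", "user9", "scanner.exe"),
    ("2024-03-07 12:00", "scan&prop", "user12", "scanner.exe"),
    ("2024-03-07 15:30", "scan&prop", "user12", "scanner.exe"),
    ("2024-03-07 22:10", "scan&prop", "user2", "ssh.exe"),
]

def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")

def spiral_coords(ts, day_zero=DAY_ZERO):
    """Polar position of one alarm: angle = time of day (one turn per day),
    radius = elapsed days, so recent alarms land on the outer rings."""
    t = parse(ts)
    frac_day = (t.hour + t.minute / 60) / 24
    return round((t - day_zero).days + frac_day, 4), round(2 * math.pi * frac_day, 4)

def isolate(alarms, alarm_class):
    """Step 1 of both walkthroughs: keep only one alarm class."""
    return [a for a in alarms if a[1] == alarm_class]

def busiest_window(alarms, width=12):
    """Start and end hour of the width-hour arc (wrapping at 24) holding the most alarms."""
    counts = Counter(parse(a[0]).hour for a in alarms)
    start = max(range(24), key=lambda h: sum(counts[(h + i) % 24] for i in range(width)))
    return start, (start + width) % 24

def first_ring(alarms, day_zero=DAY_ZERO):
    """Innermost ring holding an alarm of this class; a large value means it appeared late."""
    return min((parse(a[0]) - day_zero).days for a in alarms)

def top_application(alarms):
    """Application generating most of the alarms, its share, and the users running it."""
    (app, n), = Counter(a[3] for a in alarms).most_common(1)
    users = sorted({a[2] for a in alarms if a[3] == app})
    return app, round(n / len(alarms), 2), users
```

On the constructed data, the scan&prop class first appears on ring 5, clusters in the 4-to-16 o'clock arc, and is dominated by scanner.exe run by two users, mirroring the second walkthrough.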