1 / 28

Adaptive Data Visualization for Network Intrusion Detection

This paper discusses the problem of adaptive data visualization for network intrusion detection, proposing a visualization system that converts data into graphical representations to help viewers gain a qualitative understanding of information contents. It also explores the data collection and transformation process for network intrusion detection and prevention. The paper highlights the importance of interactive and adaptive visualization systems that integrate domain knowledge through user interaction. The proposed algorithm involves clustering, association, and transformation to render data effectively. The paper concludes by discussing future work and potential applications in packet information collection and transformation for network intrusion detection and prevention.

jennien
Download Presentation

Adaptive Data Visualization for Network Intrusion Detection

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Adaptive Data Visualization <><><><><>Packet Information Collection and Transformation for Network Intrusion Detection and Prevention Richard A. Aló, Ali Berrached, Mohsen Beheshti, Ping Chen, Jack Han, Francois Modave Center for Computational Sciences and Advanced Distributed Simulation University of Houston-Downtown

  2. Problem: Adaptive Data Visualization Visualization- graphical presentation of a data set, with goal of helping and providing viewer with a qualitative understanding of information contents in a natural and direct way.

  3. What a visualization system should do : convert forward = f (213, 108, 30, 1704, 17, 2, 44, 140, 477, -108, 0.0)

  4. What a viewer should be allowed to do : convert backward

  5. What a viewer should be allowed to do REALLY : find knowledge

  6. Graphical elements • point • line • polyline • glyph • 2-D or 3-D surface • 3-D solid • image • text

  7. Element properties • color/intensity • location • style/texture/shade/light • size(no perspective view) • angle • relative position/motion

  8. What is the problem exactly • Basic requirement - find a f(…) satisfying: • Different data values should be represented differently in display, the more different, the more different in display • Computation constraints: • Performance: line is better than curve • Memory usage • Data constraints: • Infant stage,domain knowledge,universal theory unlikely • Display high dimensional data in 3D world or 2D screen • Human beings constraints: • not efficient, slow processing • Ambiguous • User-depended, area-depended • Eye limits

  9. Non-uniform data distribution Need cluster the data set first

  10. Non-uniform knowledge/information distribution • Water temperature: change from 40C to 41C and change from 99C to 100C are different • Change of water temperature from 40C to 41C and change of patient body temperature from 40C to 41C are different Need integrate domain knowledge by interaction with users

  11. Adaptive Data Visualization System Properties • Interactive and adaptive • Correctness • Maximizing

  12. Interactive and Adaptive Visualization System Domain knowledge integration achieved by choosing proper association function transformation functions during visualization process. Interactive/ Provide mechanism for views to adjust or change transformation functions during visualization process. Interaction allows user to guide visualization system step by step to display/ clarify what is of interest.

  13. Correctness • If possible: visualization system should show different dimensions of a data set differently through different visual objects or visual properties (visual elements) of the same visual objects. • The more different the values are, the more differently they should be rendered. • The more different the information represented by data values are, the more differently they should be rendered.

  14. Maximizing To optimize the rendering quality, the maximal range of visual objects/elements should be used.

  15. Adaptive Data Visualization Algorithm Load the dataset Find clusters for each individual dimension Perform association and transformation according to “Maxmizing” rule Render data Viewer wants to change association step? Viewer changes association Yes No Yes Viewer wants to change transformation step? Viewer changes transformation

  16. Future Work • More applications

  17. Packet Information Collection and Transformation for Network Intrusion Detection and Prevention Introduction The SNORT System The SNORT Setup The See5 System Data Transformation Information Fusion Framework for Intrusion Detection Conclusion and Future Work

  18. Introduction • Network Intrusion Detection System (IDS) • Network Intrusion Prevention System (IPS) • Suspicious network activities • misuse • anomaly

  19. Intrusion Detection Process • Network Intrusion Detection System (IDS) • Network Intrusion Prevention System (IPS) • Suspicious network activities • misuse • anomaly

  20. CSRL Fusion System Data Collection: Capture packet data in network traffic by using the tool SNORT Data Preprocess: Transform data into the suitable input format that are required by See5 Pattern Detection: Apply See5 to induce intrusion detection rules, a set of alert rules for recognizing malicious activities Response: Integrate the detection rules into a firewall to prevent potential attacks

  21. SNORT System • Network sniffer developed by Martin Roesch in 1998 • Logs packets in a database • SNORT database • four tables to record information of network packets using the following protocols, icp, udp, icmp, and ip • two other tables • acid_event to consolidate all the logs of alerts • opt to hold the optional data that can be part of the TCP/IP protocol .

  22. SNORT Setup • Database: MySql • Two Systems setup • Working system • Two servers for cross platform and data fusion • Linux server • Windows server • WAN • Testing system • Testing SNORT rules and transforming data • LAN

  23. SNORT Rule Type ruletype nonalert { type alert output database: log, mysql, user=snort password=password dbname=snortTest host=localhost }

  24. SEE5 System • A machine learning and data mining system for Windows, evolved from C4.5 • Generate a decision tree • Two input files • .names – attributes and characteristics such as data type, range, etc. • .data – the raw data set

  25. System Framework System Framework

  26. Essential Attacks Collected from Two Sensors per Day

  27. Essential Attacks Collected from Two Sensors per Hour

  28. Conclusion • CSRL Project on progress • Four components of IDS and IPS • Data Collection -- finished • Data Preprocessing -- finished • Pattern Detection -- on going • Response -- Future

More Related