Abstract
Despite several years of intensive study, intrusion detection systems still suffer from a key deficiency: a high rate of false alarms. To counteract this, this paper proposes to visualise the state of the computer system so that the operator can determine whether a violation has taken place. To this end a very simple anomaly-detection-inspired log-reduction scheme is combined with graph visualisation and applied to the log of a webserver, with the intent of detecting patterns of benign and malicious (or suspicious) accesses.
The combination proved to be effective. Visualising the output of the anomaly detection system counteracted its high rate of false alarms, while the anomaly-based log reduction cut the log data down to manageable proportions. The visualisation was more successful in helping to identify benign accesses than malicious ones; nevertheless, all the types of malicious accesses present in the log data were found.
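The reduce-then-visualise idea in the abstract, as an added example: this is not the paper's code, data or scoring scheme. It assumes a self-information score (minus log2 of a field value's frequency in the log itself) summed over the request path and status code, a mean-score cut-off for what the operator is shown, NCSA common-format access-log lines, and a Graphviz DOT graph of client-to-resource edges as the visualisation; the sample log lines are constructed for the example.

```python
"""Anomaly-driven access-log reduction feeding a graph view (added example).

Each webserver request is scored by how unusual its fields are within the
log, the common (presumably benign) traffic is dropped, and what remains is
emitted as a Graphviz digraph for an operator to inspect. The scoring, the
threshold and the sample data are assumptions, not the paper's scheme.
"""
import math
import re
from collections import Counter

# NCSA common-log-format line: client, ident, user, [time], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not the paper's data): routine page views, three
# scanner-style probes, and one non-HTTP blob that the format regex rejects.
SAMPLE_LOG = """\
10.0.0.1 - - [12/Mar/2004:10:01:02 +0100] "GET /index.html HTTP/1.1" 200 1043
10.0.0.2 - - [12/Mar/2004:10:01:05 +0100] "GET /index.html HTTP/1.1" 200 1043
10.0.0.3 - - [12/Mar/2004:10:01:09 +0100] "GET /images/logo.gif HTTP/1.1" 200 512
10.0.0.1 - - [12/Mar/2004:10:01:12 +0100] "GET /images/logo.gif HTTP/1.1" 200 512
10.0.0.4 - - [12/Mar/2004:10:02:30 +0100] "GET /index.html HTTP/1.1" 200 1043
10.0.0.4 - - [12/Mar/2004:10:02:31 +0100] "GET /images/logo.gif HTTP/1.1" 200 512
192.0.2.7 - - [12/Mar/2004:10:05:00 +0100] "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 281
192.0.2.7 - - [12/Mar/2004:10:05:01 +0100] "GET /_vti_bin/owssvr.dll HTTP/1.0" 404 281
198.51.100.9 - - [12/Mar/2004:10:06:12 +0100] "GET /cgi-bin/formmail.pl HTTP/1.1" 404 281
10.0.0.5 - - [12/Mar/2004:10:07:00 +0100] "\\x16\\x03\\x01" 400 0
"""


def parse_log(text):
    """Return one record per line. Lines the format regex rejects are kept as
    records carrying the raw text as 'path' rather than dropped: a line the
    parser cannot read is exactly the kind of thing the operator should see."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m:
            path = m.group("target").split("?", 1)[0]  # score the path without its query
            records.append({"client": m.group("client"), "method": m.group("method"),
                            "path": path, "status": m.group("status")})
        else:
            records.append({"client": "?", "method": "?", "path": line, "status": "?"})
    return records


def score_records(records, fields=("path", "status")):
    """Anomaly score per record: the self-information -log2 p(value), summed
    over the chosen fields, with p estimated from this same log. A value seen
    in a third of the lines costs ~1.6 bits; a value seen once in ten lines
    costs ~3.3 bits, so rare paths and rare status codes float to the top."""
    n = len(records)
    counts = {f: Counter(r[f] for r in records) for f in fields}
    return [sum(-math.log2(counts[f][r[f]] / n) for f in fields) for r in records]


def reduce_log(records, scores, threshold=None):
    """Keep only records scoring above the threshold (default: the mean score),
    returned as (score, record) pairs, most anomalous first."""
    if threshold is None:
        threshold = sum(scores) / len(scores)
    kept = [(s, r) for s, r in zip(scores, records) if s > threshold]
    return sorted(kept, key=lambda sr: sr[0], reverse=True)


def _quote(s):
    """Escape a string for use as a DOT quoted identifier or label."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_dot(kept):
    """Render the reduced log as a Graphviz digraph: client nodes (boxes) point
    at the resources they requested; identical (client, path, status) triples
    collapse into one edge labelled with the count and the status code."""
    edges = Counter((r["client"], r["path"], r["status"]) for _, r in kept)
    lines = ["digraph reduced_log {", "  rankdir=LR;"]
    for client in sorted({c for c, _, _ in edges}):
        lines.append(f"  {_quote(client)} [shape=box];")
    for (client, path, status), n in sorted(edges.items()):
        lines.append(f"  {_quote(client)} -> {_quote(path)} [label=\"{n}x {status}\"];")
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    kept = reduce_log(recs, score_records(recs))
    for s, r in kept:
        print(f"{s:5.2f}  {r['client']:>13}  {r['status']}  {r['path']}")
    print(to_dot(kept))  # pipe into `dot -Tsvg` to get the picture
```

On the constructed sample the six routine page views fall below the cut-off and the three probes plus the unparsable line survive, which is the reduction the abstract describes. Two caveats a practitioner should keep in mind: because the frequencies are estimated from the log being examined, an attacker whose probes make up a large share of the traffic will look ordinary, so a baseline taken from a known-clean period is the safer choice; and the threshold decides what the operator never sees, so it should be set generously and the graph relied on to absorb the resulting false alarms, which is the division of labour the paper argues for.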
© 2004 IFIP International Federation for Information Processing
Cite this paper
Axelsson, S. (2004). Visualising Intrusions: Watching the Webserver. In: Deswarte, Y., Cuppens, F., Jajodia, S., Wang, L. (eds) Security and Protection in Information Processing Systems. SEC 2004. IFIP — The International Federation for Information Processing, vol 147. Springer, Boston, MA. https://doi.org/10.1007/1-4020-8143-X_17
DOI: https://doi.org/10.1007/1-4020-8143-X_17
Publisher Name: Springer, Boston, MA
Print ISBN: 978-1-4757-8016-1
Online ISBN: 978-1-4020-8143-9