Abstract
In this research study, we focus on intrusion alerts and the burden placed on network administrators by the need to analyze numerous security events. We present Avisa2, a network security visualization system that assists in the comprehension of IDS alerts and the detection of abnormal activity patterns. The quantity of security events triggered by modern-day intrusion detection systems, together with their complexity and the lack of correlation between events, limits the human cognitive process in identifying anomalous behavior. This shortcoming motivates an automated process that projects critical situations and prioritizes network hosts exhibiting peculiar behavior. At the heart of Avisa2 lies a collection of heuristic functions used to score, rank, and prioritize internal hosts of the monitored network. We believe this contribution elevates the practicality of Avisa2 in identifying critical situations and makes it far superior to traditional security systems that focus solely on visualization. The effectiveness of Avisa2 is evaluated on two multi-stage attack scenarios, each intentionally focused on a particular attack type, network service, and network range. Avisa2 proved effective and accurate in prioritizing hosts under attack as well as hosts from which attacks were launched.
© 2011 Springer-Verlag Berlin Heidelberg
Cite this paper
Shiravi, H., Shiravi, A., Ghorbani, A.A. (2011). Situational Assessment of Intrusion Alerts: A Multi Attack Scenario Evaluation. In: Qing, S., Susilo, W., Wang, G., Liu, D. (eds) Information and Communications Security. ICICS 2011. Lecture Notes in Computer Science, vol 7043. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-25243-3_32
DOI: https://doi.org/10.1007/978-3-642-25243-3_32
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-25242-6
Online ISBN: 978-3-642-25243-3