adaptive data visualization packet information collection and transformation for network intrusion...
TRANSCRIPT
Adaptive Data Visualization Adaptive Data Visualization <><><><><><><><><><>
Packet Information Collection and Packet Information Collection and Transformation for Network Intrusion Transformation for Network Intrusion
Detection and PreventionDetection and Prevention
Richard A. Aló, Ali Berrached, Mohsen Beheshti, Ping Chen, Jack Han, Francois Modave
Center for Computational Sciences and Advanced Distributed Simulation
University of Houston-Downtown
Problem: Adaptive Data Visualization
Visualization- graphical presentation of a data set, with goal of helping and providing viewer with a qualitative understanding of information contents in a natural and direct way.
What a visualization system should do : convert forward
= f (213, 108, 30, 1704, 17, 2, 44, 140, 477, -108, 0.0)
Element properties
color/intensitylocationstyle/texture/shade/lightsize(no perspective view)anglerelative position/motion
What is the problem exactly Basic requirement - find a f(…) satisfying:
– Different data values should be represented differently in display, the more different, the more different in display
Computation constraints:– Performance: line is better than curve– Memory usage
Data constraints:– Infant stage,domain knowledge,universal theory unlikely– Display high dimensional data in 3D world or 2D screen
Human beings constraints:– not efficient, slow processing– Ambiguous– User-depended, area-depended– Eye limits
Non-uniform knowledge/information distribution
– Water temperature: change from 40C to 41C and change from 99C to 100C are different
– Change of water temperature from 40C to 41C and change of patient body temperature from 40C to 41C are different
Need integrate domain knowledge by interaction with users
Interactive and Adaptive Visualization System
Domain knowledge integration achieved by choosing proper association function transformation functions during
visualization process. Interactive/ Provide mechanism for views to
adjust or change transformation functions during visualization process.
Interaction allows user to guide visualization system step by step to display/ clarify what is of interest.
Correctness
If possible: visualization system should show different dimensions of a data set differently through different visual objects or visual properties (visual elements) of the same visual objects.
The more different the values are, the more differently they should be rendered.
The more different the information represented by data values are, the more differently they should be rendered.
Maximizing
To optimize the rendering quality, the maximal range of visual objects/elements should be used.
Adaptive Data Visualization Algorithm
Load the dataset
Find clusters for each individual dimension
Perform association and transformation according to “Maxmizing” rule
Render data
Viewer changes transformation
Viewer changes association
Viewer wants to change association step?
Viewer wants to change transformation step?
No
Yes
Yes
Packet Information Collection and Transformation for Network Intrusion Detection and Prevention
Introduction The SNORT System The SNORT Setup The See5 System Data Transformation Information Fusion Framework for Intrusion Detection Conclusion and Future Work
Introduction
Network Intrusion Detection System (IDS) Network Intrusion Prevention System
(IPS) Suspicious network activities
– misuse – anomaly
Intrusion Detection Process
Network Intrusion Detection System (IDS) Network Intrusion Prevention System
(IPS) Suspicious network activities
– misuse – anomaly
CSRL Fusion System
Data Collection: Capture packet data in network traffic by using the tool SNORT
Data Preprocess: Transform data into the suitable input format that are required by See5
Pattern Detection: Apply See5 to induce intrusion detection rules, a set of alert rules for recognizing malicious activities
Response: Integrate the detection rules into a firewall to prevent potential attacks
SNORT System
Network sniffer developed by Martin Roesch in 1998 Logs packets in a database SNORT database
– four tables to record information of network packets using the following protocols, icp, udp, icmp, and ip
– two other tables • acid_event to consolidate all the logs of alerts• opt to hold the optional data that can be part of the
TCP/IP protocol .
SNORT Setup
Database: MySql Two Systems setup
– Working system• Two servers for cross platform and data fusion
– Linux server – Windows server
• WAN
– Testing system• Testing SNORT rules and transforming data• LAN
SNORT Rule Type
ruletype nonalert
{
type alert
output database: log, mysql, user=snort password=password dbname=snortTest
host=localhost
}
SEE5 System
A machine learning and data mining system for Windows, evolved from C4.5
Generate a decision tree Two input files
– .names – attributes and characteristics such as data type, range, etc.
– .data – the raw data set