Presentation is loading. Please wait.

Presentation is loading. Please wait.

Information Visualization for an Intrusion Detection System Ching-Lung Fu James Blustein Daniel Silver.

Similar presentations


Presentation on theme: "Information Visualization for an Intrusion Detection System Ching-Lung Fu James Blustein Daniel Silver."— Presentation transcript:

1 Information Visualization for an Intrusion Detection System Ching-Lung Fu James Blustein Daniel Silver

2 2 Overview Research Objective: Research Objective: explore / discover factors for building a better IDS (network based) explore / discover factors for building a better IDS (network based) Initial stage of our research Initial stage of our research Short comings of IDS Short comings of IDS Spatial Hypertext / visualization Spatial Hypertext / visualization ML & UM + IDS + SH ML & UM + IDS + SH Recent Update Recent Update Revisit the IDS users Revisit the IDS users

3 3 Problem Source Rule based IDS Rule based IDS resulting a network too restricted to be used, or resulting a network too restricted to be used, or an IDS vulnerable to new types of attacks an IDS vulnerable to new types of attacks Machine Learning based IDS, high errors Machine Learning based IDS, high errors Training Data imbalance: available “real-attack” training examples are scarce Training Data imbalance: available “real-attack” training examples are scarce A machine learning algorithm need to “see” enough examples to generalize to “unseen” future examples A machine learning algorithm need to “see” enough examples to generalize to “unseen” future examples Ambiguous data Ambiguous data Could a human expert do better? Could a human expert do better? Current Machine Learning algorithms cannot generalize better than humans Current Machine Learning algorithms cannot generalize better than humans

4 4 Problem Source High false detections High false detections Preventing immediate response to the real attacks Preventing immediate response to the real attacks User’s trust User’s trust Unusable IDS  Most system admins now attend to the problem after the attack or after the damage has been done. Unusable IDS  Most system admins now attend to the problem after the attack or after the damage has been done.

5 5 Alternative IDS Reduce the dependability on detection mechanism Reduce the dependability on detection mechanism Visual intelligence Visual intelligence harnessing human abilities harnessing human abilities keeps humans “in the loop” keeps humans “in the loop” contributing judgment and sharing some responsibility contributing judgment and sharing some responsibility personal involvement & empowerment personal involvement & empowerment

6 6 Alternative IDS A visualization + machine learning tool could provide the answer A visualization + machine learning tool could provide the answer

7 7 SH as a visualization mechanism Information Triage Information Triage What is Spatial Hypertext (SH) ? What is Spatial Hypertext (SH) ? Graphic workspace with freely manipulable objects. Graphic workspace with freely manipulable objects. Relationship represented by color, proximity, alignment, containment, etc. Relationship represented by color, proximity, alignment, containment, etc. Ambiguity & implicit Ambiguity & implicit Examples in the next few pages Examples in the next few pages

8 8 SH – example 1

9 9

10 10 Power of Visualization example 2

11 11 An on-line example

12 12 SH as a visualization mechanism - continued Emerging information Emerging information Human has excellent visual intelligence Human has excellent visual intelligence Able to contain lot of information Able to contain lot of information Please see my poster for a new developing framework Please see my poster for a new developing framework

13 13 Challenges The information visualization cannot be effective if the machine learning components cannot deliver accurate information The information visualization cannot be effective if the machine learning components cannot deliver accurate information The publicly available testing dataset are not good enough The publicly available testing dataset are not good enough Data ambiguity always exist Data ambiguity always exist The ML algorithms are not the bottleneck, feature extraction processes are The ML algorithms are not the bottleneck, feature extraction processes are The ML algorithms may be used to “mine” the features used directly by visualization tools; human eyes detect the anomalies The ML algorithms may be used to “mine” the features used directly by visualization tools; human eyes detect the anomalies

14 14 Revisit the IDS users Most of them still rely on primitive tools Most of them still rely on primitive tools IDS are completely not trusted IDS are completely not trusted Response to problems only after complaints have been made Response to problems only after complaints have been made Many organizations refuse the visit as they do not have an IDS — “Security through obscurity” Many organizations refuse the visit as they do not have an IDS — “Security through obscurity” Some organizations simply unplug the important system from the network to avoid unnecessary exposures Some organizations simply unplug the important system from the network to avoid unnecessary exposures

15 15 Conclusion Improve current ML based IDS as a component Improve current ML based IDS as a component Data Mining on features for information visualization Data Mining on features for information visualization Spatial Hypertext – a hybrid approach in which information visualization complements the IDS Spatial Hypertext – a hybrid approach in which information visualization complements the IDS

16 16 Questions ? Ching-Lung Fu Dalhousie Computer Science


Download ppt "Information Visualization for an Intrusion Detection System Ching-Lung Fu James Blustein Daniel Silver."

Similar presentations


Ads by Google