Wenbo Wang,Xi Luo,Liang Fu Lu,Youyi Zheng

DOI: https://doi.org/10.1109/BigComp.2018.00057

2018-01-01

Abstract:Visualization techniques on hierarchical information have been proved their capability in presenting structured disk storage data. However, most existing techniques represented with simple visual methods such as pie chart or histogram, lacking the ability of grasping the usage of the computer. This paper presents a new interactive visualization technique named iHard Disk Viewer (iHDViewer), which aims to display file details and their movement histories, as well as predict the user's activities through visualization results. This tool mainly utilizes four different view panels to display the distribution of files and file folders for a computer system. Specifically, A tree view explains the general distribution of the whole disk storage; A river trend view tracks the files moving history, which is implemented by cubic spline interpolator with restricted boundary conditions to ensure the trend stability and information accuracy; We also use the concept of coordinate extension to visualize the file moving events which supports more intuitive results; A filelist view panel shows the details of the selected files; while a circle view panel interactively displays the status of files and file folders. In addition, considering the importance of human visual perception system in the data analyzing processes, we utilize three color design principles to work through all visual methods. Lastly, this paper demonstrates the effectiveness and efficiency of our new idea to visually analyze computer FileSystems.

M D Poat,J Lauret,D Fedele

DOI: https://doi.org/10.1088/1742-6596/2438/1/012040

2023-02-17

Journal of Physics: Conference Series

Abstract:A difficult aspect of cyber security is the ability to achieve automated real time intrusion prevention across various sets of systems. To this extent, several companies are offering comprehensive solutions that leverage an "accuracy of scale" and moving much of the intelligence and detection on the Cloud, relying on an ever-growing set of data and analytics to increase decision accuracy. Often, they provide tools to visualize the decision workflows in attack prevention (as well as tune the algorithm) but those solutions are not always practical as companies see the problem as "global" that is, from a unified Cyber-security standpoint. However, a key to a successful Cyber-security program is transparency and trust: from an experimental team viewpoint, this specifically means having the ability to immediately see what and from where, who has been blocked and being able to inform the community in case of a revoked access without the need for filing a "ticket" (that may eventually be answered) – in other words, rapid response to their user-base is essential but solutions targeting "sub-groups" in an organization are not often available. We have come up with a versatile solution leveraging the ELK stack (Elasticsearch, Logstash, & Kibana) and an IPS (Intrusion Prevention System) based WAF (Web Application Firewall) from Signal Sciences. Signal Science allows the streaming of detailed logs in a Logstash format suitable for custom solutions for visualization. By combining these two tools, we have strengthened our security posture and enabled individual experiments to monitor their own traffic. Specifically, the IPS WAF provides unique data such as country of origin, protocol, response code, source IP, and paths accessed. In this contribution, we will show how we engineered a visualization solution so experiment groups could access a dashboard with predefined graphs but also, where they can create individual customizable dashboards used to display blocked traffic and troubleshoot latency issues. We will discuss the details and procedures for developing and configuring these tools and how it benefits cyber security postures across our scientific based environment.

English Else

Andrea Brennen,David Danico,Raul Harnasch,Maureen Hunter,Richard Larkin,Jeremy Mineweaser,Kevin Nam,David O'Gwynn,Harry Phan,Alexia Schulz,Michael Snyder,Diane Staheli,Tamara Yu

DOI: https://doi.org/10.48550/arXiv.1412.3768

2014-12-12

Abstract:As modern industry shifts toward significant globalization, robust and adaptable network capability is increasingly vital to the success of business enterprises. Large quantities of information must be distilled and presented in a single integrated picture in order to maintain the health, security and performance of global networks. We present a design for a network situational awareness display that visually aggregates large quantities of data, identifies problems in a network, assesses their impact on critical company mission areas and clarifies the utilization of resources. This display facilitates the prioritization of network problems as they arise by explicitly depicting how problems interrelate. It also serves to coordinate mitigation strategies with members of a team.

Human-Computer Interaction

Sònia Leal Díaz,Sergio Pastrana,Azqa Nadeem

2023-10-20

Abstract:Although intrusion alerts can provide threat intelligence regarding attacker strategies, extracting such intelligence via existing tools is expensive and time-consuming. Earlier work has proposed SAGE, which generates attack graphs from intrusion alerts using unsupervised sequential machine learning. This paper proposes a querying and prioritization-enabled visual analytics dashboard for SAGE. The dashboard has three main components: (i) a Graph Explorer that presents a global view of all attacker strategies, (ii) a Timeline Viewer that correlates attacker actions chronologically, and (iii) a Recommender Matrix that highlights prevalent critical alerts via a MITRE ATT&CK-inspired attack stage matrix. We describe the utility of the proposed dashboard using intrusion alerts collected from a distributed multi-stage team-based attack scenario. We evaluate the utility of the dashboard through a user study. Based on the responses of a small set of security practitioners, we find that the dashboard is useful in depicting attacker strategies and attack progression, but can be improved in terms of usability.

Cryptography and Security

Liang Li,Yuanhui He,Feiyang Huang,Ziming Zhao,Zhuoxue Song,Tong Zhou,Zhenyuan Li,Fan Zhang

DOI: https://doi.org/10.1109/cscwd61410.2024.10580010

2024-01-01

Abstract:Intrusion Detection Systems (IDSs) are vital in detecting network attacks and ensuring the confidentiality and integrity of network resources. Currently, industry-standard IDSs primarily rely on rule-based or anomaly-detection techniques. However, existing detection techniques often generate false positives and negatives, also known as the alert fatigue problem. This influx of incorrect events diminishes the IDS’s efficiency by overburdening security analysts. In this paper, we present ACVS, an innovative automated alert cross-verification system that leverages Graph Neural Networks for identifying misclassifications in security events. Initially, ACVS generates event graphs using attributes like IP addresses and timestamps from sequences of security events and then employs correlation analysis on these events, utilizing alert information to verify misclassifications. Finally, the system uses Graph Neural Networks to classify and correct these security events automatically. We conduct evaluations for ACVS on a substantial real-world dataset comprising over 5 million security events, which are categorized into 5 distinct groups. The results reveal that ACVS markedly enhances the accuracy of intrusion detection systems and substantially reduces the need for manual analysis.

nitin v kanaskar,jiang bian,remzi seker,mais nijim,nuri yilmazer

DOI: https://doi.org/10.1109/SYSCON.2011.5929116

2011-01-01

Abstract:Insider attacks have the potential to inflict severe damage to an organizations reputation, intellectual property and financial assets. The primary difference between the external intrusions and the insider intrusions is that an insider wields power of knowledge about the information system resources, their environment, policies. We present an approach to detecting abnormal behavior of an insider by applying Dynamical System Theory to the insiders computer usage pattern. This is because abnormal system usage pattern is one of the necessary precursors to actual execution of an attack. A base profile of system usage pattern for an insider is created via applying dynamical system theory measures. A continuous monitoring of the insiders system usage and its comparison with this base profile is performed to identify considerable deviations. A sample system usage in terms of application system calls is collected, analyzed, and graphical results of the analysis are presented. Our results indicate that dynamical system theory has the potential of detecting suspicious insider behavior occurring prior to the actual attack execution.

Fu Xiao,Shi Jin,Xie Li

DOI: https://doi.org/10.4304/jnw.5.1.88-97

2010-01-01

Abstract:Current system managers often have to process huge amounts of alerts per day, which may be produced by all kinds of security products, network management tools or system logs. This has made it extremely difficult for managers to analyze and react to threats and attacks. So an effective technique which can automatically filter and analyze alerts has become urgent need. This paper presents a novel method for handling IDS alerts more efficiently. It introduces a new data mining technique, outlier detection, into this field, and designs a special outlier detection algorithm for identifying true alerts and reducing false positives (i.e. alerts that are triggered incorrectly by benign events). This algorithm uses frequent attribute values mined from historical alerts as the features of false positives, and then filters false alerts by the score calculated based on these features. We also proposed a three-phrase framework, which not only can filter newcome alerts in real time, but also can learn from these alerts and automatically adjust the filtering mechanism to new situations. Moreover our method can help managers analyze the root causes of false positives. And our method needs no domain knowledge and little human assistance, so it is more practical than current ways. We have built a prototype implementation of our method. Through the experiments on DARPA 2000, we have proved that our model can effectively reduce false positives. And on real-world dataset, our model has even higher reduction rate. By comparing with other alert reduction methods, we believe that our model has better performance.

Yawen Xue,Jie Pan,Yangyang Geng,Zeyu Yang,Mengxiang Liu,Ruilong Deng

DOI: https://doi.org/10.1109/ticps.2024.3406505

2024-01-01

Abstract:Industrial control systems (ICSs) are becoming increasingly interconnected as the rapid convergence of information technology (IT) and operation technology (OT) networks, and meanwhile massive attack surfaces have been exposed. However, traditional intrusion detection systems (IDSs) are difficult to be directly deployed in ICSs due to the hard real-time requirement and rare patching chance. Besides, the design of effective and practical IDSs is hampered by the lack of benchmarking ICS cybersecurity datasets. To bridge the gaps, this paper makes the first attempt by open-sourcing the developed ICS cybersecurity datasets and proposing a decision fusion based real-time IDS. Firstly, we design a customized cybersecurity dataset in a full-hardware and high-fidelity platform, including 7 types of cyber threats tailored for ICSs. The collected dataset includes network traffic, sensor readings, actuator status, and system parameters, providing the state-of-the-art benchmark dataset for ICSs consisting of cross-layer characteristics. Furthermore, we design an online decision fusion-based IDS by strategically integrating 4 widely-used machine learning models. The proposed IDS is deployed on a real-time running ethanol distillation, surpassing the performance of single detection models in terms of precision and F1-score, which substantially enhances intrusion detection accuracy and cybersecurity of ICS.

Jia Liu,Wang Yinchai,Teh Chee Siong,Xinjin Li,Liping Zhao,Fengrui Wei

DOI: https://doi.org/10.21203/rs.3.rs-1770107/v1

2022-01-01

Abstract:Abstract Intrusion detection is a fuzzy classification problem. Intrusion detection can detect the attack behaviors of hackers in advance. For generating a visualizing architecture for identifying intrusions, this study proposes an approach that combines ANFIS (Adaptive Network-based Fuzzy Inference System), DT (Decision Tree), and K-means clustering algorithm for visualizing the deep pattern of intrusion detection. The ANFIS generates complex and fuzzy combinations of selected attributes. To reduce the rules generation of ANFIS, Pearson Correlation analysis is used to select attributes that highly relate to the target. Meanwhile, standard deviation analysis and a proposed adaptive K-means algorithm are used for determining the interval division of selected attributes. Then, the CART (classification and regression tree) is used to identify the deep mode in generated rules and selected attributes. The architecture of the proposed algorithm is a hybrid visualizing approach. The architecture can identify deep and hybrid features in intrusion detection. The proposed algorithm was trained, validated, and tested on the NSL-KDD dataset. Using 22 attributes that highly relate to the target, the performance of the proposed method achieved a 99.86% detection rate and 0.14% false alarm rate, which is better than many classifiers. Besides, the visualizing model can help us visually identify the complex pattern of intrusions and analyze the pattern of various intrusions.

Dichao Peng,Wei Chen,Qunsheng Peng

DOI: https://doi.org/10.1002/sec.521

IF: 1.968

2012-01-01

Security and Communication Networks

Abstract:ABSTRACTThe establishment of trust relations is recognized as an important approach to initiate cooperation between unfamiliar entities in distributed computing environments. Particularly, trust relations can play a key role to help nodes make decisions on service discoveries in wireless environments. Visualizing trust relations can help us understand and analyze the real‐time threats that the distributed system is facing and consequently identify the attacks in order to deploy corresponding countermeasures. The main challenges to visualize trust in such distributed environments are as follows: (i) visually reorganizing and presenting trust relations to show underlying cooperation between attackers; (ii) mapping attacker behaviors to visual patterns in an ambiguity‐free manner; (iii) properly organizing and encoding other contextual information to analyze how these factors play along with trust. In this paper, we introduce TrustVis, a tool that helps users visually analyze trust relations to identify attacks in a semi‐automatic fashion. In parallel with a running trust evaluation engine that actively monitors trust relations, TrustVis reorganizes and presents trust relations with a matrix to map the cooperative attack schemes to visual patterns. By coordinating the trust matrix and other contextual information into a multi‐faceted view, TrustVis incorporates the intelligence of domain experts to interactively monitor the networked system toward identifying both the attackers' identities and the adopted attack schemes. Copyright © 2012 John Wiley & Sons, Ltd.

Chaoqun Yang,Li Feng,Heng Zhang,Shibo He,Zhiguo Shi

DOI: https://doi.org/10.1109/tsipn.2018.2790361

2018-01-01

IEEE Transactions on Signal and Information Processing over Networks

Abstract:Networked radar systems are vulnerable to different types of attacks, including electronic countermeasure (ECM) jamming and false data injection (FDI) attack. Substantial research has concentrated on ECM jamming, which interferes with radar echoes between a radar and targets. However, FDI attack in which an attacker somehow replaces or modifies radars' measurements, has rarely been considered. FDI attack is much stealthier than ECM jamming, making detection more difficult. In this paper, we take the first attempt to investigate the FDI attack's effects on a networked radar system. Further, we propose a novel data fusion algorithm to combat this attack. The proposed algorithm can dramatically reduce the attack's adverse effects, since it creatively introduces data's confidence factors into data fusion and adaptively decreases the fusion weights of the injected data. Numerical results verify the effectiveness of the proposed algorithm.

Anthony Palladino,Christopher J. Thissen

DOI: https://doi.org/10.48550/arXiv.1812.02848

2018-12-06

Cryptography and Security

Abstract:Intrusion detection systems (IDSs) generate valuable knowledge about network security, but an abundance of false alarms and a lack of methods to capture the interdependence among alerts hampers their utility for network defense. Here, we explore a graph-based approach for fusing alerts generated by multiple IDSs (e.g., Snort, OSSEC, and Bro). Our approach generates a weighted graph of alert fields (not network topology) that makes explicit the connections between multiple alerts, IDS systems, and other cyber artifacts. We use this multi-modal graph to identify anomalous changes in the alert patterns of a network. To detect the anomalies, we apply the role-dynamics approach, which has successfully identified anomalies in social media, email, and IP communication graphs. In the cyber domain, each node (alert field) in the fused IDS alert graph is assigned a probability distribution across a small set of roles based on that node's features. A cyber attack should trigger IDS alerts and cause changes in the node features, but rather than track every feature for every alert-field node individually, roles provide a succinct, integrated summary of those feature changes. We measure changes in each node's probabilistic role assignment over time, and identify anomalies as deviations from expected roles. We test our approach using simulations including three weeks of normal background traffic, as well as cyber attacks that occur near the end of the simulations. This paper presents a novel approach to multi-modal data fusion and a novel application of role dynamics within the cyber-security domain. Our results show a drastic decrease in the false-positive rate when considering our anomaly indicator instead of the IDS alerts themselves, thereby reducing alarm fatigue and providing a promising avenue for threat intelligence in network defense.

Chenyang Qiu,Yingsheng Geng,Junrui Lu,Kaida Chen,Shitong Zhu,Ya Su,Guoshun Nan,Can Zhang,Junsong Fu,Qimei Cui,Xiaofeng Tao

DOI: https://doi.org/10.1145/3580305.3599238

2023-07-02

Abstract:Network-based intrusion detection system (NIDS) monitors network traffic for malicious activities, forming the frontline defense against increasing attacks over information infrastructures. Although promising, our quantitative analysis shows that existing methods perform inconsistently in declaring various unknown attacks (e.g., 9% and 35% F1 respectively for two distinct unknown threats for an SVM-based method) or detecting diverse known attacks (e.g., 31% F1 for the Backdoor and 93% F1 for DDoS by a GCN-based state-of-the-art method), and reveals that the underlying cause is entangled distributions of flow features. This motivates us to propose 3D-IDS, a novel method that aims to tackle the above issues through two-step feature disentanglements and a dynamic graph diffusion scheme. Specifically, we first disentangle traffic features by a non-parameterized optimization based on mutual information, automatically differentiating tens and hundreds of complex features of various attacks. Such differentiated features will be fed into a memory model to generate representations, which are further disentangled to highlight the attack-specific features. Finally, we use a novel graph diffusion method that dynamically fuses the network topology for spatial-temporal aggregation in evolving data streams. By doing so, we can effectively identify various attacks in encrypted traffics, including unknown threats and known ones that are not easily detected. Experiments show the superiority of our 3D-IDS. We also demonstrate that our two-step feature disentanglements benefit the explainability of NIDS.

Cryptography and Security,Artificial Intelligence,Machine Learning,Social and Information Networks

Yingjie Victor Chen,Zhenyu Cheryl Qian,Weiran Tyki Lei,Yingjie Chen,Zhenyu Qian,Weiran Lei

DOI: https://doi.org/10.3390/informatics3020006

2016-06-09

Informatics

Abstract:User experience remains a crucial consideration when assessing the successfulness of information visualization systems. The theory of affordances provides a robust framework for user experience design. In this article, we demonstrate a design case that employs an affordance-based framework and evaluate the information visualization display design. SolarWheels is an interactive information visualization designed for large display walls in computer network control rooms to help cybersecurity analysts become aware of network status and emerging issues. Given the critical nature of this context, the status and performance of a computer network must be precisely monitored and remedied in real time. In this study, we consider various aspects of affordances in order to amplify the user experience via visualization and interaction design. SolarWheels visualizes the multilayer multidimensional computer network issues with a series of integrated circular visualizations inspired by the metaphor of the solar system. To amplify user interaction and experience, the system provides a three-zone physical interaction that allows multiple users to interact with the system. Users can read details at different levels depending on their distance from the display. An expert evaluation study, based on a four-layer affordance framework, was conducted to assess and improve the interactive visualization design.

Fu Xiao,Xie Li

DOI: https://doi.org/10.1109/npc.2008.26

2008-01-01

Abstract:Intrusion detection systems (IDSs) can easily create thousands of alerts per day, up to 99% of which are false positives (i.e. alerts that are triggered incorrectly by benign events). This makes it extremely difficult for managers to analyze and react to attacks. This paper presents a novel method for handling IDS alerts more efficiently. It introduces outlier detection technique into this field, and designs a special outlier detection algorithm for identifying true alerts and reducing false positives. This algorithm uses frequent attribute values mined from historical alerts as the features of false positives, and then filters false alerts by the score calculated based on these features. We also proposed a two-phrase framework, which not only can filter newcome alerts in real time, but also can learn from these alerts and automatically adjust the filtering mechanism to new situations. Moreover our method needs no domain knowledge and little human assistance, so it is more practical than current ways. We have built a prototype implementation of our method. And the experiments on DARPA 2000 and real-world data have proved that this model has high performance.

Jingmin Zhou

2008-01-01

Abstract:Despite years of research and development efforts, intrusion detection is still facing significant challenges. A particular intriguing problem is that existing network intrusion detection systems report an excessive number of alerts, of which few are "interesting" from the point of view of security officers. Moreover, these alerts do not provide adequate details about the intrusions that can assist security officers to efficiently assess the security risks. In this dissertation, we propose methods to reduce the number of alerts and improve their quality. In our approach, we first identify and extract additional information from the intrusion alerts such as the result of an attack. Using this information, we are able to quickly filter out a majority of alerts that are generally not helpful in intrusion analysis. We also create a systematic approach to consistently and unambiguously model the extracted information, in particular the relations between different alerts. We demonstrate the scalability of this model by applying it to almost one thousand different network intrusion detection signatures. Using the model, we successfully construct high-level description of multi-stage intrusion strategies from low-level alerts, as well as compute the possible variations of multi-stage intrusions from a single intrusion instance. This not only reduces the number of total alerts, but also improves the alert quality. We conducted experiments with several real-world intrusion detection datasets, and the results showed the effectiveness of our approach.

Amod Pandit,R Joe Stanley,Bruce McMillin

Abstract:Intrusion detection systems (IDS) attempt to address the vulnerability of computer-based systems for abuse by insiders and to penetration by outsiders. An IDS is required to examine an enormous amount of data generated by computer networks to assist in the abuse detection process. Thus, there is a need to develop automated tools that address these requirements to assist system operators in the detection of violations of existing security policies. In this research, an automated IDS is proposed for insider threats in a distributed system. The proposed IDS functions as an anomaly detector for insider system operations based on the analysis of the system's log files. The approach integrates dynamic programming and adaptive resonance theory (ART1) clustering. The integrated approach aligns sequences of log events with prototypical sequences of events for performing tasks and classifies the aligned sequences for intrusion detection. The system examined for this research is a Boots System for controlling the movement of boots from one place to another under specific security restrictions related to the boot orders. We present the proposed model, the results achieved and the analysis of an implemented prototype.

Max Landauer,Florian Skopik,Markus Wurzenberger

2023-08-24

Abstract:Intrusion detection systems (IDS) reinforce cyber defense by autonomously monitoring various data sources for traces of attacks. However, IDSs are also infamous for frequently raising false positives and alerts that are difficult to interpret without context. This results in high workloads on security operators who need to manually verify all reported alerts, often leading to fatigue and incorrect decisions. To generate more meaningful alerts and alleviate these issues, the research domain focused on multi-step attack analysis proposes approaches for filtering, clustering, and correlating IDS alerts, as well as generation of attack graphs. Unfortunately, existing data sets are outdated, unreliable, narrowly focused, or only suitable for IDS evaluation. Since hardly any suitable benchmark data sets are publicly available, researchers often resort to private data sets that prevent reproducibility of evaluations. We therefore generate a new alert data set that we publish alongside this paper. The data set contains alerts from three distinct IDSs monitoring eight executions of a multi-step attack as well as simulations of normal user behavior. To illustrate the potential of our data set, we experiment with alert prioritization as well as two open-source tools for meta-alert generation and attack graph extraction.

Cryptography and Security

Junhua Zhang

DOI: https://doi.org/10.1088/1742-6596/2181/1/012056

2022-01-01

Journal of Physics: Conference Series

Abstract:Abstract A novel Intelligent Radar Detection Network (IRDN) is proposed to be able to flexibly decompose and re-aggregate all functional elements in OODA cycle, so as to establish a new kind of all-domain kill web featuring on-demand service, flexibility, scalability and optimal kill channel, which can obtain and maintain asymmetric air defense superiority with benefits from all-domain sensing, all-domain C2 and all-domain strike capabilities.

Xuejiao Liu,Yingjie Xia,Yanbo Wang,Jing Ren

DOI: https://doi.org/10.1002/sec.855

IF: 1.968

2013-01-01

Security and Communication Networks

Abstract:A challenge faced by many system administrators in utilizing the intrusion detection system (IDS) is to sift out genuine alerts buried with overwhelming alerts of benign activities generated by the IDS, especially for IDS deployed in large networks. Existing methods propose to identify the real alerts to aid the administrators. In our paper, we extend the idea of filtering irrelevant alerts based on alert volumes. And we formulate the flow estimation of abrupt changes in feature distribution caused by anomalies, by computing Kullback-Leibler distance of alert feature values under observation in comparison with a reference distribution, which is the mixture of a distribution drawing a tread from historical alerts, and a distribution derived from expertise provided by administrators. Experimental studies on the Defense Advanced Research Projects Agency dataset as well as real-life data gathered from the IDS of a large network show that our method is able to distinguish and highlight genuine anomalies arising from the tremendous number of intrusion alerts, including different kinds of attacks and network failures. Application of this technique to alerts greatly helps the administrators in identifying real alerts and then reduces the alert load in the future. Copyright (C) 2013 John Wiley & Sons, Ltd.