UNDERSTANDING INTRUSION DETECTION THROUGH VISUALIZATION

Advances in Information Security

Sushil Jajodia, Consulting Editor
Center for Secure Information Systems
George Mason University
Fairfax, VA 22030-4444
email: jajodia@gmu.edu

The goals of the Springer International Series on ADVANCES IN INFORMATION SECURITY are, one, to establish the state of the art of, and set the course for future research in, information security and, two, to serve as a central reference source for advanced and timely topics in information security research and development. The scope of this series includes all aspects of computer and network security and related areas such as fault tolerance and software assurance.

ADVANCES IN INFORMATION SECURITY aims to publish thorough and cohesive overviews of specific topics in information security, as well as works that are larger in scope or that contain more detailed background information than can be accommodated in shorter survey articles. The series also serves as a forum for topics that may not have reached a level of maturity to warrant a comprehensive textbook treatment.

Researchers, as well as developers, are encouraged to contact Professor Sushil Jajodia with ideas for books under this series.

Additional titles in the series:
HOP INTEGRITY IN THE INTERNET by Chin-Tser Huang and Mohamed G. Gouda; ISBN-10: 0-387-24426-3
PRIVACY PRESERVING DATA MINING by Jaideep Vaidya, Chris Clifton and Michael Zhu; ISBN-10: 0-387-25886-8
BIOMETRIC USER AUTHENTICATION FOR IT SECURITY: From Fundamentals to Handwriting by Claus Vielhauer; ISBN-10: 0-387-26194-X
IMPACTS AND RISK ASSESSMENT OF TECHNOLOGY FOR INTERNET SECURITY: Enabled Information Small-Medium Enterprises (TEISMES) by Charles A. Shoniregun; ISBN-10: 0-387-24343-7
SECURITY IN E-LEARNING by Edgar R. Weippl; ISBN: 0-387-24341-0
IMAGE AND VIDEO ENCRYPTION: From Digital Rights Management to Secured Personal Communication by Andreas Uhl and Andreas Pommer; ISBN: 0-387-23402-0
INTRUSION DETECTION AND CORRELATION: Challenges and Solutions by Christopher Kruegel, Fredrik Valeur and Giovanni Vigna; ISBN: 0-387-23398-9
THE AUSTIN PROTOCOL COMPILER by Tommy M. McGuire and Mohamed G. Gouda; ISBN: 0-387-23227-3
ECONOMICS OF INFORMATION SECURITY by L. Jean Camp and Stephen Lewis; ISBN: 1-4020-8089-1
PRIMALITY TESTING AND INTEGER FACTORIZATION IN PUBLIC KEY CRYPTOGRAPHY by Song Y. Yan; ISBN: 1-4020-7649-5
SYNCHRONIZING E-SECURITY by Godfried B. Williams; ISBN: 1-4020-7646-0

Additional information about this series can be obtained from http://www.springeronline.com

UNDERSTANDING INTRUSION DETECTION THROUGH VISUALIZATION

by

Stefan Axelsson
Chalmers University of Technology
Göteborg, Sweden

David Sands
Chalmers University of Technology
Göteborg, Sweden

Springer

Dr. Stefan Axelsson
Dept. of Computer Science and Engineering
Chalmers University of Technology
412 96 GÖTEBORG
SWEDEN

Prof. David Sands
Dept. of Computer Science and Engineering
Chalmers University of Technology
412 96 GÖTEBORG
SWEDEN

Library of Congress Control Number: 2005933712

UNDERSTANDING INTRUSION DETECTION THROUGH VISUALIZATION
by Stefan Axelsson and David Sands

ISBN-13: 978-0-387-27634-2
ISBN-10: 0-387-27634-3
e-ISBN-13: 978-0-387-27636-6
e-ISBN-10: 0-387-27636-X

Printed on acid-free paper.

© 2006 Springer Science+Business Media, Inc.
All rights reserved. This work may not be translated or copied in whole or in part without the written permission of the publisher (Springer Science+Business Media, Inc., 233 Spring Street, New York, NY 10013, USA), except for brief excerpts in connection with reviews or scholarly analysis. Use in connection with any form of information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed is forbidden.
The use in this publication of trade names, trademarks, service marks and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.

Printed in the United States of America.

springeronline.com

SPIN 11425250, 11524885

Contents

List of Figures  ix
List of Tables  xi
Foreword  xiii
Preface  xvii
Acknowledgments  xix

1 INTRODUCTION  1
    Context
    Computer Security
    Rationale and Problem Statement
    Information Visualization
    Overview of the book

2 AN INTRODUCTION TO INTRUSION DETECTION  15
    Intrusion Prevention  15
    Intrusion Detection  17

3 THE BASE-RATE FALLACY AND THE DIFFICULTY OF INTRUSION DETECTION  31
    Problems in Intrusion Detection  32
    The Base-Rate Fallacy  32
    The Base-Rate Fallacy in Intrusion Detection  35
    Impact on Intrusion Detection Systems  40
    Future Directions  46
    Further Reading  46
    Conclusions  47

4 VISUALIZING INTRUSIONS: WATCHING THE WEBSERVER  49
    The Experimental System  50
    The Log Reduction Scheme  51
    Visualizing the Lowest Scoring Requests  52
    Detailed Analysis of the Features Found  56
    Effectiveness of the Log Reduction Scheme  59
    Discussion  63
    Future Work  66
    Conclusions  66
    Further Reading  67

5 COMBINING A BAYESIAN CLASSIFIER WITH VISUALIZATION  69
    Automated Learning for Intrusion Detection  69
    Naive Bayesian Detection  70
    The Experimental Data  71
    Visualizing a Bayesian IDS  73
    The Training Data  80
    The Experiment  80
    Conclusions  86

6 VISUALIZING THE INNER WORKINGS OF A SELF LEARNING CLASSIFIER  89
    Introduction  89
    Markovian Matching with Chi Square Testing  90
    Visualizing the Detector  92
    The Experimental Data  98
    Experimental Results  99
    Conclusions  109
    Future Work  109

7 VISUALIZATION FOR INTRUSION DETECTION: HOOKING THE WORM  111
    Introduction  111
    The Monitored System  112
    Scientific Visualization  114
    Visual Analysis of the Log File  119
    Results of the Investigation  121
    Discussion  125
    Conclusion  126
    Future Work  126

EPILOGUE  129
    Results in Perspective  129
    Further Reading  130
    Conclusions and Future Work  132

References  133
Author Index  141
Index  143

List of Figures

2.1 Anti-intrusion techniques  15
2.2 Organisation of a generalised intrusion detection system  21
2.3 Classical detection theory model  23
2.4 One dimensional detection model  25
3.1 Venn diagram of medical diagnostic example  34
3.2 Plot of Bayesian detection rate versus false alarm rate  39
3.3 ROC-curves for the "low performers"  41
3.4 ROC-curve for the "high performers"  41
4.1 Frequencies of component frequencies  51
4.2 Requests sorted by lowest score  51
4.3 Graph of the lowest scoring requests  53
4.4 Zoom on feature (Spam attack in this case)  54
4.5 Zoom on feature (benign accesses forming a subgraph, isolated)  55
4.6 Zoom on feature (benign accesses forming a subgraph, in vivo)  56
4.7 Zoom on feature (benign accesses forming a not very clear subgraph)  57
4.8 The remaining accesses deemed to be intrusion attempts, 2D graph  60
4.9 The remaining accesses deemed to be intrusion attempts, 3D graph  61
5.1 The Bayesvis tool  75
5.2 The Bayesvis tool after retraining on false alarms  78
5.3 The Bayesvis tool after having corrected under training  79
5.4 False positives during the training phase  83
5.5 Examples of false alarms in February log  84
5.6 Generalized detection of Unicode attacks  86
6.1 The Chi2vis tool after training one bad and one good  93
6.2 The Chi2vis tool after training one bad and two good  96
6.3 The Chi2vis tool after training two bad and two good  97
6.4 Generalising the Unicode training to detect new instances  102
6.5 False alarms: Example of the HEAD-pattern  103
6.6 Results from training on syscall data  104
6.7 All the false alarms of Bayesvis  107
6.8 The "cgi-bin" pattern false alarms of Bayesvis  108
7.1 Sample records from the webserver log file  114
7.2 A simple parallel coordinate plot  116
7.3 A trellis of parallel coordinate plots  120
7.4 A plot of the "Code-red" worm access pattern  122
7.5 The six different requests made by pattern from Figure 7.3  123