Visualisation for intrusion detection: hooking the worm
Paper in proceeding, 2003

Even though intrusion detection systems have been studied for a number of years, several problems remain, chiefly low detection rates and high false alarm rates. Instead of building automated alarms that trigger when a computer security violation takes place, we propose to visualise the state of the computer system such that the operator himself can determine whether a violation has taken place, in effect replacing the "burglar alarm" with a "security camera". In order to illustrate the use of visualisation for intrusion detection purposes, we applied a trellis plot of parallel coordinate visualisations to the log of a small personal web server. The intent was to find patterns of malicious activity from so-called worms, and to be able to distinguish between them and benign traffic. Several such patterns were found, including one that was unknown at the time to the security community at large.

Author

Stefan Axelsson

Chalmers, Department of Computing Science

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

0302-9743 (ISSN) 1611-3349 (eISSN)

Vol. 2808 309-325
3-540-20300-1 (ISBN)

Subject Categories

Computer and Information Science

DOI

10.1007/978-3-540-39650-5_18

More information

Created

10/6/2017