Understanding Intrusion Detection Through Visualisation
Doctoral thesis, 2005
With the ever increasing use of computers for critical systems, computer security, the protection of data and computer systems from intentional, malicious intervention, is attracting much attention. Among the methods of defence, intrusion detection, i.e. the application of a tool to help the operator identify ongoing or already perpetrated attacks, has been the subject of considerable research in the past ten years. A key problem with current intrusion detection systems is the high number of false alarms they produce. This thesis presents research into why false alarms are, and will remain, a problem, and proposes applying results from the field of information visualisation to the problem of intrusion detection. The aim was to enable the operator to correctly identify false (and true) alarms, and also to aid the operator in identifying other operational characteristics of intrusion detection systems. Four different visualisation approaches were tried, mainly on data from web server access logs. Two were direct approaches, where the system puts the onus of identifying the malicious access requests on the operator by way of the visualisation. Two were indirect approaches, where the state of two self-learning automated intrusion detection systems was visualised to enable the operator to examine their inner workings, in the hope that the operator would thereby gain an understanding of how the intrusion detection systems operated and whether that level of operation, and the quality of their output, was satisfactory. Several experiments were performed, and many different attacks were found in web access data from publicly available web servers. The visualisation helped the operator detect the attacks herself and, more importantly, the false alarms. It also helped her determine whether other aspects of the operation of the self-learning intrusion detection systems were satisfactory.