Visualisation for intrusion detection: hooking the worm
Paper in proceedings, 2003

Even though intrusion detection systems have been studied for a number of years, several problems remain, chiefly low detection rates and high false alarm rates. Instead of building automated alarms that trigger when a computer security violation takes place, we propose to visualise the state of the computer system such that the operator himself can determine whether a violation has taken place, in effect replacing the "burglar alarm" with a "security camera". In order to illustrate the use of visualisation for intrusion detection purposes, we applied a trellis plot of parallel coordinate visualisations to the log of a small personal web server. The intent was to find patterns of malicious activity from so-called worms, and to be able to distinguish between them and benign traffic. Several such patterns were found, including one that was unknown at the time to the security community at large.

Author

Stefan Axelsson

Chalmers, Department of Computer Science

Lecture Notes in Computer Science

0302-9743 (ISSN)

Vol. 2808, pp. 309-325

Subject categories

Computer and Information Science

DOI

10.1007/978-3-540-39650-5_18

ISBN

3-540-20300-1

More information

Created

2017-10-06