Visualising Intrusions: Watching the Webserver
Paper in proceedings, 2004
Despite several years of intensive study, intrusion detection systems still suffer from a key deficiency: a high rate of false alarms. To counteract this, the paper proposes to visualise the state of the computer system such that the operator can determine whether a violation has taken place. To this end a very simple anomaly-detection-inspired log reduction scheme is combined with graph visualisation, and applied to the log of a webserver with the intent of detecting patterns of benign and malicious (or suspicious) accesses. The combination proved to be effective. The visualisation of the output of the anomaly detection system counteracted its high rate of false alarms, while the anomaly-based log reduction helped reduce the log data to manageable proportions. The visualisation was more successful in helping identify benign accesses than malicious accesses. All the types of malicious accesses present in the log data were found.
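As an added illustration, not the paper's own code (the abstract does not specify its reduction scheme), the following shows one plausible frequency-based log reduction of the kind described, applied to constructed Apache-style log lines, with the surviving accesses emitted as a client-to-path graph in Graphviz DOT syntax for visualisation. The log lines, the pattern generalisation and the 20% rarity threshold are all assumptions made for the example.

```python
import re
from collections import Counter

# Constructed Apache common-log lines (not from the paper). The first five are
# routine page fetches; the last two are rare requests the reduction should keep.
SAMPLE_LOG = """\
10.0.0.1 - - [10/Oct/2004:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 2326
10.0.0.2 - - [10/Oct/2004:13:55:40 +0200] "GET /index.html HTTP/1.1" 200 2326
10.0.0.3 - - [10/Oct/2004:13:55:41 +0200] "GET /images/logo.gif HTTP/1.1" 200 512
10.0.0.1 - - [10/Oct/2004:13:55:45 +0200] "GET /images/logo.gif HTTP/1.1" 200 512
10.0.0.4 - - [10/Oct/2004:13:56:02 +0200] "GET /index.html HTTP/1.1" 200 2326
10.0.0.9 - - [10/Oct/2004:13:57:10 +0200] "GET /setup.php HTTP/1.0" 404 301
10.0.0.9 - - [10/Oct/2004:13:57:11 +0200] "GET /old/backup.tar HTTP/1.0" 404 290
"""

LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+$')

def parse_log(text):
    """Parse common-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries

def pattern(entry):
    """Generalise a request so that similar accesses share one key:
    the query string is dropped and runs of digits collapse to '#'."""
    path = re.sub(r'\d+', '#', entry['path'].split('?', 1)[0])
    return (entry['method'], path, entry['status'])

def reduce_log(entries, max_fraction=0.2):
    """Anomaly-style reduction: keep only requests whose pattern is rare,
    i.e. accounts for at most max_fraction of all requests seen."""
    counts = Counter(pattern(e) for e in entries)
    total = len(entries)
    return [e for e in entries if counts[pattern(e)] / total <= max_fraction]

def to_dot(entries):
    """Emit the reduced log as a client -> path graph in Graphviz DOT syntax."""
    lines = ['digraph accesses {']
    for e in entries:
        lines.append(f'  "{e["host"]}" -> "{e["path"]}" [label="{e["status"]}"];')
    lines.append('}')
    return '\n'.join(lines)
```

`to_dot(reduce_log(parse_log(SAMPLE_LOG)))` yields DOT text that `dot -Tpng` renders; on the sample only the two rare 404 requests from 10.0.0.9 survive the reduction, which is the kind of residue an operator would inspect.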