not use fixed rules and parameter values to construct attack scenarios, but let security administrators define these things themselves. Doing so offers two advantages: the administrator is the person who knows her system best, and she will gain experience by tuning these settings herself.
3.3 User Interaction Component
This component allows administrators to interact with the system to change the way scenario construction and visualization work. We build a separate panel containing input elements that administrators can use to change the way scenario construction works. For example, administrators can adjust the time duration threshold that controls the relatedness between two events. To let administrators interact with the scenario visualization, we implement mouse actions such as hover and selection directly on the main visual interface. For example, administrators can click on a page to get more detailed information about that page that is not shown by default: how many times is it accessed by users? How many alerts are generated on that page?
4 Visualization Design
The main purpose of the visualization component is to display the attack scenarios effectively to security administrators. Once an attack (i.e. an alert generated by a web application IDS) is selected, its related events are collected. For a true attack, there are usually other suspicious events that happen together with it. For a false attack, it usually happens alone. By visualizing attacks and related events together, we think (but do not have a proof yet) that it is possible to distinguish false attacks from real ones.
At a minimum, an event collected either from a web server log or from a web application IDS includes:
The timestamp of the event
The page URI that raises the event
User agent information (IP address, agent name, version, etc.)
Additional information (query string, response code, etc.)
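The following is an added example, not code from the paper or its system. It normalises a few constructed web server log lines and IDS alerts into event records carrying the four fields listed above, then, for a selected alert, collects the related events using a tunable time duration threshold of the kind the user interaction component exposes, and computes the per-page access and alert counts an administrator would see when clicking a page. The same-client rule used to relate events, the Common Log Format input, and all sample data are assumptions of this example.

```python
"""Added example (not from the paper): event normalisation, relatedness by a
tunable time threshold, and per-page access/alert counts for the visualisation."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


@dataclass
class Event:
    """One event from a web server log or a web application IDS."""
    timestamp: datetime
    uri: str                 # page URI, query string stripped into `extra`
    client_ip: str
    user_agent: str
    extra: dict = field(default_factory=dict)
    is_alert: bool = False


# Constructed sample web server log (Common Log Format with referer and user agent).
ACCESS_LOG = """\
10.0.0.5 - - [10/Oct/2023:13:55:36 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 403 128 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:44 +0000] "GET /search?q=a HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Oct/2023:13:55:50 +0000] "GET /index HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.5 - - [10/Oct/2023:14:30:00 +0000] "GET /profile HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

# Constructed IDS alerts: (timestamp, page URI, client IP, user agent, signature name).
IDS_ALERTS: List[Tuple[str, str, str, str, str]] = [
    ("10/Oct/2023:13:55:44 +0000", "/search", "10.0.0.5", "Mozilla/5.0", "suspicious query string"),
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_access_log(text: str) -> List[Event]:
    """Turn log lines into Event records; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, _, query = m.group("target").partition("?")
        events.append(Event(
            timestamp=datetime.strptime(m.group("ts"), TS_FMT),
            uri=path,
            client_ip=m.group("ip"),
            user_agent=m.group("ua"),
            extra={"query": query, "status": int(m.group("status"))},
        ))
    return events


def parse_alerts(alerts) -> List[Event]:
    """Turn IDS alert tuples into Event records flagged as alerts."""
    return [
        Event(timestamp=datetime.strptime(ts, TS_FMT), uri=uri, client_ip=ip,
              user_agent=ua, extra={"signature": sig}, is_alert=True)
        for ts, uri, ip, ua, sig in alerts
    ]


def build_events() -> List[Event]:
    """Merge both sources into one timeline ordered by timestamp."""
    return sorted(parse_access_log(ACCESS_LOG) + parse_alerts(IDS_ALERTS),
                  key=lambda e: e.timestamp)


def select_alert(events: List[Event]) -> Event:
    """Pick the first alert; stands in for the administrator selecting it in the UI."""
    return next(e for e in events if e.is_alert)


def related_events(events: List[Event], alert: Event, threshold: timedelta) -> List[Event]:
    """Events from the same client whose timestamp lies within `threshold` of the alert.

    `threshold` is the tunable relatedness parameter; restricting to the same client
    IP is an assumption of this example, not a rule taken from the paper.
    """
    return [e for e in events
            if e is not alert
            and e.client_ip == alert.client_ip
            and abs(e.timestamp - alert.timestamp) <= threshold]


def page_summary(events: List[Event]) -> Dict[str, Dict[str, int]]:
    """Per-page counts shown on click: how often it was accessed and how many alerts it raised."""
    summary: Dict[str, Dict[str, int]] = {}
    for e in events:
        counts = summary.setdefault(e.uri, {"accesses": 0, "alerts": 0})
        counts["alerts" if e.is_alert else "accesses"] += 1
    return summary


if __name__ == "__main__":
    timeline = build_events()
    alert = select_alert(timeline)
    for seconds in (5, 60):
        rel = related_events(timeline, alert, timedelta(seconds=seconds))
        print(f"threshold {seconds}s:", [e.uri for e in rel])
    print(page_summary(timeline))
```

Widening the threshold from 5 to 60 seconds pulls the earlier /login request into the scenario, while the request from the other client and the /profile request half an hour later stay out at either setting; this is the kind of tuning the administrator is expected to do by hand.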
In this work, the main goal of our visualization is to show how an attack scenario develops through time (when the chain of events happens) and space (which pages the chain of events accesses). Seeing the attack scenarios in space and time coordinate systems can give security administrators some information about what happens before an attack is launched (events in the preparation phase) and what happens after it (events in the consequence phase). In other words, administrators can learn useful things about the attack process an attacker uses: what she does to prepare for an attack, what she does if an attack is successful, what she does to clear her traces, etc.
In the space-time visualization system that we use to visualize attack scenarios, there are two main visual areas: a time-oriented coordinate system area and a space-oriented coordinate system area. They are depicted in Fig. 2.