The Importance of Time in the Identification of Anomalous Situations by Means of MOVICAB-IDS

Intrusion Detection Systems (IDSs) are a part of the computer security infrastructure of most organizations. They are designed to detect suspect patterns by monitoring and analysing computer network events. Different areas of artificial intelligence, statistical and signature verification techniques have been applied in the field of IDSs. Additionally, visualization tools have been applied for intrusion detection, some of them providing visual measurements of network traffic. As described in previous works, MOVICAB-IDS (MObile VIsualization Cooperative Agent-Based IDS) is a bio-inspired tool based on the use of unsupervised Neural Networks (NN), and provides the network administrator with a snapshot of network traffic, protocol interactions and traffic volume. It offers a complete and more intuitive visualization of the network traffic by depicting each simple packet. To improve the accessibility of the system, the administrator may visualize the results on a mobile device (such as PDA’s, mobile phones or embedded devices), enabling informed decisions to be taken anywhere and at any time. It is a combination of a connectionist model and a multiagent system enriched by a functional and mobile visualization. The viability and effectiveness of MOVICAB-IDS has been shown in previous works. This paper focuses on the importance of the time-information dependence in the identification of anomalous situations in the case of the proposed model. Several experiments show that the connectionist method on which MOVICAB-IDS is based (that has never been applied to the IDS and network security field before the beginning of this research) can highlight the evolution of packets along time. That is, MOVICAB-IDS identifies anomalous situations by taking into account the time-related dimension among others and by using unsupervised bio-inspired models

Systematic literature review for malware visualization techniques

Analyzing the activities or the behaviors of malicious scripts highly depends on extracted features. It is also significant to know which features are more effective for certain visualization types. Similarly, selecting an appropriate visualization technique plays a key role for analytical descriptive, diagnostic, predictive and prescriptive. Thus, the visualization technique should provide understandable information about the malicious code activities. This paper followed systematic literature review method in order to review the extracted features that are used to identify the malware, different types of visualization techniques and guidelines to select the right visualization techniques. An advanced search has been performed in most relevant digital libraries to obtain potentially relevant articles. The results demonstrate significant resources and types of features that are important to analyze malware activities and common visualization techniques that are currently used and methods to choose the right visualization technique in order to analyze the security events effectively

MOVICAB-IDS: Visual Analysis of Network Traffic Data Streams for Intrusion Detection

MOVICAB-IDS enables the more interesting projections of a massive traffic data set to be analysed, thereby providing an overview of any possible anomalous situations taking place on a computer network. This IDS responds to the challenges presented by traffic volume and diversity. It is a connectionist agent-based model extended by means of a functional and mobile visualization interface. The IDS is designed to be more flexible, accessible and portable by running on a great variety of applications, including small mobile ones such as PDA’s, mobile phones or embedded devices. Furthermore, its effectiveness has been demonstrated in different tests

Testing CAB-IDS Through Mutations: On the Identification of Network Scans

This study demonstrates the ability of powerful visualization tools (based on the use of connectionist models) to identify network intrusion attempts in an effective and reliable manner. It presents a novel technique to test and evaluate a previously developed network-based intrusion detection system (IDS). This technique applies mutant operators and is intended to test IDSs using numerical data sets. It should be made clear that some mutations were discarded as they did not all provide real life situations. As an application example of the proposed testing model, it has been specially applied to the identification of network scans and mutations of these. The tested Connectionist Agent-Based IDS (CAB-IDS) is used as a method to investigate the traffic which travels along the analysed network, detecting anomalous traffic patterns. The specific tests performed in this study were based on the mutation of one or several variables analysed by CAB-IDS

Neural visualization of network traffic data for intrusion detection

This study introduces and describes a novel intrusion detection system (IDS) called MOVCIDS (mobile visualization connectionist IDS). This system applies neural projection architectures to detect anomalous situations taking place in a computer network. By its advanced visualization facilities, the proposed IDS allows providing an overview of the network traffic as well as identifying anomalous situations tackled by computer networks, responding to the challenges presented by volume, dynamics and diversity of the traffic, including novel (0-day) attacks. MOVCIDS provides a novel point of view in the field of IDSs by enabling the most interesting projections (based on the fourth order statistics; the kurtosis index) of a massive traffic dataset to be extracted. These projections are then depicted through a functional and mobile visualization interface, providing visual information of the internal structure of the traffic data. The interface makes MOVCIDS accessible from any mobile device to give more accessibility to network administrators, enabling continuous visualization, monitoring and supervision of computer networks. Additionally, a novel testing technique has been developed to evaluate MOVCIDS and other IDSs employing numerical datasets. To show the performance and validate the proposed IDS, it has been tested in different real domains containing several attacks and anomalous situations. In addition, the importance of the temporal dimension on intrusion detection, and the ability of this IDS to process it, are emphasized in this workJunta de Castilla and Leon project BU006A08, Business intelligence for production within the framework of the Instituto Tecnologico de Cas-tilla y Leon (ITCL) and the Agencia de Desarrollo Empresarial (ADE), and the Spanish Ministry of Education and Innovation project CIT-020000-2008-2. The authors would also like to thank the vehicle interior manufacturer, Grupo Antolin Ingenieria S. A., within the framework of the project MAGNO2008-1028-CENIT Project funded by the Spanish Government

A Survey, Taxonomy, and Analysis of Network Security Visualization Techniques

Network security visualization is a relatively new field and is quickly gaining momentum. Network security visualization allows the display and projection of the network or system data, in hope to efficiently monitor and protect the system from any intrusions or possible attacks. Intrusions and attacks are constantly continuing to increase in number, size, and complexity. Textually reading through log files or other textual sources is currently insufficient to secure a network or system. Using graphical visualization, security information is presented visually, and not only by text. Without network security visualization, reading through log files or other textual sources is an endless and aggravating task for network security analysts. Visualization provides a method of displaying large volume of information in a relatively small space. It also makes patterns easier to detect, recognize, and analyze. This can help security experts to detect problems that may otherwise be missed in reading text based log files. Network security visualization has become an active research field in the past six years and a large number of visualization techniques have been proposed. A comprehensive analysis of the existing techniques is needed to help network security designers make informed decisions about the appropriate visualization techniques under various circumstances. Moreover, a taxonomy of the existing visualization techniques is needed to classify the existing network security visualization techniques and present a high level overview of the field. In this thesis, the author surveyed the field of network security visualization. Specifically, the author analyzed the network security visualization techniques from the perspective of data model, visual primitives, security analysis tasks, user interaction, and other design issues. Various statistics were generated from the literatures. Based on this analysis, the author has attempted to generate useful guidelines and principles for designing effective network security visualization techniques. The author also proposed a taxonomy for the security visualization techniques. To the author’s knowledge, this is the first attempt to generate a taxonomy for network security visualization. Finally, the author evaluated the existing network security visualization techniques and discussed their characteristics and limitations. For future research, the author also discussed some open research problems in this field. This research is a step towards a thorough analysis of the problem space and the solution space in network security visualization

User and group profiling based on user process usage

User profiling based on process usage is on approach for adding an extra security layer to our computer systems. In addition it can be of great value for classification of a company/school network and the their user groups. Groups, or classes of users, in a company might belong to the same division or department that solve similar tasks. In a company, accountants probably use the same set of tools, as would a group of students in a graphic design class. Studying if these similarities in the process that they use, can say something about an individual or a group. It is valuable in the terms of analyzing individual user and group behavior. Recognizing individual users behavior, provides the possibility of an extra layer of security in the form of an authentication scheme. Recognizing group behavior might provide valuable insight when it comes to building a profile for a new user, and see why this user fits the group or not. This thesis makes use of statistical approaches to discuss the possibility of using process profiling to classify users into groups.Master i nettverks- og systemadministrasjo