KR20060013120A - Method of visualizing intrusion detection using correlation of intrusion detection alert message - Google Patents

Abstract

The present invention provides a method of visualizing an intrusion detection warning message to allow intuitive recognition of an intrusion. The present invention may provide information by visualizing an attack that does not appear as an abnormal behavior of a user or does not cause characteristic traffic of a network by visualizing a warning message itself of an intrusion detection system. The present invention facilitates analysis and tracking of intrusions by security administrators by visualizing the highlighting and correlation information of alert messages through filtering. A wide range of visualizations and detailed visualizations were also provided to identify the overall frequency and relationship of attacks, while tracking the relationship between detailed warning meshes. The present invention was able to quickly and intuitively grasp information on a plurality of warning messages through the visualization of the warning message itself, and visually analyze and track the relationship between related warning messages by visualizing the correlation analysis. It also allows you to classify false positives for warning messages that are not related to other warning messages. Highlighting and elimination of alert messages through filtering eliminates false positives while keeping administrators from missing important alert messages.

Description

Method of visualizing intrusion detection using correlation of intrusion detection alert message}

1 is a conceptual diagram illustrating the detection of a worm through a conventional GrIDS.

2 is a diagram illustrating a Snort detection result of network data without an existing attack.

3 is a graph illustrating a warning message visualization for a conventional distributed denial of service attack.

4 is a configuration diagram showing a warning message visualization structure according to the present invention.

5 is a configuration diagram illustrating a wide area visualization performing procedure of the present invention.

6 is a graph for explaining a warning message histogram of the present invention.

7 is a warning message mapping graph of the present invention.

8 is a configuration diagram illustrating a detailed visualization procedure of the present invention.

9 is a screen illustrating a warning message list of the warning message visualization tool of the present invention.

10 is a screen illustrating a wide area, detailed visualization of the warning message visualization tool of the present invention.

<Explanation of symbols for the main parts of the drawings>

40 ... Intrusion Detection System, 50 ... Database

60 ... visualization analysis, 70 ... wide visualization

80 ... filter alert messages, 90 ... relationship analysis

100 ... Detail Visualization

The present invention relates to a method for visualizing an intrusion detection message to intuitively recognize an intrusion. More particularly, the present invention relates to a warning message itself of an intrusion detection system, out of the way of visualizing existing user behavior or network traffic information. The present invention relates to an intrusion detection visualization method using correlation of an intrusion detection warning message that can provide information by visualizing an attack which does not appear as an abnormal behavior of a user or does not cause characteristic traffic of a network.

An intrusion detection system, along with a firewall, is a widely used security system that has the ability to detect and report on unauthorized user intrusions into a computer system or network. Although various classifications of intrusion detection systems have been proposed, generally, classification methods based on COAST are mainly used. The classification method by COAST divides the intrusion detection system into host-based and network-based according to the audit data source, and according to the detection model, misuse-based Classify as Anomaly-based.

Host-based intrusion detection system uses the operating system, process information, and user behavior as audit data, and network-based intrusion detection system uses network traffic information and packet information as audit data. Early intrusion detection systems were mainly host-based, but modern commercial intrusion detection systems are mainly network-based.

Intrusion detection systems by misuse detection include Snort, STAT and NetSTAT. Misuse detection has a pattern for known intrusions and compares it with audit data to detect intrusions if they match this pattern. Misuse detection can provide accurate names and information about detected attacks, but cannot detect new attacks that do not have a detection pattern, and cannot be detected if the patterns of the attack are modified to circumvent existing detection patterns. It has a disadvantage.

Anomaly detection records a normal state of behavior without an intrusion into a profile, and if the audit data is out of this steady state profile, it is detected as an intrusion. Anomaly detection can detect new attacks that deviate from the normal state, but does not provide accurate names and information on the detected attacks, and causes a lot of detection errors because the user's normal behavior varies. Therefore, the recent detection of abnormal behavior has been focused on using the program information from the user information. Information about the execution of the program is organized into profiles using system calls, which are used to detect intrusions. Abnormal behavior detection using system call is relatively limited in scope of system call, and the change of system call by program execution is not big compared to user's change, and it does not change as frequently as user's behavior. have. Network-based anomaly detection detects an intrusion by creating a steady-state profile using information on the packet's starting address, arrival address, port number, and various flags. Recently, a method of detecting an attack code present in a packet by profiling information on transmission data in the packet has also been proposed.

First, various techniques for association analysis and integration of intrusion detection warning messages applied to the present invention and the prior art will be described.

In order to analyze the valid warning messages related to the actual attack among the many warning messages and positive errors from the intrusion detection system, a lot of researches have been conducted on the analysis and integration of the warning messages. The intrusion starts with generating a number of warning messages. Even attacks that generate a small amount of traffic, such as a buffer overflow attack, can make several related attempts because the attacker cannot succeed in one attempt. In addition, the attacker will perform a lot of scanning to identify the network configuration or find vulnerable systems prior to a full-scale attack. These attempts will generate a number of warning messages by the intrusion detection system. An attack that generates a large amount of network traffic, such as a distributed denial of service attack, generates a large number of warning messages in a short time, all of which are of the same kind and have one or a few targets. Therefore, by analyzing the association between these warning messages, more detailed information about the intrusion can be obtained. Also, individual warning messages that are not associated with other warning messages are likely false positives. In other words, relevance analysis and integration of warning messages integrate related warning messages into one and provide a way to overcome false positives.

Correlation and integration of warning messages can be analyzed by evaluating the similarity between warning messages, or by analyzing the associated warning messages using the preceding and following relationships between warning messages. One way to do this is to combine the alert messages that match these rules using rules that describe the order or the sequence of related alert messages.

A. Association analysis using stochastic similarity

Correlation analysis and integration of warning messages using probabilistic similarity evaluation formula evaluates the similarity between each component of warning message and weighted average of similarity between each component to obtain total similarity. When the total similarity between warning messages exceeds a specified threshold, the information is consolidated into one warning message. For similarity evaluation, the attack start address, destination address, attack time, and attack type are used. The similarity between the attack's origin and destination addresses is to assess the similarity of IP addresses. For example, if the IP addresses of two warning messages are in the same subnet, they will have a higher similarity. Also, in terms of time, the smaller the time interval between two warning messages, the higher the similarity value. Similarity between attack types can be assessed using a matrix matrix that records the similarity between each attack. The similarity value for each evaluated element is obtained by using weights according to each element, and when the value exceeds a predetermined threshold, it is integrated into one warning message.

Correlation analysis and integration using probability estimates overcome the problems of flooding and false positives in warning messages by integrating related warning messages into one, using high similarity between IP addresses or types of attacks between related attacks. .

Correlation analysis using probability estimates does not require the security administrator to describe the associated warning messages, and has the advantage of automatically identifying the associations. However, it is difficult for security administrators to know the causal relationship between warning messages that need to be associated or integrated because it uses an evaluation formula to analyze the association. In addition, there is a problem that it is difficult to define variables such as weights and factors that should be used in the evaluation expression.

B. Correlation analysis through predecessor relationship evaluation

The method of analyzing and integrating the correlations between messages using rules describing the preceding and following relationships between warning messages is integrated with the analysis of correlations by evaluating and comparing the prerequisites and consequences of a warning message. Will be performed. The warning messages are translated and evaluated using a prototype describing their predecessor and postrelationships, with a new warning message that records the predecessor and trailing relationship. Predecessors and trailing relationships describe the prerequisites for the attack indicated by the warning message and the attacks and risks that can be followed if the attack is successful. For example, a buffer overflow attack against a particular daemon has a prerequisite that the daemon must be running before that attack and scanning for that daemon from the attacker's IP address. In addition, if the attack is successfully executed, the attacker has the following relations that can perform other attacks with the administrator's authority of the system. The correlation analysis compares the preceding relations of the preceding warning messages with the preceding relations of the preceding warning messages, and correlates the two warning messages if the preceding relations of the preceding warning messages match the preceding conditions of the following warning messages.

Correlation analysis using leading and trailing relationships has the advantage of being able to grasp the clear causal relationship between related warning messages, and to analyze and identify unknown associations because it explores all possible combinations. However, one warning message has a number of prerequisites and trailing conditions, and it is difficult to apply in real time because it performs a multi-to-multi evaluation between all warning messages.

C. Association Analysis Using Explicit Rules

Association analysis and integration using explicit rules allow alert messages to be grouped together into a single group by specific criteria, or to associate and consolidate alert messages using rules describing the sequence of related attacks. do.

A) Relationship by homogeneity

The classification into the same group is classified into similar situations using three criteria: the attack address, the destination address, and the type of attack. These are the most significant when classifying attacks into the same group by homogeneity, which is classified into seven categories.

Similarity 1 - all kinds of attacks, the source address, destination address matches

Similar situation 2-1 - Match start address and destination address

Similar situation 2-2 - Type of attack and destination address match

Similarity 2-3-Type of attack, starting address match

Similarity 3-1-Attack Start Address

Similar situation 3-2-Attack destination address match

Similarities 3-3-Types of Attacks Match

The similar situation 1 may appear when an attacker performs multiple attacks such as a buffer overflow from one system to another target system. Similarity 2-1 occurs when the same attacker attempts different attacks against the same target system. Similar situation 2-2 occurs in the case of a distributed denial of service attack. Similar situations, such as 2-3, appear when attacking multiple systems from one system such as scanning.

If the warning message satisfies different similar situations in duplicate, the similarity constituting the similar situation follows a more specific case. For example, if an attack satisfies Similarity 1, then it satisfies Similarity 2 and 3, and if it matches multiple similarities, it is evaluated as the most specific Similarity 1.

Similarity due to homogeneity is simple enough to categorize the relevant warning messages appropriate for real-time execution. However, for warning messages with less homogeneity, there is a limit in the association, and it is difficult to identify the causal relationship between the associated warning messages.

B) Associations by sequentiality

Classification by homogeneity makes it difficult to know the clear causal relationship between the associated warning messages. Nor can you accurately track and analyze the flow of a particular attack. Thus, a rule is used to describe the sequence of related attacks, and to correlate warning messages that match this rule in turn. Rules are written by describing the sequence of attacks, the time conditions for their association, and the types, risks, and information of the attacks that can represent them collectively.

This association analysis and integration method is suitable for application in real time by using rules, and has the advantage of identifying causality between warning messages by using sequentiality. However, the rule used in the association by analyzing the relationship between the warning messages related to the dictionary has a disadvantage to be described. This disadvantage can be partially overcome by the classification of warning messages by identity.

Correlation analysis and integration described above assist in the processing of large numbers of warning messages by integrating related warning messages. Unrelated warning messages are also likely to be positive errors, providing a solution to positive errors. However, security administrators still need to analyze these warning messages in a list and analyze the information about the warning messages prior to association to determine if the associated warning message is valid.

Hereinafter, an intrusion detection technique through visualization will be described.

Visualization, which is being studied as an alternative to a large number of alert messages, allows security administrators to intuitively recognize information about intrusions, enabling rapid analysis and response. Visualization studies on intrusion detection are mostly based on detection of abnormal behaviors, and they take the form of visualizing the underlying data to detect abnormal behaviors rather than visualizing intrusion detection warning messages themselves.

A. Visualize the user's abnormal behavior

As a visualization method for host-based intrusion detection, there is a method of learning the normal state of a command or a program executed by a user and comparing and visualizing and displaying audit data. Information about the execution of a command or the execution of a program in a state without an attack is prepared as a normal state profile, and the execution of the command or the program by the user is audited and compared with the normal state. Visualization is performed by dividing into wide area visualization and detailed visualization, and the wide area visualization shows the amount of audit data that is out of the normal state by using a tree representing the system and the user as nodes, and the detailed visualization shows the system and the user. The horizontal axis is displayed using grid cells representing time. Cells in the grid are red if the audited data is outside of the steady-state profile, yellow for important commands and programs running in the system, blue for safe commands, and green for unknown hazards. Will be displayed. Finally, the visualized information is distorted by projecting it on an elliptic curve in order to show as much information as possible on a limited screen and to be able to search them. In this way, the currently selected area is displayed as the largest, and information far from the selected area is gradually displayed as small.

Such visualization can quickly recognize and analyze abnormal behavior of users, but this method cannot monitor suspicious activity on the network and cannot detect attacks that exploit new vulnerabilities in normal-learned instructions. .

B. Visualization of Network Traffic

A visual representation of information about the traffic on the network is to detect intrusions using graphical characteristics that differ from the normal state at the time of the attack. By using the computers on the network as nodes and displaying the amount and type of traffic between them, suddenly a lot of traffic is concentrated on a small number of systems, such as a distributed denial of service attack, or a system infected by a worm suddenly attacks a large number of systems. Intrusion detection can be performed by visually displaying increasing traffic.

Also, a network traffic visualization is used to extract feature features at the time of attack and to implement abnormal behavior detection and visualize it. It visualizes information such as packet's starting address, destination address, protocol, port number, and detects abnormal behavior by finding elements that are characteristic at the time of attack.

However, they do not visualize intrusion detection warning messages themselves, but rather visualize intrusion-related information to identify abnormal behavior. This is useful for detecting distributed denial of service attacks or worms that generate large amounts of traffic, but cannot analyze attacks that generate only a few traffic.

C. GrIDS

GrIDS distributes intrusion detection systems across large networks, and monitors and tracks suspicious activity in large networks by constructing graphs that represent alert messages from each node as nodes and alert messages between systems as lines. I can do it. GrIDS analyzes the warning message itself in the form of a graph, which can be used to monitor the attacker's activity in the network, and to analyze and track worm propagation.

Figure 1 shows the detection of malicious traffic propagated by the worm by GrIDS. Each node in FIG. 1 represents a system infected with a worm, and a line between nodes represents traffic by a worm. The worm, which was originally started on System A, infects the surrounding system and shows propagation back to the surrounding system through the infected systems.

GrIDS provides a graph-based method for detecting and tracking intrusions in large networks, but it is not a study of visualization. It is also not suitable as a way to visually express the relationship between individual alert messages as it is suitable for large networks.

As we have seen, there are various approaches to intrusion detection systems, but current intrusion detection systems still have some problems. The first is the flooding of warning messages. Intrusion detection systems send numerous warning messages to administrators for attacks such as DDoS Distribute Denial of Service, IP, and port scanning. The second is a false positive. This is not an attack, but is detected as an attack and sent a warning message to the administrator. There are many causes of positive detection errors, but they are often caused by inaccurate detection pattern descriptions, changes in the user's normal behavior, or similarities between normal flow and attack patterns in the network. Finally, current intrusion detection systems do not consider the context between attacks. Therefore, the administrator must analyze the common characteristics or relations among the warning messages generated in order to find the actual intrusion and respond. However, this task is expensive because of the many warning messages and many positive detection errors described above that require analysis. In order to overcome this problem, efforts are being made to integrate a large number of warning messages into one by analyzing the relationship between the warning messages and many studies to reduce the positive detection error. In addition, research is being actively conducted on intrusion detection visualization to enable security administrators to recognize intrusions intuitively.

Intrusion detection systems generate a large number of warning messages, including false positives, making it difficult for security administrators to obtain accurate information within them. Warning messages such as "Error! No reference source found" are the result of Snort's detection of a day's worth of network traffic without attack from DARPA's 99 year intrusion detection system assessment data. As shown in (a) of FIG. 2, even when there is no attack, Snort generates 20,000 warning messages. In addition, such a warning message is provided in the form of a list as shown in FIG. Therefore, it is difficult for a user to analyze a valid warning message among many warning messages.

Intrusion detection visualization solves these challenges and provides intuitive information about intrusions, enabling administrators to quickly analyze and respond. Problems of existing visualizations are as follows.

Traditional intrusion detection visualizations do not visualize alert messages from intrusion detection systems, but rather detect intrusions by visualizing user behavior or network traffic information. Visually expressing the user's abnormal behavior on a host basis cannot monitor suspicious activity on the network, nor detect attacks that exploit new vulnerabilities in normal-learned instructions.

Since network-based visualization mainly uses a method of recognizing an abnormal network state by visualizing various kinds of information of network traffic, it cannot provide useful information about an attack that does not generate characteristic traffic.

In the present invention, by visualizing the warning message itself, it is possible to provide visualized information even for individual attacks that do not cause distinctive features in visualization through network traffic. It provides a visualization method that can more efficiently support the analysis using messages.

In addition, the present invention provides a visualization method to visualize the warning message itself of the intrusion detection system, to provide useful information for analysis and tracking of attacks that do not generate characteristic traffic.

The present invention analyzes the problems and limitations of simple intrusion detection warning message visualization, and provides an extended visualization method incorporating an analysis of warning messages in order to overcome them.

The present invention provides a method for visualizing the warning message itself of the intrusion detection system in order to achieve the above technical problem.

Preferably it includes a wide area visualization process that provides overall information on the alert message and a detailed visualization process that displays the relationship between the information of the individual alert message and the alert message.

Preferably, the wide-area visualization process is characterized in that the amount of warning messages over time is represented by a histogram, and the relationship between the main elements constituting the warning message is represented by a mapping graph.

Preferably, the step of counting the warning message by a predetermined time unit for the histogram in the warning message counting step; The counted result value is visualized as the height of the histogram, and the color number search step evaluates whether the counted value exceeds a threshold and specifies a color of the histogram; The warning message may include searching for a color list for a mapping graph in the color list search step 510 to obtain color information according to the type of attack; If there is no color information of the attack in the color list, allocating a new color to register the type and color information of the attack in the color list; Next, the warning message may be obtained by searching for a coordinate value of each axis of the mapping graph in the mapping coordinate list in the mapping coordinate search step; If a coordinate value on a certain axis is not specified in the list, newly assigning and registering the coordinate value; And the color and coordinate information thus obtained are visualized in the mapping graph in the mapping graph visualization step.

Preferably, the step of evaluating whether the numerical value counted by a specific time unit in the warning message count step to create a histogram for the warning message exceeds a threshold designated by the user in the threshold evaluation step; And a histogram visualization step of displaying a histogram in a specific color designated in the histogram visualization step so that a user can easily recognize the result when the user evaluates the state of the attention or warning through the threshold evaluation.

Preferably, the detailed visualization process uses the correlation analysis after filtering the warning message of the intrusion detection system and the result of the correlation analysis, so that the security administrator intuitively recognizes the information of the intrusion in the intrusion detection messages. Make analysis and response quick and easy,

Preferably the step comprises providing the wide area visualization and detailed visualization to identify the overall frequency and relationship of the attack, as well as to recognize the relationship between the detailed warning messages.

Preferably, warning messages that are isolated and not associated with other warning messages can be classified as false positives and eliminated.

Hereinafter, the configuration and operation of the intrusion detection visualization method using the correlation of the intrusion detection warning message of the present invention will be described in detail with reference to the accompanying drawings.

First, before describing the intrusion detection visualization method using the correlation of the intrusion detection warning message of the present invention, a simple visualization method of the intrusion detection warning message will be described.

Because intrusion detection systems generate many warning messages that contain a large number of false positives, a simple visualization of these warning messages does not benefit. We will analyze and view the information that can be obtained through simple visualization of intrusion detection messages and identify the disadvantages of this approach.

3 is part of intrusion detection visualization using DARPA's 2000 intrusion detection system assessment data. In the visualization used in FIG. 3, dots of different colors are taken according to the type of warning message, (a) indicates the starting address of the warning message on the horizontal axis, and the arrival address on the vertical axis, and (b) starts the time on the horizontal axis. The address is shown on the vertical axis.

Figure 3 illustrates the massive scanning and distributed denial of service attacks. A series of warning messages (parallel to the vertical axis) in (a) shows that an attack of the same color is being executed against a number of systems from one system. This is characteristic of scanning attacks from one system to multiple internal systems. The series of attacks shown parallel to the horizontal axis in (a) shows that the same attack is being performed on multiple systems against one system, and (b) shows that such attacks are concentrated at a specific point in time. Giving. As shown in FIG. 3, the warning message was visualized to allow intuitive recognition of scanning and distributed denial of service attacks. However, these attacks generate characteristic traffic, which can be detected by visualization of existing network traffic. In the simple visualization of the warning message of FIG. 3, since the individual intrusion detection messages are displayed as a single point, information about them is buried. Although the attack of the administrator authority is shown in FIG. 3, it cannot be recognized because it does not provide visually clear information. Also, because they cannot express the relationship between warning messages, the administrator must still analyze the listed warning messages to analyze the relationship between them. Therefore, there is a need for an approach to overcome this in the visualization of warning messages.

In order to overcome the shortcomings of simple visualization of warning messages, we implemented an intrusion detection visualization method using the correlation of warning messages. The overall structure of the visualization of the present invention is as shown in FIG.

As shown in FIG. 4, the visualization method of the present invention provides a wide-area visualization process 60 and 70 for providing overall information on the warning message and a detailed visualization process 60 for displaying the relationship between the information of the individual warning message and the warning message. , 80, 90, 100).

In FIG. 4, the warning message from the intrusion detection system 40 is stored in the database 50, and the visualization analysis 60, which is a visualization tool, reads the warning message stored in the database 50 to perform visualization. The warning message obtained from the database 50 is converted into basic visualization information by analyzing the information necessary for visualization, and performs the analysis required for the wide area visualization and updates statistical information in the wide area visualization step 70. The updated information is immediately reflected in the wide area visualization.

For the detailed visualization process, the filtering 80 and the correlation analysis 90 for the warning message in which the visualization analysis 60 is performed are additionally performed. The alert message filtering 80 emphasizes the visualization or does not visualize non-critical alert messages so that important alert messages are not buried in the visualization information of other alert messages. The correlation analysis 90 analyzes the relationship between the warning messages using the association rule and converts the relationship between them into visualization information. Finally, the detailed visualization 100 is performed by reflecting such information.

Wide area visualization 70 is to express the overall information about the warning message that is not represented in the detailed visualization to intuitively grasp. The wide area visualization 70 expresses the amount of warning messages over time as a histogram and expresses the relationship between the main elements of the warning messages using a mapping graph.

5 shows the overall performance of the global visualization. The warning message is counted in units of time for the histogram in the warning message counting step 500. This number is visualized with the height of the histogram and specifies the color of the histogram by evaluating whether the number counted in color list search step 510 exceeds a threshold. In addition, the warning message searches for the color list 520 for the mapping graph in the color list search step 510 to obtain color information according to the type of attack. If there is no color information of the attack in the color list 520, a new color is assigned to register the type and color information of the attack in the color list. Next, the warning message is obtained by searching the mapping values list 540 for the coordinate values of each axis of the mapping graph in the mapping coordinate search step 530. If the coordinate value of a certain axis is not specified in the list, a new coordinate value is assigned and registered. The color and coordinate information thus obtained are visualized in the mapping graph in the mapping graph visualization step 550.

In addition, in order to create a histogram for the warning message in FIG. 5, the value counted by a specific time unit in the warning message counting step 500 evaluates whether or not the threshold value specified by the user is exceeded in the threshold evaluation step 560. Done. The threshold can be set in two ways: attention and warning. Attention evaluates the occurrence of more warning messages than normal at a given time, and the warning evaluates the occurrence of a large amount of warning messages that interfere with normal system or network activity such as distributed denial of service attacks. When evaluated as a state of attention or warning through the threshold evaluation, the histogram is displayed in a specific color designated in the histogram visualization step 570 so that the user can easily recognize it. 6 shows a state of such a histogram.

Histograms of alert messages help security administrators easily identify when a large number of alert messages are generated at any given time in the analysis of intrusions. Histograms provide an intuitive way to identify attacks that generate many warning messages at a specific time, such as scanning, denial of service attacks, and worms.

In the warning message mapping graph, warning messages have elements in common, such as the start address or destination address of a detected attack. The mapping graph of the wide area visualization provides an overview of the warning messages by mapping the relationship between the five basic elements of the warning message.

The mapping graph used in the visualization method of the present invention shows the relationship between the five elements of the detected attack time, attack type, start address (src), destination address (dst), and protocol (protocol). Mappings show the relationship between them. 7 shows the appearance of a mapping graph having five elements.

The mapping graph shows the percentage of warning messages in five elements and allows you to see the relationship between them. Through the mapping graph, you can intuitively identify scanning, denial-of-service attacks, etc., and find positive errors that occur continuously due to the characteristics of the network.

In FIG. 7, the mapping graph between the time and the attack type shows that a positive error occurs continuously even when no attack occurs. Analyzing the graph shows that it is detected as one specific attack type in all time domains, which shows a positive error that occurs continuously due to the characteristics of the network. These false positives occur when traffic that is constantly detected, such as heartbeat signals between specific systems, is mistakenly detected as an attack.

The detailed visualization step 100 of FIG. 4 visualizes information of individual warning messages that cannot be described in detail in the wide area visualization, and provides information on intrusions that cannot be shown in the wide area visualization by visualizing and expressing the relationship between them. Through detailed visualization, the security administrator can intuitively recognize the type of attack, the time when the attack occurred, the location of the attacker or the target system, and the relationship between the attacks.

The warning messages are displayed with different colored dots according to the type and importance of the attack. The coordinates of the points indicate the time of the attack and the address of the attacker or the target system. Since this visualization alone has limited information and cannot analyze the relationship between the warning messages, the proposed visualization performs an association analysis in addition to the associated warning messages using different colored lines based on these relationships. By linking them together, the relationship between warning messages can be understood intuitively. 8 shows a procedure of performing detailed visualization.

Referring to FIG. 8, the detailed visualization step includes alert message filtering 820 after color list search 810, association analysis 840, and graph visualization 860.

Warning messages are displayed in different colors according to the type of attack, and the filtering separates the warning message that should be highlighted and the warning message to be removed from the visualization. If all warning messages are marked with the same dot, it is difficult to find important warning messages. Rather than paying attention to every warning message listed, the security administrator tracks and responds to intrusions by analyzing the warning messages associated with the critical attack. Therefore, in the visualization, the warning message filtering 820 is performed after the color list search 810 in order to highlight the warning message importantly recognized by the administrator so that the administrator can intuitively recognize the warning message.

Another purpose of the alert message filtering 820 is to filter out a meaningless alert message such as a positive error that occurs continuously. The administrator can specify which warning messages should be highlighted and which warning messages should be removed by filtering. Therefore, the security administrator may add filtering rule 830 to visually express high-risk attacks and attacks on critical systems in the network.

In addition, the correlation analysis 840 of the detailed visualization uses the association rule 850. Association analysis 840 using the association rule 850 provides an advantage of intuitively analyzing the relationship between warning messages through visualization so that the relationship between the associated warning messages can be clearly understood, and the manual analysis rule can be ruled out. It has the advantage that can be expressed by combining. In addition, association analysis using association rules is suitable for real-time applications. The relationship between the warning messages that can be used for the correlation analysis can be divided into the homogeneity of the association and the sequentiality of the association by evaluating the specific sequential relationship of the warning messages based on the common characteristics between the warning messages.

Association evaluation by homogeneity evaluates warning messages that can be grouped into common characteristics by specific criteria. Assessing correlation by homogeneity used in detailed visualization of the present invention uses classification according to similar situations. In the present invention, the similar situation is newly constructed and the criteria are extended to be suitable for visualization.

In the detailed visualization of the present invention, since different types of attacks are represented by different colored dots, the same type of attack can be intuitively recognized. Therefore, the type of attack is not required as a classification criteria of similar situations. In the detailed visualization of the present invention, necessary similar situations were reconstructed as follows.

Similarity 1-The attack address and destination address all match

Similarity 2-1-Attack start address is same

Similar situation 2-2-Attack destination address match

However, the user can apply all seven similar situations based on the type of attack if necessary, or use a combination of extended similar situation criteria. In the detailed visualization of the present invention, the IP address and the port number can be separated and used as a reference, and the protocol, the risk of attack, and the type of attack have been extended to be used as the standard of similar situations. Extended criteria help to categorize more similar situations. The proposed visualization connects the warning messages related to these similar situations with a line, and is assigned a different color according to the type of similar situation.

Assessing the associations by sequentiality evaluates the cases in which the attacks proceed in a particular order. This method allows a single large attack to be performed in its entirety, but at a finer level it can be associated with different stages of attack. The description of the relationship by sequentiality is made by enumerating the types of attacks for each stage and describing the evaluation time interval between each attacks. In evaluating associations by sequentiality, if a particular attack matches a rule, the next attack is detected within the stated time interval and associated and marked.

The implementation of the visualization method of the present invention is as shown in FIGS. 9 and 10. 9 shows a warning message in the form of a list read from a database. In FIG. 9, the security manager may view a warning message in a list form with visualized information. 10 is a view visualizing and displaying a warning message. 10 (c) and 10 (d) show wide area visualizations, respectively, showing histograms and mapping graphs of warning messages. (a) shows the detailed visualization and visualizes each warning message in different colors and connects the relationship between them by a line. In addition, the warning message registered by the administrator as an important attack in the filtering rule is highlighted by a white circle around the point. (b) displays detailed information on the warning message indicating the point when the corresponding point is clicked with the mouse in the detailed visualization. In addition, the user can determine the relationship and location of the warning messages in more detail by using the zoom in and zoom out buttons. Alert messages, highlighted by filtering, are automatically resized so that they are always visible even when the graph is zoomed in or out.

This visualization tool allows security administrators to track the volume of alert messages at a specific time, the type and risk of alert messages encountered, the location of attackers and target systems, the tracking of alert messages related to the occurrence of critical alert messages, and similar alert messages. Intuitive analysis can be used to enable faster and more efficient intrusion analysis and response than lists. In addition, when detailed information on the warning message displayed in the visualization is required, detailed information can be provided by selecting the point with a mouse.

The present invention provides a method for visualizing an intrusion detection message so as to intuitively recognize the intrusion. In addition to visualizing existing user behavior or network traffic information, the intrusion detection system's warning message itself can be visualized to provide information by visualizing attacks that do not appear to be abnormal user behavior or cause characteristic traffic of the network. Can be. Since the simple intrusion detection message visualization cannot express the relationship between the warning message and a lot of information of the warning message, in the present invention, it is possible to analyze and trace the intrusion by the security manager by visualizing the emphasis and the correlation information of the warning message through filtering. Facilitated. In addition, wide-area and detailed visualizations were provided to identify the overall frequency and relationship of attacks, while tracking the relationship between detailed warning meshes. In general, the intrusion analysis by the security manager tracks the identity and sequentiality between warning messages, and analyzes the correlation between important attacks and the rapid increase in warning messages at a specific point in time. The proposed visualization enables us to quickly analyze and respond to intrusions by visualizing these analyzes.

Through the visualization method of the present invention, information on a plurality of warning messages can be quickly and intuitively grasped, and the correlation analysis can be visualized to visually analyze and track the relationship between related warning messages. It also allows you to classify false positives for warning messages that are not related to other warning messages. Highlighting and elimination of alert messages through filtering eliminates false positives while keeping administrators from missing important alert messages.

Claims (8)

A method of visualizing an intrusion detection system, the method of visualizing a warning message itself. The intrusion detection visualization method according to claim 1, further comprising a wide area visualization process for providing overall information on the warning message and a detailed visualization process for displaying the relationship between the information of the individual warning message and the warning message. The visualization method of claim 2, wherein the global visualization process expresses the amount of warning messages over time as a histogram and expresses a relationship between key elements of the warning message as a mapping graph. 4. The method of claim 3, further comprising: counting the warning message by a predetermined time unit for a histogram in a warning message counting step; The counted result value is visualized as the height of the histogram, and the color number search step evaluates whether the counted value exceeds a threshold and specifies a color of the histogram; The warning message may include searching for a color list for a mapping graph in the color list searching step and obtaining color information according to the type of attack; If there is no color information of the attack in the color list, allocating a new color to register the type and color information of the attack in the color list; Next, the warning message may be obtained by searching for a coordinate value of each axis of the mapping graph in the mapping coordinate list in the mapping coordinate search step; If a coordinate value on a certain axis is not specified in the list, newly assigning and registering the coordinate value; The color and coordinate information thus obtained includes the step of visualizing the mapping graph in the mapping graph visualization step. The method of claim 4, further comprising: evaluating whether a value counted by a specific time unit in the warning message count step exceeds a threshold designated by a user in a threshold evaluation step to create a histogram for the warning message; And a histogram visualization step of displaying a histogram in a specific color designated in the histogram visualization step so that a user can easily recognize the result when the state of the attention or warning is evaluated through the threshold evaluation. The method of claim 2, wherein the detailed visualization is performed by using a correlation analysis after filtering the warning message of the intrusion detection system and the result of the correlation analysis. , A visualization method that enables quick and easy analysis and response to intrusions. The visualization according to any one of claims 2 to 6, comprising providing the wide area visualization and the detailed visualization to identify the relationship and the frequency of the overall attack, as well as to recognize the relationship between the detailed warning messages. Way. 8. The method of claim 7, wherein the warning message can be classified as false positive and eliminated for warning messages that are not associated with other warning messages.

Images