Abstract
A Cyber Security Operations Center (CSOC) is a facility where target networks are monitored, analyzed and defended. To detect suspected intrusions, it generally installs an Intrusion Detection System (IDS) at a strategic point within each target network. Security operators in a CSOC must check and analyze the security event logs generated by these IDSs as fast as they can. However, the number of security events detected by the IDSs of a CSOC is increasing massively owing to ever-increasing cyber threats, and it has grown beyond what security operators can handle with the text-based user interface (TUI) that an IDS typically provides.
Therefore, we propose a novel real-time visualization that effectively displays the large volume of security event logs collected by the IDSs of a CSOC, as a complementary tool to the existing TUI. To the best of our knowledge, it is the first visualization designed for security events from IDSs installed in multiple networks. It is a three-dimensional coordinate system consisting of three parallel plane-squares that represent global source networks, target networks, and global destination networks. Security events are displayed between the three planes according to intrusion detection method, traffic direction, IP addresses and port numbers. We apply it to a public CSOC and present its beneficial effects.
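To make the three-plane layout concrete, the following added example (written for this page, not code from the paper or from VisIDAC) takes a handful of constructed Snort-style alert lines from two monitored networks and places each alert between the planes. The alert line format, the set of monitored networks, the mapping of an IP address to an (x, y) position on a plane and the use of the destination port as the depth offset are all assumptions of this example; the paper's own mapping is not described on this page. The example handles the four cases a multi-network CSOC sees: inbound (external source to a target network), outbound (target network to external destination), internal (both endpoints in target networks) and transit traffic that touches no monitored network.

```python
"""Place IDS alerts from several monitored networks between three parallel planes.

Added illustration, not the VisIDAC implementation. The alert format, the
monitored networks, ip_to_xy() and port_to_depth() are assumptions of this
example, not the paper's design.
"""
import ipaddress
import re
from dataclasses import dataclass
from collections import Counter

# Constructed: the target networks monitored by a small CSOC (RFC 1918 space).
TARGET_NETWORKS = {
    "campus-a": ipaddress.ip_network("10.10.0.0/16"),
    "campus-b": ipaddress.ip_network("192.168.50.0/24"),
}

# Constructed sample alerts in a Snort-style "fast" format; documentation
# address ranges (203.0.113.0/24, 198.51.100.0/24) stand in for the Internet.
SAMPLE_ALERTS = [
    "04/02-10:15:01.123456 [**] [1:2000001:1] SCAN nmap SYN [**] [Classification: Attempted Recon] [Priority: 2] {TCP} 203.0.113.7:51234 -> 10.10.3.21:22",
    "04/02-10:15:02.000001 [**] [1:2000002:1] MALWARE beacon [**] [Classification: Trojan] [Priority: 1] {TCP} 192.168.50.14:49152 -> 198.51.100.9:443",
    "04/02-10:15:03.500000 [**] [1:2000003:1] INTERNAL scan [**] [Classification: Attempted Recon] [Priority: 3] {UDP} 10.10.3.21:1024 -> 192.168.50.14:53",
    "04/02-10:15:04.000000 [**] [1:2000004:1] external chatter [**] [Classification: Misc] [Priority: 3] {UDP} 203.0.113.7:5000 -> 198.51.100.9:53",
]

ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<sid>[\d:]+)\] (?P<msg>.+?) \[\*\*\] .*?\{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


@dataclass
class PlacedEvent:
    sid: str
    msg: str
    proto: str
    direction: str      # inbound | outbound | internal | transit
    src_plane: str      # plane holding the source endpoint
    dst_plane: str      # plane holding the destination endpoint
    src_xy: tuple       # position of the source on its plane
    dst_xy: tuple       # position of the destination on its plane
    depth: float        # destination port mapped to depth between the planes


def ip_to_xy(ip: str) -> tuple:
    """Assumed mapping: high 16 bits -> x, low 16 bits -> y, both scaled to [0, 1)."""
    n = int(ipaddress.ip_address(ip))
    return ((n >> 16) / 65536.0, (n & 0xFFFF) / 65536.0)


def port_to_depth(port: int) -> float:
    """Assumed mapping: port number scaled to [0, 1) along the inter-plane axis."""
    return port / 65536.0


def network_of(ip: str):
    """Return the name of the monitored network containing ip, or None if external."""
    addr = ipaddress.ip_address(ip)
    for name, net in TARGET_NETWORKS.items():
        if addr in net:
            return name
    return None


def place_alert(line: str) -> PlacedEvent:
    """Parse one alert line and decide which planes its endpoints belong to."""
    m = ALERT_RE.search(line)
    if not m:
        raise ValueError(f"unparsable alert: {line!r}")
    src_net, dst_net = network_of(m["src"]), network_of(m["dst"])
    if src_net is None and dst_net is not None:
        direction, src_plane, dst_plane = "inbound", "global-source", "target"
    elif src_net is not None and dst_net is None:
        direction, src_plane, dst_plane = "outbound", "target", "global-destination"
    elif src_net is not None and dst_net is not None:
        direction, src_plane, dst_plane = "internal", "target", "target"
    else:
        # Neither endpoint is monitored: traffic merely transiting the sensor.
        direction, src_plane, dst_plane = "transit", "global-source", "global-destination"
    return PlacedEvent(
        sid=m["sid"], msg=m["msg"], proto=m["proto"], direction=direction,
        src_plane=src_plane, dst_plane=dst_plane,
        src_xy=ip_to_xy(m["src"]), dst_xy=ip_to_xy(m["dst"]),
        depth=port_to_depth(int(m["dport"])),
    )


def direction_counts(lines) -> dict:
    """Summarise how many alerts fall into each traffic direction."""
    return dict(Counter(place_alert(line).direction for line in lines))


if __name__ == "__main__":
    for line in SAMPLE_ALERTS:
        ev = place_alert(line)
        print(f"{ev.sid:14} {ev.direction:9} {ev.src_plane} -> {ev.dst_plane}  depth={ev.depth:.4f}")
    print(direction_counts(SAMPLE_ALERTS))
```

In a real deployment the direction test is what separates the operator's view of attacks against the monitored networks (inbound) from evidence of compromised hosts reaching out (outbound), which is why the example keys the plane assignment on membership in the monitored prefixes rather than on which side of the sensor the packet was seen.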
Acknowledgements
This research was supported by the Korea Institute of Science and Technology Information (KISTI). The authors would like to thank Koei Suzuki, Daisuke Inoue, and Koji Nakao from the National Institute of Information and Communications Technology (NICT) for their help in implementing VisIDAC.
Copyright information
© 2017 Springer International Publishing AG
Cite this paper
Song, B., Choi, SS., Choi, J., Song, J. (2017). Visualization of Intrusion Detection Alarms Collected from Multiple Networks. In: Nguyen, P., Zhou, J. (eds) Information Security. ISC 2017. Lecture Notes in Computer Science(), vol 10599. Springer, Cham. https://doi.org/10.1007/978-3-319-69659-1_24
DOI: https://doi.org/10.1007/978-3-319-69659-1_24
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-69658-4
Online ISBN: 978-3-319-69659-1
eBook Packages: Computer Science, Computer Science (R0)