DOI: 10.1145/2517957.2517958

Visualizing PHPIDS log files for better understanding of web server attacks

Published: 02 October 2013

Abstract

The prevalence and severity of application-layer vulnerabilities have dramatically increased the attacks that target them. In this paper, we present an extension to PHPIDS, an open source intrusion detection and prevention system for PHP-based web applications, that visualizes its security log. The proposed extension analyzes PHPIDS logs, correlates them with the corresponding web server logs, and plots the security-related events. We use a set of tightly coupled visual representations of HTTP server requests containing known and suspected malicious content to provide system administrators and security analysts with fine-grained, visual querying capabilities. We present multiple case studies to demonstrate the ability of our PHPIDS visualization extension to support security analysts in analytic reasoning and decision making in response to ongoing web server attacks. Experiments with the proposed extension on real-world datasets show promise for providing complementary information for effective situational awareness.
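As an added illustration of the correlation step the abstract describes (not code from the paper or from PHPIDS), the following Python joins constructed PHPIDS-style alert records with constructed Apache combined-format access-log lines by client IP and time proximity, then aggregates them into the per-client, per-minute and per-tag counts a plotting front end would consume. The PHPIDS column layout used here is an assumption, as are the sample addresses and paths.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
# Constructed sample alerts. The column layout (client IP, ISO-8601 time, impact,
# space-separated tags, offending variable) is an assumption for illustration.
PHPIDS_LOG = '''"203.0.113.7",2013-05-01T10:00:05+00:00,12,"xss csrf","GET.q"
"203.0.113.7",2013-05-01T10:00:09+00:00,25,"sqli id","GET.id"
"198.51.100.4",2013-05-01T10:03:30+00:00,4,"lfi","GET.page"'''
# Constructed Apache combined-format requests from the same web server.
ACCESS_LOG = '''203.0.113.7 - - [01/May/2013:10:00:05 +0000] "GET /search.php?q=x HTTP/1.1" 200 512 "-" "curl/7.30"
203.0.113.7 - - [01/May/2013:10:00:10 +0000] "GET /item.php?id=1 HTTP/1.1" 500 0 "-" "curl/7.30"
198.51.100.4 - - [01/May/2013:10:03:31 +0000] "GET /view.php?page=x HTTP/1.1" 404 0 "-" "Mozilla/5.0"
192.0.2.9 - - [01/May/2013:10:03:40 +0000] "GET / HTTP/1.1" 200 100 "-" "Mozilla/5.0"'''
PHPIDS_RE = re.compile(r'^"([^"]+)",(\S+?),(\d+),"([^"]*)","([^"]*)"$')
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
def parse_phpids(text):
    out = []  # malformed lines are skipped rather than aborting the run
    for m in filter(None, map(PHPIDS_RE.match, text.splitlines())):
        ip, ts, impact, tags, var = m.groups()
        out.append({"ip": ip, "time": datetime.fromisoformat(ts),
                    "impact": int(impact), "tags": tags.split(), "var": var})
    return out

def parse_access(text):
    out = []
    for m in filter(None, map(ACCESS_RE.match, text.splitlines())):
        ip, ts, method, path, status = m.groups()
        out.append({"ip": ip, "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"),
                    "method": method, "path": path, "status": int(status)})
    return out

def correlate(alerts, reqs, window_s=5):
    """Attach to each alert the same-client request closest in time, or None."""
    by_ip = defaultdict(list)
    for r in reqs:
        by_ip[r["ip"]].append(r)
    for a in alerts:
        gap = lambda r: abs((r["time"] - a["time"]).total_seconds())
        near = [r for r in by_ip[a["ip"]] if gap(r) <= window_s]
        a["request"] = min(near, key=gap, default=None)
    return alerts

def summarize(alerts):
    """Aggregates a plot front end consumes: impact per client, alerts per minute, tag counts."""
    impact_by_ip, per_minute, tag_count = Counter(), Counter(), Counter()
    for a in alerts:
        impact_by_ip[a["ip"]] += a["impact"]
        per_minute[a["time"].strftime("%H:%M")] += 1
        tag_count.update(a["tags"])
    return impact_by_ip, per_minute, tag_count
```

Requests from clients that raised no alert (192.0.2.9 above) stay out of the aggregates, and an alert with no request inside the window keeps `request` as None instead of failing the run.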


Published In

VizSec '13: Proceedings of the Tenth Workshop on Visualization for Cyber Security
October 2013
77 pages
ISBN:9781450321730
DOI:10.1145/2517957

Publisher

Association for Computing Machinery

New York, NY, United States


Author Tags

  1. intrusion detection systems
  2. log visualization
  3. network monitoring
  4. security data visualization
  5. web server attacks

Qualifiers

  • Research-article

Conference

VizSec '13: Visualization for Cyber Security
October 14, 2013
Atlanta, Georgia, USA

Acceptance Rates

VizSec '13 paper acceptance rate: 9 of 30 submissions (30%)
Overall acceptance rate: 39 of 111 submissions (35%)

Cited By

  • (2024) Dynamic Adaptive Mechanism Design and Implementation in VSS for Large-Scale Unified Log Data Collection. International Journal of Information Security and Privacy 18(1):1-26. doi:10.4018/IJISP.349569. Online publication date: 9 Aug 2024.
  • (2020) Hyperion: A Visual Analytics Tool for an Intrusion Detection and Prevention System. IEEE Access 8:133865-133881. doi:10.1109/ACCESS.2020.3010789. Online publication date: 2020.
  • (2019) Association Visualization Analysis for the Application Service Layer and Network Control Layer. Cyber Security, pages 153-164. doi:10.1007/978-981-13-6621-5_13. Online publication date: 20 Feb 2019.
  • (2018) A Closer Look at Intrusion Detection System for Web Applications. Security and Communication Networks 2018. doi:10.1155/2018/9601357. Online publication date: 14 Aug 2018.
  • (2018) Analysis of Visualization Systems for Cyber Security. Recent Developments in Intelligent Computing, Communication and Devices, pages 1051-1061. doi:10.1007/978-981-10-8944-2_122. Online publication date: 23 Aug 2018.
  • (2017) Performance-Based Comparative Assessment of Open Source Web Vulnerability Scanners. Security and Communication Networks 2017. doi:10.1155/2017/6158107. Online publication date: 24 May 2017.
  • (2017) Toward a visualization-supported workflow for cyber alert management using threat models and human-centered design. 2017 IEEE Symposium on Visualization for Cyber Security (VizSec), pages 1-8. doi:10.1109/VIZSEC.2017.8062200. Online publication date: Oct 2017.
  • (2017) Toward Theoretical Techniques for Measuring the Use of Human Effort in Visual Analytic Systems. IEEE Transactions on Visualization and Computer Graphics 23(1):121-130. doi:10.1109/TVCG.2016.2598460. Online publication date: 1 Jan 2017.
  • (2016) Visual fusion of multi-source network security data based on labelled treemap. International Journal of Networking and Virtual Organisations 16(3):265-282. doi:10.1504/IJNVO.2016.079180. Online publication date: 1 Jan 2016.
  • (2016) A Survey on Information Visualization for Network and Service Management. IEEE Communications Surveys & Tutorials 18(1):285-323. doi:10.1109/COMST.2015.2450538. Online publication date: Sep 2017.
