Visualization and Explanation of Payload-Based Anomaly Detection
Konrad Rieck and Pavel Laskov
European Conference on Computer Network Defense (EC2ND)
The threat posed by modern network attacks requires novel means for detecting intrusions, as conventional signature-based systems fail to cope with the volume and diversity of attacks. Recently, several methods for detecting anomalies in network payloads have been proposed to counter this threat and to identify novel attacks during their initial propagation. However, an intrusion detection system must not only flag malicious events but also provide the information needed to assess a security incident. Previous work on payload-based anomaly detection has largely ignored this need for explainable decisions. In this paper, we present instruments for visualizing and explaining anomaly detection results that can guide the decisions of a security operator. In particular, we propose two techniques: feature differences, for identifying the string features relevant to a detected anomaly, and feature shading, for highlighting anomalous content within a network payload. Both techniques are evaluated empirically on real attacks and network traces, which demonstrates their ability to emphasize typical attack patterns.
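The following is an added illustration of the two ideas named in the abstract, written for this page; it is not the authors' code and does not reproduce their exact model. It assumes the simplest setting in which feature differences and feature shading make sense: byte 3-grams as string features, a centroid of normalized n-gram frequency vectors as the model of normality, and the squared Euclidean distance to that centroid as the anomaly score. Under that model the score decomposes exactly into one term per n-gram, which is what feature differences report, and each byte can be shaded by the contribution of the over-represented n-grams that cover it. The HTTP request lines and the anomalous request with a long repeated-byte run are constructed sample input, not traffic from the paper's evaluation.

```python
from collections import Counter
from math import sqrt

N = 3  # n-gram length (assumption for this illustration)

# Constructed sample traffic: a few benign HTTP request lines as the training
# set, and one test payload whose path carries a long run of a single byte.
BENIGN = [
    b"GET /index.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"GET /images/logo.png HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"GET /about.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"GET /news/2010/02.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
    b"GET /contact.html HTTP/1.1\r\nHost: www.example.org\r\n\r\n",
]
ANOMALOUS = b"GET /" + b"A" * 40 + b" HTTP/1.1\r\nHost: www.example.org\r\n\r\n"


def ngram_vector(payload, n=N):
    """Map a payload to its n-gram frequencies, scaled to unit L2 norm."""
    counts = Counter(payload[i:i + n] for i in range(len(payload) - n + 1))
    norm = sqrt(sum(c * c for c in counts.values())) or 1.0
    return {g: c / norm for g, c in counts.items()}


def centroid(payloads, n=N):
    """Model of normality: the mean of the training n-gram vectors."""
    vecs = [ngram_vector(p, n) for p in payloads]
    mu = Counter()
    for v in vecs:
        for g, x in v.items():
            mu[g] += x / len(vecs)
    return dict(mu)


def anomaly_score(vec, mu):
    """Squared Euclidean distance between a payload vector and the centroid."""
    return sum((vec.get(g, 0.0) - mu.get(g, 0.0)) ** 2 for g in set(vec) | set(mu))


def feature_differences(vec, mu, k=5):
    """Feature differences: per-n-gram contributions (x_g - mu_g)^2 to the score.

    The contributions sum exactly to anomaly_score(vec, mu); the sign of
    (x_g - mu_g) tells whether the n-gram is over- or under-represented.
    Returns the k largest contributors as (ngram, signed_diff, contribution).
    """
    diffs = []
    for g in set(vec) | set(mu):
        d = vec.get(g, 0.0) - mu.get(g, 0.0)
        diffs.append((g, d, d * d))
    diffs.sort(key=lambda t: t[2], reverse=True)
    return diffs[:k]


def feature_shading(payload, mu, n=N):
    """Feature shading: one intensity per byte position, scaled to [0, 1].

    Each byte receives the summed contribution of the over-represented
    n-grams (x_g > mu_g) that cover it, so bytes of anomalous content are
    shaded strongly and bytes of ordinary protocol structure weakly.
    """
    vec = ngram_vector(payload, n)
    shade = [0.0] * len(payload)
    for i in range(len(payload) - n + 1):
        g = payload[i:i + n]
        d = vec[g] - mu.get(g, 0.0)
        if d > 0:
            for j in range(i, i + n):
                shade[j] += d * d
    top = max(shade, default=0.0) or 1.0
    return [s / top for s in shade]


def render_shading(payload, shade, threshold=0.3):
    """ASCII rendering: runs of bytes shaded at or above threshold are bracketed."""
    out, inside = [], False
    for b, s in zip(payload, shade):
        hot = s >= threshold
        if hot != inside:
            out.append("[" if hot else "]")
            inside = hot
        out.append(chr(b) if 32 <= b < 127 else ".")
    if inside:
        out.append("]")
    return "".join(out)


if __name__ == "__main__":
    mu = centroid(BENIGN)
    for p in (BENIGN[0], ANOMALOUS):
        v = ngram_vector(p)
        print(f"score={anomaly_score(v, mu):.3f}")
        for g, d, c in feature_differences(v, mu):
            print(f"  {g!r:>10} diff={d:+.3f} contrib={c:.3f}")
        print("  " + render_shading(p, feature_shading(p, mu)))
```

Two practical points follow from the code. First, the shading is normalized per payload, so every payload has some byte at intensity 1.0; the shading only says where the anomaly lies and must be read together with the score, which says whether there is one. Second, because a byte is covered by up to n n-grams, the first and last bytes of an anomalous run receive less shade than its interior, so the threshold used for rendering should be set below 1/n if the boundaries of a run are to be highlighted as well.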
Subjects: Theory & Algorithms
Deposited by: Konrad Rieck
Deposited on: 20 February 2010