Research On 3D Representation Technology Of Network Security Visualization Based On Intrusion Detection

Posted on: 2010-12-07
Degree: Master
Type: Thesis
Country: China
Candidate: H Yang
GTID: 2178360272497584
Subject: Computer system architecture

Abstract/Summary:
As the network security situation worsens and the volume of network data grows rapidly, traditional methods of analyzing alert logs in intrusion detection systems cannot process all of the data within a limited time. Security analysts have great difficulty quickly analyzing network status from a huge quantity of multi-dimensional data, correctly judging attack behaviors, and predicting attack awareness and tendency so as to prevent attacks beforehand. These problems have become one of the bottlenecks in the field of attack response.

Network security visualization is a new research field that results from introducing information visualization into the network security area. Taking advantage of the ability of human visual perception to model structure, this technique turns abstract network and system data into graphical displays to help analysts explore network status, identify network anomalies or intrusions, and even forecast the trend of security events. Network security visualization not only addresses problems such as the heavy cognitive burden of managing massive amounts of information, the lack of overall awareness of network security, poor real-time and interactive ability, and the inability to forecast or prevent attack events, but also enables visual communication between people and data, so that potential patterns in security data can be discovered and support is provided for recognizing principles and potential threats.

Currently, research on network security visualization based on intrusion detection focuses mainly on alarms as the object of investigation: alarms are statistically analyzed, and their quantity and distribution are usually represented using 2D/3D charts.
However, neither the details and process of a network attack nor the influence and harm of the attack behavior on the network and system can be shown.

Through the study of network security visualization techniques, this paper proposes an attack scenario representation technology for network security visualization based on intrusion detection, which transforms attack information abstracted from the alert log into scene data and represents the process of a network attack by animation in 3D scenes. Network analysts can grasp the current network security situation intuitively from the scene demonstration and then make proper decisions. Ordinary users can quickly understand the process of an attack by watching the demo, gaining comprehensive perceptual knowledge of network attacks, their principles and their consequences.

The research emphasis of scenario representation technology is on how to reflect the process of the actual network attacks behind alarms and display them in the visual scene. In this paper, we design a prototype system for attack scenario representation. The main idea is as follows: key information is obtained by reading, formatting and analyzing the Snort alert log file; the attack type in the key information is matched against the attack pattern library to obtain a specific attack description and create a scene configuration file; the attack data are then mapped to the corresponding scene presentation interface; and finally the attack process animation is shown in the 3D scene.

The attack scenario representation system designed in the paper uses a distributed Snort system as its data source and the Snort alert log as its object of analysis, and can be used as an IDS visualization tool for displaying alarm and attack information. The system consists of three modules: the alert log analysis module, the scene conversion module and the attack scene display module.
The task of the alert log analysis module is to read the Snort alert log file, interpret and abstract each alert data item to obtain key information, and store it in a new type of data structure. The scene conversion module analyzes the formatted data and obtains attack data by matching the attack information in that data against the predefined attack types in the attack pattern library, creating the scene configuration file corresponding to the alert data and scene parameters. The attack scene display module invokes the scene presentation interface according to the configuration file and displays the complete attack process in a 3D scene generated by a 3D game engine. It should be noted that the attack pattern library mainly contains the knowledge and description of some attack types, and is both associated with and independent of the scene presentation interface. This design is useful for extending the system with new attack types and presentation interfaces. Scene profiles save all the attack data and key alarm information and serve as the sole basis for scene presentation.

By establishing a DoS attack pattern library and a 3D scene environment, the scenario representation system implemented in the paper can display some kinds of DoS attack in a virtual network environment scenario by transforming attack data into scene data. The key problem is how to find a proper method of presenting the attack process. Based on mapping three kinds of visualization objects (entities, entity attributes and behaviors) into scene elements, we create the basic scene elements and the logical procedure of the attack process with the 3DGS modeling and script programming toolkits. Both the scene models and the script programs are built on the 3DGS game engine. The advantage of using a game engine as the basic platform for scene presentation is that we can ignore most 3D technical details, such as complex 3D display and rendering efficiency.
Users can fully reuse all the functions of the game engine, which greatly saves development time.

User experience and system performance are two critical indicators for verifying visualization tools for practical use. The attack scenario representation system is examined from two perspectives, user evaluation and performance testing, to demonstrate its validity and usability. The results show that the system has good visualization capability and can satisfy the requirements of users at multiple levels.

However, our system currently has some limitations. For example, it supports only a small number of attack types for scene presentation, and the data source is limited to the Snort alert log file format. Future work will concentrate on several aspects: adding new attack types and scene presentation interfaces to extend the attack pattern library, defining the pattern library with an attack description language, implementing an alert analysis interface that supports more alert file formats, and building a new type of visualization system integrated with existing visualization tools.
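
The alert log analysis and scene conversion steps described in the abstract can be sketched as follows. This is an added example, not code from the thesis: it assumes Snort's one-line "fast" alert layout, IPv4 addresses, and a hypothetical keyword-based pattern library and scene configuration layout; the sample alerts are constructed.

```python
import json
import re

# Snort "fast" one-line alert layout (assumed; the abstract names no output mode).
ALERT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}-\d{2}:\d{2}:\d{2}\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.*?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:\s*(?P<cls>[^\]]*)\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src_ip>[\d.]+)(?::(?P<src_port>\d+))?\s+->\s+"
    r"(?P<dst_ip>[\d.]+)(?::(?P<dst_port>\d+))?$")

# Hypothetical attack pattern library: message keyword -> (attack type, scene id).
PATTERN_LIBRARY = {"syn flood": ("SYN flood", "dos_syn_flood"),
                   "smurf": ("Smurf", "dos_smurf")}

# Constructed sample alerts (documentation addresses, local-range SIDs).
SAMPLE_LOG = """\
08/28-12:34:56.789012  [**] [1:1000001:1] DOS SYN flood attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.10:4242 -> 198.51.100.5:80
08/28-12:34:56.801100  [**] [1:1000001:1] DOS SYN flood attempt [**] [Classification: Attempted Denial of Service] [Priority: 2] {TCP} 192.0.2.11:4243 -> 198.51.100.5:80
08/28-12:35:01.000200  [**] [1:1000002:1] DOS Smurf echo request to broadcast [**] [Priority: 2] {ICMP} 192.0.2.20 -> 198.51.100.255
08/28-12:35:02.000300  [**] [1:1000003:1] SCAN nmap probe [**] [Priority: 3] {TCP} 192.0.2.30:5555 -> 198.51.100.5:22
truncated line without fields
"""

def parse_alert(line):
    """Alert log analysis: one alert line -> dict of key fields, or None if malformed."""
    m = ALERT_RE.match(line.strip())
    return m.groupdict() if m else None

def build_scene_config(lines):
    """Scene conversion: match alerts to the library, one scene per (scene id, target)."""
    scenes, skipped = {}, {"malformed": 0, "unmatched": 0}
    for line in lines:
        alert = parse_alert(line)
        msg = alert["msg"].lower() if alert else ""
        pattern = next((v for k, v in PATTERN_LIBRARY.items() if k in msg), None)
        if pattern is None:  # count instead of guessing a scene for unknown input
            skipped["unmatched" if alert else "malformed"] += 1
            continue
        attack, scene_id = pattern
        scene = scenes.setdefault((scene_id, alert["dst_ip"]), {
            "scene": scene_id, "attack": attack, "target": alert["dst_ip"],
            "attackers": [], "alerts": 0, "first_seen": alert["ts"]})
        scene["attackers"] = sorted(set(scene["attackers"]) | {alert["src_ip"]})
        scene["alerts"] += 1
    return {"scenes": list(scenes.values()), "skipped": skipped}

if __name__ == "__main__":
    print(json.dumps(build_scene_config(SAMPLE_LOG.splitlines()), indent=2))
```

Alerts that match no library entry are counted rather than dropped silently, which makes the coverage gap the abstract lists as a limitation (few supported attack types) visible in the output.
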
Keywords/Search Tags: security visualization, attack scenario, game engine, attack pattern