As the Internet has grown, so too have the instances of network misuse: disruption of network services, attempts to gain unauthorized access to computer systems, and the like. The development of strategies to identify and defeat attacks on computer systems is a key issue for industry, government, and individuals.
Existing systems tend toward attempts to completely automate the process of intrusion detection or to leave the user in complete control over a set of ad hoc tools. We view these approaches (fully automated or fully manual) as two ends of a continuum. This proposal describes a hybrid solution for mixed-initiative intrusion detection, in which the user and the system actively collaborate with one another. Our system is designed to allow a user to easily monitor an underlying intrusion detection system (IDS), intercede if it fails to detect potential attacks, identify and address an attack, and update the IDS with a profile of the attack so future occurrences will be properly reported.
We will accomplish this by combining new intrusion correlation algorithms with scientific visualization and human-computer interaction techniques specifically designed for network security analysis. The intrusion correlation algorithms will monitor the alerts generated by the IDS and identify possibly missed attacks. A visualization engine will convert the alerts and the underlying events into on-screen displays that show "at a glance" what is happening within the system. An intelligent interaction manager will assist users in organizing the displays to highlight evidence of potential attack scenarios. New patterns representing previously unknown attacks will be fed back to the IDS.
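To make the correlation step concrete, the following is an added, self-contained example (not code from the proposal or its authors) of the kind of alert correlation the architecture describes: several low-priority IDS alerts that would not be escalated individually are grouped per source/destination pair and matched against an ordered multi-step scenario, and a confirmed finding is turned into a profile the IDS could load as a new rule. The alert line format, the signature names, the three-step scenario, and the time window are all assumptions made for this example; the sample alerts are constructed.

```python
"""Toy alert correlator illustrating the 'possibly missed attack' idea.

Constructed example, not the proposal's own code. Assumes IDS alerts arrive
as simple text lines of the form:
    <epoch-seconds> <src-ip> <dst-ip> <signature-name> <priority>
with priority 1 = high, 3 = low. The signature names and the scenario
(scan -> login failures -> new listener) are illustrative assumptions.
"""
from collections import defaultdict

# Constructed sample alerts: the first four are low-priority alerts that an
# IDS would not escalate alone, but which together form a multi-step scenario.
SAMPLE_ALERTS = """\
1000 10.0.0.5 10.0.0.20 PORTSCAN 3
1030 10.0.0.5 10.0.0.20 SSH_LOGIN_FAILURE 3
1045 10.0.0.5 10.0.0.20 SSH_LOGIN_FAILURE 3
1100 10.0.0.5 10.0.0.20 NEW_LISTENING_PORT 3
2000 10.0.0.7 10.0.0.20 PORTSCAN 3
5000 10.0.0.9 10.0.0.21 SSH_LOGIN_FAILURE 3
"""

# Ordered step names making up the scenario (assumed); each step must occur
# after the previous one and within WINDOW seconds of the first step.
SCENARIO = ["PORTSCAN", "SSH_LOGIN_FAILURE", "NEW_LISTENING_PORT"]
WINDOW = 600  # seconds


def parse_alerts(text):
    """Parse alert lines into dicts, sorted by time; malformed lines are skipped."""
    alerts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, sig, prio = parts
        try:
            alerts.append({"ts": int(ts), "src": src, "dst": dst,
                           "sig": sig, "prio": int(prio)})
        except ValueError:
            continue
    return sorted(alerts, key=lambda a: a["ts"])


def correlate(alerts, scenario=SCENARIO, window=WINDOW):
    """Group alerts by (src, dst) and report pairs that complete the scenario.

    Each finding records the pair, the timestamps of the matched steps and the
    lowest (i.e. most severe) priority seen, which shows whether the IDS would
    already have escalated any of the individual alerts.
    """
    by_pair = defaultdict(list)
    for a in alerts:
        by_pair[(a["src"], a["dst"])].append(a)

    findings = []
    for (src, dst), group in by_pair.items():
        step, matched, start = 0, [], None
        for a in group:  # already time-ordered by parse_alerts
            if step < len(scenario) and a["sig"] == scenario[step]:
                if start is None:
                    start = a["ts"]
                if a["ts"] - start > window:
                    break  # next step arrived too late; treat as unrelated
                matched.append(a["ts"])
                step += 1
        if step == len(scenario):
            findings.append({"src": src, "dst": dst, "steps": matched,
                             "min_prio": min(a["prio"] for a in group)})
    return findings


def to_profile(finding, scenario=SCENARIO, window=WINDOW):
    """Turn a confirmed finding into a profile the IDS could load as a rule."""
    return {"name": "MULTISTEP_" + "_".join(scenario),
            "sequence": list(scenario),
            "window_seconds": window,
            "priority": 1,  # escalate future occurrences of the whole sequence
            "example_pair": (finding["src"], finding["dst"])}


if __name__ == "__main__":
    for f in correlate(parse_alerts(SAMPLE_ALERTS)):
        print("possible missed attack:", f)
        print("profile for IDS:", to_profile(f))
```

In the proposal's terms, `correlate` stands in for the intrusion correlation algorithms (the analyst would see the one finding rather than six unrelated low-priority alerts), and `to_profile` is the feedback path: once the analyst confirms the scenario, the sequence becomes a high-priority pattern the IDS reports directly next time.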