
ITR: An Interactive Visual Anomaly Detection System for Faults and Intrusions on Network Protocols

Award amount: $400,171 | Fiscal year: FY2002 | Directorate: CSE | Agency: NSF

University Of California-Davis, Davis CA


Abstract

With the growing use of Internet technology, unintentional faults and intentional intrusions directed at network protocols, such as the routing protocols BGP and OSPF, have become a serious threat to our Internet-connected society. Over the past few years, the researchers have seen many fault- or security-related incidents on the Internet, and these problems have caused significant losses in one way or another. In research communities such as fault-tolerant networking, network security, and intrusion detection, many new ideas have been explored to enhance the existing network protocols or, more drastically, to propose a completely new Internet architecture. Some vulnerabilities have been reduced or removed, but the researchers expect many more new vulnerabilities and problems to be discovered. The researchers believe that, to effectively monitor and control a large system, one needs not only a well-designed and well-implemented system but also, equally important, a good human interface for understanding the system once it is deployed and in operation. The researchers also believe that, in the foreseeable future, human intelligence will play a critical role in managing and maintaining large distributed systems such as the Internet. Surprisingly, however, few current research efforts are directed toward this goal. The main contribution of this project is a human-interactive approach to handling faults and security attacks on Internet routing protocols such as BGP (Border Gateway Protocol) and OSPF (Open Shortest Path First). We will investigate several critical but very difficult issues (difficult in the sense that they cannot be solved by relying completely on machine intelligence) and offer solutions based on an interactive, visual analysis process. For example, anomaly detection systems for unknown or novel attacks are hard to build because of the competing concerns of effectiveness, coverage, and false positives.
Network event correlation is also very difficult, because the task normally involves very complicated potential relations among various events on the Internet, and the amount of resources needed to complete it is prohibitively expensive. This research addresses two fundamental problems. The first is the formulation of typical visual anomaly detection processes. The second is the mapping of not only the protocol data but also the analysis process itself onto appropriate visual representations and associated operations. The resulting visual process would allow a human network operator to quickly navigate to the right level of detail and discover critical facts about the Internet. For network routing protocol management, we study the "optimal" boundary between machine intelligence and human intelligence in detecting and tracking anomalies that were previously impossible to understand.
