DocumentCode :
2779515
Title :
Visualization and Explanation of Payload-Based Anomaly Detection
Author :
Rieck, Konrad ; Laskov, Pavel
fYear :
2009
fDate :
9-10 Nov. 2009
Firstpage :
29
Lastpage :
36
Abstract :
The threat posed by modern network attacks requires novel means for detecting intrusions, as conventional signature-based systems fail to cope with the volume and diversity of attacks. Recently, several methods for detecting anomalies in network payloads have been proposed to counter this threat and to identify novel attacks during their initial propagation. However, an intrusion detection system must not only flag malicious events but also provide the information needed to assess a security incident. Previous work on payload-based anomaly detection has largely ignored this need for explainable decisions. In this paper, we present instruments for the visualization and explanation of anomaly detection that can guide the decisions of a security operator. In particular, we propose two techniques: feature differences, for identifying the relevant string features of a detected anomaly, and feature shading, for highlighting anomalous content within a network payload. Both techniques are evaluated empirically on real attacks and network traces, demonstrating their ability to emphasize typical attack patterns.
Keywords :
Computer networks; Computer security; Computer vision; Data security; Information security; Instruments; Intrusion detection; Machine learning; Payloads; Visualization; anomaly detection; network intrusion detection;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
Computer Network Defense (EC2ND), 2009 European Conference on
Conference_Location :
Milano, Italy
Print_ISBN :
978-1-4244-6049-6
Type :
conf
DOI :
10.1109/EC2ND.2009.12
Filename :
5494337