Title :
Viewing IDS alerts: lessons from SnortSnarf
Author :
Hoagland, James A. ; Staniford, Stuart
Author_Institution :
Silicon Defense, Eureka, CA, USA
Abstract :
We consider the design of the user interface to an intrusion detection system console. We first analyze the requirements for this problem; our analysis is novel because we consider the possibility that an attacker can deliberately create spurious packets or audit records purely for the purpose of triggering the intrusion detection system. By this means, he can attempt to control the screen real estate of the security personnel using the IDS in such a way as to disguise the true nature of her activity. We also consider the way in which the ubiquitous false alarms generated by intrusion detection systems impact the console design. Next we describe a simple Web-based prototype console for the Snort IDS built by us: SnortSnarf. It partially embodies the analysis described above. We explain the features of SnortSnarf's design and informally describe some of the experience of the IDS community in using it. We discuss possible future research.
Keywords :
security of data; user interfaces; Snort; SnortSnarf; Web-based prototype console; intrusion detection system alerts; intrusion detection system console; screen real estate control; spurious audit records; spurious packets; ubiquitous false alarms; user interface; Computer interfaces; Computer networks; Intrusion detection; Mice; Performance analysis; Personnel; Prototypes; Security; Silicon; User interfaces;
Conference_Title :
DARPA Information Survivability Conference & Exposition II, 2001. DISCEX '01. Proceedings
Conference_Location :
Anaheim, CA
Print_ISBN :
0-7695-1212-7
DOI :
10.1109/DISCEX.2001.932232