national computational science university of illinois at urbana-champaign 1 “enabling proactive...

1

National Computational ScienceUniversity of Illinois at Urbana-Champaign

“Enabling Proactive Prediction, Avoidance, and Diagnosis by Providing Situational Awareness to

Human Operators”{a work in progress}

Bill YurcikNational Center for Supercomputing Applications (NCSA)

University of Illinois at Urbana-Champaign

IBM Academy Conference on Proactive Problem Prediction, Avoidance, and DiagnosisApril 28, 2003

2


The Problem

• Current state of networked software systems– asymmetries of software bugs and security attacks– metrics show bad -> worse

– increasing complexity of software systems– expectation of vigilant patching for vulnerabilities– point-and-click attack software requires little skill

– surveys show insider security attacks greatest threat despite denial– critical infrastructures all depend on underlying automation

• Situational Awareness is Abysmal– “Is there a problem?” -> “Where is the problem?” -> “What is the problem?”

3


Alternate Solutions

1) Acquiescence (learning to live with it)2) Prevention (zero defect software engineering)3) Detection (early and continuous)4) Survivability (transparent recovery)

a) human-in-the-loop decision-making for recoveryb) autonomic computing (no human-in-the-loop)

5) Disaster Recovery and Backup6) Deterrence (liability, retribution) • ….• Prediction?

… either The Holy Grail or “Minority Report”

4


Our Solution: SIFT

Motivation: “Know Thy fill in the blank ”

• SIFT = Security Incident Fusion Tools

• NCSA Proposal – Increase Low-Level Situational Awareness to Human Operators (Anti-Autonomic Computing)– “Is there a problem?” -> “Where is the problem?” -> “What is the problem?”

– leverage human cognitive abilities especially visual processing

– continuous awareness of the security state of an entire network– Class B address space = 65K machines with 130K+ ports on each machine

5


Prediction / Avoidance / Diagnosis

Examples:– time-sequence of network-based attacks

– software decay

How?

– Visualization– Profiling– Data Mining for Discovery

6


Current Network Monitoring

7


Discovery Across Network Logs

8


Attributes Across Logs

9


The Data Management Problem

10


Four (4) Parallel Data Management Efforts

11


SIFT Preliminary Results

12


SIFT Preliminary Results:Security Monitoring Prototype

LEGEND

DRILL-DOWNVIEWS

OPTIONS FOR 172

DIFFERENTVIEWS

MAGNIFIERWIDGET

NVisionIP

13


Prototype Drill-Down Security Views

14


Insights Thus Far …

• Humans are good at processing visual patterns (known) • No expert knowledge required!• Abstraction – finding the appropriate level of observation• “What If” Question Bonanza• Visual Debugging (problem-solving)• The Millisecond Fantasy • Holistic Macro/Micro Views vs Divide-and-Conquer• Though we think in pictures, we are no good at describing pictures (save

functions)• Capturing the time dimension of high-dimension data via animation is

incredibly engaging to humans• Success depends on effective HCI

– Looking at new ways to augment operators in complex environments… (anti-autonomic)

15


Demo – NVisionIP:lite

Cut to Demo and Pray it Works!

national computational science university of illinois at urbana-champaign 1 “enabling proactive...

Documents

proactive problem prediction

security state

security attacksmetrics

security viewsinsights

dimension data

proactive prediction

preliminary results

network logsattributes