Skip to Main Content
Low-level network traffic information is often times beyond the understanding of common system operators (byte counts, port numbers, packet data, etc.). However, anomaly based Intrusion Detection Systems (IDS) often provide such low-level, difficult to comprehend information. This paper details a Human Interface for Security Awareness (HISA) algorithm for interpreting cyber incident information to human operators from anomaly based intrusion detections systems. A similarity algorithm mapping anomaly results to signature based intrusion system rules is developed. Categorizations of attacks found in rules created for the Snort intrusion system were used as a basis of information to present to the user. A proof of concept system was developed using Perl native functions and custom modules. Testing with generated ICMP packets resulted in an identification accuracy of 60% proving the efficacy of the presented HISA algorithm.
Date of Conference: 21-23 May 2009