Security Incident Fusion Tools (SIFT)
We believe that the field of computer security visualization has reached a turning point. While new types of security-relevant information may emerge for display in the future, there are a limited number of ways to visualize the information in network traces, the type of data that security visualization has focused on so far. We believe the next breakthrough will be "closing the loop," and we intend to take the field there.

The idea of closing the loop rests on the following observations. Humans are particularly good at discovering patterns, especially visual ones, but poor at matching a pattern across large data sets. Computers excel at the opposite: they cannot discover patterns on their own, but given a search string or rule they match it across a large data set quickly and exhaustively. We seek to exploit the strengths of both the human and the machine. The loop starts with log data collected by a computer. The log data is visualized and presented to the human operator for pattern discovery. The loop is closed when the discovered pattern is translated into a query or rule set that the computer can understand and apply to raw data again, not necessarily the same data or even the same type of data. Figure 1 represents closing the loop graphically.



The types of pattern discovery and processing involved are almost limitless. In a basic scenario, the visualizations are used to build simple filters that are applied back to the raw logs. In a more complex scenario, an operator could visually create firewall rules from NetFlow visualizations, or use visual selections to generate intrusion detection system rules automatically. Closing the loop also brings this work closer to IDS and anomaly detection algorithms, and we have been surveying current work in anomaly-based IDS to determine where we can best contribute. Our goal is to create algorithms that let us visually create sensor rules by the end of NCASSR Year 3.
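The loop described above, as an added example that is not SIFT code and not part of the original page. The flow records are constructed, not real traffic; the "visual selection" is the rectangle an analyst would drag on a two-dimensional plot of destination port against bytes per flow. The rectangle is turned into an explicit rule, serialized as a query string (an illustrative format assumed here, not any real IDS or NetFlow tool syntax), compiled into a predicate, and then replayed over a second day of records that the analyst never looked at. The aggregation step that flags a source touching several distinct ports goes slightly beyond the text: it shows how a replayed match set can feed a sensor rule rather than just a filter.

```python
"""
Closing the loop on constructed NetFlow-like records.

Added example for this page; it is not SIFT code and the records are made up.
The "visual selection" is a rectangle an analyst would drag on a 2-D plot
(destination port on one axis, bytes per flow on the other).  The functions
turn that rectangle into an explicit rule, serialize it as a query string
(an illustrative format, not a real IDS syntax), and replay it over a second,
different day of records.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Flow = Dict[str, object]

# Constructed sample flows (not real traffic).  203.0.113.7 touches three
# low ports with tiny flows, the footprint a scan leaves on a port/bytes plot.
FLOWS_DAY1: List[Flow] = [
    {"ts": 1, "src": "10.0.0.5",    "dst": "192.0.2.10", "dport": 22,  "bytes": 5400},
    {"ts": 2, "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 21,  "bytes": 60},
    {"ts": 3, "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 23,  "bytes": 60},
    {"ts": 4, "src": "203.0.113.7", "dst": "192.0.2.10", "dport": 25,  "bytes": 60},
    {"ts": 5, "src": "10.0.0.8",    "dst": "192.0.2.10", "dport": 443, "bytes": 98000},
    {"ts": 6, "src": "10.0.0.9",    "dst": "192.0.2.10", "dport": 80,  "bytes": 45000},
]

# A second, constructed day the analyst never plotted.  A different source
# shows the same shape, which is what replaying the rule should surface.
FLOWS_DAY2: List[Flow] = [
    {"ts": 7,  "src": "198.51.100.4", "dst": "192.0.2.11", "dport": 22,   "bytes": 40},
    {"ts": 8,  "src": "198.51.100.4", "dst": "192.0.2.11", "dport": 80,   "bytes": 40},
    {"ts": 9,  "src": "198.51.100.4", "dst": "192.0.2.11", "dport": 445,  "bytes": 40},
    {"ts": 10, "src": "10.0.0.5",     "dst": "192.0.2.11", "dport": 22,   "bytes": 7000},
    {"ts": 11, "src": "10.0.0.8",     "dst": "192.0.2.11", "dport": 8080, "bytes": 50},
]


@dataclass(frozen=True)
class Selection:
    """The rectangle the analyst drew: one field per axis, inclusive bounds."""
    x_field: str
    x_range: Tuple[int, int]
    y_field: str
    y_range: Tuple[int, int]


# A rule is a conjunction of (field, (lo, hi)) range constraints: the
# machine-readable form of the rectangle.
Rule = List[Tuple[str, Tuple[int, int]]]


def selection_to_rule(sel: Selection) -> Rule:
    """Translate the visual selection into explicit range constraints."""
    return [(sel.x_field, sel.x_range), (sel.y_field, sel.y_range)]


def rule_to_query(rule: Rule) -> str:
    """Serialize the rule so it can be stored, reviewed and replayed later."""
    return " and ".join(f"{f} >= {lo} and {f} <= {hi}" for f, (lo, hi) in rule)


def compile_rule(rule: Rule) -> Callable[[Flow], bool]:
    """Turn the rule into a predicate the computer can run over raw records."""
    def matches(flow: Flow) -> bool:
        return all(lo <= flow[f] <= hi for f, (lo, hi) in rule)
    return matches


def apply_rule(rule: Rule, flows: List[Flow]) -> List[Flow]:
    """Replay the rule over any record set, not just the one that was plotted."""
    pred = compile_rule(rule)
    return [f for f in flows if pred(f)]


def sources_touching_ports(matches: List[Flow], min_ports: int = 3) -> List[str]:
    """Aggregate matched flows per source and flag those hitting >= min_ports distinct ports."""
    ports = defaultdict(set)
    for f in matches:
        ports[f["src"]].add(f["dport"])
    return sorted(src for src, ps in ports.items() if len(ps) >= min_ports)


# The analyst's selection: low destination ports, very small flows.
SCAN_SELECTION = Selection("dport", (1, 1024), "bytes", (0, 200))
SCAN_RULE = selection_to_rule(SCAN_SELECTION)

if __name__ == "__main__":
    print("rule:", rule_to_query(SCAN_RULE))
    for name, flows in (("day1", FLOWS_DAY1), ("day2", FLOWS_DAY2)):
        hits = apply_rule(SCAN_RULE, flows)
        print(name, "matched", len(hits), "flows; flagged", sources_touching_ports(hits))
```

The rectangle on day 1 isolates 203.0.113.7; replaying the same rule on day 2 surfaces 198.51.100.4 without anyone plotting day 2. Before a rule derived this way is pushed to a sensor, it should be run against traffic the analyst did not select from, since a rectangle that cleanly isolates one incident can also sweep in benign flows elsewhere; the per-source port threshold in `sources_touching_ports` is one way to tighten a raw range match into something closer to a detection rule.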
Project Leads
Bill Yurcik, NCSA



SIFT in the News
NCSA Staffers Participate in FloCon. NCSA News Release, September 13, 2005.
NCSA Scores $400K Grant. HPCwire, August 26, 2005.
NCSA Receives $400,000 NSF Grant to Develop Log Anonymization Framework. NCSA Press Release, August 22, 2005.
NCSA Shows Off Its Latest Technologies. Champaign-Urbana News-Gazette, May 19, 2005.
Researchers Develop Network-Security Visualization Tools. IEEE Computer Magazine, April 2004.
SIFT Researchers to Present Work at Security Workshop. NCSA Access News Brief, October 19, 2004.
The Latest Research From Major Institutions With Advances In Security, Interoperability & Software, The Future Looks Bright. Processor, May 21, 2004, Vol. 26 Issue 21.
Tools Let Network Operators See Their Way to Security. Champaign-Urbana News-Gazette, March 4, 2004.
Two NCSA-Developed Tools Set Sights On Network Attacks. Grid Today: Daily News and Information for the Global Grid Community, Vol. 3 No. 8, February 23, 2004.
UI Chosen to Safeguard Military Computers from Attacks. The Daily Illini, July 7, 2003.
Visualization Software Allows Close Examination of Networks. HPCwire, April 4, 2004.
Visualizing the Enemy. NCSA, February 17, 2004.


SELS 0.7 released
Secure Email List Services (SELS) is open source software for creating and operating secure email list services among user communities.
 
Strong community engagement strengthens cybersecurity research and development
NCASSR-supported exploratory research at NCSA and elsewhere has sparked additional external funding and development opportunities as well as successful deployment and adoption by users ranging from the defense sector to state law enforcement to the utilities industry.
 
NCASSR Collaborator Goes To Washington
Carl Gunter, a professor in the University of Illinois Department of Computer Science and a project lead on NCASSR-supported work involving adaptive, secure messaging, recently spoke to an audience of congressional staffers and lobbyists on Capitol Hill regarding ways to address a variety of critical cybersecurity issues in areas such as healthcare and energy distribution.