Hierarchical Visualization of Network Intrusion Detection Data
March/April 2006 (vol. 26 no. 2)
pp. 40-47
Takayuki Itoh, Ochanomizu University
Hiroki Takakura, Kyoto University
Atsushi Sawada, Kyoto University
Koji Koyamada, Kyoto University
This article presents a visualization technique for log files of intrusion detection systems (IDSs), aimed especially at large-scale computer networks connecting thousands of computers. The technique first constructs hierarchical data of the computers according to their IP addresses. It then visualizes the hierarchy as bars and nested rectangles in a 2D display space, where bars denote computers and rectangles denote groups of computers. By mapping the number of incidents to bar height, the technique represents the incident statistics of thousands of computers in a single display. Because the technique attempts to minimize the display space, the computers can be represented as clickable metaphors, so that the user interface presents each computer's details on demand. The technique can also help a user understand the relationship between the distribution of incidents and the organization of real society, because IP addresses are usually assigned according to the physical and organizational layout of institutions. The article introduces interesting behavior that the presented technique visualizes, including malicious accesses on real large-scale computer networks discovered from over sixty thousand lines of a real IDS log file.
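The abstract describes three steps: count incidents per computer from the IDS log, arrange the computers into a hierarchy by IP address, and draw each computer as a bar (height = incident count) inside nested rectangles for its address groups. The following Python is an added example written for this page, not code from the paper or its authors. The log format is constructed (one incident per line, "timestamp signature src -> dst"), the hierarchy is built from dotted-quad octets rather than the organisation's real subnet plan, and the layout is a simple left-to-right nesting that stands in for the paper's rectangle-packing algorithm; the function names are the example's own.

```python
"""Added example: IP-address hierarchy of IDS incidents drawn as bars in nested
rectangles. Simplified stand-in for the paper's rectangle-packing layout."""
import re
from collections import Counter

# Constructed sample IDS log (not real data): "<timestamp> <signature> <src> -> <dst>"
SAMPLE_LOG = """\
2006-03-01T10:00:01 SCAN-TCP 198.51.100.7 -> 10.1.2.3
2006-03-01T10:00:02 SCAN-TCP 198.51.100.7 -> 10.1.2.3
2006-03-01T10:00:03 SCAN-TCP 198.51.100.7 -> 10.1.2.4
2006-03-01T10:01:00 WEB-IIS 203.0.113.9 -> 10.1.3.10
2006-03-01T10:02:00 WEB-IIS 203.0.113.9 -> 10.1.3.10
2006-03-01T10:03:00 WEB-IIS 203.0.113.9 -> 10.1.3.10
2006-03-01T10:04:00 SMB-PROBE 192.0.2.55 -> 10.2.0.1
2006-03-01T10:05:00 malformed line that should be skipped
"""

LINE_RE = re.compile(r"^\S+ (\S+) (\d+\.\d+\.\d+\.\d+) -> (\d+\.\d+\.\d+\.\d+)$")


def count_incidents(log_text):
    """Count incidents per destination (monitored) computer; unparsable lines are skipped."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            counts[m.group(3)] += 1
    return counts


def build_hierarchy(counts):
    """Nested dict keyed by the first three octets: {a: {b: {c: {host_ip: count}}}}.
    Octet grouping stands in for the paper's organisational IP hierarchy."""
    tree = {}
    for ip, n in counts.items():
        a, b, c, _ = ip.split(".")
        tree.setdefault(a, {}).setdefault(b, {}).setdefault(c, {})[ip] = n
    return tree


def total_under(node):
    """Total incidents below a node (a host count or a group dict)."""
    return node if isinstance(node, int) else sum(total_under(c) for c in node.values())


def totals_by_prefix(tree):
    """Incident totals for every group prefix ("10", "10.1", "10.1.2", ...)."""
    out, stack = {}, [("", tree)]
    while stack:
        prefix, node = stack.pop()
        for key, child in node.items():
            if isinstance(child, int):
                continue  # hosts are leaves; their counts come from count_incidents
            child_prefix = f"{prefix}.{key}" if prefix else key
            out[child_prefix] = total_under(child)
            stack.append((child_prefix, child))
    return out


def layout(node, x=0.0, y=0.0, name="", gap=1.0):
    """Place bars (hosts) and nested rectangles (groups) in 2D.
    Children go left to right; a group's rectangle is the bounding box of its
    children plus padding. Returns (rects, bars, width, height)."""
    if isinstance(node, int):  # leaf: one computer, bar height = incident count
        return [], [{"ip": name, "x": x, "y": y, "w": 1.0, "h": float(node)}], 1.0, float(node)
    rects, bars, cx, max_h = [], [], x + gap, 0.0
    for key in sorted(node):
        child = node[key]
        child_name = key if isinstance(child, int) else (f"{name}.{key}" if name else key)
        r, b, w, h = layout(child, cx, y + gap, child_name, gap)
        rects += r
        bars += b
        cx += w + gap
        max_h = max(max_h, h)
    width, height = cx - x, max_h + 2 * gap
    rects.append({"group": name or "root", "x": x, "y": y, "w": width, "h": height})
    return rects, bars, width, height


if __name__ == "__main__":
    counts = count_incidents(SAMPLE_LOG)
    tree = build_hierarchy(counts)
    for prefix, total in sorted(totals_by_prefix(tree).items()):
        print(f"group {prefix:<10} incidents={total}")
    rects, bars, w, h = layout(tree)
    print(f"display space {w} x {h}, {len(rects)} rectangles, {len(bars)} bars")
    for bar in bars:
        print(f"  host {bar['ip']:<12} at ({bar['x']}, {bar['y']}) height={bar['h']}")
```

The per-prefix totals are what let an analyst see that a cluster of incidents falls on one subnet (here the constructed 10.1.x.x block) rather than being spread across the network; in the paper's display the same information is carried by tall bars concentrated inside one rectangle. Replace the octet grouping with the organisation's real subnet-to-department mapping to reproduce the "real society" relationship the abstract describes.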


Index Terms:
Hierarchical data visualization, Rectangle packing, Intrusion detection system, IP address space
Takayuki Itoh, Hiroki Takakura, Atsushi Sawada, Koji Koyamada, "Hierarchical Visualization of Network Intrusion Detection Data," IEEE Computer Graphics and Applications, vol. 26, no. 2, pp. 40-47, March-April 2006, doi:10.1109/MCG.2006.34