Focusing on Context in Network Traffic Analysis
March/April 2006 (vol. 26 no. 2)
pp. 72-80
John R. Goodall, University of Maryland, Baltimore County
Wayne G. Lutters, University of Maryland, Baltimore County
Penny Rheingans, University of Maryland, Baltimore County
Anita Komlodi, University of Maryland, Baltimore County
Intrusion detection analysis requires understanding the context of an event, which is usually discovered by examining packet-level detail. When analysts attempt to construct the big picture of a security event, they must move between high-level representations and these low-level details. This continual shifting places a substantial cognitive burden on the analyst, who must mentally store and transfer information between the two levels of analysis. This article presents an information visualization tool, the time-based network traffic visualizer (TNV), that reduces this burden. TNV augments the available support for discovering and analyzing anomalous or malicious network activity. The system is grounded in an understanding of the work practices of intrusion detection analysts, and in particular in the central role that integrating contextual information plays in building an understanding of the event under investigation. TNV provides low-level, textual data and multiple, linked visualizations that let analysts examine packet-level detail within the larger context of surrounding activity at the same time.
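The detail-in-context idea the abstract describes (an overview of activity per host over time, linked to the packet records behind any one cell of that overview) can be sketched in a few dozen lines. The following is an added example, not code from the TNV paper or from the authors; the packet records, the 60-second bucket width and the median-based "hot cell" trigger are all constructed here for illustration and are not something the paper prescribes.

```python
"""Detail-in-context over packet records (added example, not TNV's code).

overview()  builds the context view: packets per (host, time bucket).
detail()    is the linked detail view: the packets behind one cell.
hot_cells() is a constructed trigger that picks cells worth drilling into.
"""
import statistics
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds since epoch (constructed values below)
    src: str
    dst: str
    proto: str
    dport: int


# Constructed sample: a little background traffic, then a port sweep from
# 10.0.0.99 against 192.168.1.5 packed into roughly one second.
SAMPLE = [
    Packet(1000.0, "192.168.1.10", "192.168.1.5", "tcp", 80),
    Packet(1003.5, "192.168.1.11", "192.168.1.5", "tcp", 443),
    Packet(1062.0, "192.168.1.10", "192.168.1.5", "tcp", 80),
    Packet(1065.2, "192.168.1.11", "8.8.8.8", "udp", 53),
] + [
    Packet(1120.0 + i * 0.1, "10.0.0.99", "192.168.1.5", "tcp", 20 + i)
    for i in range(12)
]


def bucket_of(ts, width):
    """Start of the time bucket (of `width` seconds) containing `ts`."""
    return int(ts // width) * width


def overview(packets, width=60.0):
    """Context view: packet count per (host, bucket).  A packet is counted
    for both endpoints so each host's row reflects all traffic it took part in."""
    counts = defaultdict(int)
    for p in packets:
        b = bucket_of(p.ts, width)
        counts[(p.src, b)] += 1
        counts[(p.dst, b)] += 1
    return dict(counts)


def detail(packets, host, bucket, width=60.0):
    """Linked detail view: the packets behind one overview cell, in time order."""
    return sorted(
        (p for p in packets
         if bucket_of(p.ts, width) == bucket and host in (p.src, p.dst)),
        key=lambda p: p.ts,
    )


def hot_cells(counts, factor=4.0):
    """Cells with more than `factor` times the median cell count.  The median
    is used rather than the mean so a single burst does not hide itself by
    inflating the baseline.  This threshold is an assumption of the example."""
    if not counts:
        return []
    threshold = factor * statistics.median(counts.values())
    return sorted(cell for cell, n in counts.items() if n > threshold)


def distinct_ports(packets):
    """Distinct destination ports in a packet list (a quick sweep indicator)."""
    return sorted({p.dport for p in packets})


if __name__ == "__main__":
    ov = overview(SAMPLE)
    for host, b in hot_cells(ov):
        pk = detail(SAMPLE, host, b)
        print(f"{host} @ {b:.0f}s: {ov[(host, b)]} packets, "
              f"{len(distinct_ports(pk))} distinct dst ports")
```

Running the block as a script lists the two cells the sweep lights up (the scanner and its target in the 1080 s bucket) and, for each, the port count recovered from the linked packet detail; everything else stays in the overview as low, steady background.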


Index Terms:
information visualization, user-centered design, network analysis, visualization for computer security
Citation:
John R. Goodall, Wayne G. Lutters, Penny Rheingans, Anita Komlodi, "Focusing on Context in Network Traffic Analysis," IEEE Computer Graphics and Applications, vol. 26, no. 2, pp. 72-80, March-April 2006, doi:10.1109/MCG.2006.31