The Community for Technology Leaders
Visualization for Computer Security, IEEE Workshops on (2005)
Minneapolis, Minnesota
Oct. 26, 2005 to Oct. 26, 2005
ISBN: 0-7803-9477-1
pp: 1
John A. Copeland , Georgia Tech
Gregory Conti , Georgia Tech
Chris Lee , Georgia Tech
John Stasko , Georgia Tech
Kulsoom Abdullah , Georgia Tech
The massive amount of alarm data generated from intrusion detection systems is cumbersome for network system administrators to analyze. Often, important details are overlooked and it is difficult to get an overall picture of what is occurring in the network by manually traversing textual alarm logs. We have designed a novel visualization to address this problem by showing alarm activity within a network. Alarm data is presented in an overview where system administrators can get a general sense of network activity and easily detect anomalies. They then have the option of zooming and drilling down for details. The information is presented with local network IP (Internet Protocol) addresses plotted over multiple yaxes to represent the location of alarms. Time on the x-axis is used to show the pattern of the alarms and variations in color encode the severity and amount of alarms. Based on our system administrator requirements study, this graphical layout addresses what system administrators need to see, is faster and easier than analyzing text logs, and uses visualization techniques to effectively scale and display the data. With this design, we have built a tool that effectively uses operational alarm log data generated on the Georgia Tech campus network. The motivation and background of our design is presented along with examples that illustrate its usefulness.
IDS alarms, alert visualization, log visualization, alarm visualization, network monitoring, network security information visualization
John A. Copeland, Gregory Conti, Chris Lee, John Stasko, Kulsoom Abdullah, "IDS RainStorm: Visualizing IDS Alarms", Visualization for Computer Security, IEEE Workshops on, vol. 00, no. , pp. 1, 2005, doi:10.1109/VIZSEC.2005.8
539 ms
(Ver )