Abstract
Traversing multiple pages of log entries, trying to detect malicious and anomalous behavior, and correlating events to address multiple use cases is a non-trivial task for a security administrator. It requires resources, expert knowledge and time. In this paper, we present a novel security visualization system entitled Avisa. It accentuates fundamental matters of information visualization, namely interaction and animation, and synthesizes them with intrusion detection audit traces. Visual constraints inspired the use of heuristic metrics to select and display hosts with irregular and variant behaviors. We thoroughly describe the ideas behind the heuristic metrics and perform an empirical analysis to individually evaluate each metric's functionality. Avisa's intuitive interface, accompanied by the power of the heuristic functions, allows the perception of patterns and emergent properties, facilitating understanding of the underlying data.
© 2010 Springer-Verlag Berlin Heidelberg
Cite this paper
Shiravi, H., Shiravi, A., Ghorbani, A.A. (2010). IDS Alert Visualization and Monitoring through Heuristic Host Selection. In: Soriano, M., Qing, S., López, J. (eds) Information and Communications Security. ICICS 2010. Lecture Notes in Computer Science, vol 6476. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-17650-0_31
DOI: https://doi.org/10.1007/978-3-642-17650-0_31
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-17649-4
Online ISBN: 978-3-642-17650-0