Abstract
An Intrusion Detection System (IDS) is an automated cyber security monitoring system that senses malicious activity. Unfortunately, an IDS often generates both a considerable number of alerts and many false positives in its logs. Information visualization lets users discover and analyze large amounts of information efficiently through visual exploration and interaction. Even with the aid of visualization, identifying attack patterns and recognizing false positives among a great number of alerts remain challenges. In this paper, a novel visualization framework, IDSRadar, is proposed for IDS alerts; it monitors the network and presents an overall view of the security situation using a radial graph in real time. IDSRadar utilizes five categories of entropy functions to quantitatively analyze irregular behavioral patterns, and combines interaction, filtering and drill-down to detect potential intrusions. Finally, IDSRadar is applied to the mini-challenges of the VAST Challenge 2011 and 2012.
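As an added illustration of the entropy-based analysis the abstract refers to (this is not the paper's code, and since the five entropy categories are not listed on this page, the alert fields, time windows and thresholds below are assumptions), the block computes normalized Shannon entropy per alert attribute over constructed IDS alerts and flags a window in which one attribute collapses to a single value while another stays diverse, the signature of concentrated activity such as one source sweeping many ports.

```python
import math
from collections import Counter

# Constructed sample alerts (not from the paper): (time_s, src_ip, dst_ip, dst_port, signature)
ALERTS = [
    (0, "10.0.0.5", "192.168.1.10", 80, "WEB-MISC"),
    (1, "10.0.0.6", "192.168.1.11", 443, "SSL-ANOMALY"),
    (2, "10.0.0.7", "192.168.1.12", 22, "SSH-BRUTE"),
    (3, "10.0.0.8", "192.168.1.13", 25, "SMTP-SPAM"),
    # second window: one source hitting many ports on one host (scan-like pattern)
    (60, "10.0.0.9", "192.168.1.20", 21, "PORTSCAN"),
    (61, "10.0.0.9", "192.168.1.20", 22, "PORTSCAN"),
    (62, "10.0.0.9", "192.168.1.20", 23, "PORTSCAN"),
    (63, "10.0.0.9", "192.168.1.20", 25, "PORTSCAN"),
]

# Assumed attribute set; the paper's own five categories are not given on this page.
FIELDS = {"src_ip": 1, "dst_ip": 2, "dst_port": 3, "signature": 4}

def entropy(values):
    """Normalized Shannon entropy in [0, 1]: 0 = all identical, 1 = all distinct."""
    n = len(values)
    if n <= 1:
        return 0.0
    counts = Counter(values)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)

def window_entropies(alerts, start, length):
    """Entropy of each attribute over alerts with start <= time < start + length."""
    in_win = [a for a in alerts if start <= a[0] < start + length]
    return {name: entropy([a[idx] for a in in_win]) for name, idx in FIELDS.items()}

def flag_irregular(profile, low=0.25, high=0.75):
    """Assumed heuristic: pair each near-constant attribute with each highly diverse one.
    An empty list means the window looks uniformly diverse (or uniformly constant)."""
    lows = [f for f, h in profile.items() if h <= low]
    highs = [f for f, h in profile.items() if h >= high]
    return [(lo, hi) for lo in lows for hi in highs]

def scan(alerts, length=60):
    """Slide fixed windows over the alert stream; return (start, entropies, flags) per window."""
    last = max(a[0] for a in alerts)
    return [(s, window_entropies(alerts, s, length), flag_irregular(window_entropies(alerts, s, length)))
            for s in range(0, last + 1, length)]

if __name__ == "__main__":
    for start, prof, flags in scan(ALERTS):
        print(start, {k: round(v, 2) for k, v in prof.items()}, flags)
```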
Cite this article
Zhao, Y., Zhou, F., Fan, X. et al. IDSRadar: a real-time visualization framework for IDS alerts. Sci. China Inf. Sci. 56, 1–12 (2013). https://doi.org/10.1007/s11432-013-4891-9