Stuart Kurkowski, Air Force Institute of Technology, Wright-Patterson AFB
- Work in progress, developing the tool to do all this
- Fused Alert Data
  - alert data is cleaned and reduced to remove redundant or false-positive alerts
  - IDS alerts and log files are grouped into “tracks”
  - 10939 CGI Script events reduced to 150 tracks
- Cyber situation awareness model
  - level 0 & 1 exist
  - level 2+ is this project
- three part approach
  - fused track data only
  - minimalist additional data & track data
  - visual attributes for context awareness
- why visualization?
  - large volume of data
- visualization advantages
  - more resources to apply
  - humans process visual data faster
  - relevant info visualized not searched
  - patterns easier to recognize
  - temporal activity becomes more obvious
  - more configurable interface
- Other products
  - NVisionIP 2004
  - PortVis 2005
  - VisFlowConnect 2005
  - VIAssist 2007
  - VisAlert 2005
- Methodologies
  - lots of screenshots. See flickr tag iciw2008 in my account for photos
  - TCPDump data linked with the tracks to give additional context and information
  - the visualizations involve a dynamic and interactive process (i.e. filters)
  - filters can be saved and retrieved to run against different datasets
- Results
  - allows visualization of heterogeneous sources
  - provides more context
  - provides viz filter
  - easier to project behavior
- future
  - add database source to front end
  - colors, shapes & borders to be added
  - directional information
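A toy version of the alert fusion described under "Fused Alert Data", added here as an example (not the AFIT tool's code): known false-positive signatures are dropped, then alerts sharing source, destination and signature that fall within a time gap of each other are merged into one track, which is where the "10939 events to 150 tracks" kind of reduction comes from. The alert records, the false-positive list and the 300-second gap are all constructed assumptions.

```python
"""Toy alert-to-track fusion in the spirit of the "Fused Alert Data" notes above.
Added example, not the AFIT tool's code. All alerts below are constructed."""
from collections import defaultdict

# Constructed IDS alerts: (time_seconds, src_ip, dst_ip, signature)
ALERTS = [
    (0,   "10.0.0.5", "192.0.2.10", "WEB-CGI phf access"),
    (5,   "10.0.0.5", "192.0.2.10", "WEB-CGI phf access"),
    (12,  "10.0.0.5", "192.0.2.10", "WEB-CGI phf access"),
    (20,  "10.0.0.7", "192.0.2.10", "WEB-CGI formmail access"),
    (25,  "10.0.0.5", "192.0.2.10", "WEB-CGI phf access"),
    (900, "10.0.0.5", "192.0.2.10", "WEB-CGI phf access"),  # long gap: new track
    (40,  "10.0.0.9", "192.0.2.10", "WEB-CGI test-cgi access"),  # known FP, dropped
]

# Assumed analyst tuning: signatures already reviewed as false positives,
# and the idle gap after which the same (src, dst, sig) starts a new track.
FALSE_POSITIVE_SIGS = {"WEB-CGI test-cgi access"}
GAP_SECONDS = 300

def fuse_alerts(alerts, fp_sigs=FALSE_POSITIVE_SIGS, gap=GAP_SECONDS):
    """Drop false-positive signatures, then merge alerts that share
    (src, dst, signature) and lie within `gap` seconds of the previous
    alert into one track. Returns tracks sorted by first_seen."""
    keyed = defaultdict(list)
    for ts, src, dst, sig in alerts:
        if sig in fp_sigs:           # cleaning step: discard known noise
            continue
        keyed[(src, dst, sig)].append(ts)
    tracks = []
    for (src, dst, sig), times in keyed.items():
        times.sort()
        cur = None
        for ts in times:
            if cur is None or ts - cur["last_seen"] > gap:
                cur = {"src": src, "dst": dst, "sig": sig,
                       "first_seen": ts, "last_seen": ts, "count": 1}
                tracks.append(cur)    # appended by reference; updated below
            else:
                cur["last_seen"] = ts
                cur["count"] += 1
    return sorted(tracks, key=lambda t: t["first_seen"])

if __name__ == "__main__":
    tracks = fuse_alerts(ALERTS)
    for t in tracks:
        print(t)
    print(f"{len(ALERTS)} alerts -> {len(tracks)} tracks")
```

Each track keeps first/last seen and a count, so the time span and volume survive the reduction and can be drawn on a timeline rather than searched for alert by alert.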