ICIW2008: Interactive Visualization of Fused Intrusion Detection Data

Stuart Kurkowski, Air Force Institute of Technology, Wright-Patterson AFB

  • Work in progress, developing the tool to do all this
  • Fused Alert Data
    • alert data is cleaned and reduced to remove redundant or false-positive alerts
    • IDS Alerts and log files are grouped into “tracks”
      • 10939 CGI Script events reduced to 150 tracks
  • Cyber situation awareness model
    • level 0 & 1 exist
    • level 2+ is this project
  • three part approach
    • fused track data only
    • minimalist additional data & track data
    • visual attributes for context awareness
  • why visualization?
    • large volume of data
    • visualization advantages
      • more resources to apply
      • humans process visual data faster
      • relevant info visualized not searched
      • patterns easier to recognize
      • temporal activity becomes more obvious
      • more configurable interface
  • Other products
    • NVisionIP 2004
    • PortVIs 2005
    • VisFlowConnect 2005
    • VIAssist 2007
    • VisAlert 2005
  • Methodologies
    • lots of screenshots. See flickr tag iciw2008 in my account for photos
    • TCPDump data linked with the tracks to give additional context and information
  • the visualizations involve a dynamic and interactive process (i.e. filters)
  • filters can be saved and retrieved to run against different datasets
  • Results
    • allows visualization of heterogeneous sources
    • provides more context
    • provides visualization filters
    • easier to project behavior
  • future
    • add database source to front end
    • colors, shapes & borders to be added
    • directional information
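The alert-to-track fusion sketched under "Fused Alert Data" above, as an added Python example (not code from the AFIT tool): alerts sharing source, destination and signature are chained into a track while they arrive within a time window, and tracks too short to be meaningful are dropped. The alert tuples, the window and the minimum-hit threshold are constructed assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample alerts, not data from the paper: (timestamp, src, dst, signature)
ALERTS = [
    ("2008-01-10 10:00:00", "10.0.0.5", "192.0.2.10", "WEB-CGI phf access"),
    ("2008-01-10 10:00:05", "10.0.0.5", "192.0.2.10", "WEB-CGI phf access"),
    ("2008-01-10 10:00:09", "10.0.0.5", "192.0.2.10", "WEB-CGI phf access"),
    ("2008-01-10 10:30:00", "10.0.0.5", "192.0.2.10", "WEB-CGI phf access"),
    ("2008-01-10 10:01:00", "10.0.0.7", "192.0.2.10", "WEB-CGI phf access"),
    ("2008-01-10 10:01:30", "10.0.0.7", "192.0.2.10", "WEB-CGI phf access"),
    ("2008-01-10 10:02:00", "10.0.0.9", "192.0.2.11", "ICMP PING"),
]


def fuse_alerts(alerts, window=timedelta(minutes=10), min_hits=2):
    """Reduce raw alerts to tracks.

    A track is a run of alerts sharing (src, dst, signature) where each alert
    follows the previous one within `window`. Tracks with fewer than `min_hits`
    alerts are discarded as likely noise or one-off false positives.
    """
    parsed = sorted((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), s, d, sig)
                    for ts, s, d, sig in alerts)
    open_tracks = {}   # key -> track currently being extended
    finished = []
    for ts, src, dst, sig in parsed:
        key = (src, dst, sig)
        t = open_tracks.get(key)
        if t is None or ts - t["last_seen"] > window:
            if t is not None:
                finished.append(t)          # gap too large: close the old track
            t = {"src": src, "dst": dst, "signature": sig,
                 "first_seen": ts, "last_seen": ts, "count": 0}
            open_tracks[key] = t
        t["last_seen"] = ts
        t["count"] += 1
    finished.extend(open_tracks.values())
    kept = [t for t in finished if t["count"] >= min_hits]
    kept.sort(key=lambda t: t["first_seen"])
    return kept


def reduction_ratio(alerts, tracks):
    """How many raw alerts each surviving track stands for (the paper's 10939 -> 150 idea)."""
    return len(alerts) / len(tracks) if tracks else 0.0


if __name__ == "__main__":
    tracks = fuse_alerts(ALERTS)
    for t in tracks:
        print(t["src"], "->", t["dst"], t["signature"], "x", t["count"])
    print("reduction ratio:", reduction_ratio(ALERTS, tracks))
```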