Y. Livnat, Jim Agutter, Sham Moon, R. Erbacher, Stefan 0 Foresti
{"title":"A visualization paradigm for network intrusion detection","authors":"Y. Livnat, Jim Agutter, Sham Moon, R. Erbacher, Stefan 0 Foresti","doi":"10.1109/IAW.2005.1495939","DOIUrl":null,"url":null,"abstract":"We present a novel paradigm for visual correlation of network alerts from disparate logs. This paradigm facilitates and promotes situational awareness in complex network environments. Our approach is based on the notion that, by definition, an alert must possess three attributes, namely: what, when, and where. This fundamental premise, which we term w/sup 3/, provides a vehicle for comparing between seemingly disparate events. We propose a concise and scalable representation of these three attributes, that leads to a flexible visualization tool that is also clear and intuitive to use. Within our system, alerts can be grouped and viewed hierarchically with respect to both their type, i.e., the what, and to their where attributes. Further understanding is gained by displaying the temporal distribution of alerts to reveal complex attack trends. Finally, we propose a set of visual metaphor extensions that augment the proposed paradigm and enhance users' situational awareness. These metaphors direct the attention of users to many-to-one correlations within the current display helping them detect abnormal network activity.","PeriodicalId":252208,"journal":{"name":"Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop","volume":"1 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"2005-06-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"110","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings from the Sixth Annual IEEE SMC Information Assurance Workshop","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/IAW.2005.1495939","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
引用次数: 110
Abstract
We present a novel paradigm for visual correlation of network alerts from disparate logs. This paradigm facilitates and promotes situational awareness in complex network environments. Our approach is based on the notion that, by definition, an alert must possess three attributes, namely: what, when, and where. This fundamental premise, which we term w/sup 3/, provides a vehicle for comparing between seemingly disparate events. We propose a concise and scalable representation of these three attributes, that leads to a flexible visualization tool that is also clear and intuitive to use. Within our system, alerts can be grouped and viewed hierarchically with respect to both their type, i.e., the what, and to their where attributes. Further understanding is gained by displaying the temporal distribution of alerts to reveal complex attack trends. Finally, we propose a set of visual metaphor extensions that augment the proposed paradigm and enhance users' situational awareness. These metaphors direct the attention of users to many-to-one correlations within the current display helping them detect abnormal network activity.
京公网安备 11010802042870号
京ICP备2023020795号-1
分享
求助内容:
应助结果提醒方式:
扫码关注我们
