Designing Visualization Tools for Network Intrusion Detection
Bill Vitucci
Abstract:
This case study traces the experience of using one approach
to conceiving, designing, and implementing software used to visualize
network intrusion data. The resulting applications would be used as part
of a larger set of cyber-defense tools. The goal of this effort was to
improve the situational awareness of analysts, managers, and, by extension,
the larger information assurance (IA) organization as a whole. The design
embodied interactive charting techniques that indicated intrusive activity
in patterns, outliers, and trends residing
in data sets of network connection records. Visual filtering, data filtering,
drilldown, and other interactive techniques enhanced the utility of the
resulting analytical tools. The iterative approach taken as part of the
design effort was, at the same time, top-down, bottom-up, user-, task-,
and information-centric. The resulting progressive understanding of the
problem included: the nature of network attack and defense, competing
business processes of attackers and defenders, the roles of the users
and their information needs, and the dimensions of information pertinent
to network defense visualization. Metaphors drawn from a number of sources,
including the natural environment and human history, were the basis of the
data ordering techniques and display concepts. Concepts for how these
visualization tools would fit in with extended and higher-level analysis
emphasized viewing connections in the context of the events that make up
an activity, and activities as forming identifiable behaviors that fit into
a larger inference model.