
"You Two! We're at the end of the universe, eh. Right at the edge of knowledge itself. And you're busy... blogging!"
— The Doctor, Utopia


Thursday, April 24, 2008

ICIW2008: Interactive Visualization of Fused Intrusion Detection Data

Stuart Kurkowski, Air Force Institute of Technology, Wright-Patterson AFB
  • Work in progress, developing the tool to do all this
  • Fused Alert Data
    • alert data is cleaned and reduced to remove redundant or false-positive alerts
    • IDS Alerts and log files are grouped into "tracks"
      • 10939 CGI Script events reduced to 150 tracks
  • Cyber situation awareness model
    • level 0 & 1 exist
    • level 2+ is this project
  • three part approach
    • fused track data only
    • minimalist additional data & track data
    • visual attributes for context awareness
  • why visualization?
    • large volume of data
    • visualization advantages
      • more resources to apply
      • humans process visual data faster
      • relevant info visualized not searched
      • patterns easier to recognize
      • temporal activity becomes more obvious
      • more configurable interface
  • Other products
    • NVisionIP 2004
    • PortVis 2005
    • VisFlowConnect 2005
    • VIAssist 2007
    • VisAlert 2005
  • Methodologies
    • lots of screenshots. See Flickr tag iciw2008 in my account for photos
    • TCPDump data linked with the tracks to give additional context and information
  • the visualizations involve a dynamic and interactive process (i.e. filters)
  • filters can be saved and retrieved to run against different datasets
  • Results
    • allows visualization of heterogeneous sources
    • provides more context
    • provides visualization filters
    • easier to project behavior
  • future
    • add database source to front end
    • colors, shapes & borders to be added
    • directional information
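The alert cleaning and track grouping described under "Fused Alert Data" above, as an added example that is not the AFIT tool's code: it parses constructed Snort fast-style alert lines, drops exact duplicates, and groups the rest into (source, destination) tracks that are split when the pair goes quiet for longer than a five-minute gap. The line format, the year, the grouping key and the gap are all assumptions made for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample IDS alerts in a Snort "fast"-style layout (not real data).
SAMPLE_ALERTS = """\
04/24-09:00:01.000000  [**] WEB-CGI phf access [**] 10.0.0.5:41000 -> 192.168.1.10:80
04/24-09:00:01.000000  [**] WEB-CGI phf access [**] 10.0.0.5:41000 -> 192.168.1.10:80
04/24-09:00:03.000000  [**] WEB-CGI phf access [**] 10.0.0.5:41002 -> 192.168.1.10:80
04/24-09:00:40.000000  [**] WEB-CGI test-cgi access [**] 10.0.0.5:41010 -> 192.168.1.10:80
04/24-09:20:00.000000  [**] WEB-CGI phf access [**] 10.0.0.5:42000 -> 192.168.1.10:80
04/24-09:00:10.000000  [**] WEB-CGI phf access [**] 10.0.0.7:50000 -> 192.168.1.11:80
"""
ALERT_RE = re.compile(r"^(\S+)\s+\[\*\*\]\s+(.*?)\s+\[\*\*\]\s+(\S+):\d+\s+->\s+(\S+):\d+$")

def parse_alerts(text, year=2008):
    """Parse fast-style lines into dicts; the year is assumed (the format omits it)."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line.strip())
        if m:  # unparseable lines are skipped rather than aborting the run
            ts = datetime.strptime(f"{year}/{m.group(1)}", "%Y/%m/%d-%H:%M:%S.%f")
            alerts.append({"ts": ts, "sig": m.group(2), "src": m.group(3), "dst": m.group(4)})
    return alerts

def dedupe(alerts):
    """Cleaning step: drop exact duplicates (same time, signature, src and dst)."""
    unique = {(a["ts"], a["sig"], a["src"], a["dst"]): a for a in alerts}
    return list(unique.values())  # dict keeps first-seen order

def build_tracks(alerts, gap=timedelta(minutes=5)):
    """Group alerts into tracks keyed by (src, dst); a pause longer than `gap` closes a track."""
    tracks, open_tracks = [], {}
    for a in sorted(alerts, key=lambda a: a["ts"]):
        key = (a["src"], a["dst"])
        t = open_tracks.get(key)
        if t is None or a["ts"] - t["end"] > gap:
            t = {"src": a["src"], "dst": a["dst"], "start": a["ts"],
                 "end": a["ts"], "sigs": set(), "count": 0}
            tracks.append(t)
            open_tracks[key] = t
        t["end"] = a["ts"]
        t["sigs"].add(a["sig"])
        t["count"] += 1
    return tracks

if __name__ == "__main__":
    for t in build_tracks(dedupe(parse_alerts(SAMPLE_ALERTS))):
        print(f"{t['src']} -> {t['dst']}: {t['count']} alerts, {sorted(t['sigs'])}")
```

On the six constructed lines this yields three tracks from five unique alerts; the same pipeline is what turns a flood of raw CGI alerts into the much smaller track set the talk mentions, and the gap value is the knob that controls how aggressive that reduction is.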
