A visualization paradigm for network intrusion detection Export

@inproceedings{citeulike:679180, abstract = {We present a novel paradigm for visual correlation of network alerts from disparate logs. This paradigm facilitates and promotes situational awareness in complex network environments. Our approach is based on the notion that, by definition, an alert must possess three attributes, namely: what, when, and where. This fundamental premise, which we term w/sup 3/, provides a vehicle for comparing between seemingly disparate events. We propose a concise and scalable representation of these three attributes, that leads to a flexible visualization tool that is also clear and intuitive to use. Within our system, alerts can be grouped and viewed hierarchically with respect to both their type, i.e., the what, and to their where attributes. Further understanding is gained by displaying the temporal distribution of alerts to reveal complex attack trends. Finally, we propose a set of visual metaphor extensions that augment the proposed paradigm and enhance users' situational awareness. These metaphors direct the attention of users to many-to-one correlations within the current display helping them detect abnormal network activity.}, author = {Livnat, Yarden and Agutter, J. and Moon, S. and Erbacher, R. F. and Foresti, S.}, citeulike-article-id = {679180}, citeulike-linkout-0 = {http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1495939}, journal = {Systems, Man and Cybernetics (SMC) Information Assurance Workshop, 2005. Proceedings from the Sixth Annual IEEE}, keywords = {analysis, anomaly, detection, event, glyphs, graphing, interface, monitoring, networking, visualization}, pages = {92--99}, posted-at = {2006-06-01 06:45:33}, priority = {2}, title = {A visualization paradigm for network intrusion detection}, url = {http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1495939}, year = {2005} }

TY - CONF ID - citeulike:679180 L3 - citeulike-article-id:679180 N2 - We present a novel paradigm for visual correlation of network alerts from disparate logs. This paradigm facilitates and promotes situational awareness in complex network environments. Our approach is based on the notion that, by definition, an alert must possess three attributes, namely: what, when, and where. This fundamental premise, which we term w/sup 3/, provides a vehicle for comparing between seemingly disparate events. We propose a concise and scalable representation of these three attributes, that leads to a flexible visualization tool that is also clear and intuitive to use. Within our system, alerts can be grouped and viewed hierarchically with respect to both their type, i.e., the what, and to their where attributes. Further understanding is gained by displaying the temporal distribution of alerts to reveal complex attack trends. Finally, we propose a set of visual metaphor extensions that augment the proposed paradigm and enhance users' situational awareness. These metaphors direct the attention of users to many-to-one correlations within the current display helping them detect abnormal network activity. JF - Systems, Man and Cybernetics (SMC) Information Assurance Workshop, 2005. Proceedings from the Sixth Annual IEEE EP - 99 TI - A visualization paradigm for network intrusion detection SP - 92 KW - analysis KW - anomaly KW - detection KW - event KW - glyphs KW - graphing KW - interface KW - monitoring KW - networking KW - visualization AU - Livnat, Yarden AU - Agutter, J AU - Moon, S AU - Erbacher, RF AU - Foresti, S PY - 2005/// UR - http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=1495939 ER -