Hierarchical visualization of network intrusion detection data
Citations
CAT: A Hierarchical Image Browser Using a Rectangle Packing Technique
Visual Analysis of Network Traffic for Resource Planning, Interactive Monitoring, and Interpretation of Security Threats
idMAS-SQL: Intrusion Detection Based on MAS to Detect and Block SQL injection through data mining
A hybrid space-filling and force-directed layout method for visualizing multiple-category graphs
Nature-Inspired Techniques in the Context of Fraud Detection
References
VisFlowConnect: netflow visualizations of link relationships for security situational awareness
Home-centric visualization of network traffic for security administration
Intrusion and misuse detection in large-scale systems
SnortView: visualization system of snort logs
MAIDS: mining alarming incidents from data streams
Frequently Asked Questions (13)
Q2. What are the future works mentioned in the paper "Hierarchical visualization of network intrusion detection data in the IP address space"?
The authors plan to prove the effectiveness of the technique by observing its use with real network management and users. In addition, the following issue, as well as the issues discussed in Section 6, will be the focus of future work based on this technique:
• Combination with intelligent techniques, such as data mining and knowledge management, to effectively discover and alert on high-security incidents. Some kinds of trends or attack patterns can also be discovered by developing visualizations of the time sequence of intrusions.
Q3. What is the way to minimize occlusions?
Another idea for minimizing occlusions is to treat the view selection as an optimization problem, choosing the viewpoint so that the entropy of the visualization result is maximized.
Q4. How long did it take to create the hierarchy of computers?
In their measurement, the implementation took 120 seconds to read the log file, 0.6 seconds to form and visualize the hierarchy of computers, and 7.1 seconds to recount incidents during GUI operations.
Q5. How many candidates can be generated for the rectangle?
It generates at most four candidates, at the corners of empty subspaces of the grid-like space, where the current rectangle can be placed without leaving any unnecessary gaps between it and the previously placed rectangles.
Q6. What is the function for displaying the list of attacks?
If the display space allows a larger dialog window, additional information, such as the IP addresses of receivers and signature IDs, is presented so that users can easily identify past attacks.
Q7. How many times did administrators disconnect the senders or receivers of high-security incidents?
Administrators of the computer network used for these figures disconnected the senders or receivers of incidents 16 times in two months because of pernicious attacks.
Q8. What is the algorithm for putting a rectangle?
The algorithm then decides the position of the rectangle so that it does not overlap previously placed rectangles, while attempting to minimize the area and the aspect ratio of the whole grid-like space.
Q9. What is the description of the visualization technique?
Figure 1 is an example of visualization by this technique: leaf nodes are drawn as black square icons, and branch nodes as rectangular borders enclosing the icons.
Q10. What is the improved rectangle packing algorithm?
As shown in Figure 2, the improved rectangle packing algorithm [4] subdivides the display area into a grid using the extension lines of the edges of previously placed rectangles.
Q11. How many computers can be represented in the technique?
The technique can represent the distribution of incidents in large-scale computer networks consisting of several thousand computers.
Q12. What are the goals of the visualization technique?
The goals of the visualization technique are to make the statistics available from IDS systems understandable and to offer an interactive way of exploring detailed information.
Q13. What is the ability to configure high-security computers?
The capability allows configuring the following computers as high-security:
• "Computers that sent or received more than a constant number of incidents in a constant time", and
• "Computers whose number of sent or received incidents drastically increases".