Exploring three-dimensional visualization of intrusion detection system alerts and network statistics
Intrusion Detection Systems (IDS) have been popular tools in the battle against adversaries who, for whatever reason, desire to break into networks, compromise hosts, and steal valuable information. One problem with current IDS implementations, however, is the sheer number of alerts they can generate, many of which tend to be false alarms. This drawback makes effective use of such systems a challenging task. In this thesis we explore three-dimensional approaches to visualizing network IDS alerts and aggregated network statistics in order to provide the system administrator with a better picture of the events occurring on his or her network. While some research has been done using two-dimensional concepts, 3D approaches have not received much attention with regard to detecting network intrusions. Evaluation of our visualizations using the 1999 DARPA Intrusion Detection Evaluation data set demonstrates the potential benefit of utilizing the third dimension. We show how a number of attack types in the data set, including Denial of Service, Probe, and Remote to Local, generate visual evidence of abnormal activity that a security administrator might use as motivation for further investigation. Using three dimensions provides a rich environment for visualization concepts, and while our initial efforts were successful, there is much room for other ideas and more complex techniques for interaction and drill-down. We hope research will continue in this direction and provide the basis for ever more powerful tools to aid security administrators in the fight against information technology threats.