Countering security information overload through alert and packet visualization
G. Conti, K. Abdullah, J. Grizzard, J. Stasko, J.A. Copeland, M. Ahamad, H.L. Owen, C. Lee
2006
IEEE Computer Graphics and Applications
The massive amount of security data that network sensors and host-based applications generate can quickly overwhelm the operators charged with defending the network. Often, operators overlook important details, and it is difficult to gain a coherent picture of network health and security status by manually traversing textual logs, using command-line analysis scripts, or applying traditional graphing and charting techniques. In many instances, this flood of data will actually reduce the overall level of security by consuming operators' available time or misdirecting their efforts. In extreme circumstances, the operators will become desensitized and ignore security warnings altogether, effectively negating the value of their security systems. We address this problem by carefully crafting graphical systems designed to present the data in insightful ways that tap into the high-bandwidth visual recognition capability of human operators. We began our work by surveying professional security operators to determine the limits of today's best systems and identify high-payoff targets for improvement. Using these requirements to drive our designs, we created two complementary security visualization systems. The first system, intrusion detection system (IDS) RainStorm (see Figure 1), provides high-level overviews of intrusion-detection alerts. The second system, Rumint, provides detailed insights into packet-level network traffic. These systems mirror two primary tasks of security analysts: detecting and responding to network intrusions (IDS RainStorm) and performing rapid in-depth analysis of specific intrusion events (Rumint). We have deployed these systems in a variety of laboratory and operational settings for a total of two years to evaluate their effectiveness. During this period, we iteratively improved their designs and developed a general framework for designing such systems. In this article, we provide multiple contributions: we present the results of our survey of security professionals, the design framework, lessons learned from the design of our systems, and an evaluation of their effectiveness. Our results indicate that both systems effectively present significantly more information than traditional textual approaches. We believe that the interactive, graphical techniques that we present will have broad applications in other domains seeking to deal with information overload.
This article is based on a series of conference and workshop papers that describe earlier versions of our work [1,2].

Evaluating current best practices

Information overload is an everyday occurrence for security analysts. While there is a tremendous amount of work on information overload by the psychology research community, little has been done that directly examines the real-world needs of security professionals and network administrators. We believe this specificity is critical to developing effective solutions. As an example, consider the day-to-day operation of the Georgia Institute of Technology's campus network. At this institution, the total campus population is approximately 15,000 undergraduate and graduate students and approximately 5,000 staff and faculty. There are 69 individual departments spread over the campus, with between 30,000 and 35,000 networked computers operational at any given time. The total number of IP addresses allocated to Georgia Tech is equivalent to 2.5 class B networks, or 163,840 addresses. The network connection from the campus to the Internet has an average throughput of 600 megabits per second. On average, the network processes more than 4 terabytes of data each day. Georgia Tech's Office of Information Technology manages the security, health, and welfare of the campus network. Staffed by a handful of network analysts and

Visualization for Cybersecurity
This article presents a framework for designing network security visualization systems as well as results from the end-to-end design and implementation of two highly interactive systems.
doi:10.1109/mcg.2006.30
pmid:16548461
fatcat:3jytq2chx5hpzoadq63ndsbmo4