Developing Network Situational Awareness through Visualizations of Fused Intrusion Detection System Alerts

Abstract

With networks increasing in physical size, bandwidth, traffic volume, and malicious activity, analysts are experiencing greater difficulty in developing network situational awareness. Traditionally, network analysts have used Intrusion Detection Systems to gain awareness, but this method breaks down when analysts are unable to process the alerts at the rate they are being generated. Analysts are unwittingly placing the computer assets they are charged to protect at risk when they are unable to detect these network attacks. This research effort examines the theory, application, and results of using visualizations of fused alert data to develop network situational awareness. Because of the pre-processing, the fused alerts offer analysts fewer false positives, less redundancy, and a smaller alert volume. Visualization offers the analyst quicker visual processing and potential pattern recognition. This research utilized the Visual Information Management toolkit created by Stanfield Systems Inc. to generate meaningful visualizations of the fused alert data. The fused alert data was combined with other network data such as IP address information, network topology, and tcpdump data.

Document Details

Document Type: Technical Report
Publication Date: Jun 01, 2008
Accession Number: ADA487566

Entities

People

  • Serafin Avitia V

Organizations

  • Air Force Institute of Technology

Tags

Communities of Interest

  • Cyber
  • Energy and Power Technologies

DTIC Thesaurus Topics

  • Air Force
  • Cognition
  • Computer Network Security
  • Computer Networks
  • Computer Programming
  • Computers
  • Cyberattacks
  • Cybersecurity
  • Denial Of Service Attack
  • Information Systems
  • Intrusion Detection
  • Intrusion Detection Systems
  • Intrusion Detectors
  • Network Protocols
  • Port Scanners
  • Situational Awareness
  • United States Government

Fields of Study

  • Computer science

Readers

  • Computer Vision
  • Cybersecurity
  • Distributed Systems and Data Platform Development

Technology Areas

  • AI & ML
  • AI & ML - DoD AI Strategy