Evaluating Visualization of Security Alerts in Complex Network Environments for Maintenance of Situational Awareness

Network security manager are faced with a rapidly changing and complex threat environment due to the proliferation of sophisticated hacking tools. Field studies of network security managers show that they rely on ad hoc collections of log analyzers and custom tools to make sense of multiple sources of data from distributed sensors. The volume of log data exceeds the ability of network security managers to analyze and interpret it. Network security managers must maintain a high level of situational awareness in order to respond to attacks. A variety of tools have been developed to visualize alerts from network intrusion detection and other security tools. No empirical research has demonstrated their usefulness. Limitations in the existing literature are described and an initial framework for empirically evaluating the effectiveness of visualization environments for network security is presented using the VisAlert tool.