Countering Security Analyst and Network Administrator Overload Through Alert and Packet Visualization

When given the task of securing a network, security analysts and network administrators typically face large volumes of security data that demand analysis. Selectively mapping elements of these flows to carefully crafted graphical displays can provide rapid insights while, at the same time, actively countering information overload. To this end, we present a generic framework for designing such visualization systems as well as results from the end-to-end design and implementation of two highly interactive systems. The first system focuses on increasing the utility of intrusion detection systems by providing information rich displays of network alerts. The second system provides new methods of visualizing network packets that enable the analyst to efficiently and effectively explore network traffic for malicious activity. To support our findings, we present the results of a user requirements study, which we used to base our designs, and an evaluation of our completed systems by professional security analysts. CR