9 research outputs found

    Cognitive Analysis of Intrusion Detection System

    Usability evaluation methods have gained substantial attention in networking, particularly for Intrusion Detection Systems (IDS), since these methods are intended to achieve usability and to identify usability defects in a large number of practical software products. Despite a good number of available surveys and methods on usability evaluation, we feel that there is a gap in the existing literature in terms of usability evaluation methods, IDS interfaces and adherence to usability guidelines in IDS development. This paper reviews the state of the art for improving the usability of networks and illustrates the issues and challenges in the context of design. Further, we propose a taxonomy of key issues in evaluation methods and usability problems. We also define design heuristics for IDS users and interfaces that improve detection of usability defects and interface usability compared to conventional evaluation heuristics. The similarities and differences of usability evaluation methods and usability problems are summarized on the basis of usability factors, current evaluation methods and interface loopholes.

    Exploring utilization of visualization for computer and network security

    The role of the network security administrator is continually morphing to keep pace with the ever-changing area of computer and network security. These changes are due in part to the continual development of new security exploits by attackers as well as to improvements in the network security products available. One area which has garnered much research in the past decade is the use of visualization to ease the strain on network security administrators. Visualization mechanisms exploit the parallel processing power of the human visual system to allow the identification of possibly malicious network activity. This research details the development and use of a visualization system for network security. The manuscript is composed of four papers which provide a progression of research pertaining to the system. The first paper draws on research in information visualization to develop a new framework for designing visualization systems for network security. Next, a visualization system is developed in the second paper; it has been used during multiple cyber defense competitions to aid competition performance. The last two papers deal with evaluating the developed system. First, an exploratory analysis provides an initial assessment using participant interviews during one cyber defense competition. Second, a quasi-field experiment explores subjects' intention to use the system depending on the type of visualization being viewed.

    AlertWheel visualisation radiale de graphes bipartis appliquée aux systèmes de détection d'intrusions sur des réseaux informatiques

    Intrusion detection systems (IDS) are commonly used to detect attacks on computer networks. These devices analyse incoming and outgoing traffic looking for anomalies or suspicious activity. Unfortunately, they generate a large amount of noise (e.g. false positives, redundant alerts, etc.), which greatly complicates analysis of the data. This thesis presents AlertWheel, a new software application intended to ease alert analysis on large networks. The application includes a radial visualisation that displays several thousand alerts simultaneously and lets the analyst quickly perceive the important attack patterns. Among other things, AlertWheel proposes a new way of representing a bipartite graph. Links are designed and positioned so as to reduce occlusion in the drawing. Unlike prior work, AlertWheel combines three link-bundling techniques at once to improve the legibility of the representation. The application also includes filtering, annotation, logging and "details on demand" features to support the analysis processes of computer security specialists. The application is essentially organised in three levels: a global view (the wheel), an intermediate view (the alert matrix) and a detail view (a single alert). It supports several combinations and layouts of these views so as to adapt easily to most kinds of analysis. AlertWheel was developed primarily to study traffic on honeypots. Since all traffic to a honeypot is by definition malicious, honeypots make it easier to isolate attacks. AlertWheel was evaluated on data from the WOMBAT international honeypot network. Using the application, it was possible to quickly isolate concrete attacks and to identify global attack patterns.
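The abstract above describes the data the wheel and its intermediate "alert matrix" are built from: a bipartite graph between alert sources and signatures, with redundant alerts folded away and filtering applied before anything is drawn. The following is an added example of that aggregation step, written for this page; it is not AlertWheel's or the WOMBAT project's code. It assumes input in Snort's "alert_fast" text layout, and the alert lines themselves (RFC 5737 test addresses, local-range SIDs, rule messages) are constructed.

```python
"""Alert aggregation of the kind an AlertWheel-style bipartite view sits on.

Added example, not AlertWheel's or the WOMBAT project's code. Assumes
Snort 'alert_fast' text layout; the sample lines below (RFC 5737 test
addresses, local-range SIDs, rule messages) are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: one source probing three hosts on tcp/22, one noisy
# policy rule firing twice, one outbound hit, and one malformed line.
SAMPLE_ALERTS = """\
03/01-10:00:01.000000  [**] [1:1000001:1] LOCAL SCAN SSH probe [**] [Priority: 2] {TCP} 198.51.100.7:41000 -> 192.0.2.10:22
03/01-10:00:01.500000  [**] [1:1000001:1] LOCAL SCAN SSH probe [**] [Priority: 2] {TCP} 198.51.100.7:41001 -> 192.0.2.11:22
03/01-10:00:02.000000  [**] [1:1000001:1] LOCAL SCAN SSH probe [**] [Priority: 2] {TCP} 198.51.100.7:41002 -> 192.0.2.12:22
03/01-10:00:03.000000  [**] [1:1000001:1] LOCAL SCAN SSH probe [**] [Priority: 2] {TCP} 198.51.100.7:41003 -> 192.0.2.10:22
03/01-10:05:00.000000  [**] [1:1000002:1] LOCAL POLICY odd User-Agent [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:50000 -> 192.0.2.10:80
03/01-10:05:30.000000  [**] [1:1000002:1] LOCAL POLICY odd User-Agent [**] [Classification: Misc activity] [Priority: 3] {TCP} 203.0.113.5:50001 -> 192.0.2.10:80
03/01-11:00:00.000000  [**] [1:1000003:1] LOCAL SCAN SSH probe outbound [**] [Priority: 2] {TCP} 192.0.2.10:33000 -> 198.51.100.200:22
this line is deliberately malformed and must be skipped, not crash the parser
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+"
    r"\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+(?P<msg>.+?)\s+\[\*\*\]\s+"
    r"(?:\[Classification:[^\]]*\]\s+)?\[Priority:\s*(?P<prio>\d+)\]\s+"
    r"\{(?P<proto>\w+)\}\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


@dataclass(frozen=True)
class Alert:
    ts: datetime
    sid: int
    msg: str
    priority: int
    src: str
    dst: str
    dport: int


def parse_alerts(text: str, year: int = 2024) -> list:
    """Parse fast-alert lines; non-matching lines are skipped, not fatal.
    Fast alerts carry no year, so one is assumed (an assumption)."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year}/{m['ts']}", "%Y/%m/%d-%H:%M:%S.%f")
        alerts.append(Alert(ts, int(m["sid"]), m["msg"], int(m["prio"]),
                            m["src"], m["dst"], int(m["dport"])))
    return alerts


def collapse_redundant(alerts, window=timedelta(seconds=60)):
    """Fold repeats of the same (sid, src, dst) seen within `window` of the
    group's first alert into one record with a hit count: the 'redundant
    alert' noise the abstract mentions."""
    groups = []           # list of (first_alert, hit_count)
    open_idx = {}         # (sid, src, dst) -> index into groups
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.sid, a.src, a.dst)
        i = open_idx.get(key)
        if i is not None and a.ts - groups[i][0].ts <= window:
            groups[i] = (groups[i][0], groups[i][1] + 1)
        else:
            open_idx[key] = len(groups)
            groups.append((a, 1))
    return groups


def alert_matrix(groups):
    """Bipartite graph source -> signature: edge (src, sid) carries the hit
    count, the set of distinct targets and the rule priority."""
    matrix = {}
    for a, n in groups:
        e = matrix.setdefault((a.src, a.sid), {"msg": a.msg, "priority": a.priority,
                                               "hits": 0, "targets": set()})
        e["hits"] += n
        e["targets"].add(a.dst)
    return matrix


def filter_matrix(matrix, max_priority: int):
    """Keep only edges at or above a severity (Snort: priority 1 is most severe)."""
    return {k: v for k, v in matrix.items() if v["priority"] <= max_priority}


def top_patterns(matrix):
    """Edges ordered by hits, then breadth of targets: what the wheel draws thickest."""
    return sorted(((src, sid, e["hits"], len(e["targets"])) for (src, sid), e in matrix.items()),
                  key=lambda t: (-t[2], -t[3]))


def render_matrix(matrix) -> str:
    """Text stand-in for the intermediate view: rows are sources, columns are
    signatures, cells are collapsed hit counts."""
    sources = sorted({src for src, _ in matrix})
    sids = sorted({sid for _, sid in matrix})
    rows = ["source".ljust(16) + "".join(str(s).rjust(9) for s in sids)]
    for src in sources:
        rows.append(src.ljust(16) + "".join(
            str(matrix.get((src, sid), {}).get("hits", ".")).rjust(9) for sid in sids))
    return "\n".join(rows)


if __name__ == "__main__":
    matrix = alert_matrix(collapse_redundant(parse_alerts(SAMPLE_ALERTS)))
    print(render_matrix(matrix))
    for src, sid, hits, breadth in top_patterns(filter_matrix(matrix, max_priority=2)):
        print(f"{src} -> sid {sid}: {hits} hits across {breadth} target(s)")
```

On the constructed sample, seven alerts collapse to five groups and three bipartite edges; the scanner's four hits against three hosts come out as the thickest edge, while the priority filter drops the policy rule entirely. The collapse window is keyed on (signature, source, destination) deliberately: keying on source alone would merge a port sweep into one blob and hide exactly the breadth the wheel is meant to show.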

    Visualizing network traffic for intrusion detection


    Visualizing Network Traffic for Intrusion Detection

    Intrusion detection, the process of using network data to identify potential attacks, has become an essential component of information security. Human analysts doing intrusion detection work use vast amounts of data from disparate sources to make decisions about potential attacks. Yet there is limited understanding of this critical human component. This research seeks to understand the work practices of these human analysts to inform the design of a task-appropriate information visualization tool to support network intrusion detection analysis tasks. System design will follow a user-centered, spiral methodology. System evaluation will include both a field-based qualitative evaluation, uncommon in information visualization, and a lab-based benchmarking evaluation. Author keywords: information visualization, HCI, intrusion detection, network security.

    Defending the Network: Visualizing Network Traffic for Intrusion Detection Analysis

    Intrusion detection, the process of using computer network and system data to identify potential cyber attacks, has become an increasingly essential component of information security infrastructure. Because of the dynamic and complex nature of computer networks and the potential for inappropriate or self-damaging responses to potential attacks, intrusion detection systems are only effective when complemented by a human analyst. Human analysts use vast amounts of multi-dimensional data from disparate sources to make timely decisions about potential attacks. Yet there is limited understanding of this critical human component. This research consisted of two interrelated components: a field study examining the work practices of these human analysts, and the user-centered design and evaluation of an information visualization tool for intrusion detection analysis grounded in the realities of analysts' work.

    The field study, consisting of interviews and a survey, resulted in a rich understanding of the practice of intrusion detection. This understanding informed the design of a new tool that takes advantage of humans' perceptual and analytic capabilities through an interactive, graphical data presentation. This visualization tool was iteratively developed and evaluated to support a specific, complex intrusion detection task: network traffic analysis. The tool, called Time-based Network Traffic Visualizer (TNV), graphically displays network traffic patterns between networked computers. The finding from the field study that analysts rely on situated knowledge (they must "know their network" to differentiate normal from abnormal behavior) resulted in a system design that facilitates learning this behavior. This design objective was furthered as a result of a formative usability evaluation, which led to a design change emphasizing the analysts' home network.

    Another key finding was the disconnect in current tools between high-level overviews and low-level details, which forced analysts to lose context when changing levels of analysis. This resulted in the design of TNV to underscore the importance of context by presenting high- and low-level details simultaneously. A summative evaluation demonstrated that users could use TNV to examine low-level details while preserving context, enabling better performance than the tools currently in use on overview and comparison tasks.
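The two design findings above (emphasize the home network so analysts can learn what normal looks like; keep the overview on screen while drilling into a host pair) are easy to state and easy to lose in an implementation. The following is an added example, not TNV's own code, of the minimal data model that satisfies both: flows are classified relative to an assumed home prefix, bucketed by time for the overview, and kept per host pair for the detail, with a focus operation that returns both levels together instead of swapping one for the other. The flow records, addresses (RFC 5737 test ranges) and home prefix are constructed.

```python
"""Time-based host-pair traffic table with overview and detail kept in one
view, in the spirit of TNV. Added example, not TNV's own code. The flow
records, addresses (RFC 5737 test ranges) and the home prefix below are
constructed assumptions.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

HOME_NET = ip_network("192.0.2.0/24")  # assumed analyst 'home network'

# Constructed flows: (timestamp, src, dst, proto, dst_port, bytes)
FLOWS = [
    ("2024-03-01 10:00:05", "192.0.2.10", "198.51.100.7", "tcp", 443, 1200),
    ("2024-03-01 10:00:40", "198.51.100.7", "192.0.2.10", "tcp", 22, 80),
    ("2024-03-01 10:00:41", "198.51.100.7", "192.0.2.11", "tcp", 22, 80),
    ("2024-03-01 10:00:42", "198.51.100.7", "192.0.2.12", "tcp", 22, 80),
    ("2024-03-01 10:01:10", "192.0.2.11", "203.0.113.9", "udp", 53, 90),
    ("2024-03-01 10:03:59", "192.0.2.10", "192.0.2.20", "tcp", 445, 4096),
    ("2024-03-01 10:04:30", "203.0.113.9", "192.0.2.11", "udp", 53, 300),
]


def direction(src: str, dst: str, home=HOME_NET) -> str:
    """Classify a flow relative to the home network: this is what lets an
    analyst separate 'our hosts talking out' from 'strangers talking in'."""
    s, d = ip_address(src) in home, ip_address(dst) in home
    return {(True, True): "internal", (True, False): "outbound",
            (False, True): "inbound", (False, False): "transit"}[(s, d)]


def bucket(ts: datetime, width: timedelta) -> datetime:
    """Floor a timestamp to the start of its (midnight-aligned) time bucket."""
    midnight = ts.replace(hour=0, minute=0, second=0, microsecond=0)
    secs = (ts - midnight).total_seconds()
    w = width.total_seconds()
    return midnight + timedelta(seconds=secs // w * w)


def build_view(flows, width=timedelta(minutes=1)):
    """Build both levels TNV keeps on screen at once:
    overview[(bucket, direction)] -> flow count (the high-level strip), and
    detail[(src, dst)] -> the raw records for that host pair (the low level)."""
    overview = Counter()
    detail = defaultdict(list)
    for ts_s, src, dst, proto, dport, nbytes in flows:
        ts = datetime.strptime(ts_s, "%Y-%m-%d %H:%M:%S")
        overview[(bucket(ts, width), direction(src, dst))] += 1
        detail[(src, dst)].append((ts, proto, dport, nbytes))
    return overview, dict(detail)


def focus(overview, detail, pair):
    """Focus plus context: the full overview is returned unchanged alongside
    the selected pair's records, rather than replaced by them."""
    return overview, detail.get(pair, [])


def fan_in(detail, home=HOME_NET):
    """Outside sources ranked by how many distinct home hosts they touched:
    a port sweep shows up here even when each individual flow is tiny."""
    c = Counter()
    for src, dst in detail:
        if ip_address(src) not in home and ip_address(dst) in home:
            c[src] += 1  # detail is keyed per pair, so this counts distinct targets
    return c


def overview_rows(overview):
    """Overview as sorted rows (bucket start, direction, flows) for display."""
    return sorted((b.strftime("%H:%M"), d, n) for (b, d), n in overview.items())


if __name__ == "__main__":
    ov, det = build_view(FLOWS)
    for row in overview_rows(ov):
        print(*row)
    print("fan-in:", fan_in(det).most_common())
    _, records = focus(ov, det, ("198.51.100.7", "192.0.2.10"))
    print("detail for 198.51.100.7 -> 192.0.2.10:", records)
```

With one-minute buckets the constructed sample yields four inbound, two outbound and one internal flow, and the fan-in table ranks 198.51.100.7 first because it reached three distinct home hosts; the 80-byte SSH probes would be invisible in a bytes-only overview, which is why the overview counts flows and the detail keeps the bytes.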


    A user-centered approach to visualizing network traffic for intrusion detection
