Defending the network: Visualizing network traffic for intrusion detection analysis
Intrusion detection, the process of using computer network and system data to identify potential cyber attacks, has become an increasingly essential component of information security infrastructure. Due to the dynamic and complex nature of computer networks and the potential for inappropriate or self-damaging responses to potential attacks, intrusion detection systems are only effective when complemented by a human analyst. Human analysts utilize vast amounts of multi-dimensional data from disparate sources to make timely decisions about potential attacks. Yet, there is limited understanding of this critical human component. This research consisted of two interrelated components: a field study examining the work practices of these human analysts, and the user-centered design and evaluation of an information visualization tool for intrusion detection analysis grounded in the realities of analysts' work.
The field study---consisting of interviews and a survey---produced a rich understanding of the practice of intrusion detection. That understanding informed the design of a new tool that exploits humans' perceptual and analytic capabilities through an interactive, graphical data presentation. The visualization tool was iteratively developed and evaluated to support one specific, complex intrusion detection task: network traffic analysis. The tool, called Time-based Network Traffic Visualizer (TNV), graphically displays traffic patterns between networked computers over time. The field-study finding that analysts rely on situated knowledge---they must "know their network" in order to differentiate normal from abnormal behavior---led to a design that helps analysts learn that behavior. This objective was reinforced by a formative usability evaluation, which prompted a design change to emphasize the analysts' home network. Another key finding was the disconnect in current tools between high-level overviews and low-level details: analysts lose context whenever they change levels of analysis. TNV was therefore designed to preserve context by presenting high- and low-level details simultaneously. A summative evaluation showed that users could use TNV to examine low-level details while retaining context, and that they performed better than with the tools currently in use on overview and comparison tasks.
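The design decisions summarized above (a time-bucketed view of traffic between hosts, an explicit notion of the analyst's home network, and a detail layer that is built from the same data as the overview so context is not lost) can be illustrated with a small data model. The following Python is an added example written for this page; it is not TNV's own code, and the home-network prefix, the 60-second bucket width and the flow records are all assumptions constructed for the illustration.

```python
"""TNV-style time-bucketed host-to-host traffic model (added illustration, not TNV code)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Assumed home network for the example; in practice the analyst configures this.
HOME_NET = ip_network("10.0.0.0/24")
BUCKET_SECONDS = 60  # assumed width of one time column


@dataclass(frozen=True)
class Flow:
    ts: int        # epoch seconds
    src: str
    dst: str
    proto: str
    nbytes: int


# Constructed sample flows (not real captures). With start=1000 and 60 s buckets,
# ts 1000-1059 fall in bucket 0, 1060-1119 in bucket 1, and so on.
SAMPLE_FLOWS: List[Flow] = [
    Flow(1000, "10.0.0.5", "198.51.100.7", "tcp", 1200),
    Flow(1003, "10.0.0.5", "198.51.100.7", "tcp", 800),
    Flow(1065, "198.51.100.7", "10.0.0.5", "tcp", 300),
    Flow(1130, "203.0.113.9", "10.0.0.22", "tcp", 60),
    Flow(1131, "203.0.113.9", "10.0.0.23", "tcp", 60),
    Flow(1132, "203.0.113.9", "10.0.0.24", "tcp", 60),
    Flow(1200, "10.0.0.5", "10.0.0.1", "udp", 90),
]

Cell = Tuple[int, str, str]  # (bucket index, src, dst)


def is_home(ip: str) -> bool:
    """True when the address lies inside the analyst's home network."""
    return ip_address(ip) in HOME_NET


def bucket_index(ts: int, start: int, width: int = BUCKET_SECONDS) -> int:
    """Map a timestamp to its time column."""
    return (ts - start) // width


def build_matrix(flows: List[Flow], start: int = None, width: int = BUCKET_SECONDS):
    """Overview layer: aggregate flows into (bucket, src, dst) cells.

    Returns (cells, start); cells maps each cell to [flow_count, byte_total].
    """
    if not flows:
        return {}, 0
    if start is None:
        start = min(f.ts for f in flows)
    cells: Dict[Cell, List[int]] = defaultdict(lambda: [0, 0])
    for f in flows:
        key = (bucket_index(f.ts, start, width), f.src, f.dst)
        cells[key][0] += 1
        cells[key][1] += f.nbytes
    return dict(cells), start


def host_rows(cells: Dict[Cell, List[int]]) -> List[str]:
    """Row order that emphasizes the home network: home hosts first, then remote hosts."""
    hosts = {h for (_, s, d) in cells for h in (s, d)}
    # sort by (home/remote, IP version, numeric address) so v4 and v6 never compare directly
    return sorted(hosts, key=lambda h: (not is_home(h), ip_address(h).version, int(ip_address(h))))


def detail(flows: List[Flow], start: int, bucket: int, host: str,
           width: int = BUCKET_SECONDS) -> List[Flow]:
    """Detail layer: the raw flows behind one host in one time column.

    Derived from the same records as the overview, so drilling down leaves the
    surrounding overview cells intact rather than replacing the view.
    """
    return [f for f in flows
            if bucket_index(f.ts, start, width) == bucket and host in (f.src, f.dst)]


def remote_fan_out(cells: Dict[Cell, List[int]]) -> Dict[Tuple[int, str], int]:
    """Per time column, how many distinct home hosts each remote source reached.

    A remote host that touches many home hosts inside one column is the kind of
    pattern an analyst who knows the network would pick out of the overview.
    """
    fan = defaultdict(set)
    for (b, s, d) in cells:
        if not is_home(s) and is_home(d):
            fan[(b, s)].add(d)
    return {k: len(v) for k, v in fan.items()}


if __name__ == "__main__":
    cells, start = build_matrix(SAMPLE_FLOWS)
    for host in host_rows(cells):
        tag = "home" if is_home(host) else "remote"
        print(f"{host:>14} ({tag})")
    print("fan-out per (bucket, remote host):", remote_fan_out(cells))
    print("detail, bucket 2, 203.0.113.9:", detail(SAMPLE_FLOWS, start, 2, "203.0.113.9"))
```

Running it lists the five home hosts ahead of the two remote ones, reports that 203.0.113.9 reached three home hosts in bucket 2, and returns the three underlying flows for that cell while the overview cells remain available.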
0984: Computer science