Defending the network: Visualizing network traffic for intrusion detection analysis

2007


Abstract (summary)

Intrusion detection, the process of using computer network and system data to identify potential cyber attacks, has become an increasingly essential component of information security infrastructure. Due to the dynamic and complex nature of computer networks and the potential for inappropriate or self-damaging responses to potential attacks, intrusion detection systems are only effective when complemented by a human analyst. Human analysts utilize vast amounts of multi-dimensional data from disparate sources to make timely decisions about potential attacks. Yet, there is limited understanding of this critical human component. This research consisted of two interrelated components: a field study examining the work practices of these human analysts, and the user-centered design and evaluation of an information visualization tool for intrusion detection analysis grounded in the realities of analysts' work.

The field study, consisting of interviews and a survey, produced a rich understanding of the practice of intrusion detection. This understanding informed the design of a new tool that takes advantage of humans' perceptual and analytic capabilities through an interactive, graphical data presentation. The visualization tool was iteratively developed and evaluated to support a specific, complex intrusion detection task: network traffic analysis. The tool, called Time-based Network Traffic Visualizer (TNV), graphically displays network traffic patterns between networked computers. One finding of the field study was that analysts rely on situated knowledge: they must "know their network" to differentiate normal from abnormal behavior. This led to a system design that helps analysts learn that baseline behavior, a design objective reinforced by a formative usability evaluation, which prompted a design change to emphasize the analysts' home network. Another key finding was the disconnect in current tools between high-level overviews and low-level details, which forced analysts to lose context when changing levels of analysis. TNV was therefore designed to preserve context by presenting high- and low-level details simultaneously. A summative evaluation showed that users could use TNV to examine low-level details while preserving context, performing better than with the currently used tools on overview and comparison tasks.
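The two design points in the abstract (emphasize the analyst's home network so its baseline can be learned, and keep the high-level overview available while drilling into low-level records) can be shown on flow data. The following Python is an added illustration written for this page, not TNV's own code or the dissertation's implementation. It assumes a hypothetical home network of 10.0.0.0/24, fixed 60-second time bins, and a handful of constructed flow records; none of those come from the dissertation.

```python
"""Added illustration (not TNV's own code): time-binned host-to-host traffic
overview with home-network emphasis and per-cell drill-down."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumptions for the illustration: the analyst's home network and bin width.
HOME_NET = ip_network("10.0.0.0/24")
BIN_SECONDS = 60


@dataclass(frozen=True)
class Flow:
    ts: int        # flow start time, epoch seconds
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed sample flow records (not captured traffic).
SAMPLE_FLOWS = [
    Flow(1000, "10.0.0.5", "10.0.0.20", 445, "tcp", 1200),
    Flow(1010, "10.0.0.5", "192.0.2.10", 443, "tcp", 5400),
    Flow(1070, "198.51.100.7", "10.0.0.20", 22, "tcp", 300),
    Flow(1075, "198.51.100.7", "10.0.0.21", 22, "tcp", 300),
    Flow(1079, "198.51.100.7", "10.0.0.22", 22, "tcp", 300),
    Flow(1130, "10.0.0.20", "192.0.2.10", 443, "tcp", 900),
]


def is_home(host):
    return ip_address(host) in HOME_NET


def time_bin(ts):
    """Start of the fixed-width bin that contains ts."""
    return ts - ts % BIN_SECONDS


def build_overview(flows):
    """High-level view: {(bin_start, src, dst): (flow_count, total_bytes)}."""
    cells = defaultdict(lambda: [0, 0])
    for f in flows:
        cell = cells[(time_bin(f.ts), f.src, f.dst)]
        cell[0] += 1
        cell[1] += f.nbytes
    return {k: tuple(v) for k, v in cells.items()}


def hosts_by_locality(flows):
    """Home hosts first (ordered by address), then remote hosts."""
    hosts = {h for f in flows for h in (f.src, f.dst)}
    home = sorted((h for h in hosts if is_home(h)), key=ip_address)
    remote = sorted((h for h in hosts if not is_home(h)), key=ip_address)
    return home, remote


def detail(flows, bin_start, src, dst):
    """Low-level view: the raw records behind one overview cell."""
    return [f for f in flows
            if time_bin(f.ts) == bin_start and f.src == src and f.dst == dst]


def remote_fanout(overview):
    """Per (bin, remote source): number of distinct home hosts contacted.
    A remote host touching many home hosts in one bin is the kind of
    deviation from the known baseline an analyst would want to notice."""
    fan = defaultdict(set)
    for (b, src, dst) in overview:
        if not is_home(src) and is_home(dst):
            fan[(b, src)].add(dst)
    return {k: len(v) for k, v in fan.items()}


def render(flows):
    """Text overview: rows are hosts (home first, marked '*'), columns are
    time bins, a cell is the number of flows the host took part in."""
    home, remote = hosts_by_locality(flows)
    bins = sorted({time_bin(f.ts) for f in flows})
    counts = defaultdict(int)
    for f in flows:
        for h in (f.src, f.dst):
            counts[(h, time_bin(f.ts))] += 1
    lines = ["host".ljust(18) + " ".join(str(b).rjust(6) for b in bins)]
    for h in home + remote:
        label = ("*" if h in home else " ") + h
        cells = (str(counts[(h, b)] or ".").rjust(6) for b in bins)
        lines.append(label.ljust(18) + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    ov = build_overview(SAMPLE_FLOWS)
    print(render(SAMPLE_FLOWS))
    print("remote fan-out:", remote_fanout(ov))
    # Drill into one overview cell without discarding the overview above.
    for f in detail(SAMPLE_FLOWS, 1020, "198.51.100.7", "10.0.0.20"):
        print("detail:", f)
```

The overview and the drill-down are computed from the same record list, so a viewer can keep the host-by-time grid on screen while `detail()` returns the flows behind one cell; `hosts_by_locality()` is what lets the home network be drawn first and marked, which is the analogue of the home-network emphasis the formative evaluation called for.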

Indexing (details)

Subject: Information systems; Computer science
Subject codes: 0723: Information systems; 0984: Computer science
Identifier / keyword: Communication and the arts; Applied sciences; Information visualization; Intrusion detection; Network traffic; User-centered design
Title: Defending the network: Visualizing network traffic for intrusion detection analysis
Author: Goodall, John R.
Publication year: 2007
Source: DAI-A 68/05, Dissertation Abstracts International
Place of publication: Ann Arbor
Country of publication: United States
Advisor: Lutters, Wayne
University/institution: University of Maryland, Baltimore County
Department: Information Systems
University location: United States -- Maryland
Source type: Dissertations & Theses