Date of Award
6-16-2008
Document Type
Thesis
Degree Name
Master of Science in Computer Science
Department
Department of Electrical and Computer Engineering
First Advisor
Stuart H. Kurkowski, PhD
Abstract
With networks increasing in physical size, bandwidth, traffic volume, and malicious activity, network analysts are experiencing greater difficulty in developing network situational awareness. Traditionally, network analysts have used Intrusion Detection Systems to gain awareness but this method is outdated when analysts are unable to process the alerts at the rate they are being generated. Analysts are unwittingly placing the computer assets they are charged to protect at risk when they are unable to detect these network attacks. This research effort examines the theory, application, and results of using visualizations of fused alert data to develop network situational awareness. The fused alerts offer analysts fewer false-positives, less redundancy and alert quantity due to the pre-processing. Visualization offers the analyst quicker visual processing and potential pattern recognition. This research utilized the Visual Information Management toolkit created by Stanfield Systems Inc. to generate meaningful visualizations of the fused alert data. The fused alert data was combined with other network data such as IP address information, network topology and network traffic in the form of tcpdump data. The process of building Situational Awareness is an active process between the toolkit and the analyst. The analyst loads the necessary data into the visualization(s), he or she configures the visualization properties and filters the visualization(s). Results from generating visualizations of the network attack scenarios were positive. The analyst gained more awareness through the process of defining visualization properties. The analyst was able to filter the network data sources effectively to focus on the important alerts. Ultimately, the analyst was able to follow the attacker through the entry point in the network to the victims. The analyst was able to determine that the victims were compromised by the attacker. The analyst wasn't able to definitively label the attack specifically yet the analyst was able to follow the attack effectively leading to Situational Awareness.
AFIT Designator
AFIT-GCS-ENG-08-23
DTIC Accession Number
ADA487566
Recommended Citation
Avitia, Serafin A. V, "Developing Network Situational Awareness through Visualization of Fused Intrusion Detection System Alerts" (2008). Theses and Dissertations. 2760.
https://scholar.afit.edu/etd/2760