Hierarchical visualization of network intrusion detection data

This article presents a visualization technique for log files of intrusion detection systems (IDSs), especially for a large-scale computer network connecting to thousands of computers. The technique first constructs hierarchical data of computers according to their IP addresses. It then visualizes the hierarchical data as bars and nested rectangles in a 2D display space, where bars denote computers and rectangles denote groups of computers. The technique represents the statistics of incidents for thousands of computers in one display space by mapping the number of incidents as bar heights. The technique attempts to minimize the display space; therefore, it enables the computers to be represented as clickable metaphors so that each computer's user interface presents its detail on demand. Also, the technique can help a user understand the relationship between a distribution of incidents and the organization of real society, because IP addresses are usually assigned according to the physical and organizational layouts of real society. The article introduces interesting behavior that the presented technique visualizes, including malicious accesses on real large-scale computer networks as discovered from over sixty thousands lines of a real IDS log file. © 2006 IEEE.