A visualization paradigm for network intrusion detection

We present a novel paradigm for visual correlation of network alerts from disparate logs. This paradigm facilitates and promotes situational awareness in complex network environments. Our approach is based on the notion that, by definition, an alert must posses three attributes, namely: What, When, and Where. This fundamental premise, which we term omega(3), provides a vehicle for comparing between seemingly disparate events. We propose a concise and scalable representation of these three attributes, that leads to a flexible visualization tool that is also clear and intuitive to use. Within our system, alerts can be grouped and viewed hierarchically with respect to both their type, i.e., the What, and to their Where attributes. Further understanding is gained by displaying the temporal distribution of alerts to reveal complex attack trends. Finally, we propose a set of visual metaphor extensions that augment the proposed paradigm and enhance users' situational awareness. These metaphors direct the attention of users to many-to-one correlations within the current display helping them detect abnormal network activity.