Understanding the context of network traffic alerts

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › Academic › peer-review

12 Citations (Scopus)

Abstract

For the protection of critical infrastructures against complex virus attacks, automated network traffic analysis and deep packet inspection are unavoidable. However, even with the use of network intrusion detection systems, the number of alerts is still too large to analyze manually. In addition, the discovery of domain-specific multi-stage viruses (e.g., Advanced Persistent Threats) is typically not captured by a single alert. The result is that security experts are overloaded with low-level technical alerts where they must look for the presence of an APT. In this paper we propose an alert-oriented visual analytics approach for the exploration of network traffic content in multiple contexts. In our approach CoNTA (Contextual analysis of Network Traffic Alerts), experts are supported to discover threats in large alert collections through interactive exploration using selections and attributes of interest. Tight integration between machine learning and visualization enables experts to quickly drill down into the alert collection and report false alerts back to the intrusion detection system. Finally, we show the effectiveness of the approach by applying it on real-world and artificial data sets.
Original language: English
Title of host publication: 2016 IEEE Symposium on Visualization for Cyber Security (VizSec), 24 October 2016, Baltimore, Maryland
Editors: D.M. Best, D. Staheli, N. Prigent, S. Engle, L. Harrison
Place of Publication: Piscataway
Publisher: Institute of Electrical and Electronics Engineers
Pages: 1-8
Number of pages: 8
ISBN (Electronic): 978-1-5090-1605-1
ISBN (Print): 978-1-5090-1606-8
DOIs: https://doi.org/10.1109/VIZSEC.2016.7739579
Publication status: Published - 10 Nov 2016

Fingerprint

Intrusion detection
Telecommunication traffic
Computer viruses
Critical infrastructures
Viruses
Learning systems
Visualization
Inspection

Cite this

Cappers, B. C. M., & van Wijk, J. J. (2016). Understanding the context of network traffic alerts. In D. M. Best, D. Staheli, N. Prigent, S. Engle, & L. Harrison (Eds.), 2016 IEEE Symposium on Visualization for Cyber Security (VizSec), 24 October 2016, Baltimore, Maryland (pp. 1-8). [5] Piscataway: Institute of Electrical and Electronics Engineers. https://doi.org/10.1109/VIZSEC.2016.7739579
@inproceedings{14d68d79767246e9a0cbf3edb2827666,
title = "Understanding the context of network traffic alerts",
abstract = "For the protection of critical infrastructures against complex virus attacks, automated network traffic analysis and deep packet inspection are unavoidable. However, even with the use of network intrusion detection systems, the number of alerts is still too large to analyze manually. In addition, the discovery of domain-specific multi stage viruses (e.g., Advanced Persistent Threats) are typically not captured by a single alert. The result is that security experts are overloaded with low-level technical alerts where they must look for the presence of an APT. In this paper we propose an alert-oriented visual analytics approach for the exploration of network traffic content in multiple contexts. In our approach CoNTA (Contextual analysis of Network Traffic Alerts), experts are supported to discover threats in large alert collections through interactive exploration using selections and attributes of interest. Tight integration between machine learning and visualization enables experts to quickly drill down into the alert collection and report false alerts back to the intrusion detection system. Finally, we show the effectiveness of the approach by applying it on real world and artificial data sets.",
author = "B.C.M. Cappers and {van Wijk}, J.J.",
year = "2016",
month = "11",
day = "10",
doi = "10.1109/VIZSEC.2016.7739579",
language = "English",
isbn = "978-1-5090-1606-8",
pages = "1--8",
editor = "D.M. Best and D. Staheli and N. Prigent and S. Engle and L. Harrison",
booktitle = "2016 IEEE Symposium on Visualization for Cyber Security (VizSec), 24 October 2016, Baltimore, Maryland",
publisher = "Institute of Electrical and Electronics Engineers",
address = "United States",
}

