For the protection of critical infrastructures against complex virus attacks, automated network traffic analysis and deep packet inspection are unavoidable. However, even with the use of network intrusion detection systems, the number of alerts is still too large to analyze manually. In addition, domain-specific multi-stage attacks (e.g., Advanced Persistent Threats) are typically not captured by a single alert. The result is that security experts are overloaded with low-level technical alerts in which they must look for the presence of an APT. In this paper we propose an alert-oriented visual analytics approach for the exploration of network traffic content in multiple contexts. In our approach CoNTA (Contextual analysis of Network Traffic Alerts), experts are supported in discovering threats in large alert collections through interactive exploration using selections and attributes of interest. Tight integration between machine learning and visualization enables experts to quickly drill down into the alert collection and report false alerts back to the intrusion detection system. Finally, we show the effectiveness of the approach by applying it to real-world and artificial data sets.
| Field | Value |
|---|---|
| Title of host publication | 2016 IEEE Symposium on Visualization for Cyber Security (VizSec), 24 October 2016, Baltimore, Maryland |
| Editors | D.M. Best, D. Staheli, N. Prigent, S. Engle, L. Harrison |
| Place of publication | Piscataway |
| Publisher | Institute of Electrical and Electronics Engineers |
| Number of pages | 8 |
| Publication status | Published - 10 Nov 2016 |