Abstract

Intrusion detection systems (IDSs) are valuable tools for defending a network against those who want to break in and steal sensitive information. These tools, however, have inherent difficulties. Their alerts are generated in textual form, and extracting the relevant information from such files takes considerable time and scrutiny. Not all alerts are accurate either: IDSs suffer from false positives, logging alerts although no attack has occurred. Under these conditions, it is almost impossible to detect an actual intrusion from the raw alert logs. Information visualization transforms data into a visual representation for better and quicker understanding, and the more representative and straightforward a visualization is, the more information it conveys and the more useful it is. This paper proposes a new paradigm for visualizing IDS alerts, named nesting circles. We keep the design simple by using the circle as the primary mark and size and color as the only channels, which makes the visualization easy to read and intuitive to understand. Furthermore, nesting circles give the administrator a complete view of both explicit and implicit information, a feature that previous approaches lacked. The efficiency of nesting circles is examined on the VAST challenge case study, where it proves effective in finding hidden attacks in the logs.

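The abstract describes the core transformation only in words: textual alerts become a hierarchy of circles whose size and color carry the information. The following is an added example, not code from the paper, showing one way that transformation can be done. The input format (Snort "fast" alert lines), the nesting order (all alerts, then destination host, then signature), and the priority-to-color mapping are assumptions made here for illustration; the abstract does not specify which fields the paper nests on.

```python
"""Turn textual IDS alerts into a nested-circle hierarchy (size + color channels).

Added example; not code from the paper. The nesting order (destination host ->
signature), the Snort "fast" alert format, and the priority-to-color mapping
are assumptions made here for illustration.
"""
import math
import re
from collections import defaultdict

# Constructed sample alert lines in Snort "fast" format (not VAST challenge data).
SAMPLE_ALERTS = """\
04/13-10:01:02.000001  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43122 -> 192.168.1.10:22
04/13-10:01:02.120044  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43123 -> 192.168.1.10:22
04/13-10:01:03.004110  [**] [1:2001219:20] ET SCAN Potential SSH Scan [**] [Classification: Attempted Information Leak] [Priority: 2] {TCP} 10.0.0.5:43124 -> 192.168.1.11:22
04/13-10:02:17.550912  [**] [1:2006446:11] ET WEB_SERVER Possible SQL Injection Attempt UNION SELECT [**] [Classification: Web Application Attack] [Priority: 1] {TCP} 10.0.0.5:50110 -> 192.168.1.20:80
04/13-10:02:18.000000  [**] [1:2002824:4] ET POLICY curl User-Agent Outbound [**] [Classification: Attempted Information Leak] [Priority: 3] {TCP} 10.0.0.9:50200 -> 192.168.1.20:80
04/13-10:02:19.300000  [**] [1:384:5] ICMP PING [**] [Classification: Misc activity] [Priority: 3] {ICMP} 10.0.0.9 -> 192.168.1.10
"""

# One fast-format line: [**] [gid:sid:rev] msg [**] ... [Priority: n] {proto} src[:port] -> dst[:port]
ALERT_RE = re.compile(
    r"\[\*\*\] \[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\] (?P<msg>.+?) \[\*\*\]"
    r".*?\[Priority: (?P<prio>\d+)\] \{(?P<proto>\w+)\} "
    r"(?P<src>[\d.]+)(?::(?P<sport>\d+))? -> (?P<dst>[\d.]+)(?::(?P<dport>\d+))?"
)

# Assumed color channel: Snort priority 1 is the most severe.
PRIORITY_COLOR = {1: "red", 2: "orange", 3: "yellow"}


def parse_alert(line):
    """Return the fields of one fast-format alert line, or None if it does not parse."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["prio"] = int(fields["prio"])
    return fields


def priority_color(prio):
    """Color channel: worst (lowest-numbered) priority in the circle; unknown -> grey."""
    return PRIORITY_COLOR.get(prio, "grey")


def circle_radius(count):
    """Size channel: circle area proportional to alert count, so radius ~ sqrt(count)."""
    return math.sqrt(count)


def _node(name, prios, children=None):
    """One circle: its label, the alerts it aggregates, and the two visual channels."""
    worst = min(prios) if prios else None
    return {
        "name": name,
        "count": len(prios),
        "priority": worst,
        "radius": circle_radius(len(prios)),
        "color": priority_color(worst),
        "children": children or [],
    }


def nest_alerts(text):
    """Build the nested-circle tree: root -> destination host -> signature.

    Unparseable lines are skipped rather than aborting the whole rendering.
    """
    hosts = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        alert = parse_alert(line)
        if alert is None:
            continue
        hosts[alert["dst"]][alert["msg"]].append(alert["prio"])

    host_nodes = []
    for dst, sigs in sorted(hosts.items()):
        sig_nodes = [_node(msg, prios) for msg, prios in sorted(sigs.items())]
        host_nodes.append(_node(dst, [p for prios in sigs.values() for p in prios], sig_nodes))
    root_prios = [p for sigs in hosts.values() for prios in sigs.values() for p in prios]
    return _node("all alerts", root_prios, host_nodes)


def render(node, depth=0):
    """Textual stand-in for the drawing: one line per circle, indented by nesting depth."""
    line = "  " * depth + f"{node['name']}  count={node['count']} r={node['radius']:.2f} color={node['color']}"
    return "\n".join([line] + [render(child, depth + 1) for child in node["children"]])


if __name__ == "__main__":
    print(render(nest_alerts(SAMPLE_ALERTS)))
```

Because every circle carries only a count and a worst-priority color, repetitive low-priority noise (the kind that false positives typically produce) collapses into a few large, pale circles, while a single priority-1 alert inside a host still colors that host's circle red. That is the property the abstract relies on when it says the nesting exposes implicit as well as explicit information.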