Open challenges in visual analytics for security information and event management

Abstract

Introduction: Visual analytics techniques support efficient analysis of the ever-growing amounts of data generated by security sensors and facilitate a timely and reasonable response to the threats. Modern security information and event management systems propose various solutions for processing large data streams and integrating heterogeneous sources which can be used as a framework to construct a visual analytics system for security tasks. Purpose: The analysis of visual analytics techniques implemented in security information and event management systems and designed to support the studies on security incidents in the context of the main visual analytics problems, including the validation of automatic analysis models. Results: A contradiction has been detected between the capabilities of security information and event management systems in the visual analysis of security data and the implementation of these capabilities. Techniques for visual correlation of the data from different security sensors and for visual validation of automatic analysis models which would allow you to evaluate their accuracy and adaptability to the changes in data streams are almost missing. A possible way to resolve this contradiction is using techniques which support a flexible mechanism for adjusting the analyzed attributes of the network device events. The article presents the main approaches to the development of such techniques, discussing their advantages and disadvantages. We propose a dashboard for monitoring the behavior of an automated network traffic analysis model used in a cloud computing infrastructure. It allows you to monitor the analysis model behavior, perform a visual correlation of the analyzed parameters, and track changes in the network flows. Practical relevance: The results of the research can be used when designing security visual analytics tools for monitoring data flows and the behavior of automated analysis models.