
3.1.3 Statistical Visualization for Managing Network Intrusion and Anomaly Detection

David L. Banks, Mark Levenson

Statistical Engineering Division, ITL

John Cugini, Joseph Konczal, Sharon Laskowski

Information Access and User Interfaces Division, ITL

Donald Marks

Computer Security Division, ITL

Experts in computer security are concerned with the need for intrusion/anomaly detection, and a number of automated system monitors are under development. Most of this research has not yet been informed by the results of NIST's work in the Information Exploration Shoot-Out, which used system audit logs with known intrusions as the testbed for a comparison of visualization-based data-mining methods.

Our project is to develop an interactive visualization tool that acts as a post-processor for the output of an automated system monitor, thereby presenting the system manager with information on threat levels and system anomalies in a more directly interpretable way. Also, the tool will enable managers to take direct action in response to a threat, or access information useful in evaluating an apparent threat. The Information Security Systems Company (ISS) has provided support for this research, as has DARPA and Roy Maxion's Harbinger Project at the School of Computer Science, Carnegie Mellon University.

Our interactive visualization tool is called NAIVE, for Network Anomaly/Intrusion Visualization and Exploration. The tool has two versions; one is appropriate for maintaining security in small local area networks, and the other is scalable to address the needs of very large systems. NAIVE is being designed to ensure platform-independence. The development platform is a Unix workstation; software is written using Tcl/Tk, a portable user-interface environment, and the visualization is being accomplished with OpenGL, a portable graphics library.

An example prototype has been built using DARPA's Common Intrusion Detection Framework. It presents real-time intrusion data visually as a graph: nodes represent terminals, and edges represent links between terminals. The edges carry color-coded information about the transmission of secure files, atypical usage patterns, and other performance anomalies. By clicking on an edge, the display can show which ports are involved in the transmission, along with other detailed information.


Figure 3: This figure shows a screendump of the NAIVE system, using simulated data to show threat levels and traffic on a small local area network. The colors of the edges show the level of threat, and their width indicates the volume of traffic. The colors of the nodes indicate categories of user.
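The post-processing step described above, reduced to its data model, as an added example that is not NAIVE's own code: constructed monitor alerts are aggregated into the terminal graph, each link keeps the worst threat seen on it, its traffic volume and the ports involved, and those attributes are mapped to the edge color and width the figure caption describes. The alert record layout, the threat scale and the user categories are assumptions.

```python
# Added example (not NAIVE's code): aggregate monitor alerts into the
# node/edge model behind a NAIVE-style threat display.

# Constructed sample output of an automated monitor (field names assumed).
SAMPLE_ALERTS = [
    {"src": "ws01", "dst": "srv1", "sport": 40211, "dport": 22, "bytes": 1200, "threat": "low"},
    {"src": "ws01", "dst": "srv1", "sport": 40212, "dport": 22, "bytes": 800, "threat": "none"},
    {"src": "ws02", "dst": "srv1", "sport": 51000, "dport": 445, "bytes": 6000, "threat": "high"},
    {"src": "ws02", "dst": "srv1", "sport": 51001, "dport": 139, "bytes": 2000, "threat": "medium"},
]
# Constructed user categories per terminal (drives node color in the display).
USER_CATEGORY = {"ws01": "staff", "ws02": "guest", "srv1": "server"}

THREAT_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}   # assumed threat scale
THREAT_COLOR = {"none": "green", "low": "yellow", "medium": "orange", "high": "red"}


def build_graph(alerts, user_category):
    """Fold alerts into nodes (terminal -> category) and undirected edges."""
    edges = {}
    for a in alerts:
        key = tuple(sorted((a["src"], a["dst"])))  # one edge per terminal pair
        e = edges.setdefault(key, {"threat": "none", "volume": 0, "ports": set()})
        # Edge color reflects the worst threat observed on the link so far.
        if THREAT_RANK[a["threat"]] > THREAT_RANK[e["threat"]]:
            e["threat"] = a["threat"]
        e["volume"] += a["bytes"]                 # edge width reflects traffic volume
        e["ports"].add((a["src"], a["sport"], a["dst"], a["dport"]))  # shown on click
    nodes = {n: user_category.get(n, "unknown") for key in edges for n in key}
    return nodes, edges


def edge_style(edge, max_volume):
    """Map one edge to (color, width): color from threat, width 1..5 from traffic share."""
    width = 1 + round(4 * edge["volume"] / max_volume) if max_volume else 1
    return THREAT_COLOR[edge["threat"]], width


def render_styles(edges):
    """Style every edge relative to the busiest link, as a display layer would."""
    max_volume = max((e["volume"] for e in edges.values()), default=0)
    return {key: edge_style(e, max_volume) for key, e in edges.items()}


if __name__ == "__main__":
    nodes, edges = build_graph(SAMPLE_ALERTS, USER_CATEGORY)
    for key, (color, width) in render_styles(edges).items():
        print(key, color, width, sorted(edges[key]["ports"]))
```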


Date created: 7/20/2001
Last updated: 7/20/2001